更新はcertbot.timerで蹴って、renewal-hooks/deployのreload.shでnginxをreload。
/etc/systemd/system/certbot.service
# Oneshot service that performs one certbot renewal pass. It has no [Install]
# section, so it is not enabled on its own; it is started by certbot.timer.
[Unit]
Description=Certbot Renewal
[Service]
# oneshot: systemd treats the unit as done once the certbot process exits.
Type=oneshot
# -q suppresses normal output; "renew" processes the certificates certbot
# already manages. No User= is set in this unit, so the command runs as root,
# and so does any renewal hook that certbot invokes.
ExecStart=/usr/local/bin/certbot -q renew
# Give the process a private /tmp and /var/tmp that other processes cannot see.
PrivateTmp=true
/etc/systemd/system/certbot.timer
# Timer for the renewal job. No Unit= is given, so it activates the service
# with the matching name (certbot.service).
[Unit]
Description=Run certbot twice daily
[Timer]
# Fire at 00:00 and 12:00 every day.
OnCalendar=*-*-* 00,12:00:00
# Delay each run by a random amount of up to 43200 s (12 h); presumably this is
# meant to spread renewal requests out rather than hit the CA on the hour.
RandomizedDelaySec=43200
# If a scheduled run was missed while the machine was off, trigger it when the
# timer is next started.
Persistent=true
[Install]
# Enabling the timer attaches it to timers.target so it is started at boot.
WantedBy=timers.target
/etc/letsencrypt/renewal-hooks/deploy/reload.sh
#!/bin/sh
#
# Certbot deploy hook: asks systemd to reload nginx so that the running server
# picks up the renewed certificate files.
#
# Scripts in renewal-hooks/deploy are run by certbot after a certificate has
# been renewed successfully, with the privileges of the certbot process.
# Keep this file owned by root and not writable by other users.
#
# Exit status: that of `systemctl reload nginx`.

# Hand the process over to systemctl so its exit status is reported directly.
exec systemctl reload nginx