diff --git a/rsync_letsencrypt/Makefile b/rsync_letsencrypt/Makefile
new file mode 100644
index 0000000..ca0aa91
--- /dev/null
+++ b/rsync_letsencrypt/Makefile
@@ -0,0 +1,64 @@
+.PHONY: all fetch_certs reload_nginx refresh_pg
+
+all: fetch_certs reload_nginx refresh_pg
+
+LETSENCRYPT_PATH=/mnt/letsencrypt
+
+###############################################################################
+# Fetch the certificates from my remote server using rsync
+#
+# The combination of `--info=NAME` and pipe into grep means this target will
+# have a non-zero exit code if nothing has been updated.
+# This way, the other targets will run only when some certificate has been
+# updated
+
+REMOTE_LETSENCRYPT_PATH=rsync://user@caladan/letsencrypt
+RSYNCD_PASSWD=/mnt/secrets/rsyncd_password
+RSYNC_OPTS=--archive --delete --acls --xattrs --compress --human-readable
+
+fetch_certs:
+	rsync \
+		$(RSYNC_OPTS) \
+		--info=NAME \
+		--password-file=$(RSYNCD_PASSWD) \
+		$(REMOTE_LETSENCRYPT_PATH) \
+		$(LETSENCRYPT_PATH) | \
+	grep .
+
+###############################################################################
+# Reload the nginx instance running on my reverse proxy docker-compose service
+# so that it uses the new certificates
+
+NGINX_COMPOSE_FILE=/srv/services/reverse_proxy/docker-compose.yml
+
+reload_nginx: fetch_certs
+	docker-compose \
+		--file $(NGINX_COMPOSE_FILE) \
+		exec nginx \
+		nginx -s reload
+
+###############################################################################
+# Copy the certificate for the postgresql domain to the folder where postgre
+# service expects it
+# After running the fetch_certs target, the postgresql fullchain.pem and
+# privkey.pem should be available. Copy those to the postgre SSL folder.
+
+PG_DOMAIN=pg.monotremata.xyz
+PG_SSL_PATH=/mnt/docker_volumes/postgres/ssl
+
+$(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/fullchain.pem: fetch_certs
+$(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/privkey.pem: fetch_certs
+
+$(PG_SSL_PATH)/server.crt: $(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/fullchain.pem
+	mkdir -p $(PG_SSL_PATH)
+	rsync --copy-links \
+		$(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/fullchain.pem \
+		$(PG_SSL_PATH)/server.crt
+
+$(PG_SSL_PATH)/server.key: $(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/privkey.pem
+	mkdir -p $(PG_SSL_PATH)
+	rsync --copy-links \
+		$(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/privkey.pem \
+		$(PG_SSL_PATH)/server.key
+
+refresh_pg: $(PG_SSL_PATH)/server.crt $(PG_SSL_PATH)/server.key
diff --git a/rsync_letsencrypt/README.md b/rsync_letsencrypt/README.md
new file mode 100644
index 0000000..fdf8ba9
--- /dev/null
+++ b/rsync_letsencrypt/README.md
@@ -0,0 +1,7 @@
+# rsync letsencrypt
+
+This DAG pulls my letsencrypt certificates from my public server that issues
+and renews them using rsync.
+
+If any certificate has been updated, it reloads my Nginx reverse proxy
+instance and updates the certificates for my PostgreSQL instance.