diff --git a/letsencrypt_renew/Makefile b/letsencrypt_renew/Makefile
new file mode 100644
index 0000000..6843dd0
--- /dev/null
+++ b/letsencrypt_renew/Makefile
@@ -0,0 +1,53 @@
+WD=/var/lib/dags/letsencrypt_renew
+
+RENEW=$(WD)/renewed_certs
+NGINX_RELOAD=$(WD)/nginx_reload
+PROSODY_IMPORT=$(WD)/prosody_import
+PROSODY_RELOAD=$(WD)/prosody_reload
+
+.PHONY: all
+
+all: $(RENEW) $(NGINX_RELOAD) $(PROSODY_RELOAD)
+
+################################################################################
+
+LETSENCRYPT_COMPOSE_FILE=/srv/services/letsencrypt/docker-compose.yml
+
+$(RENEW):
+ mkdir -p $(@D)
+ docker-compose \
+ --file $(LETSENCRYPT_COMPOSE_FILE) \
+ run --rm certbot \
+ renew --deploy-hook "touch $@"
+
+################################################################################
+
+NGINX_COMPOSE_FILE=/srv/services/www/docker-compose.yml
+
+$(NGINX_RELOAD): $(RENEW)
+ mkdir -p $(@D)
+ docker-compose \
+ --file $(NGINX_COMPOSE_FILE) \
+ exec nginx \
+ nginx -s reload
+ touch $@
+
+################################################################################
+
+PROSODY_COMPOSE_FILE=/srv/services/xmpp/docker-compose.yml
+
+$(PROSODY_IMPORT): $(RENEW)
+ mkdir -p $(@D)
+ docker-compose \
+ --file $(PROSODY_COMPOSE_FILE) \
+ exec prosody \
+ prosodyctl --root cert import /etc/letsencrypt/live
+ touch $@
+
+$(PROSODY_RELOAD): $(PROSODY_IMPORT)
+ mkdir -p $(@D)
+ docker-compose \
+ --file $(PROSODY_COMPOSE_FILE) \
+ exec prosody \
+ prosodyctl reload
+ touch $@
diff --git a/letsencrypt_renew/README.md b/letsencrypt_renew/README.md
new file mode 100644
index 0000000..9746398
--- /dev/null
+++ b/letsencrypt_renew/README.md
@@ -0,0 +1,11 @@
+# letsencrypt renew
+
+This DAG renews Letsencrypt certificates using certbot.
+
+If certificates are renewed, NGINX is reload to pick up the new ones and
+prosody imports the new certificates and realods too.
+
+## TODO
+
+I should probably only realod services when their specific certificates have
+been renewed.
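Review bot: `$(RENEW)` in the Makefile hunk has no prerequisites, so once `renewed_certs` exists on the host make treats it as up to date and the certbot `renew` recipe never runs again, while a run in which nothing is renewed leaves the stamp missing and still remakes both reload targets; unless the DAG deletes the stamps between runs (not shown here), the graph does roughly the opposite of what the README describes. Forcing the renew step every time, `$(RENEW): FORCE` with `FORCE:` added to `.PHONY`, keeps certbot running on each invocation while the stamp mtime chain still gates the reload targets. Separately, the deploy hook `touch $@` executes inside the certbot container, so it only updates the host-side stamp if `$(WD)` is mounted into that service in `$(LETSENCRYPT_COMPOSE_FILE)`; a comment such as `# $(WD) must be mounted into the certbot service so the deploy hook can touch the stamp` would make that requirement visible. The three `docker-compose exec` recipes also allocate a pseudo-TTY by default, which fails when the DAG runs without one; `exec -T` avoids that.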