Save the script: `vim /etc/letsencrypt/renewal-hooks/deploy/sync-to-passive.sh`

Make it executable: `chmod +x /etc/letsencrypt/renewal-hooks/deploy/sync-to-passive.sh`

Add the user: `useradd -r -s /bin/bash -m certbot`

Configure SSH key auth:
```
ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519_certbot -N ""
ssh-copy-id -i /root/.ssh/id_ed25519_certbot certbot@tywaf12.firstderivatives.com
```

Create the log directory:
```
mkdir -p /var/log/letsencrypt
touch /var/log/letsencrypt/sync.log
```

Put the sudo rules in place (`vim /etc/sudoers.d/certbot`):
```
# Allow certbot user to sync certificates and reload web server without password
certbot ALL=(ALL) NOPASSWD: /usr/bin/rsync
certbot ALL=(ALL) NOPASSWD: /bin/systemctl reload nginx
```

Add the SSH client config on the Primary:
```
tee -a /root/.ssh/config << EOF
Host passive-certbot
    HostName tywaf12.firstderivatives.com
    User certbot
    IdentityFile /root/.ssh/id_ed25519_certbot
EOF
```

Testing:
```
ssh certbot@tywaf12.firstderivatives.com 'sudo rsync --version'
ssh certbot@tywaf12.firstderivatives.com 'sudo systemctl reload nginx'
```
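The deploy hook itself is not shown above; the following is a constructed version added here (not the page's own `sync-to-passive.sh`) that ties together the pieces the steps set up: the `passive-certbot` SSH alias, the `sudo rsync` and `sudo systemctl reload nginx` rules, and `/var/log/letsencrypt/sync.log`. It assumes certbot's deploy-hook environment (`RENEWED_LINEAGE=/etc/letsencrypt/live/<name>`, `RENEWED_DOMAINS`) and that `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` already exist on the passive node; before touching the network it checks that the lineage path is a plain directory directly under `live/`.

```shell
#!/bin/sh
# sync-to-passive.sh: certbot deploy hook (constructed example, not the original script).
# Assumes the "passive-certbot" alias from /root/.ssh/config, the sudoers rules above,
# and certbot's deploy-hook environment (RENEWED_LINEAGE=/etc/letsencrypt/live/<name>).
set -eu

LOG=/var/log/letsencrypt/sync.log
REMOTE=passive-certbot
LE_DIR=/etc/letsencrypt

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG"
}

# Reduce RENEWED_LINEAGE to a bare lineage name; reject anything that is not a
# plain directory directly under live/ (no nested paths, no "..", no empty name).
lineage_name() {
    case "$1" in
        "$LE_DIR"/live/*/*|*..*) return 1 ;;
        "$LE_DIR"/live/?*) printf '%s\n' "${1#"$LE_DIR"/live/}" ;;
        *) return 1 ;;
    esac
}

# Push one lineage. live/<name> holds symlinks into archive/<name>, so copy both
# with -a (keeps symlinks and modes); --rsync-path matches the "sudo rsync" rule.
sync_lineage() {
    for sub in live archive; do
        rsync -a --delete --rsync-path='sudo rsync' \
            "$LE_DIR/$sub/$1/" "$REMOTE:$LE_DIR/$sub/$1/" || return 1
    done
    ssh "$REMOTE" 'sudo systemctl reload nginx'
}

main() {
    name=$(lineage_name "${RENEWED_LINEAGE:-}") ||
        { log "refusing unexpected lineage path: ${RENEWED_LINEAGE:-<unset>}"; exit 1; }
    sync_lineage "$name" ||
        { log "FAILED to sync $name to $REMOTE"; exit 1; }
    log "synced $name (${RENEWED_DOMAINS:-?}) to $REMOTE and reloaded nginx"
}

# Only act when certbot invokes this as a deploy hook; sourcing the file does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Because the sudoers rule lets `certbot` run any `rsync` invocation as root on the passive node, the primary's `/root/.ssh/id_ed25519_certbot` is effectively a root credential for that host and should stay readable by root only.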