1. Decide on a global path like `/run/http/restart`.
2. Give your LE script access to write there.
3. Use a `.path` unit to trigger on the file above being created, triggering a one-liner that, running as root, restarts apache and deletes the file again.

This way your “run as root” is limited to that one, tiny script.
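
A sketch of the two systemd units this describes, added here as an illustration and not part of the original comment. The unit names `httpd-restart.path` and `httpd-restart.service`, the `apache2.service` name and the `/usr/bin` paths are assumptions; `/run/http` is assumed to exist already and to be writable by the renewal user.

```ini
# /etc/systemd/system/httpd-restart.path  (hypothetical unit name)
[Unit]
Description=Watch for a restart request from the certificate renewal script

[Path]
# Fires as soon as the flag file exists. The unprivileged renewal script
# only needs write access to /run/http, nothing else.
PathExists=/run/http/restart
Unit=httpd-restart.service

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/httpd-restart.service  (hypothetical unit name)
[Unit]
Description=Restart Apache after certificate renewal

[Service]
# No User= line, so this runs as root: this is the whole privileged surface.
Type=oneshot
# Delete the flag first, so a failed restart does not leave it in place
# and make the path unit fire again for the same request.
ExecStart=/usr/bin/rm -f /run/http/restart
# The command is fixed here; the content of the flag file is never read.
ExecStart=/usr/bin/systemctl restart apache2.service
```

Only the `.path` unit needs enabling (`systemctl enable --now httpd-restart.path`); the renewal script then requests a restart with `touch /run/http/restart`.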