From 3b4ab05952a3ff50025bb1d1523dca55eadad026 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Wed, 12 Oct 2022 11:12:31 +0200 Subject: [PATCH] README: add letsencrypt configuration --- README.md | 5 ++++- docs/letsencrypt_photos.crans.org | 21 +++++++++++++++++++++ docs/renewal-hooks_post_nginx | 2 ++ 3 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 docs/letsencrypt_photos.crans.org create mode 100755 docs/renewal-hooks_post_nginx diff --git a/README.md b/README.md index 3a83eaf..debbd13 100644 --- a/README.md +++ b/README.md @@ -92,13 +92,16 @@ production néccessite **une installation de Debian Bullseye ou plus récent**. $ sudo chmod g+rwx -R static media ``` -3. **Configuration de UWSGI et NGINX.** +3. **Configuration de UWSGI, NGINX et Let's Encrypt.** ```bash $ sudo cp docs/uwsgi_photos.ini /etc/uwsgi/apps-available/uwsgi_photos.ini $ sudo ln -s /etc/uwsgi/apps-available/uwsgi_photos.ini /etc/uwsgi/apps-enabled/ $ sudo cp docs/nginx_photos /etc/nginx/sites-available/photos.crans.org $ sudo ln -s /etc/nginx/sites-available/photos.crans.org /etc/nginx/sites-enabled/ + $ sudo cp docs/letsencrypt_photos.crans.org /etc/letsencrypt/conf.d/photos.crans.org + $ sudo cp docs/renewal-hooks_post_nginx /etc/letsencrypt/renewal-hooks/post/nginx + $ sudo certbot --config /etc/letsencrypt/conf.d/photos.crans.org.ini certonly ``` 4. **Base de données.** diff --git a/docs/letsencrypt_photos.crans.org b/docs/letsencrypt_photos.crans.org new file mode 100644 index 0000000..27fb91f --- /dev/null +++ b/docs/letsencrypt_photos.crans.org 
@@ -0,0 +1,21 @@
+# To generate the certificate, please use the following command
+# certbot --config /etc/letsencrypt/conf.d/photos.crans.org.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Uncomment and update to register with the specified e-mail address
+email = photos@crans.org
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Yes I want to sell my soul and my guinea pig.
+# UNCOMMENT ME when deploying this file to agree to terms
+#agree-tos = True
+
+# Use NGINX challenge
+authenticator = nginx
+
+cert-name = photos.crans.org
+domains = photos.crans.org
diff --git a/docs/renewal-hooks_post_nginx b/docs/renewal-hooks_post_nginx
new file mode 100755
index 0000000..b57d0c9
--- /dev/null
+++ b/docs/renewal-hooks_post_nginx
@@ -0,0 +1,2 @@
+#!/bin/bash
+nginx -t && nginx -s reload
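Review bot: The usage comment at the top of docs/letsencrypt_photos.crans.org names a path that the README step in this same commit never creates. The comment and the README's certbot command both use `/etc/letsencrypt/conf.d/photos.crans.org.ini`, while the README copies the file to `/etc/letsencrypt/conf.d/photos.crans.org`, so certbot would presumably not find its configuration when the steps are followed as written. Making the copy destination end in `.ini` would align all three. Separately, the comments above `email` and `text` still say "Uncomment…" although both settings are already active; `# Register with this e-mail address` and `# Use the text interface instead of ncurses` would describe what the file actually does.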
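Review bot: The reload in `nginx -t && nginx -s reload` is wired as a `post` hook (per the file name and the README copy step), so it runs after every renewal attempt, including failed ones, rather than only when a certificate was actually replaced. Installing the script under `/etc/letsencrypt/renewal-hooks/deploy/` instead would limit it to successful renewals. As far as I know certbot runs these hook directories for `certbot renew` only, so nginx may still need a manual reload after the initial `certonly` from the README; a one-line header comment such as `# Reload nginx after renewal; not run by the initial "certbot certonly"` would record that.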