README: add letsencrypt configuration

README.md

@@ -92,13 +92,16 @@ production néccessite **une installation de Debian Bullseye ou plus récent**.
     $ sudo chmod g+rwx -R static media
     ```
 
-3.  **Configuration de UWSGI et NGINX.**
+3.  **Configuration de UWSGI, NGINX et Let's Encrypt.**
 
     ```bash
     $ sudo cp docs/uwsgi_photos.ini /etc/uwsgi/apps-available/uwsgi_photos.ini
     $ sudo ln -s /etc/uwsgi/apps-available/uwsgi_photos.ini /etc/uwsgi/apps-enabled/
     $ sudo cp docs/nginx_photos /etc/nginx/sites-available/photos.crans.org
     $ sudo ln -s /etc/nginx/sites-available/photos.crans.org /etc/nginx/sites-enabled/
+    $ sudo cp docs/letsencrypt_photos.crans.org /etc/letsencrypt/conf.d/photos.crans.org
+    $ sudo cp docs/renewal-hooks_post_nginx /etc/letsencrypt/renewal-hooks/post/nginx
+    $ sudo certbot --config /etc/letsencrypt/conf.d/photos.crans.org.ini certonly
     ```
 
 4.  **Base de données.**

docs/letsencrypt_photos.crans.org

@@ -0,0 +1,21 @@
+# To generate the certificate, please use the following command
+# certbot --config /etc/letsencrypt/conf.d/photos.crans.org.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Uncomment and update to register with the specified e-mail address
+email = photos@crans.org
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Yes I want to sell my soul and my guinea pig.
+# UNCOMMENT ME when deploying this file to agree to terms
+#agree-tos = True
+
+# Use NGINX challenge
+authenticator = nginx
+
+cert-name = photos.crans.org
+domains = photos.crans.org

docs/renewal-hooks_post_nginx

@@ -0,0 +1,2 @@
+#!/bin/bash
+nginx -t && nginx -s reload