Merge pull request 'Update nginx config and install docs to use certbot's nginx plugin' (#752) from norm/akkoma:docs-nginx-certbot into develop

Reviewed-on: #752
2024-04-24 17:08:39 +00:00 · 2024-04-24 17:08:39 +00:00 · 06847ca5f8
parent 80e1c094c7 0fa3fbf55e
commit 06847ca5f8
8 changed files with 155 additions and 229 deletions
--- a/docs/docs/installation/alpine_linux_en.md
+++ b/docs/docs/installation/alpine_linux_en.md
@ -145,47 +145,13 @@ If you want to open your newly installed instance to the world, you should run n
 doas apk add nginx
 ```

-* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
-
-```shell
-doas apk add certbot
-```
-
-and then set it up:
-
-```shell
-doas mkdir -p /var/lib/letsencrypt/
-doas certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
-```
-
-If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
-
 * Copy the example nginx configuration to the nginx folder

 ```shell
 doas cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.conf
 ```

-* Before starting nginx edit the configuration and change it to your needs. You must change change `server_name` and the paths to the certificates. You can use `nano` (install with `apk add nano` if missing).
-
-```
-server {
-    server_name    your.domain;
-    listen         80;
-    ...
-}
-
-server {
-    server_name your.domain;
-    listen 443 ssl http2;
-    ...
-    ssl_trusted_certificate   /etc/letsencrypt/live/your.domain/chain.pem;
-    ssl_certificate           /etc/letsencrypt/live/your.domain/fullchain.pem;
-    ssl_certificate_key       /etc/letsencrypt/live/your.domain/privkey.pem;
-    ...
-}
-```
-
+* Before starting nginx edit the configuration and change it to your needs. You must change change `server_name`. You can use `nano` (install with `apk add nano` if missing).
 * Enable and start nginx:

 ```shell
@ -193,10 +159,37 @@ doas rc-update add nginx
 doas rc-service nginx start
 ```

-If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
+* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:

 ```shell
-doas certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
+doas apk add certbot certbot-nginx
+```
+
+and then set it up:
+
+```shell
+doas mkdir -p /var/lib/letsencrypt/
+doas certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
+To automatically renew, set up a cron job like so:
+
+```shell
+# Enable the crond service
+doas rc-update add crond
+doas rc-service crond start
+
+# Test that renewals work
+doas certbot renew --cert-name yourinstance.tld --nginx --dry-run
+
+# Add the renewal task to cron
+echo '#!/bin/sh
+certbot renew --cert-name yourinstance.tld --nginx
+' | doas tee /etc/periodic/daily/renew-akkoma-cert
+doas chmod +x /etc/periodic/daily/renew-akkoma-cert
+
 ```

 #### OpenRC service
--- a/docs/docs/installation/arch_linux_en.md
+++ b/docs/docs/installation/arch_linux_en.md
@ -136,16 +136,17 @@ If you want to open your newly installed instance to the world, you should run n
 sudo pacman -S nginx
 ```

-* Create directories for available and enabled sites:
+* Copy the example nginx configuration:

 ```shell
-sudo mkdir -p /etc/nginx/sites-{available,enabled}
+sudo cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.conf
 ```

-* Append the following line at the end of the `http` block in `/etc/nginx/nginx.conf`:
+* Before starting nginx edit the configuration and change it to your needs (e.g. change servername, change cert paths)
+* Enable and start nginx:

-```Nginx
-include sites-enabled/*;
+```shell
+sudo systemctl enable --now nginx.service
 ```

 * Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
@ -158,32 +159,18 @@ and then set it up:

 ```shell
 sudo mkdir -p /var/lib/letsencrypt/
-sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
+sudo certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
 ```

-If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.

---
-
-* Copy the example nginx configuration and activate it:
+To make sure renewals work, enable the appropriate systemd timer:

 ```shell
-sudo cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/sites-available/akkoma.nginx
-sudo ln -s /etc/nginx/sites-available/akkoma.nginx /etc/nginx/sites-enabled/akkoma.nginx
+sudo systemctl enable --now certbot-renew.timer
 ```

-* Before starting nginx edit the configuration and change it to your needs (e.g. change servername, change cert paths)
-* Enable and start nginx:
-
-```shell
-sudo systemctl enable --now nginx.service
-```
-
-If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
-
-```shell
-sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
-```
+Certificate renewal should be handled automatically by Certbot from now on.

 #### Other webserver/proxies

--- a/docs/docs/installation/debian_based_en.md
+++ b/docs/docs/installation/debian_based_en.md
@ -155,23 +155,6 @@ If you want to open your newly installed instance to the world, you should run n
 sudo apt install nginx
 ```

-* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
-
-```shell
-sudo apt install certbot
-```
-
-and then set it up:
-
-```shell
-sudo mkdir -p /var/lib/letsencrypt/
-sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
-```
-
-If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
-
---
-
 * Copy the example nginx configuration and activate it:

 ```shell
@ -186,12 +169,23 @@ sudo ln -s /etc/nginx/sites-available/akkoma.nginx /etc/nginx/sites-enabled/akko
 sudo systemctl enable --now nginx.service
 ```

-If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
+* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:

 ```shell
-sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
+sudo apt install certbot python3-certbot-nginx
 ```

+and then set it up:
+
+```shell
+sudo mkdir -p /var/lib/letsencrypt/
+sudo certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
+Certificate renewal should be handled automatically by Certbot from now on.
+
 #### Other webserver/proxies

 You can find example configurations for them in `/opt/akkoma/installation/`.
--- a/docs/docs/installation/fedora_based_en.md
+++ b/docs/docs/installation/fedora_based_en.md
@ -135,23 +135,6 @@ If you want to open your newly installed instance to the world, you should run n
 sudo dnf install nginx
 ```

-* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
-
-```shell
-sudo dnf install certbot
-```
-
-and then set it up:
-
-```shell
-sudo mkdir -p /var/lib/letsencrypt/
-sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
-```
-
-If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
-
---
-
 * Copy the example nginx configuration and activate it:

 ```shell
@ -165,12 +148,23 @@ sudo cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.con
 sudo systemctl enable --now nginx.service
 ```

-If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
+* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:

 ```shell
-sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
+sudo dnf install certbot python3-certbot-nginx
 ```

+and then set it up:
+
+```shell
+sudo certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
+Certificate renewal should be handled automatically by Certbot from now on.
+
+
 #### Other webserver/proxies

 You can find example configurations for them in `/opt/akkoma/installation/`.
--- a/docs/docs/installation/gentoo_en.md
+++ b/docs/docs/installation/gentoo_en.md
@ -201,25 +201,6 @@ Assuming you want to open your newly installed federated social network to, well
 include sites-enabled/*;
 ```

-* Setup your SSL cert, using your method of choice or certbot. If using certbot, install it if you haven't already:
-
-```shell
- # emerge --ask app-crypt/certbot app-crypt/certbot-nginx
-```
-
-and then set it up:
-
-```shell
- # mkdir -p /var/lib/letsencrypt/
- # certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
-```
-
-If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again). Often the answer to issues with certbot is to use the `--nginx` flag once you have nginx up and running.
-
-If you are using any additional subdomains, such as for a media proxy, you can re-run the same command with the subdomain in question. When it comes time to renew later, you will not need to run multiple times for each domain, one renew will handle it.
-
---
-
 * Copy the example nginx configuration and activate it:

 ```shell
@ -237,9 +218,24 @@ Pay special attention to the line that begins with `ssl_ecdh_curve`. It is stong

 ```shell
 # rc-update add nginx default
- # /etc/init.d/nginx start
+ # rc-service nginx start
 ```

+* Setup your SSL cert, using your method of choice or certbot. If using certbot, install it if you haven't already:
+
+```shell
+ # emerge --ask app-crypt/certbot app-crypt/certbot-nginx
+```
+
+and then set it up:
+
+```shell
+ # mkdir -p /var/lib/letsencrypt/
+ # certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
 If you are using certbot, it is HIGHLY recommend you set up a cron job that renews your certificate, and that you install the suggested `certbot-nginx` plugin. If you don't do these things, you only have yourself to blame when your instance breaks suddenly because you forgot about it.

 First, ensure that the command you will be installing into your crontab works.
--- a/docs/docs/installation/otp_en.md
+++ b/docs/docs/installation/otp_en.md
@ -9,7 +9,7 @@ This guide covers a installation using an OTP release. To install Akkoma from so
 * For installing OTP releases on RedHat-based distros like Fedora and Centos Stream, please follow [this guide](./otp_redhat_en.md) instead.
 * A (sub)domain pointed to the machine

-You will be running commands as root. If you aren't root already, please elevate your priviledges by executing `sudo su`/`su`.
+You will be running commands as root. If you aren't root already, please elevate your priviledges by executing `sudo -i`/`su`.

 While in theory OTP releases are possbile to install on any compatible machine, for the sake of simplicity this guide focuses only on Debian/Ubuntu and Alpine.

@ -176,11 +176,6 @@ su akkoma -s $SHELL -lc "./bin/pleroma stop"

 ### Setting up nginx and getting Let's Encrypt SSL certificaties

-#### Get a Let's Encrypt certificate
-```sh
-certbot certonly --standalone --preferred-challenges http -d yourinstance.tld
-```
-
 #### Copy Akkoma nginx configuration to the nginx folder

 The location of nginx configs is dependent on the distro
@ -209,6 +204,14 @@ $EDITOR path-to-nginx-config
 # Verify that the config is valid
 nginx -t
 ```
+
+#### Get a Let's Encrypt certificate
+```sh
+certbot --nginx -d yourinstance.tld -d media.yourinstance.tld
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
 #### Start nginx

 === "Alpine"
@ -252,32 +255,19 @@ If everything worked, you should see Akkoma-FE when visiting your domain. If tha
 ## Post installation

 ### Setting up auto-renew of the Let's Encrypt certificate
-```sh
-# Create the directory for webroot challenges
-mkdir -p /var/lib/letsencrypt
-
-# Uncomment the webroot method
-$EDITOR path-to-nginx-config
-
-# Verify that the config is valid
-nginx -t
-```

 === "Alpine"
    ```
-    # Restart nginx
-    rc-service nginx restart
-
    # Start the cron daemon and make it start on boot
    rc-service crond start
    rc-update add crond

    # Ensure the webroot menthod and post hook is working
-    certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --dry-run --post-hook 'rc-service nginx reload'
+    certbot renew --cert-name yourinstance.tld --nginx --dry-run

    # Add it to the daily cron
    echo '#!/bin/sh
-    certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "rc-service nginx reload"
+    certbot renew --cert-name yourinstance.tld --nginx
    ' > /etc/periodic/daily/renew-akkoma-cert
    chmod +x /etc/periodic/daily/renew-akkoma-cert

@ -286,22 +276,7 @@ nginx -t
    ```

 === "Debian/Ubuntu"
-    ```
-    # Restart nginx
-    systemctl restart nginx
-
-    # Ensure the webroot menthod and post hook is working
-    certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --dry-run --post-hook 'systemctl reload nginx'
-
-    # Add it to the daily cron
-    echo '#!/bin/sh
-    certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
-    ' > /etc/cron.daily/renew-akkoma-cert
-    chmod +x /etc/cron.daily/renew-akkoma-cert
-
-    # If everything worked the output should contain /etc/cron.daily/renew-akkoma-cert
-    run-parts --test /etc/cron.daily
-    ```
+    This should be automatically enabled with the `certbot-renew.timer` systemd unit.

 ## Create your first user and set as admin
 ```sh
--- a/docs/docs/installation/otp_redhat_en.md
+++ b/docs/docs/installation/otp_redhat_en.md
@ -82,6 +82,7 @@ Other than things bundled in the OTP release Akkoma depends on:
 * PostgreSQL (also utilizes extensions in postgresql-contrib)
 * nginx (could be swapped with another reverse proxy but this guide covers only it)
 * certbot (for Let's Encrypt certificates, could be swapped with another ACME client, but this guide covers only it)
+    * If you are using certbot, also install the `python3-certbot-nginx` package for the nginx plugin
 * libmagic/file

 First, update your system, if not already done:
@ -169,12 +170,6 @@ sudo -Hu akkoma ./bin/pleroma stop

 ### Setting up nginx and getting Let's Encrypt SSL certificaties

-#### Get a Let's Encrypt certificate
-
-```shell
-certbot certonly --standalone --preferred-challenges http -d yourinstance.tld
-```
-
 #### Copy Akkoma nginx configuration to the nginx folder

 ```shell
@ -195,8 +190,15 @@ sudo nginx -t
 sudo systemctl start nginx
 ```

-At this point if you open your (sub)domain in a browser you should see a 502 error, that's because Akkoma is not started yet.
+#### Get a Let's Encrypt certificate

+```shell
+sudo certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
+If you're successful with obtaining the certificates, opening your (sub)domain in a browser will result in a 502 error, since Akkoma hasn't been started yet.

 ### Setting up a system service

@ -239,19 +241,11 @@ sudo nginx -t
 # Restart nginx
 sudo systemctl restart nginx

-# Ensure the webroot menthod and post hook is working
-sudo certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --dry-run --post-hook 'systemctl reload nginx'
-
-# Add it to the daily cron
-echo '#!/bin/sh
-certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
-' > /etc/cron.daily/renew-akkoma-cert
-sudo chmod +x /etc/cron.daily/renew-akkoma-cert
-
-# If everything worked the output should contain /etc/cron.daily/renew-akkoma-cert
-sudo run-parts --test /etc/cron.daily
+# Test that renewals work properly
+sudo certbot renew --cert-name yourinstance.tld --nginx --dry-run
 ```

+Assuming the commands were run successfully, certbot should be able to renew your certificates automatically via the `certbot-renew.timer` systemd unit.

 ## Create your first user and set as admin
 ```shell
--- a/installation/nginx/akkoma.nginx
+++ b/installation/nginx/akkoma.nginx
@ -1,10 +1,7 @@
 # default nginx site config for Akkoma
 #
-# Simple installation instructions:
-# 1. Install your TLS certificate, possibly using Let's Encrypt.
-# 2. Replace 'example.tld' with your instance's domain wherever it appears.
-# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
-#    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
+# See the documentation at docs.akkoma.dev for your particular distro/OS for
+# installation instructions.

 proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g
                 inactive=720m use_temp_path=off;
@ -15,25 +12,19 @@ upstream phoenix {
    server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
 }

-server {
-    server_name    example.tld;
-
-    listen         80;
-    listen         [::]:80;
-
-    # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
-    # that the directory exists and that it is accessible by the webserver. If you followed
-    # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
-    # You may need to load this file with the ssl server block commented out, run certbot
-    # to get the certificate, and then uncomment it.
-    #
-    # location ~ /\.well-known/acme-challenge {
-    #     root /var/lib/letsencrypt/;
-    # }
-    location / {
-      return         301 https://$server_name$request_uri;
-    }
-}
+# If you are setting up TLS certificates without certbot, uncomment the
+# following to enable HTTP -> HTTPS redirects. Certbot users don't need to do
+# this as it will automatically do this for you.
+# server {
+#     server_name    example.tld media.example.tld;
+#
+#     listen         80;
+#     listen         [::]:80;
+#
+#     location / {
+#         return         301 https://$server_name$request_uri;
+#     }
+# }

 # Enable SSL session caching for improved performance
 ssl_session_cache shared:ssl_session_cache:10m;
@ -41,22 +32,29 @@ ssl_session_cache shared:ssl_session_cache:10m;
 server {
    server_name example.tld;

-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
-    ssl_session_tickets off;
+    # Once certbot is set up, this will automatically be updated to listen to
+    # port 443 with TLS alongside a redirect from plaintext HTTP.
+    listen 80;
+    listen [::]:80;

-    ssl_trusted_certificate   /etc/letsencrypt/live/example.tld/chain.pem;
-    ssl_certificate           /etc/letsencrypt/live/example.tld/fullchain.pem;
-    ssl_certificate_key       /etc/letsencrypt/live/example.tld/privkey.pem;
+    # If you are not using Certbot, comment out the above and uncomment/edit the following
+#     listen 443 ssl http2;
+#     listen [::]:443 ssl http2;
+#     ssl_session_timeout 1d;
+#     ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+#     ssl_session_tickets off;
+#
+#     ssl_trusted_certificate   /etc/letsencrypt/live/example.tld/chain.pem;
+#     ssl_certificate           /etc/letsencrypt/live/example.tld/fullchain.pem;
+#     ssl_certificate_key       /etc/letsencrypt/live/example.tld/privkey.pem;
+#
+#     ssl_protocols TLSv1.2 TLSv1.3;
+#     ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+#     ssl_prefer_server_ciphers off;
+#     ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+#     ssl_stapling on;
+#     ssl_stapling_verify on;

-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-    ssl_prefer_server_ciphers off;
-    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
-    ssl_stapling on;
-    ssl_stapling_verify on;

    gzip_vary on;
    gzip_proxied any;
@ -86,27 +84,22 @@ server {

 # Upload and MediaProxy Subdomain
 # (see main domain setup for more details)
-server {
-    server_name    media.example.tld;
-
-    listen         80;
-    listen         [::]:80;
-
-    location / {
-      return         301 https://$server_name$request_uri;
-    }
-}
-
 server {
    server_name media.example.tld;

-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    # Same as above, will be updated to HTTPS once certbot is set up.
+    listen 80;
+    listen [::]:80;

-    ssl_trusted_certificate   /etc/letsencrypt/live/media.example.tld/chain.pem;
-    ssl_certificate           /etc/letsencrypt/live/media.example.tld/fullchain.pem;
-    ssl_certificate_key       /etc/letsencrypt/live/media.example.tld/privkey.pem;
-    # .. copy all other the ssl_* and gzip_* stuff from main domain
+    # If you are not using certbot, comment the above and copy all the ssl
+    # stuff from above into here.
+
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # the nginx default is 1m, not enough for large media uploads
    client_max_body_size 16m;