Update OTP install docs to use certbot nginx plugin

docs/docs/installation/alpine_linux_en.md

@@ -145,47 +145,13 @@ If you want to open your newly installed instance to the world, you should run n
 doas apk add nginx
 ```
 
-* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
-
-```shell
-doas apk add certbot
-```
-
-and then set it up:
-
-```shell
-doas mkdir -p /var/lib/letsencrypt/
-doas certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
-```
-
-If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
-
 * Copy the example nginx configuration to the nginx folder
 
 ```shell
 doas cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.conf
 ```
 
-* Before starting nginx edit the configuration and change it to your needs. You must change change `server_name` and the paths to the certificates. You can use `nano` (install with `apk add nano` if missing).
-
-```
-server {
-    server_name    your.domain;
-    listen         80;
-    ...
-}
-
-server {
-    server_name your.domain;
-    listen 443 ssl http2;
-    ...
-    ssl_trusted_certificate   /etc/letsencrypt/live/your.domain/chain.pem;
-    ssl_certificate           /etc/letsencrypt/live/your.domain/fullchain.pem;
-    ssl_certificate_key       /etc/letsencrypt/live/your.domain/privkey.pem;
-    ...
-}
-```
-
+* Before starting nginx edit the configuration and change it to your needs. You must change change `server_name`. You can use `nano` (install with `apk add nano` if missing).
 * Enable and start nginx:
 
 ```shell
@@ -193,10 +159,37 @@ doas rc-update add nginx
 doas rc-service nginx start
 ```
 
-If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
+* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
 
 ```shell
-doas certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
+doas apk add certbot certbot-nginx
+```
+
+and then set it up:
+
+```shell
+doas mkdir -p /var/lib/letsencrypt/
+doas certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
+To automatically renew, set up a cron job like so:
+
+```shell
+# Enable the crond service
+doas rc-update add crond
+doas rc-service crond start
+
+# Test that renewals work
+doas certbot renew --cert-name yourinstance.tld --nginx --dry-run
+
+# Add the renewal task to cron
+echo '#!/bin/sh
+certbot renew --cert-name yourinstance.tld --nginx
+' | doas tee /etc/periodic/daily/renew-akkoma-cert
+doas chmod +x /etc/periodic/daily/renew-akkoma-cert
+
 ```
 
 #### OpenRC service

docs/docs/installation/fedora_based_en.md

@@ -135,23 +135,6 @@ If you want to open your newly installed instance to the world, you should run n
 sudo dnf install nginx
 ```
 
-* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
-
-```shell
-sudo dnf install certbot
-```
-
-and then set it up:
-
-```shell
-sudo mkdir -p /var/lib/letsencrypt/
-sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
-```
-
-If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
-
----
-
 * Copy the example nginx configuration and activate it:
 
 ```shell
@@ -165,12 +148,23 @@ sudo cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.con
 sudo systemctl enable --now nginx.service
 ```
 
-If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
+* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
 
 ```shell
-sudo certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
+sudo dnf install certbot python3-certbot-nginx
 ```
 
+and then set it up:
+
+```shell
+sudo certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
+Certificate renewal should be handled automatically by Certbot from now on.
+
+
 #### Other webserver/proxies
 
 You can find example configurations for them in `/opt/akkoma/installation/`.

docs/docs/installation/gentoo_en.md

@@ -201,25 +201,6 @@ Assuming you want to open your newly installed federated social network to, well
 include sites-enabled/*;
 ```
 
-* Setup your SSL cert, using your method of choice or certbot. If using certbot, install it if you haven't already:
-
-```shell
- # emerge --ask app-crypt/certbot app-crypt/certbot-nginx
-```
-
-and then set it up:
-
-```shell
- # mkdir -p /var/lib/letsencrypt/
- # certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
-```
-
-If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again). Often the answer to issues with certbot is to use the `--nginx` flag once you have nginx up and running.
-
-If you are using any additional subdomains, such as for a media proxy, you can re-run the same command with the subdomain in question. When it comes time to renew later, you will not need to run multiple times for each domain, one renew will handle it.
-
----
-
 * Copy the example nginx configuration and activate it:
 
 ```shell
@@ -237,9 +218,24 @@ Pay special attention to the line that begins with `ssl_ecdh_curve`. It is stong
 
 ```shell
  # rc-update add nginx default
- # /etc/init.d/nginx start
+ # rc-service nginx start
 ```
 
+* Setup your SSL cert, using your method of choice or certbot. If using certbot, install it if you haven't already:
+
+```shell
+ # emerge --ask app-crypt/certbot app-crypt/certbot-nginx
+```
+
+and then set it up:
+
+```shell
+ # mkdir -p /var/lib/letsencrypt/
+ # certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
 If you are using certbot, it is HIGHLY recommend you set up a cron job that renews your certificate, and that you install the suggested `certbot-nginx` plugin. If you don't do these things, you only have yourself to blame when your instance breaks suddenly because you forgot about it.
 
 First, ensure that the command you will be installing into your crontab works.

docs/docs/installation/otp_en.md

@@ -9,7 +9,7 @@ This guide covers a installation using an OTP release. To install Akkoma from so
 * For installing OTP releases on RedHat-based distros like Fedora and Centos Stream, please follow [this guide](./otp_redhat_en.md) instead.
 * A (sub)domain pointed to the machine
 
-You will be running commands as root. If you aren't root already, please elevate your priviledges by executing `sudo su`/`su`.
+You will be running commands as root. If you aren't root already, please elevate your priviledges by executing `sudo -i`/`su`.
 
 While in theory OTP releases are possbile to install on any compatible machine, for the sake of simplicity this guide focuses only on Debian/Ubuntu and Alpine.
 
@@ -176,11 +176,6 @@ su akkoma -s $SHELL -lc "./bin/pleroma stop"
 
 ### Setting up nginx and getting Let's Encrypt SSL certificaties
 
-#### Get a Let's Encrypt certificate
-```sh
-certbot certonly --standalone --preferred-challenges http -d yourinstance.tld
-```
-
 #### Copy Akkoma nginx configuration to the nginx folder
 
 The location of nginx configs is dependent on the distro
@@ -209,6 +204,14 @@ $EDITOR path-to-nginx-config
 # Verify that the config is valid
 nginx -t
 ```
+
+#### Get a Let's Encrypt certificate
+```sh
+certbot --nginx -d yourinstance.tld -d media.yourinstance.tld
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
 #### Start nginx
 
 === "Alpine"
@@ -252,32 +255,19 @@ If everything worked, you should see Akkoma-FE when visiting your domain. If tha
 ## Post installation
 
 ### Setting up auto-renew of the Let's Encrypt certificate
-```sh
-# Create the directory for webroot challenges
-mkdir -p /var/lib/letsencrypt
-
-# Uncomment the webroot method
-$EDITOR path-to-nginx-config
-
-# Verify that the config is valid
-nginx -t
-```
 
 === "Alpine"
     ```
-    # Restart nginx
-    rc-service nginx restart
-
     # Start the cron daemon and make it start on boot
     rc-service crond start
     rc-update add crond
 
     # Ensure the webroot menthod and post hook is working
-    certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --dry-run --post-hook 'rc-service nginx reload'
+    certbot renew --cert-name yourinstance.tld --nginx --dry-run
 
     # Add it to the daily cron
     echo '#!/bin/sh
-    certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "rc-service nginx reload"
+    certbot renew --cert-name yourinstance.tld --nginx
     ' > /etc/periodic/daily/renew-akkoma-cert
     chmod +x /etc/periodic/daily/renew-akkoma-cert
 
@@ -286,22 +276,7 @@ nginx -t
     ```
 
 === "Debian/Ubuntu"
-    ```
-    # Restart nginx
-    systemctl restart nginx
-
-    # Ensure the webroot menthod and post hook is working
-    certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --dry-run --post-hook 'systemctl reload nginx'
-
-    # Add it to the daily cron
-    echo '#!/bin/sh
-    certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
-    ' > /etc/cron.daily/renew-akkoma-cert
-    chmod +x /etc/cron.daily/renew-akkoma-cert
-
-    # If everything worked the output should contain /etc/cron.daily/renew-akkoma-cert
-    run-parts --test /etc/cron.daily
-    ```
+    This should be automatically enabled with the `certbot-renew.timer` systemd unit.
 
 ## Create your first user and set as admin
 ```sh

docs/docs/installation/otp_redhat_en.md

@@ -82,6 +82,7 @@ Other than things bundled in the OTP release Akkoma depends on:
 * PostgreSQL (also utilizes extensions in postgresql-contrib)
 * nginx (could be swapped with another reverse proxy but this guide covers only it)
 * certbot (for Let's Encrypt certificates, could be swapped with another ACME client, but this guide covers only it)
+    * If you are using certbot, also install the `python3-certbot-nginx` package for the nginx plugin
 * libmagic/file
 
 First, update your system, if not already done:
@@ -169,12 +170,6 @@ sudo -Hu akkoma ./bin/pleroma stop
 
 ### Setting up nginx and getting Let's Encrypt SSL certificaties
 
-#### Get a Let's Encrypt certificate
-
-```shell
-certbot certonly --standalone --preferred-challenges http -d yourinstance.tld
-```
-
 #### Copy Akkoma nginx configuration to the nginx folder
 
 ```shell
@@ -195,8 +190,15 @@ sudo nginx -t
 sudo systemctl start nginx
 ```
 
-At this point if you open your (sub)domain in a browser you should see a 502 error, that's because Akkoma is not started yet.
+#### Get a Let's Encrypt certificate
 
+```shell
+sudo certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
+If you're successful with obtaining the certificates, opening your (sub)domain in a browser will result in a 502 error, since Akkoma hasn't been started yet.
 
 ### Setting up a system service
 
@@ -239,19 +241,11 @@ sudo nginx -t
 # Restart nginx
 sudo systemctl restart nginx
 
-# Ensure the webroot menthod and post hook is working
-sudo certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --dry-run --post-hook 'systemctl reload nginx'
-
-# Add it to the daily cron
-echo '#!/bin/sh
-certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
-' > /etc/cron.daily/renew-akkoma-cert
-sudo chmod +x /etc/cron.daily/renew-akkoma-cert
-
-# If everything worked the output should contain /etc/cron.daily/renew-akkoma-cert
-sudo run-parts --test /etc/cron.daily
+# Test that renewals work properly
+sudo certbot renew --cert-name yourinstance.tld --nginx --dry-run
 ```
 
+Assuming the commands were run successfully, certbot should be able to renew your certificates automatically via the `certbot-renew.timer` systemd unit.
 
 ## Create your first user and set as admin
 ```shell