From 03ebc20ea46f16ca4aa8f993570712e255a6f2d2 Mon Sep 17 00:00:00 2001 From: Tom Foster Date: Fri, 27 Dec 2024 16:49:27 +0000 Subject: [PATCH] Conduwuit Sections added on deploying Conduwuit using Docker with either Caddy or Nginx, mainly covering the common Docker options and linking back to the official docs. --- src/SUMMARY.md | 7 ++ src/conduwuit/README.md | 65 ++++++++++ src/conduwuit/config.md | 120 ++++++++++++++++++ src/conduwuit/docker.md | 100 +++++++++++++++ src/conduwuit/reverse-proxies/README.md | 23 ++++ src/conduwuit/reverse-proxies/caddy.md | 114 +++++++++++++++++ src/conduwuit/reverse-proxies/nginx.md | 160 ++++++++++++++++++++++++ src/conduwuit/reverse-proxies/ssl.md | 129 +++++++++++++++++++ 8 files changed, 718 insertions(+) create mode 100644 src/conduwuit/README.md create mode 100644 src/conduwuit/config.md create mode 100644 src/conduwuit/docker.md create mode 100644 src/conduwuit/reverse-proxies/README.md create mode 100644 src/conduwuit/reverse-proxies/caddy.md create mode 100644 src/conduwuit/reverse-proxies/nginx.md create mode 100644 src/conduwuit/reverse-proxies/ssl.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index a38420e..622b2ac 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -1,6 +1,13 @@ # Table of Contents - [Welcome](welcome.md) +- [Matrix Conduwuit](conduwuit/README.md) + - [Docker Deployment](conduwuit/docker.md) + - [Configuration](conduwuit/config.md) + - [Reverse Proxies](conduwuit/reverse-proxies/README.md) + - [SSL Certificates](conduwuit/reverse-proxies/ssl.md) + - [Caddy Configuration](conduwuit/reverse-proxies/caddy.md) + - [Nginx Configuration](conduwuit/reverse-proxies/nginx.md) - [Matrix Synapse](synapse/README.md) - [Deployment](synapse/deployment/README.md) - [Docker Compose with Templates](synapse/deployment/docker.md) diff --git a/src/conduwuit/README.md b/src/conduwuit/README.md new file mode 100644 index 0000000..a6e8967 --- /dev/null +++ b/src/conduwuit/README.md 
@@ -0,0 +1,65 @@ +# Matrix Conduwuit Homeserver Guides + +This section provides comprehensive guides for deploying Conduwuit, a featureful fork of the Conduit +Matrix homeserver. Written in Rust, Conduwuit aims to be a high-performance and efficient homeserver +that's easy to set up and "just works". + +## Quick Start + +These Docker guides will walk you through: + +1. [Docker Deployment](docker.md) - Set up the Conduwuit container +2. [Server Configuration](config.md) - Configure your homeserver +3. [Reverse Proxies](reverse-proxies/README.md) - Set up external access + - [SSL Certificates](reverse-proxies/ssl.md) - Secure your server + - Choose your proxy: + - [Caddy](reverse-proxies/caddy.md) - Simple, automatic HTTPS + - [Nginx](reverse-proxies/nginx.md) - Popular and flexible + +## Deployment Options + +While these guides focus on Docker deployment, Conduwuit provides several installation options: + +- **Docker containers** (covered in this guide) +- **Debian packages** (.deb) for x86_64 and ARM64 +- **Static binaries** for Linux (x86_64/ARM64) and macOS (x86_64/ARM64) + +You can find all these options in the [official releases](https://github.com/girlbossceo/conduwuit/releases). +For non-Docker deployments, refer to the [generic deployment guide](https://conduwuit.puppyirl.gay/deploying/generic.html) +which covers setting up users, systemd services, and more. + +Conduwuit is quite stable and very usable as a daily driver for low-medium sized homeservers. While +technically in Beta (inherited from Conduit), this status is becoming less relevant as the codebase +significantly diverges from upstream Conduit. 
+ +Key features and differences from Conduit: + +- Written in Rust for high performance and memory efficiency +- Complete drop-in replacement for Conduit (when using RocksDB) +- Single-process architecture (no worker configuration needed) +- Actively maintained with regular updates +- Designed for stability and real-world use + +## Getting Help + +If you need assistance, you can join these Matrix rooms: + +- [#conduwuit:puppygock.gay](https://matrix.to/#/#conduwuit:puppygock.gay) - + Main support and discussion +- [#conduwuit-offtopic:girlboss.ceo](https://matrix.to/#/#conduwuit-offtopic:girlboss.ceo) - + Community chat +- [#conduwuit-dev:puppygock.gay](https://matrix.to/#/#conduwuit-dev:puppygock.gay) - + Development discussion + +Please review our [Community Code of Conduct](https://conduwuit.puppyirl.gay/conduwuit_coc.html) +before participating in these rooms. + +## Try It Out + +You can try Conduwuit on the official instance at `transfem.dev`, which provides both +[Element](https://element.transfem.dev) and [Cinny](https://cinny.transfem.dev) web clients. +This is a public homeserver listed on [servers.joinmatrix.org](https://servers.joinmatrix.org), +so please review the rules at [transfem.dev/homeserver_rules.txt](https://transfem.dev/homeserver_rules.txt) +before registering. + +Let's get started with deploying your own efficient Matrix homeserver! diff --git a/src/conduwuit/config.md b/src/conduwuit/config.md new file mode 100644 index 0000000..b1347da --- /dev/null +++ b/src/conduwuit/config.md 
@@ -0,0 +1,120 @@ +# Configuring Conduwuit + +This guide covers the essential Conduwuit configuration options for Docker deployments. For a +complete reference, see the [example configuration file](https://github.com/girlbossceo/conduwuit/blob/main/conduwuit-example.toml). + +## Example Configuration + +Start by downloading the example configuration file which includes comprehensive documentation for +all available options: + +```bash +curl -o data/conduwuit.toml https://raw.githubusercontent.com/girlbossceo/conduwuit/main/conduwuit-example.toml +``` + +## Core Settings + +These are the only required settings: + +```toml:conduwuit.toml +[global] +# Your server's domain name (required) +server_name = "server.name" + +# Trusted servers for key verification (recommended) +trusted_servers = ["envs.net", "beeper.com", "matrix.org"] +``` + +## Connection Settings + +Choose between TCP ports or Unix sockets: + +```toml:conduwuit.toml +# TCP Configuration +port = 6167 +address = "0.0.0.0" # For Docker + +# Or Unix Socket Configuration (recommended when possible) +unix_socket_path = "/run/conduwuit/conduwuit.sock" +unix_socket_perms = 666 +``` + +**Note:** If you're using Unix sockets, you'll need to ensure the `port` and `address` settings are +commented out or you'll get an error when Conduwuit launches. 
+ +## Federation and Security + +```toml:conduwuit.toml +# Federation Controls +allow_federation = true +allow_public_room_directory_over_federation = true +allow_profile_lookup_federation_requests = true + +# Registration Controls +allow_registration = true +registration_token = "your-secure-token-here" + +# Privacy Settings +allow_device_name_federation = false +allow_legacy_media = false # Enable to allow older clients and servers to load media +``` + +You can generate a secure registration token using this command: + +```bash +# Generate a 64-character random token +openssl rand -base64 48 | tr -d '/+' | cut -c1-64 +``` + +## Performance Tuning + +In practice, I've found requiring DNS over TCP is the best way to run Conduwuit, as it can easily +DNS resolvers with UDP, and TCP offers a higher level of reliability. + +If you want to do this, you can set the cache high to save repeated lookups, and increase the +timeout to allow the batched lookups over TCP to do their thing: + +```toml:conduwuit.toml +# DNS Optimisation +dns_cache_entries = 1_000_000 +dns_timeout = 60 +query_over_tcp_only = true +``` + +## Presence and Real-time Features + +Conduwuit is extremely performant over federation, so these options should perform very well, but +you can choose whether or not you want them for performance or privacy reasons: + +```toml:conduwuit.toml +# Presence Settings +allow_local_presence = true +allow_incoming_presence = true +allow_outgoing_presence = true + +# Typing Indicators +allow_outgoing_typing = true +allow_incoming_typing = true +``` + +## URL Preview Settings + +URL previews are a great way to improve the user experience of your Matrix server, but they can +also be a source of abuse, so you can choose whether you want to use them here: + +```toml:conduwuit.toml +# URL Preview Controls +url_preview_domain_contains_allowlist = ["*"] +url_preview_domain_explicit_allowlist = ["*"] +url_preview_url_contains_allowlist = ["*"] +url_preview_max_spider_size = 
16_777_216 +url_preview_check_root_domain = true +``` + +## Advanced Options + +There are tons of other options available, including setting TURN servers for VoIP calling. + +For detailed tuning of database performance, federation behaviour, or other advanced settings, +refer to the [example configuration file](https://raw.githubusercontent.com/girlbossceo/conduwuit/main/conduwuit-example.toml) +which includes comprehensive documentation for all available options. diff --git a/src/conduwuit/docker.md b/src/conduwuit/docker.md new file mode 100644 index 0000000..ecf966e --- /dev/null +++ b/src/conduwuit/docker.md 
@@ -0,0 +1,100 @@ +# Deploying Conduwuit with Docker + +This guide covers deploying Conduwuit using Docker and Docker Compose, with several options for +reverse proxy configurations. + +## Container Images + +Official Conduwuit images are available from GitHub's container registry: + +| Image | Notes | +|--------------------------------------|------------------------------------------------| +| ghcr.io/girlbossceo/conduwuit:latest | Stable releases, recommended for production | +| ghcr.io/girlbossceo/conduwuit:main | Latest features, suitable for personal servers | + +While the `:latest` tag is recommended for production use, the `:main` tag provides access to the +latest features and fixes. The main branch undergoes significant testing before changes are merged, +making it reliable for personal use while not necessarily "stable" for production environments. + +## Quick Start + +The simplest way to run Conduwuit is with a basic Docker command: + +```bash +docker run -d -p 8448:6167 \ + -v db:/var/lib/conduwuit/ \ + -e CONDUWUIT_SERVER_NAME="your.server.name" \ + -e CONDUWUIT_ALLOW_REGISTRATION=false \ + --name conduwuit ghcr.io/girlbossceo/conduwuit:latest +``` + +However, for production deployments, we recommend using Docker Compose for better maintainability. 
+ +## Docker Compose Deployment + +We provide two main deployment patterns, depending on how you want to connect to your reverse proxy: + +### TCP Port Configuration + +This configuration exposes Conduwuit on a TCP port, suitable for when your reverse proxy is on a +different host or when using Kubernetes: + +```yaml:docker-compose.yml +version: '3.8' + +services: + conduwuit: + cpus: 3 + image: ghcr.io/girlbossceo/conduwuit:latest + environment: + CONDUWUIT_CONFIG: '/var/lib/conduwuit/conduwuit.toml' + mem_limit: 4G + ports: + - "6167:6167" + restart: unless-stopped + volumes: + - ./data:/var/lib/conduwuit +``` + +### Unix Socket Configuration + +This configuration uses Unix sockets for improved performance when your reverse proxy is on the same +host: + +```yaml:docker-compose.yml +version: '3.8' + +services: + conduwuit: + cpus: 3 + image: ghcr.io/girlbossceo/conduwuit:latest + environment: + CONDUWUIT_CONFIG: '/var/lib/conduwuit/conduwuit.toml' + mem_limit: 4G + restart: unless-stopped + volumes: + - ./data:/var/lib/conduwuit + - /run/conduwuit:/run/conduwuit +``` + +For both configurations, create a configuration file in the `data` directory: + +```bash +curl -o data/conduwuit.toml https://raw.githubusercontent.com/girlbossceo/conduwuit/main/conduwuit-example.toml +``` + +See the [configuration guide](config.md) for more information on configuring Conduwuit, and the +[reverse proxy guide](reverse-proxies/README.md) for more information on how to set up a reverse +proxy to handle inbound connections to the server. + +## Starting the Server + +Once you've chosen and configured your setup: + +```bash +# Start the services +docker compose up -d + +# View the logs +docker compose logs -f +``` diff --git a/src/conduwuit/reverse-proxies/README.md b/src/conduwuit/reverse-proxies/README.md new file mode 100644 index 0000000..e4b70a6 --- /dev/null +++ b/src/conduwuit/reverse-proxies/README.md 
@@ -0,0 +1,23 @@ +# Configuring Reverse Proxies for Conduwuit + +A reverse proxy is essential for running Conduwuit in production, handling TLS termination and +providing a secure interface to the internet. This section covers configuration for three popular +reverse proxies: + +Before configuring your chosen reverse proxy, you'll need to [set up SSL certificates](ssl.md) +for your domains. + +1. [Caddy](caddy.md) - Known for its simplicity and automatic HTTPS +2. [Nginx](nginx.md) - Popular for its performance and flexibility + +Choose the guide that matches your preferred reverse proxy. All options will provide: + +- TLS termination +- HTTP/2 support +- Proper header forwarding +- WebSocket support for live updates + +If you're new to reverse proxies, Caddy might be the easier choice as it handles SSL certificates +automatically. If you're using Docker Compose, Traefik integrates particularly well with container +deployments. However, if you're already familiar with Nginx or need more fine-grained control, +the Nginx configuration will serve you well. diff --git a/src/conduwuit/reverse-proxies/caddy.md b/src/conduwuit/reverse-proxies/caddy.md new file mode 100644 index 0000000..8b2e7ea --- /dev/null +++ b/src/conduwuit/reverse-proxies/caddy.md 
@@ -0,0 +1,114 @@ +# Configuring Caddy for Conduwuit + +This guide covers setting up Caddy as a reverse proxy for Conduwuit. Caddy is recommended for new +users as it handles TLS certificates automatically with sensible defaults. + +1. [Basic Configuration](#basic-configuration) +2. [Vanity Domain Configuration](#vanity-domain-configuration) +3. [Matrix Homeserver Configuration](#matrix-homeserver-configuration) +4. [Verification](#verification) + +## Basic Configuration + +First, ensure Caddy is configured to use the DNS challenge for your certificates if you want +to use a wildcard certificate. Otherwise, it will obtain individual certificates as needed. + +## Vanity Domain Configuration + +The main domain (server.name) needs to serve Matrix well-known files on the standard HTTPS port +(443). This allows other Matrix servers to discover your homeserver's location: + +```caddyfile:Caddyfile +server.name { + # Matrix client-server well-known + handle /.well-known/matrix/client { + respond `{ + "m.homeserver": { + "base_url": "https://matrix.server.name" + }, + "org.matrix.msc3575.proxy": { + "url": "https://matrix.server.name" + } + }` 200 { + header Content-Type application/json + header Access-Control-Allow-Origin * + } + } + + # Matrix server-server well-known + handle /.well-known/matrix/server { + respond `{ + "m.server": "matrix.server.name:443" + }` 200 { + header Content-Type application/json + } + } + + # Matrix Support contact information (MSC1929) + handle /.well-known/matrix/support { + respond `{ + "contacts": [ + { + "matrix_id": "@admin:server.name", + "email_address": "admin@server.name", + "role": "m.role.admin" + } + ] + }` 200 { + header Content-Type application/json + header Access-Control-Allow-Origin * + } + } + + # Return 404 for all other paths + handle /* { + respond "Not Found" 404 + } +} +``` + +## Matrix Homeserver Configuration + +If we make the homeserver accessible via both the delegated subdomain (matrix.server.name) as well +as 
through your Matrix domain on the default Matrix federation port (8448), then this will ensure +federation works even if well-known discovery fails: + +```caddyfile:Caddyfile +matrix.server.name, server.name:8448 { + # Proxy all Matrix traffic to Conduwuit + handle /* { + reverse_proxy unix//run/conduwuit/conduwuit.sock { + transport unix { + # Disable buffering for immediate data transfer + buffer_size 0 + } + } + } + + # Compression for JSON responses + encode gzip +} +``` + +## Verification + +To verify your configuration: + +```bash +# Test the configuration +caddy validate + +# Reload if the test passes +caddy reload + +# Test the well-known endpoints +curl https://server.name/.well-known/matrix/server +curl https://server.name/.well-known/matrix/client +curl https://server.name/.well-known/matrix/support + +# Test the Matrix API +curl https://matrix.server.name/_matrix/federation/v1/version +``` + +You can also use the [Matrix Federation Tester](https://federationtester.matrix.org/) to verify +your server can communicate with other homeservers. diff --git a/src/conduwuit/reverse-proxies/nginx.md b/src/conduwuit/reverse-proxies/nginx.md new file mode 100644 index 0000000..fcd896b --- /dev/null +++ b/src/conduwuit/reverse-proxies/nginx.md 
@@ -0,0 +1,160 @@ +# Configuring Nginx for Conduwuit + +This guide covers setting up Nginx as a reverse proxy for Conduwuit, with optimisations for +performance and modern Matrix features. + +1. [Basic Configuration](#basic-configuration) +2. [Vanity Domain Configuration](#vanity-domain-configuration) +3. [Matrix Homeserver Configuration](#matrix-homeserver-configuration) +4. [Verification](#verification) + +## Basic Configuration + +First, set up an upstream definition for Conduwuit. Using Unix sockets is recommended when both +Nginx and Conduwuit are on the same machine for improved performance: + +```nginx:conf.d/upstreams.conf +upstream conduwuit_server { + # Unix socket (recommended for same-machine deployments) + server unix:/run/conduwuit/conduwuit.sock max_fails=0; + + # TCP alternative if needed + #server 127.0.0.1:6167 max_fails=0; + + # Connection pooling + keepalive 32; + keepalive_requests 1000; + keepalive_time 1h; + keepalive_timeout 600s; +} +``` + +## Vanity Domain Configuration + +The main domain (server.name) needs to serve Matrix well-known files on the standard HTTPS port +(443). 
This allows other Matrix servers to discover your homeserver's location: + +```nginx:conf.d/server.name.conf +# Main domain for well-known files +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name server.name; + + # TLS Configuration + ssl_certificate /etc/letsencrypt/live/server.name/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.name/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + + # Logging (optional) + access_log off; + error_log off; + + # Matrix Server well-known + location /.well-known/matrix/server { + default_type application/json; + add_header Access-Control-Allow-Origin "*"; + return 200 '{"m.server": "matrix.server.name:443"}'; + } + + # Matrix Client well-known (with sliding sync support) + location /.well-known/matrix/client { + default_type application/json; + add_header Access-Control-Allow-Origin "*"; + return 200 '{"m.homeserver": {"base_url": "https://matrix.server.name"}, "org.matrix.msc3575.proxy": {"url": "https://matrix.server.name"}}'; + } + + # Matrix Support contact information (MSC1929) + location /.well-known/matrix/support { + default_type application/json; + add_header Access-Control-Allow-Origin "*"; + return 200 '{"contacts": [{"matrix_id": "@admin:server.name", "email_address": "admin@server.name", "role": "m.role.admin"}]}'; + } + + # Optional: Return 404 for other URLs + location / { + return 404 "Not Found"; + } +} +``` + +**Note:** The well-known files help clients discover your server and provide important metadata, +update the domain names + +## Matrix Homeserver Configuration + +If we make the homeserver accessible via both the delegated subdomain (matrix.server.name) as well +as through your Matrix domain on the default Matrix federation port (8448), then this will ensure +federation works even if well-known discovery fails: + +```nginx:conf.d/matrix.server.name.conf +# Matrix homeserver +server { + listen 8448 ssl http2; + listen [::]:8448 ssl 
http2; + server_name matrix.server.name server.name; + + # TLS Configuration + ssl_certificate /etc/letsencrypt/live/server.name/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/server.name/privkey.pem; + include includes/common.conf; + + # Logging + access_log /var/log/nginx/conduwuit-access.log; + error_log /var/log/nginx/conduwuit-error.log; + + # Security Headers + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options DENY; + add_header X-XSS-Protection "1; mode=block"; + + # Disable buffering for immediate data transfer + proxy_buffering off; + + # Compression for JSON responses + gzip on; + gzip_types application/json; + gzip_min_length 1000; + + # Matrix API endpoints + location /_matrix/ { + # Proxy settings + proxy_pass http://conduwuit_server; + + # Proxy Settings + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # Proxy timeouts + proxy_read_timeout 60s; + proxy_send_timeout 60s; + } +} +``` + +## Verification + +To verify your configuration: + +```bash +# Test the Nginx configuration +nginx -t + +# Reload if the test passes +systemctl reload nginx + +# Test the well-known endpoints +curl https://server.name/.well-known/matrix/server +curl https://server.name/.well-known/matrix/client +curl https://server.name/.well-known/matrix/support + +# Test the Matrix API +curl https://matrix.server.name/_matrix/federation/v1/version +``` + +You can also use the [Matrix Federation Tester](https://federationtester.matrix.org/) to verify +your server can communicate with other homeservers. diff --git a/src/conduwuit/reverse-proxies/ssl.md b/src/conduwuit/reverse-proxies/ssl.md new file mode 100644 index 0000000..ca7a881 --- /dev/null +++ b/src/conduwuit/reverse-proxies/ssl.md 
@@ -0,0 +1,129 @@ +# SSL Certificates for Matrix Servers + +This guide covers obtaining SSL certificates for your Matrix homeserver using Certbot. We'll cover +both DNS validation (recommended) and HTTP validation methods. + +1. [DNS Validation](#dns-validation) +2. [HTTP Validation](#http-validation) +3. [Certificate Renewal](#certificate-renewal) +4. [Automatic Reloading](#automatic-reloading) + +## DNS Validation + +DNS validation is the recommended method as it: + +- Allows wildcard certificates (*.server.name) +- Doesn't require exposing ports 80/443 during validation +- Can be automated without temporary web server configuration + +Certbot provides plugins for many DNS providers. Here are some common options: + +- **Cloudflare** + + ```bash + # Cloudflare + apt install python3-certbot-dns-cloudflare + certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d server.name -d *.server.name + ``` + +- **Digital Ocean** + + ```bash + # Digital Ocean + apt install python3-certbot-dns-digitalocean + certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/digitalocean.ini -d server.name -d *.server.name + ``` + +- **OVH** + + ```bash + # OVH + apt install python3-certbot-dns-ovh + certbot certonly --dns-ovh --dns-ovh-credentials ~/.secrets/ovh.ini -d server.name -d *.server.name + ``` + +- **Route53** + + ```bash + # Route53 + apt install python3-certbot-dns-route53 + certbot certonly --dns-route53 -d server.name -d *.server.name + ``` + +Each provider requires appropriate credentials, which you can store securely in your profile: + +```bash +# Create credentials directory +mkdir -p ~/.secrets + +# Create and edit your provider's credentials file +nano ~/.secrets/provider.ini + +# Secure the credentials +chmod 600 ~/.secrets/provider.ini +``` + +## HTTP Validation + +If DNS validation isn't an option, you can use HTTP validation. 
This requires: + +- Separate certificates for each domain/subdomain +- Temporary HTTP access during validation +- Web server configuration for validation challenges + +1. Stop your reverse proxy temporarily: + + ```bash + systemctl stop nginx + ``` + +2. Generate certificates: + + ```bash + # Main domain + certbot certonly --standalone -d server.name + + # Matrix subdomain + certbot certonly --standalone -d matrix.server.name + ``` + +3. Restart your reverse proxy: + + ```bash + systemctl start nginx + ``` + +## Certificate Renewal + +Certbot automatically installs a renewal timer, but you can test the renewal process: + +```bash +# Test renewal (no changes made) +certbot renew --dry-run + +# Force renewal for testing +certbot renew --force-renewal + +# Check timer status +systemctl status certbot.timer +``` + +## Automatic Reloading + +Create a renewal hook to reload Nginx when certificates are renewed: + +```bash +# Create hooks directory if it doesn't exist +mkdir -p /etc/letsencrypt/renewal-hooks/deploy + +# Create reload script +cat > /etc/letsencrypt/renewal-hooks/deploy/nginx-reload << 'EOF' +#!/bin/bash +systemctl reload nginx +EOF + +# Make it executable +chmod +x /etc/letsencrypt/renewal-hooks/deploy/nginx-reload +``` + +Now your certificates will automatically renew and reload Nginx when needed.
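Review bot: in src/conduwuit/config.md, `unix_socket_perms = 666` makes the socket writable by every local user and container that can see `/run/conduwuit`, so anything on the host can talk to the homeserver without passing through the reverse proxy; suggest a group shared with the proxy user and `660`, or at least a sentence saying why `666` was chosen. The token snippet is also mislabelled: `openssl rand -base64 48` yields exactly 64 characters, so after `tr -d '/+'` the result is usually shorter than 64 and `cut -c1-64` never trims anything; `openssl rand -hex 32` gives a fixed 64-character token with no post-processing. In "Performance Tuning" the sentence "as it can easily DNS resolvers with UDP" is missing its verb. The URL preview block sets all three allowlists to `["*"]` right after warning that previews "can be a source of abuse"; since a wildcard lets any user make the server fetch arbitrary URLs, the text should say that explicitly and show a narrower list as the default for public servers.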
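Review bot: in src/conduwuit/docker.md, the quick-start `docker run -d -p 8448:6167` publishes Conduwuit's plain-HTTP listener as 8448 on every host interface with no TLS in front of it, which contradicts the reverse-proxy guides (federation on 8448 expects TLS) and looks production-ready when it is not; either drop the port mapping or bind it to loopback (`-p 127.0.0.1:6167:6167`) and point readers at the Compose section. The TCP Compose file has the same shape: `"6167:6167"` is reachable from anywhere the host is, so for a same-host proxy it should be `"127.0.0.1:6167:6167"`, and for a remote proxy the text should mention firewalling, since the port speaks unencrypted HTTP. `version: '3.8'` is ignored by Compose v2 and prints a warning, so it can go. The Unix-socket variant bind-mounts `/run/conduwuit` but never says that the directory must exist on the host first or who should own it, which is exactly what the `unix_socket_perms` setting in config.md depends on.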
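Review bot: in src/conduwuit/reverse-proxies/README.md, the intro announces "three popular reverse proxies" and the closing paragraph recommends Traefik, but only Caddy and Nginx are listed and this patch adds no Traefik guide; either add the guide or change the count and drop the Traefik sentence. The "set up SSL certificates" paragraph sits between the colon that introduces the list and the list itself, so move it above or below the list. The feature list also promises "WebSocket support for live updates", but neither the Caddy nor the Nginx configuration in this patch sets WebSocket upgrade headers, and the Matrix client-server API proxied here uses long-polling `/sync` rather than WebSockets, so that bullet should be removed or reworded.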
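Review bot: in src/conduwuit/reverse-proxies/caddy.md, the `transport unix { buffer_size 0 }` block is not valid Caddyfile: `reverse_proxy` only knows the `http` and `fastcgi` transports, and `buffer_size` is not an option of either, so `caddy validate` will reject the file. A Unix-socket upstream needs no transport block at all (`reverse_proxy unix//run/conduwuit/conduwuit.sock` is enough); if the intent is to avoid response buffering, use the `flush_interval -1` option of `reverse_proxy`. The "Basic Configuration" section tells the reader to configure the DNS challenge for a wildcard certificate but shows nothing, so it should either show the `tls { dns ... }` block (which needs a DNS provider plugin build of Caddy) or link to the Caddy docs. Unlike the Nginx guide, this site block sets no `Strict-Transport-Security` header; adding a `header` directive would keep the two guides consistent.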
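Review bot: in src/conduwuit/reverse-proxies/nginx.md, the `conf.d/matrix.server.name.conf` block only listens on 8448, yet the well-known responses send clients to `https://matrix.server.name` and federation to `matrix.server.name:443`; on port 443 the only server block is the vanity one for `server.name`, which nginx will also use as the default server for `matrix.server.name` and answer every `/_matrix/` request with 404. Add `listen 443 ssl http2;` and `listen [::]:443 ssl http2;` for `matrix.server.name`; because the same block also names `server.name` (which would collide with the vanity block on 443), split it into one block for `matrix.server.name` on 443 and 8448 and one for `server.name` on 8448 only. Further items: `include includes/common.conf;` references a file that exists nowhere in this patch, so `nginx -t` fails out of the box; `error_log off;` does not disable logging but writes to a file literally named `off` in the nginx prefix directory (use `error_log /dev/null crit;`); the upstream block configures `keepalive` but the location never sets `proxy_set_header Connection "";`, so upstream connections are still closed after each request; there is no `client_max_body_size`, leaving nginx's 1m default, which rejects media uploads with 413 long before Conduwuit's own request-size limit applies; the matrix block's `ssl_certificate /etc/letsencrypt/live/server.name/fullchain.pem` assumes the wildcard certificate from the DNS-validation path, while readers following the HTTP-validation path in ssl.md end up with `/etc/letsencrypt/live/matrix.server.name/`; and the note under the vanity config ends mid-sentence at "update the domain names".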
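Review bot: in src/conduwuit/reverse-proxies/ssl.md, every DNS-validation command passes `-d *.server.name` unquoted, so the shell will glob-expand it if a matching file exists in the working directory; quote it as `-d '*.server.name'`. The HTTP-validation section uses `--standalone`, which binds port 80 itself, so the renewal timer described later fails whenever nginx is running; either add `--pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"` to the initial command (certbot saves hooks into the renewal configuration) or use `--webroot` so nginx can stay up. `certbot renew --force-renewal` should not be presented as a testing step: it issues real certificates and counts toward Let's Encrypt's duplicate-certificate rate limit, while `--dry-run` already exercises the full path against the staging environment. Finally, the deploy hook reloads Nginx only; Caddy users do not need Certbot at all, and the page should say so rather than leave them with a hook for a service they are not running.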