From a52cd5aa4310f98c551f35ca354090cc8fa258fc Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Fri, 1 Dec 2023 10:35:01 +0100
Subject: [PATCH] contrib/certbot: new document
---
contrib/certbot.md | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 contrib/certbot.md
diff --git a/contrib/certbot.md b/contrib/certbot.md
new file mode 100644
index 0000000..ca0491a
--- /dev/null
+++ b/contrib/certbot.md
@@ -0,0 +1,35 @@
+# Setting up Certbot for soju
+
+If you are using [Certbot] to obtain HTTPS certificates, you can set up soju
+like so:
+
+- Obtain the certificate:
+
+ certbot certonly -d
+
+- Allow all local users to access certificates (private keys are still
+ protected):
+
+ chmod 0755 /etc/letsencrypt/{live,archive}
+
+- Allow the soju user to read the private key:
+
+ chmod 0640 /etc/letsencrypt/live//privkey.pem
+ chgrp soju /etc/letsencrypt/live//privkey.pem
+
+- Set the `tls` directive in the soju configuration file:
+
+ tls /etc/letsencrypt/live//fullchain.pem /etc/letsencrypt/live//privkey.pem
+
+- Configure Certbot to reload soju. Edit
+ `/etc/letsencrypt/renewal-hooks/post/soju.sh` and add a command to reload
+ soju, for instance:
+
+ #!/bin/sh
+ systemctl reload soju
+
+ Then mark the script as executable:
+
+ sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/soju.sh
+
+[Certbot]: https://certbot.eff.org/