Add automated TLS renewal and deployment documentation

Co-Authored-By: Oz <oz-agent@warp.dev>

scripts/install.sh

@@ -6,60 +6,68 @@ REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 SSL_DIR="${REPO_DIR}/nginx/ssl"
 DOMAIN="nxt.bhatfamily.in"
 
-echo "==> Ensuring required packages are installed (docker, docker-compose, ufw, openssl)..."
 if ! command -v docker >/dev/null 2>&1; then
-  echo "Docker is not installed. Install Docker and rerun this script."
+  echo "ERROR: Docker is not installed. Install Docker and rerun this script."
   exit 1
 fi
 
-if ! command -v docker compose >/dev/null 2>&1 && ! command -v docker-compose >/dev/null 2>&1; then
-  echo "docker compose / docker-compose is not installed. Install Docker Compose and rerun."
+if ! docker compose version >/dev/null 2>&1 && ! command -v docker-compose >/dev/null 2>&1; then
+  echo "ERROR: docker compose / docker-compose is not installed."
+  exit 1
+fi
+
+if ! command -v openssl >/dev/null 2>&1; then
+  echo "ERROR: openssl is not installed."
   exit 1
 fi
 
 if ! command -v ufw >/dev/null 2>&1; then
-  echo "ufw not found. Installing ufw requires root and internet access."
+  echo "INFO: ufw not found. Ensure ports 8082 and 8446 are open in your firewall/router."
 fi
 
+compose() {
+  if docker compose version >/dev/null 2>&1; then
+    docker compose "$@"
+  else
+    docker-compose "$@"
+  fi
+}
+
 mkdir -p "${SSL_DIR}"
 
-echo "==> Generating self-signed TLS certificate for ${DOMAIN} (valid 365 days)..."
+echo "==> Ensuring TLS files exist for nginx startup..."
 if [ ! -f "${SSL_DIR}/${DOMAIN}.crt" ] || [ ! -f "${SSL_DIR}/${DOMAIN}.key" ]; then
+  echo "==> Generating bootstrap self-signed certificate for ${DOMAIN} (valid 365 days)..."
   openssl req -x509 -nodes -newkey rsa:4096 \
     -keyout "${SSL_DIR}/${DOMAIN}.key" \
     -out "${SSL_DIR}/${DOMAIN}.crt" \
     -days 365 \
     -subj "/CN=${DOMAIN}"
 else
-  echo "Certificate already exists, skipping generation."
+  echo "==> Existing certificate/key found; skipping bootstrap certificate generation."
 fi
 
 if [ ! -f "${SSL_DIR}/dhparam.pem" ]; then
-  echo "==> Generating dhparam (this may take a while)..."
+  echo "==> Generating dhparam (one-time, may take a while)..."
   openssl dhparam -out "${SSL_DIR}/dhparam.pem" 2048
 fi
 
-echo "==> Configuring UFW firewall rules (allow 8082/tcp and 8446/tcp)..."
 if command -v ufw >/dev/null 2>&1; then
+  echo "==> Configuring UFW firewall rules (8082/tcp, 8446/tcp)..."
   sudo ufw allow 8082/tcp comment "Nextcloud HTTP"
   sudo ufw allow 8446/tcp comment "Nextcloud HTTPS"
-else
-  echo "ufw not installed; ensure ports 8082 and 8446 are open in your firewall/router."
 fi
 
-echo "==> Starting Nextcloud stack via Docker Compose..."
-cd "${REPO_DIR}"
+echo "==> Pulling and starting containers..."
+compose -f "${REPO_DIR}/docker-compose.yml" pull
+compose -f "${REPO_DIR}/docker-compose.yml" up -d
 
-if command -v docker compose >/dev/null 2>&1; then
-  docker compose pull
-  docker compose up -d
-else
-  docker-compose pull
-  docker-compose up -d
-fi
-
-echo "==> Nextcloud should now be reachable at:"
+echo "==> Stack started"
 echo "    http://${DOMAIN}:8082  (redirects to HTTPS)"
 echo "    https://${DOMAIN}:8446"
-echo ""
-echo "NOTE: Browser will warn about self-signed certificate. Replace with a valid cert for production."
+echo
+echo "For production TLS with Let's Encrypt DNS-01 (Cloudflare):"
+echo "  1) export CF_DNS_API_TOKEN=<token>"
+echo "  2) export LETSENCRYPT_EMAIL=<email>"
+echo "  3) ./scripts/provision-production-tls.sh"
+echo "  4) docker compose restart web"