Add automated TLS renewal and deployment documentation

Co-Authored-By: Oz <oz-agent@warp.dev>

scripts/setup-renewal-cron.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# scripts/setup-renewal-cron.sh
+# Installs/updates a daily cron entry for automated TLS renewal.
+
+set -euo pipefail
+
+REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+TLS_ENV_FILE="${REPO_DIR}/.tls-renewal.env"
+LOG_DIR="${REPO_DIR}/logs"
+LOG_FILE="${LOG_DIR}/tls-renew.log"
+CRON_MARKER="# nextcloud-docker tls renewal"
+CRON_SCHEDULE="${RENEW_CRON_SCHEDULE:-17 3 * * *}"
+DEFAULT_TOKEN_SCRIPT="${HOME}/bin/cloudflare-api-usertoken.sh"
+
+if [ -f "${TLS_ENV_FILE}" ]; then
+  # shellcheck disable=SC1090
+  set -a
+  source "${TLS_ENV_FILE}"
+  set +a
+fi
+
+if [ -z "${LETSENCRYPT_EMAIL:-}" ]; then
+  echo "ERROR: LETSENCRYPT_EMAIL is not set."
+  echo "Export it in your shell before running this script."
+  exit 1
+fi
+
+CLOUDFLARE_TOKEN_SCRIPT="${CLOUDFLARE_TOKEN_SCRIPT:-${DEFAULT_TOKEN_SCRIPT}}"
+CF_DNS_PROPAGATION_SECONDS="${CF_DNS_PROPAGATION_SECONDS:-60}"
+
+mkdir -p "${LOG_DIR}"
+chmod 700 "${LOG_DIR}"
+
+cat > "${TLS_ENV_FILE}" <<ENVFILE
+LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL}
+CLOUDFLARE_TOKEN_SCRIPT=${CLOUDFLARE_TOKEN_SCRIPT}
+CF_DNS_PROPAGATION_SECONDS=${CF_DNS_PROPAGATION_SECONDS}
+ENVFILE
+chmod 600 "${TLS_ENV_FILE}"
+
+CRON_COMMAND="cd ${REPO_DIR} && /usr/bin/env bash ${REPO_DIR}/scripts/renew-production-tls.sh >> ${LOG_FILE} 2>&1"
+CRON_LINE="${CRON_SCHEDULE} ${CRON_COMMAND} ${CRON_MARKER}"
+
+{
+  crontab -l 2>/dev/null | grep -v "${CRON_MARKER}" || true
+  echo "${CRON_LINE}"
+} | crontab -
+
+echo "==> Installed cron renewal job:"
+echo "    ${CRON_LINE}"
+echo "==> Stored renewal defaults in ${TLS_ENV_FILE}"
+echo "==> Logs will be written to ${LOG_FILE}"