infra-setup only handled the internal (newsfeed.internal) cert and vhost and
just printed a generic "set it up yourself" note for the WAN name. Now it also,
on the web host:
- issues the Let's Encrypt cert for rob.fyi idempotently (certbot, Cloudflare
DNS-01, ECDSA, --keep-until-expiring), skipping cleanly if the CF token or
certbot is absent;
- installs the certbot renew deploy-hook (reload nginx);
- installs the public vhost, gated on the cert existing so a missing cert can't
break `nginx -t` for all of nginx (external-tls.md §4).
PUBLIC_FQDN/CERT_EMAIL/CF_CREDS are infra-truth vars at the top; set PUBLIC_FQDN
empty to skip. Cloudflare A record + OPNsense :443 forward remain manual and are
called out in the closing output.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016fKZzDpvjiJ9eYbPGgJvUP