2️⃣ Nginx and Certbot HTTPS

Step 1 — Install Dependencies

sudo apt install nginx certbot python3-certbot-nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx

Step 2 — Initial HTTP Reverse Proxy Setup

Create Nginx config for HTTP before SSL issuance:

sudo nano /etc/nginx/sites-available/gunbot.conf

Note:
The temporary location / blocks let Nginx start with a valid configuration and let Certbot verify both domains over HTTP before any certificate exists.

Example:

server {
    listen 80;
    server_name gunbot.yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:5000; # live bot (added later)
    }
}

server {
    listen 80;
    server_name simulator.yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:5002; # sim bot (added later)
    }
}

Enable and test:

sudo ln -s /etc/nginx/sites-available/gunbot.conf /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Step 3 — Obtain SSL Certificates

Issue certificates with Certbot, one per hostname, so that each hostname gets its own directory under /etc/letsencrypt/live/ (the paths in Step 4 and in the renewal hook expect that; a single command listing both -d names would put both names into one directory named after the first domain, and the simulator paths would not exist):

sudo certbot certonly --nginx -d gunbot.yourdomain.com
sudo certbot certonly --nginx -d simulator.yourdomain.com

Verify that both directories contain fullchain.pem and privkey.pem:

sudo ls -l /etc/letsencrypt/live/gunbot.yourdomain.com/
sudo ls -l /etc/letsencrypt/live/simulator.yourdomain.com/

Step 4 — Upgrade to HTTPS Reverse Proxy

Edit config:

sudo nano /etc/nginx/sites-available/gunbot.conf

Replace contents with:

server {
    listen 80;
    server_name gunbot.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name gunbot.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/gunbot.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gunbot.yourdomain.com/privkey.pem;

    location / {
        proxy_pass https://127.0.0.1:5000; # live bot
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

server {
    listen 80;
    server_name simulator.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name simulator.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/simulator.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/simulator.yourdomain.com/privkey.pem;

    location / {
        proxy_pass https://127.0.0.1:5002; # sim bot
        include proxy_params;
        proxy_redirect off;
    }
}

Validate and reload:

sudo nginx -t
sudo systemctl reload nginx
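The Step 2 and Step 4 files above can be checked mechanically before running nginx -t. The script below is an added example, not part of this guide or of Gunbot: it parses the small subset of nginx syntax these files use and flags what a reviewer looks for in a reverse-proxy config: a plaintext listener that still proxies (the Step 2 state, acceptable only until the certificate is issued), a TLS server without certificate directives, a TLS server that sends no Strict-Transport-Security header, and a proxy_pass to an https:// upstream without proxy_ssl_verify on, which matters here because nginx does not verify the upstream certificate by default. The embedded sample configs are constructed from the blocks above, and the hardening directives and CA bundle path shown are assumptions added here.

```python
"""Static audit of an Nginx site file for the TLS/proxy points this guide touches.

Added example, not from the guide or the Gunbot project. Understands only the syntax used
on this page (server/location blocks, `name args;` directives). Flags: a plaintext listener
that proxies instead of redirecting; a TLS server without cert/key or Strict-Transport-Security;
a proxy_pass to https:// without `proxy_ssl_verify on` (nginx's default is off).
"""
import re
from dataclasses import dataclass, field

@dataclass
class Block:
    name: str                                        # "server", "location /", ...
    directives: list = field(default_factory=list)   # (name, [args]) in file order
    children: list = field(default_factory=list)     # nested blocks

_TOKEN = re.compile(r"\s*(\{|\}|;|[^\s{};]+)")

def parse(text):
    """Build a Block tree; raises ValueError on unbalanced braces."""
    root = Block("root")
    stack, buf = [root], []
    for tok in _TOKEN.findall(re.sub(r"#[^\n]*", "", text)):   # comments dropped first
        if tok == "{":
            blk = Block(" ".join(buf))
            stack[-1].children.append(blk)
            stack.append(blk)
            buf = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif tok == ";":
            if buf:
                stack[-1].directives.append((buf[0], buf[1:]))
            buf = []
        else:
            buf.append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root

def _has(block, name, *prefix):
    """True if `block` holds directive `name` whose leading args equal `prefix`."""
    return any(n == name and args[:len(prefix)] == list(prefix) for n, args in block.directives)

def audit(text):
    """Return human-readable findings; an empty list means the file passes."""
    findings = []
    for srv in (b for b in parse(text).children if b.name == "server"):
        label = next((args[0] for n, args in srv.directives if n == "server_name" and args), "<unnamed>")
        tls = any(n == "listen" and "ssl" in args for n, args in srv.directives)
        locations = [c for c in srv.children if c.name.startswith("location")]
        if not tls:   # plaintext listener: acceptable only if it just redirects
            redirects = any(n == "return" and len(args) == 2 and args[0] in ("301", "308")
                            and args[1].startswith("https://") for n, args in srv.directives)
            if not redirects and any(_has(loc, "proxy_pass") for loc in locations):
                findings.append(f"{label}: plaintext listener proxies traffic instead of redirecting to https")
            continue
        for d in ("ssl_certificate", "ssl_certificate_key"):
            if not _has(srv, d):
                findings.append(f"{label}: missing {d}")
        if not any(_has(b, "add_header", "Strict-Transport-Security") for b in [srv] + locations):
            findings.append(f"{label}: no Strict-Transport-Security header")
        for loc in locations:
            https_up = any(n == "proxy_pass" and args and args[0].startswith("https://") for n, args in loc.directives)
            if https_up and not (_has(loc, "proxy_ssl_verify", "on") or _has(srv, "proxy_ssl_verify", "on")):
                findings.append(f"{label} {loc.name}: https upstream without proxy_ssl_verify on")
    return findings

# Constructed sample: the Step 4 pair for the live bot, as written in the guide.
GUIDE_CONF = """
server { listen 80; server_name gunbot.yourdomain.com; return 301 https://$host$request_uri; }
server {
    listen 443 ssl;
    server_name gunbot.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/gunbot.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gunbot.yourdomain.com/privkey.pem;
    location / {
        proxy_pass https://127.0.0.1:5000; # live bot
    }
}
"""

# Constructed sample: the same pair with both gaps closed. The CA bundle path is the Debian/
# Ubuntu default (an assumption); proxy_ssl_name is needed because nginx's default ($proxy_host)
# would be 127.0.0.1, which is not a name in the Let's Encrypt certificate.
HARDENED_CONF = GUIDE_CONF.replace(
    "    location / {",
    '    add_header Strict-Transport-Security "max-age=31536000" always;\n'
    "    location / {\n"
    "        proxy_ssl_verify on;\n"
    "        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;\n"
    "        proxy_ssl_name gunbot.yourdomain.com;\n"
    "        proxy_ssl_server_name on;",
)
# Constructed sample: the Step 2 pre-certificate state, which is expected to be flagged.
HTTP_ONLY_CONF = "server { listen 80; server_name gunbot.yourdomain.com; location / { proxy_pass http://127.0.0.1:5000; } }"
if __name__ == "__main__":
    for name, conf in (("step2", HTTP_ONLY_CONF), ("step4", GUIDE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

To check a real file, pass its contents to audit(), e.g. audit(open("/etc/nginx/sites-available/gunbot.conf").read()). The hardened sample is the shape to aim for: proxy_ssl_verify on with a trusted CA bundle and proxy_ssl_name matching the certificate the bot presents, plus an HSTS header on each TLS server; the Step 2 file is expected to be flagged until Step 4 replaces it.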

Step 5 — Auto Renewal & Reload Hook

Test renewal:

sudo certbot renew --dry-run

Create reload hook:

sudo nano /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

Add:

#!/bin/bash
# Certbot deploy hook: certbot runs this as root after a successful renewal.
set -euo pipefail

# Reload Nginx so it picks up the renewed certificate
systemctl reload nginx

# Define subdomains and matching Gunbot instance directories
declare -A INSTANCES=(
  ["gunbot.yourdomain.com"]="gunbot-live"
  ["simulator.yourdomain.com"]="gunbot-sim"
)

# Copy renewed certs into each instance; install sets owner and mode in one step,
# so the private key is readable only by the gunbot user
for DOMAIN in "${!INSTANCES[@]}"; do
  TARGET_DIR="/home/gunbot/${INSTANCES[$DOMAIN]}"
  install -o gunbot -g gunbot -m 0600 "/etc/letsencrypt/live/$DOMAIN/privkey.pem"   "$TARGET_DIR/localhost.key"
  install -o gunbot -g gunbot -m 0644 "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$TARGET_DIR/localhost.crt"
done
# A bot process that reads these files only at startup must be restarted to use them.

Make executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh