This complements c256080bb19370dcede045fcbc9335a76809934e, and
fixes <https://odoo.itopie.ch/web#id=281&action=491&active_id=2&model=project.task&view_type=form&cids=&menu_id=323>.

installation/nextcloud_itopie.md

@@ -84,7 +84,7 @@
 1. Redémarrer PHP-FPM : `# systemctl restart php8.2-fpm.service` 
 
 ### Installation de Nginx
-1. Installer nginx : `# apt install nginx`
+1. Installer nginx : `# apt install ssl-cert nginx curl`
 1. Ajouter la configuration suivante dans /etc/nginx/sites-available/${WEBSITENAME.TLD} \
    **ATTENTION**, variable à modifier par le nom du service : ${WEBSITENAME.TLD} !
    ```
@@ -274,7 +274,63 @@
        }
    }
    ```
+1. Activer le service : `# ln -s ../sites-available/${WEBSITENAME.TLD} /etc/nginx/sites-enabled/`
+1. Tester la configuration du service : `# nginx -t`
 1. Redémarrer NGINX : `# systemctl restart nginx.service` 
+1. Ouvrir le firewall :
+   ```
+   # vi /etc/nftables.conf
+   [
+    table inet filter {
+            chain INPUT {
+                    [...]
+                    ## Allow HTTP(s) from any location
+                    tcp dport { 80, 443 } ct state new counter packets 0 bytes 0 accept
+                    [...]
+            }
+    }
+    ]
+   # systemctl restart nftables.service
+   ```
+1. Tester la connexion : `# curl -I -L http://${WEBSITENAME.TLD}`
+1. Installer `certbot` pour [[Let's Encrypt|installation/apache/letsencrypt]] (cf. <https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04>) si VM "non-managé" (pas Infomaniak ou reverse-proxy itopie) :
+   ```
+   # apt-get install certbot python3-certbot-nginx
+   # certbot --nginx -d ${WEBSITENAME.TLD}
+   [...]
+   Enter email address (used for urgent renewal and security notices)
+    (Enter 'c' to cancel): it@${TLD}
+   
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Please read the Terms of Service at
+   https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
+   order to register with the ACME server. Do you agree?
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   (Y)es/(N)o: Yes
+   
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Would you be willing, once your first certificate is successfully issued, to
+   share your email address with the Electronic Frontier Foundation, a founding
+   partner of the Let's Encrypt project and the non-profit organization that
+   develops Certbot? We'd like to send you email about our work encrypting the web,
+   EFF news, campaigns, and ways to support digital freedom.
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   (Y)es/(N)o: No
+   Account registered.
+   Requesting a certificate for ${WEBSITENAME.TLD}
+   [...]
+   # sed -i -e 's,/etc/ssl/certs/ssl-cert-snakeoil.pem,/etc/letsencrypt/live/${WEBSITENAME.TLD}/fullchain.pem,' \
+            -e 's,/etc/ssl/private/ssl-cert-snakeoil.key,/etc/letsencrypt/live/${WEBSITENAME.TLD}/privkey.pem,' \
+         /etc/nginx/sites-enabled/nuage.uvcoop.ch
+   # systemctl restart nginx.service
+   # openssl s_client -showcerts -connect ${WEBSITENAME.TLD}:443 </dev/null 2>/dev/null | \
+      awk '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/' | \
+      openssl x509 -noout -text | \
+      grep DNS
+                     DNS:${WEBSITENAME.TLD}
+   # 
+   ```
+
 
 ### Installation de PostgreSQL
 1. Installer les paquets : `# apt install postgresql postgresql-client`