diff --git a/install/certbot-deploy-hook.sh b/install/certbot-deploy-hook.sh
new file mode 100644
index 0000000..aa49a49
--- /dev/null
+++ b/install/certbot-deploy-hook.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -euo pipefail
+
+domains=(${RENEWED_DOMAINS-})
+
+if [ ! ${#domains[@]} -eq 1 ]; then
+ chown -R root:nginx /etc/letsencrypt/archive/*/
+ chmod -R u=rwX,g=rX,o= /etc/letsencrypt/archive/*/
+
+ chown root:nginx /etc/letsencrypt/live/*/
+ chmod u=rwX,g=rX,o= /etc/letsencrypt/live/*/
+else
+ cert_name=${domains[0]}
+
+ cert_dir_archive=/etc/letsencrypt/archive/${cert_name}/
+ if [ -d ${cert_dir_archive} ]; then
+ chown -R root:nginx ${cert_dir_archive}
+ chmod -R u=rwX,g=rX,o= ${cert_dir_archive}
+ else
+ echo "${cert_dir_archive} doesn't exist" > /dev/stderr
+ exit 1
+ fi
+
+ cert_dir_live=/etc/letsencrypt/live/${cert_name}/
+ if [ -d ${cert_dir_live} ]; then
+ chown root:nginx ${cert_dir_live}
+ chmod u=rwX,g=rX,o= ${cert_dir_live}
+ else
+ echo "${cert_dir_live} doesn't exist" > /dev/stderr
+ exit 1
+ fi
+fi
diff --git a/install/certbot.ini b/install/certbot.ini
new file mode 100644
index 0000000..e7637d7
--- /dev/null
+++ b/install/certbot.ini
@@ -0,0 +1,13 @@
+non-interactive
+
+agree-tos
+no-eff-email
+email = "niver+letsencrypt@antopie.org"
+
+webroot
+webroot-path = "/srv/servnest/acme"
+
+key-type = "rsa"
+rsa-key-size = "3072"
+
+deploy-hook = "/root/certbot-deploy-hook.sh"
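Review bot: The per-lineage branch takes the directory name from `${domains[0]}`, but a certbot lineage name is the directory under /etc/letsencrypt/live (it can be chosen with --cert-name and need not equal the first domain), and any renewal of a multi-SAN certificate puts more than one entry in RENEWED_DOMAINS and so lands in the first branch, which re-grants group nginx read access to the private keys of every lineage on the host instead of only the renewed one. Certbot exports RENEWED_LINEAGE (the live/<name> path) to deploy hooks; deriving the name from it removes the guess and the catch-all branch, keeping the permission change scoped to the lineage that was actually renewed. Independently, `${cert_dir_archive}` and `${cert_dir_live}` are unquoted in the `[ -d … ]` tests and in the chown/chmod calls, and `> /dev/stderr` is better written `>&2`. The rewrite below keeps the hook's contract (certbot env vars in, exit 1 when the lineage directories are missing).
```shell
set -euo pipefail

# certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<cert-name>; take the
# name from there instead of guessing it from RENEWED_DOMAINS.
lineage=${RENEWED_LINEAGE:?RENEWED_LINEAGE must be set by certbot}
cert_name=$(basename -- "${lineage}")

cert_dir_archive="/etc/letsencrypt/archive/${cert_name}/"
cert_dir_live="/etc/letsencrypt/live/${cert_name}/"

for dir in "${cert_dir_archive}" "${cert_dir_live}"; do
  if [ ! -d "${dir}" ]; then
    printf "%s doesn't exist\n" "${dir}" >&2
    exit 1
  fi
done

# Only the renewed lineage has its group access adjusted; nothing else under
# /etc/letsencrypt is touched.
chown -R root:nginx -- "${cert_dir_archive}"
chmod -R u=rwX,g=rX,o= -- "${cert_dir_archive}"
chown root:nginx -- "${cert_dir_live}"
chmod u=rwX,g=rX,o= -- "${cert_dir_live}"
```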
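Review bot: `deploy-hook = "/root/certbot-deploy-hook.sh"` points at a path that this commit does not create; the hook is added as install/certbot-deploy-hook.sh, so the installation step that copies it to /root is presumably elsewhere and is what keeps the two in sync. Because certbot runs the hook as root on every renewal, whatever installs it should also make sure the copy is owned by root and not group- or other-writable, otherwise anyone who can write that file gets code execution at the next renewal; a comment above the `deploy-hook` line naming the install step that places and protects the file, e.g. `# copied to /root and made root-owned, mode 0700, by the install script`, would make that dependency visible to the next reader.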