diff --git a/README.md b/README.md
index dce5f54..824a7a3 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
-
+
@@ -10,7 +10,7 @@
If you already have an instance of `relay.tools` set up, you may be looking for the [documentation](docs.md)!
-If you would like to install `relay.tools` locally, check out the [Local Install Guide](relaytools-setup.md)!
+If you would like to install `relay.tools` locally, check out the [local install guide](relaytools-setup.md)!
# Installation
```
@@ -35,7 +35,22 @@ reboot
# Relay Creation
-- Navigate to your domain in a browser and select the drop-down menu
-- Sign in with Nostr (Authorize with NIP-07 extension)
+- Navigate to your domain in a browser and authorize with NIP-07 extension
+
+
+
+
+
+- Select 'create relay' from the drop-down menu
+
+
+
+
+
- Create some relays!
+
+
+
+
+
- Feel free to check out some of the other [documentation](docs.md)!
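Review bot: the five runs of empty `+` lines after each bullet look like the places where the screenshots this patch adds (`images/signin.png`, `images/createrelay.png`, `images/relaycreation.png`) were meant to be embedded, but as shown the hunk inserts only blank lines, so the README gains whitespace and no images; check that the `![...](images/...)` references were not lost, and collapse each run to a single blank line either way. The reworded first step also drops the words "Sign in with Nostr", so a reader who does not know what NIP-07 is no longer learns what they are authorizing with; consider "Sign in with Nostr by authorizing the NIP-07 extension".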
diff --git a/docs.md b/docs.md
index 18ff26d..135e7ce 100644
--- a/docs.md
+++ b/docs.md
@@ -2,37 +2,29 @@
Welcome to the extended documentation for `relay.tools`!
-- [Git Tracking](#git-tracking)
- [Logging in to Live Machines](#logging-in-to-live-machines)
- [Viewing the Logs](#viewing-the-logs)
+- [SSL Certificate Management](#ssl-certificate-management)
+- [Git Tracking](#git-tracking)
- [Disable Relay Creation](#disable-relay-creation)
-# Git Tracking
-
-`Relay.tools` contains a script to keep itself up to date.
-
-You may wish to fork the `relaycreator` repo and maintain your own branch to update at your leisure.
-
->**Replace `branch_name` and `YOUR.USERNAME` with your own details.**
-```
-cd /srv/relaycreator/
-git remote add -f [branch_name] https://github.com/YOUR.USERNAME/relaycreator
-git checkout -b new [branch_name]/main
-```
-
# Logging in to Live Machines
`Relay.tools` is comprised of 4 machines! *haproxy, strfry, relaycreator,* and *mysql*.
-You can sign into them with `machinectl login` to make live changes in production.
+There is also a utility container called *keys-certs-manager* used for certificate operations. It does not run persistently.
+
+Machines are what systemd-nspawn calls containers. They are separated from the host system and can be upgraded or changed using machine images.
-For example, `machinectl login strfry`.
+You can change shell into them with `machinectl shell` to make live changes in production.
-user: `root`
+For example, `machinectl shell strfry`.
-pass: `creator`
+For *keys-certs-manager* (which does not boot like the others), use:
->**`exit` will get you back to the login screen.**
+`systemd-nspawn -M keys-certs-manager /bin/bash`
+
+>**`exit or CTRL+D` will exit the shell back into the host machine.**
>
>**NOTE: Press `Ctrl + ]]]` to escape the login screen. You'll want to remember this!**
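Review bot: the removed lines `user: \`root\`` and `pass: \`creator\`` documented a default root password shared by every container; dropping them from the docs is right, but the change should also say whether that password is removed or rotated in the container images, because switching the instructions to `machinectl shell` (which bypasses login) does not by itself retire a credential that is still set on the account. The kept NOTE still says "escape the login screen" even though this hunk replaces `machinectl login` with `machinectl shell`; reword it to describe the escape sequence for the `systemd-nspawn -M keys-certs-manager /bin/bash` session, which is where it now applies. Minor: `exit or CTRL+D` should be two code spans (`exit` or `Ctrl + D`) to match the formatting of the following line.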
@@ -40,11 +32,10 @@ pass: `creator`
In this example, we'll view the `strfry` logs.
-- `machinectl login strfry`
-- enter `user` and `pass`
+- `machinectl shell strfry`
- `journalctl -u interceptor.service -f`
->**You can drop the `-f` to view all logs.**
+>**You can drop the `-u interceptor.service` to view all logs for this container.**
Cool, right?
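Review bot: the replaced tip removes the only explanation of `-f` (follow), while the command on the line above still uses it; keep both hints, for example "`-f` follows new output as it arrives; drop `-u interceptor.service` to see all logs for this container."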
@@ -60,6 +51,98 @@ The `relay id` is available in the `url` when visiting the landing page of any r
Try publishing a note to your relay if no one is using them yet. You'll see the magic happen in real-time!
+# SSL Certificate Management
+
+`Relay.tools` uses [Let's Encrypt](https://letsencrypt.org/) for SSL certificates. These are valid for 90 days and are **automatically renewed** by a systemd timer — no manual intervention required.
+
+## How It Works
+
+During `configure.sh`, a certificate is issued via certbot inside the *keys-certs-manager* container. The certificate and private key are combined into a single `bundle.pem` that haproxy uses for TLS.
+
+A systemd timer (`certrenew.timer`) runs twice daily and:
+1. Calls `certbot renew` inside *keys-certs-manager*
+2. Rebuilds `bundle.pem` if the certificate was actually renewed
+3. Reloads haproxy to pick up the new certificate
+
+Certbot only renews when the certificate is within 30 days of expiry, so most runs are quick no-ops.
+
+## Email Notifications (Optional)
+
+If you set `MYEMAIL` before running `configure.sh`, certbot registers with that email and Let's Encrypt will send you expiry warning notifications. The email is also saved to `/srv/relaycreator/.env` as `CERTBOT_EMAIL` for reference.
+
+If you didn't set an email initially and want to add one later, edit `/srv/relaycreator/.env`:
+```
+CERTBOT_EMAIL=you@example.com
+```
+
+>**The email is for Let's Encrypt notifications only.** Renewals work fine without it — certbot handles renewal using its stored account credentials regardless.
+
+## Checking Renewal Status
+
+```
+# Is the timer running?
+systemctl status certrenew.timer
+
+# View renewal logs
+journalctl -u certrenew.service
+
+# Trigger a manual renewal check
+systemctl start certrenew.service
+```
+
+## Troubleshooting Certificates
+
+**Certificate expired?** Trigger a manual renewal:
+```
+systemctl start certrenew.service
+journalctl -u certrenew.service -e
+```
+
+**Timer not running?** Re-enable it:
+```
+systemctl daemon-reload
+systemctl enable --now certrenew.timer
+```
+
+**Need to re-issue from scratch?** Stop haproxy first (certbot standalone needs port 80):
+```
+machinectl terminate haproxy
+systemd-nspawn --pipe -M keys-certs-manager /bin/bash -c \
+ 'certbot certonly --config-dir="/etc/haproxy/certs" \
+ --work-dir="/etc/haproxy/certs" \
+ --logs-dir="/etc/haproxy/certs" \
+ -d "yourdomain.com" --agree-tos \
+ --register-unsafely-without-email \
+ --standalone --preferred-challenges http \
+ --non-interactive'
+```
+Then rebuild `bundle.pem` and start haproxy:
+```
+systemd-nspawn --pipe -M keys-certs-manager /bin/bash -c \
+ 'cat /etc/haproxy/certs/live/yourdomain.com/fullchain.pem \
+ /etc/haproxy/certs/live/yourdomain.com/privkey.pem \
+ > /srv/haproxy/certs/bundle.pem && \
+ chmod 0600 /srv/haproxy/certs/bundle.pem'
+machinectl start haproxy
+```
+
+## Self-Signed Certificates
+
+If you configured with `SELF_SIGNED=yourdomain.com`, a self-signed certificate with very long validity is used instead. The automatic renewal timer is not enabled for self-signed deployments.
+
+# Git Tracking
+
+`Relay.tools` contains a script to keep itself up to date.
+
+You may wish to fork the `relaycreator` repo and maintain your own branch to update at your leisure.
+
+>**Replace `branch_name` and `YOUR.USERNAME` with your own details.**
+```
+cd /srv/relaycreator/
+git remote add -f [branch_name] https://github.com/YOUR.USERNAME/relaycreator
+git checkout -b new [branch_name]/main
+```
+
# Disable Relay Creation
You may wish to disable relay creation, especially if you do not have Lightning set up yet.
@@ -68,4 +151,5 @@ cd /srv/relaycreator/
sudo nano .env
```
- **Change `PAYMENTS_ENABLED=false` to `true`**
-- `machinectl restart relaycreator`
+- `machinectl terminate relaycreator`
+- `machinectl start relaycreator`
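Review bot: the bundle rebuild `cat ... privkey.pem > /srv/haproxy/certs/bundle.pem && chmod 0600 /srv/haproxy/certs/bundle.pem` creates a file containing the private key under the shell's default umask and only then tightens it, so the key is briefly readable at the default mode; put `umask 077` at the start of the same `bash -c` string, or write the bundle with `install -m 0600` from a temporary file, and the same applies to whatever `certrenew.service` runs to rebuild the bundle. The re-issue command passes `--register-unsafely-without-email`; if the account under `/etc/haproxy/certs` is gone (the "from scratch" case), this re-registers without the address the operator set as `MYEMAIL`/`CERTBOT_EMAIL`, so pass `-m` with the value from `/srv/relaycreator/.env` there instead. In "Email Notifications", the step "edit `/srv/relaycreator/.env`" names nothing that reads `CERTBOT_EMAIL` afterwards, and the note two lines later says certbot uses its stored account regardless, so either document the command that applies the new address to the ACME account (`certbot update_account --email ...` with the same `--config-dir`) or state that the `.env` value is informational only. Smaller point: `machinectl terminate relaycreator` kills the container's processes without a shutdown; `machinectl poweroff relaycreator` followed by `machinectl start relaycreator` is the graceful replacement for the old `restart` step.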
diff --git a/images/createrelay.png b/images/createrelay.png
new file mode 100644
index 0000000..be417be
Binary files /dev/null and b/images/createrelay.png differ
diff --git a/images/relaycreation.png b/images/relaycreation.png
new file mode 100644
index 0000000..3ba070c
Binary files /dev/null and b/images/relaycreation.png differ
diff --git a/rt.png b/images/rt.png
similarity index 100%
rename from rt.png
rename to images/rt.png
diff --git a/images/sample.md b/images/sample.md
new file mode 100644
index 0000000..ce01362
--- /dev/null
+++ b/images/sample.md
@@ -0,0 +1 @@
+hello
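Review bot: `images/sample.md` containing only `hello` looks like a placeholder committed to create the `images/` directory; the three PNGs and the renamed `rt.png` in this patch already populate it, so drop this file from the change.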
diff --git a/images/signin.png b/images/signin.png
new file mode 100644
index 0000000..0035def
Binary files /dev/null and b/images/signin.png differ