Add phased nginx setup for bilhej.se TLS on srvr.nu.

First-time host nginx setup needs HTTP-only vhost before certbot can
issue certs; the full bilhej.nginx.conf 443 block fails nginx -t until
those files exist.

- Add docker/bilhej.nginx.http.conf for ACME phase
- Reorder README one-time setup: HTTP vhost, certbot, then full config

README.md

@@ -285,9 +285,18 @@ Before the first deploy, complete these steps on the production server (`srvr.nu
 
    Set `bilhej.se` (and `www.bilhej.se`) A record to the server's public IP.
 
-3. **Obtain SSL Certificate**
+3. **Add HTTP-only Nginx vhost** (required before certs exist)
 
-   Run certbot in the nginx container:
+   The full [`docker/bilhej.nginx.conf`](docker/bilhej.nginx.conf) references TLS files that do not
+   exist yet. Deploy the HTTP-only config first:
+
+   ```bash
+   docker cp docker/bilhej.nginx.http.conf nginx:/etc/nginx/conf.d/bilhej.conf
+   docker exec nginx nginx -t
+   docker exec nginx nginx -s reload
+   ```
+
+4. **Obtain SSL Certificate**
 
    ```bash
    docker exec certbot certbot certonly \
@@ -295,12 +304,11 @@ Before the first deploy, complete these steps on the production server (`srvr.nu
      -d bilhej.se -d www.bilhej.se
    ```
 
-4. **Add Nginx Config**
+5. **Enable HTTPS proxy to the frontend**
-
-   Copy the Bilhej server block into the nginx container:
 
    ```bash
    docker cp docker/bilhej.nginx.conf nginx:/etc/nginx/conf.d/bilhej.conf
+   docker exec nginx nginx -t
    docker exec nginx nginx -s reload
    ```
 

docker/bilhej.nginx.http.conf

@@ -0,0 +1,15 @@
+# Phase 1: HTTP only — use before Let's Encrypt certs exist.
+# After certbot, replace with bilhej.nginx.conf (includes HTTPS).
+
+server {
+    listen 80;
+    server_name bilhej.se www.bilhej.se;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}