Notes
Let's Encrypt / certbot:
- Nginx must run on port 80 for it to work, otherwise you will get HTTP 404 errors when it tries to perform the challenge.
- There are various instructions about getting it to work on non-standard ports; we'll see if they work when my renewal comes up!
- Renewal is handled through a systemd timer. To see it, run: systemctl list-timers --all (the timers are in /etc/systemd/system/*.timer)
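
For the port 80 note above, a minimal Nginx server block that answers the challenge on port 80 and redirects everything else to HTTPS. This is an added example, not configuration from these notes. It assumes certbot's webroot mode (certbot certonly --webroot -w /var/www/letsencrypt -d example.com); example.com and /var/www/letsencrypt are placeholders.

```nginx
# Added example; server_name and the webroot path are assumed placeholders.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # certbot's webroot mode writes challenge files under
    # <webroot>/.well-known/acme-challenge/, so serve only that path over HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # All other HTTP requests are redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Check the file with nginx -t before reloading; certbot renew --dry-run exercises the same challenge path without issuing a certificate.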