Comment by mxuribe
I have not automated much of my setup...but for the nginx and certbot portion, I think there is an option you can choose to have certbot NOT alter your nginx config (basically, leave it as-is)...and because the change that certbot applies (if I recall correctly) is really only to insert the location(s) of the cert files under like /etc...I think you can apply the cert location initially in your nginx config, have certbot do its thing, then have it not change your config, and proceed. If nginx complains about having the cert locations present in the config file when the certs technically don't exist yet (since certbot has not done its thing at this stage)...then there's always the not-sophisticated method of starting with your nginx config without those cert locations, then having certbot alter your config, then having one of your automated steps re-replace the config with one that has all your needs plus the expected certbot cert location paths inserted...like I said, not sophisticated, but it would work. I'm sure there are several other ways to do this beyond what I noted. ;-)
As you say, nginx does complain about the cert files not existing, so that's pretty close to what I do. I just start with the non-SSL version, let certbot do its thing, and then copy the result after it's deployed (if I remember). It's mildly annoying, but it takes about 2 minutes in total, so it's been like that for 2 years now.
I'm sure there's something smarter I can do, like reading back the result afterwards or something and altering my local file. But honestly, once nginx is configured for an application, I almost never touch the config again anyway.
I suspect I'm more likely to move everything over to Cloudflare Tunnels and ditch dealing with SSL locally altogether at this point.
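The two-stage flow the thread describes (an HTTP-only config first, then certbot, then the final config with the cert paths) can be scripted so that certbot never edits the nginx config at all. The script below is an added example written for this thread, not code from either commenter. It assumes hypothetical Debian-style paths (`/etc/nginx/conf.d`, a `/var/www/letsencrypt` webroot), that certbot writes certs to its default `/etc/letsencrypt/live/<domain>/` layout, that nginx is reloaded with `nginx -s reload`, and an assumed upstream application on `127.0.0.1:8080`. `certbot certonly --webroot` only obtains the certificate; the script, not certbot, owns the nginx config, and it runs `nginx -t` before every reload so a config that references not-yet-existing cert files is caught before it is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): two-stage nginx + certbot bootstrap.
# Stage "bootstrap": HTTP-only server block that serves the ACME webroot so
# certbot can complete http-01 without touching the nginx config.
# Stage "tls": the final config referencing the cert paths certbot writes.
# Assumed (hypothetical) paths: Debian-style nginx layout, certbot's default
# /etc/letsencrypt/live/<domain>/ directory, reload via `nginx -s reload`.
set -eu

WEBROOT="/var/www/letsencrypt"   # assumed ACME challenge directory
CONF_DIR="/etc/nginx/conf.d"     # assumed nginx include directory

# render_conf DOMAIN STAGE -> prints the server block(s) for that stage
render_conf() {
  domain=$1
  stage=$2
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    # Keep the challenge path on plain HTTP at every stage so renewals work.
    location /.well-known/acme-challenge/ {
        root ${WEBROOT};
    }
EOF
  if [ "$stage" = "bootstrap" ]; then
    # No cert paths yet: nginx would refuse to start if they were referenced.
    cat <<EOF
    location / {
        return 503;
    }
}
EOF
    return 0
  fi
  cat <<EOF
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name ${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed upstream application
    }
}
EOF
}

# install_conf DOMAIN STAGE -> writes the config, validates it, reloads nginx
install_conf() {
  render_conf "$1" "$2" > "${CONF_DIR}/$1.conf"
  nginx -t          # refuse to reload a config nginx rejects (e.g. missing certs)
  nginx -s reload
}

# deploy DOMAIN EMAIL -> full flow: bootstrap -> certbot certonly -> tls
deploy() {
  domain=$1
  email=$2
  mkdir -p "$WEBROOT"
  install_conf "$domain" bootstrap
  # certonly + --webroot obtains the cert without certbot editing nginx config.
  certbot certonly --webroot -w "$WEBROOT" -d "$domain" \
    --non-interactive --agree-tos -m "$email"
  install_conf "$domain" tls
}

# Only run the deployment when invoked explicitly:
#   ./deploy-tls.sh deploy example.com admin@example.com
if [ "${1:-}" = "deploy" ]; then
  deploy "$2" "$3"
fi
```

Because the final config is rendered from the script rather than copied back from whatever certbot produced, the same file can be re-applied idempotently on every deploy, and renewals (`certbot renew` plus a reload hook) keep working because the ACME challenge location stays on port 80 in the TLS stage.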