diff --git a/README.md b/README.md
index 160a1e9..5fbe28c 100644
--- a/README.md
+++ b/README.md
@@ -24,3 +24,13 @@ ansible-pull \
 The file ~/.vault_pass.txt contains the cleartext password to the vault
 file where the Dreamhost API key and the Gitea deploy keys are stored
 encrypted.
+
+## Prerequisites
+
+A container called **nginx** should exist, with these packages already installed:
+
+```sh
+lxc exec nginx -- apt -y install nginx certbot python3-certbot-nginx
+```
+
+This container should listen to external connections, in order to allow **Let's Encrypt** certificates to be assigned and renewed. It's strongly suggested to protect it using **fail2ban**, Geo-IP restrictions, or other security measures.
\ No newline at end of file