diff --git a/compose.yml b/compose.yml
index fbee18e..6b79151 100644
--- a/compose.yml
+++ b/compose.yml
@@ -94,7 +94,7 @@ services:
 volumes:
 - ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt
 - ${VOLUME_PATH}/data/certbot/www:/var/www/certbot
- entrypoint: "/bin/sh -c 'trap exit TERM; while [ -f /etc/letsencrypt/live ]; do certbot renew; sleep 12h & wait $${!}; done;'"
+ entrypoint: "/bin/sh -c 'trap exit TERM; while [ -e /etc/letsencrypt/live ]; do certbot renew; sleep 12h & wait $${!}; done;'"
 depends_on:
 init:
 condition: service_completed_successfully
diff --git a/setup.sh b/setup.sh
index 66a3d55..f4a89c0 100755
--- a/setup.sh
+++ b/setup.sh
@@ -1,5 +1,8 @@
 #!/bin/bash
+set -e
+set -x
+
 # set up data & secrets dir with the right ownerships in the default location
 # to stop docker autocreating them with random owners.
 # originally these were checked into the git repo, but that's pretty ugly, so doing it here instead.
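Review bot: `[ -e /etc/letsencrypt/live ]` accepts any path type where `-d` would state what the loop is actually waiting for; setup.sh in this same diff creates `live/$DOMAIN` with `mkdir -p`, which is also why the previous `-f` test (regular file only) could never succeed and the renew loop never executed. Suggest `while [ -d /etc/letsencrypt/live ]; do` plus a comment on the entrypoint, `# renew loop: runs only once setup.sh has created the letsencrypt tree; with mkcert/manual certs nothing creates live/, so the container exits at once`. Since the loop now genuinely runs for the first time, a failing `certbot renew` will show up in this container's logs every 12h instead of being masked by the dead loop, so watch them after the first deploy.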
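Review bot: `set -x` traces every expanded command to stderr for the whole run of an interactive setup script, which is noise for the operator and easy to forget about if sensitive values later flow through this file; gate it on an opt-in variable, `[[ -n "${SETUP_DEBUG:-}" ]] && set -x`. `set -e` on its own still lets unset variables and failed pipeline stages pass silently; the conventional strict mode is `set -euo pipefail`. A one-line comment such as `# abort on the first failing command; SETUP_DEBUG=1 traces commands` would document the intent for the next editor.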
@@ -8,44 +11,49 @@ mkdir -p secrets/{livekit,postgres,synapse}
 # create blank secrets to avoid docker creating empty directories in the host
 touch secrets/livekit/livekit_{api,secret}_key \
- secrets/postgres/postgres_password \
- secrets/synapse/signing.key
+ secrets/postgres/postgres_password \
+ secrets/synapse/signing.key
 # grab an env if we don't have one already
 if [[ ! -e .env ]]; then
- cp .env-sample .env
+ cp .env-sample .env
- sed -ir s/^USER_ID=/USER_ID=$(id -u)/ .env
- sed -ir s/^GROUP_ID=/GROUP_ID=$(id -g)/ .env
+ sed -ir s/^USER_ID=/USER_ID=$(id -u)/ .env
+ sed -ir s/^GROUP_ID=/GROUP_ID=$(id -g)/ .env
- read -p "Enter base domain name (e.g. example.com): " DOMAIN
- sed -ir s/^example.com/$DOMAIN/ .env
+ read -p "Enter base domain name (e.g. example.com): " DOMAIN
+ sed -ir s/^example.com/$DOMAIN/ .env
- # SSL setup
- mkdir -p data/ssl
- read -p "Use local mkcert CA for SSL? [y/n]" use_mkcert
- if [[ use_mkcert =~ ^[Yy]$ ]]; then
- if [[ ! -x mkcert ]]; then
- echo "Please install mkcert from brew/apt/yum etc"
- exit
- fi
- mkcert -install
- mkcert $DOMAIN '*.'$DOMAIN
- mv ${DOMAIN}+1.pem data/ssl/fullchain.pem
- mv ${DOMAIN}+1-key.pem data/ssl/privkey.pem
- cp "$(mkcert -CAROOT)"/rootCA.pem data/ssl/ca-certificates.crt
- # borrow letsencrypt's SSL config
- curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "data/ssl/options-ssl-nginx.conf"
- curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "data/ssl/ssl-dhparams.pem"
- else
- read -p "Use letsencrypt for SSL? [y/n]" use_letsencrypt
- if [[ use_letsencrypt =~ ^[Yy]$ ]]; then
- mkdir -p data/certbot/{conf,www}
- ln -s data/ssl data/certbot/conf/live/$DOMAIN
- touch data/ssl/ca-certificates.crt # will get overwritten by init-letsencrypt.sh
- exec scripts/init-letsencrypt.sh
- else
- echo "Please put a valid {privkey,fullchain}.pem and ca-certificates.crt into data/ssl/"
- fi
- fi
+ # SSL setup
+ mkdir -p data/certbot/{conf,www} # stop broken binds
+ read -p "Use local mkcert CA for SSL? [y/n] " use_mkcert
+ if [[ use_mkcert =~ [Yy] ]]; then
+ if [[ ! -x mkcert ]]; then
+ echo "Please install mkcert from brew/apt/yum etc"
+ exit
+ fi
+ mkcert -install
+ mkcert $DOMAIN '*.'$DOMAIN
+ mkdir -p data/ssl
+ mv ${DOMAIN}+1.pem data/ssl/fullchain.pem
+ mv ${DOMAIN}+1-key.pem data/ssl/privkey.pem
+ cp "$(mkcert -CAROOT)"/rootCA.pem data/ssl/ca-certificates.crt
+ # borrow letsencrypt's SSL config
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "data/ssl/options-ssl-nginx.conf"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "data/ssl/ssl-dhparams.pem"
+ else
+ read -p "Use letsencrypt for SSL? [y/n] " use_letsencrypt
+ if [[ use_letsencrypt =~ [Yy] ]]; then
+ mkdir -p data/certbot/conf/live/$DOMAIN
+ if [[ ! -L data/ssl ]]; then
+ ln -s ../data/certbot/conf/live/$DOMAIN data/ssl
+ fi
+ touch data/ssl/ca-certificates.crt # will get overwritten by init-letsencrypt.sh
+ exec ./init-letsencrypt.sh
+ else
+ echo "Please put a valid {privkey,fullchain}.pem and ca-certificates.crt into data/ssl/"
+ fi
+ fi
+else
+ echo ".env already exists; move it out of the way first to re-setup"
 fi
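Review bot: The two prompt checks never look at what the user typed: `[[ use_mkcert =~ [Yy] ]]` and `[[ use_letsencrypt =~ [Yy] ]]` match the regex against the literal variable names (the `$` is missing), and because the name `use_letsencrypt` contains a `y` while `use_mkcert` does not, the letsencrypt branch is taken unconditionally and the mkcert branch is unreachable — dropping the old `^…$` anchors turned an always-false test into an always-true one. Change them to `if [[ $use_mkcert =~ ^[Yy]$ ]]; then` and `if [[ $use_letsencrypt =~ ^[Yy]$ ]]; then`. In the same hunk, the `curl -s` downloads of the nginx TLS settings should be `curl -fsS` so an HTTP error aborts under `set -e` instead of writing an error page into `options-ssl-nginx.conf`, and fetching them from the unpinned `master` branch means the TLS policy installed here is whatever upstream ships at install time — pin a release tag or commit. The bare `exit` in the missing-mkcert branch returns success; it should be `exit 1`.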