diff --git a/.gitignore b/.gitignore
index 3329d57..e8bbc8a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@ autom4te.cache/**
 config.log
 config.status
 configure
+first-boot.sh
 guix-commit.txt
 id_ed25519
 id_ed25519.pub
diff --git a/Makefile.am b/Makefile.am
index 312e3b6..47d43cf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -39,7 +39,14 @@ guix-commit.txt: Makefile
 		s#LETSENCRYPT_EMAIL#$(LETSENCRYPT_EMAIL)#g ; \
 		s#VM_SSH_PUB_KEY#$(VM_SSH_PUB_KEY)#g" $< > $@
 
+%.sh: %.sh.tmpl guix-commit.txt Makefile
+	sed \
+		"s#DOMAIN#$(DOMAIN)#g ; \
+		s#LETSENCRYPT_EMAIL#$(LETSENCRYPT_EMAIL)#g" $< > $@
+	chmod +x $@
+
 IMAGE_SOURCE = \
+	first-boot.sh \
 	guix-commit.txt \
 	index.html \
 	mumble-vm-machine.scm \
diff --git a/README b/README
index a261991..50492d8 100644
--- a/README
+++ b/README
@@ -11,9 +11,7 @@ it's a good idea to use test domains before deployments.
 
 Once the image is booted:
 - You will need to login inside and run the following command:
-  # certbot certonly --standalone -d audio.experimental.a-lec.org
-  # herd restart nginx
-  # herd restart mumble-server
+  # first-boot.sh
 - You then need to set the root password.
 
 License
diff --git a/first-boot.sh.tmpl b/first-boot.sh.tmpl
new file mode 100644
index 0000000..32d4f9e
--- /dev/null
+++ b/first-boot.sh.tmpl
@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file.  If not, see <http://www.gnu.org/licenses/>.
+set -e
+
+certbot certonly --standalone -d DOMAIN -m LETSENCRYPT_EMAIL
+herd restart mumble-server
+herd restart nginx
\ No newline at end of file
diff --git a/mumble-vm-system.scm.tmpl b/mumble-vm-system.scm.tmpl
index 07cc312..310121c 100644
--- a/mumble-vm-system.scm.tmpl
+++ b/mumble-vm-system.scm.tmpl
@@ -21,6 +21,7 @@
   #:use-module (gnu services telephony)
   #:use-module (gnu services web)
   #:use-module (guix build-system copy)
+  #:use-module (guix build-system gnu)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix utils)
@@ -43,6 +44,32 @@ replicate or contribute to it.")
     (home-page "DOMAIN")
     (license license:gpl3+)))
 
+(define first-boot-script
+  (package
+    (name "first-boot-script")
+    (version "0.1")
+    (source (local-file "first-boot.sh" ))
+    (build-system gnu-build-system)
+    (arguments
+     (list #:tests? #f ;no tests
+           #:phases
+           #~(modify-phases
+              %standard-phases
+              (delete 'build)
+              (delete 'configure)
+              (replace 'install
+                       (lambda _
+                         (chmod "first-boot.sh" #o755)
+                         (install-file
+                          "first-boot.sh"
+                          (string-append (string-append #$output "/bin"))))))))
+    (synopsis "Script to run on first boot.")
+    (description
+     "The first-boot.sh script generates the TLS certificate and restart
+the services after that.")
+    (home-page #f)
+    (license license:gpl3+)))
+
 (define-public %nginx-deploy-hook
   (program-file
    "nginx-deploy-hook"
@@ -71,6 +98,7 @@ replicate or contribute to it.")
    (packages
     (append
      (list certbot
+           first-boot-script
            htop
            iftop
            `(,isc-bind "utils")