First steps, ensure everything on the server is up to date:

sudo apt update && sudo apt upgrade

Then make sure that your hostname is set so you'll be able to access your server over the web, update external DNS records so that LetEncrypt can be used with a free certificate. e.g. ensure that you log into your DNS/domain admin service and make sure your server: moodle.example.com is pointing to your actual server. Without this LetsEncrypt won't be able to run later on.

Install nginx, PHP and LetsEncrypt Client

Install Nginx

sudo apt install nginx

Install php with the extra modules required for Moodle

sudo apt-get install php-fpm php-curl php-gd php-xmlrpc php-intl php-xml php-zip php-soap php-mbstring

Install LetEncrypt Client to secure traffic and login information

sudo apt install letsencrypt

Configure PHP-FPM

Edit PHP-FPM config as per Moodle instructions

sudo nano /etc/php/7.0/fpm/pool.d/www.conf

Uncomment / add the line

security.limit_extensions = .php

Configure nginx

Copy /etc/nginx/site-available/default to a new folder

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/moodle

Edit this config file with sudo nano /etc/nginx/sites-available/moodle - remove all mentions of default_site in the top section, enter /var/www/moodle as the server location and enter your server name.

Remove the comments on the PHP section so it reads as below:

location ~ [^/]\.php(/|$) {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

Enable the site, test the config file, and restart nginx

sudo ln -s /etc/nginx/sites-available/moodle /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx

Configure LetsEncrypt

Now the site is running a Certificate can be requested from LetEncrypt. Run sudo letsencrypt certonly --webroot -w /var/www/moodle -d moodle.example.com

Note the keychain location - something like: /etc/letsencrypt/live/moodle.example.com/fullchain.pem

Edit sudo nano /etc/nginx/snippets/ssl-moodle.example.com.conf

Add the following lines

ssl_certificate /etc/letsencrypt/live/moodle.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/moodle.example.com/privkey.pem;

Now edit sudo nano /etc/nginx/snippets/ssl-params.conf and paste in the following:

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Adjust the /etc/nginx/site-available/moodle file as follows;

server {
        listen 80;
        listen [::]:80;
        server_name YOUR_SERVER_NAME;
        return 301 https://$server_name$request_uri;
}
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        include snippets/ssl-moodle.example.com.conf;
        include snippets/ssl-params.conf;

        root /var/www/moodle;
        index index.html index.htm index.nginx-debian.html index.php;
        
        location / {
                First attempt to serve request as file, then
                as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        location ~ [^/]\.php(/|$) {
                include snippets/fastcgi-php.conf;
                fastcgi_split_path_info  ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }

Get Moodle

Navigate to /var/www with cd /var/www

[I had to move .well-known out of the moodle folder first in order to get git to work - this was then moved back afterwards]

sudo git clone -b MOODLE_32_STABLE git://git.moodle.org/moodle.git

Install Postgres

sudo apt-get install postgresql postgresql-contrib php-pgsql

Use psql to create a new user for Postgres

sudo su - postgres
psql

Create the Moodle database user

CREATE USER moodle WITH PASSWORD 'password';
CREATE DATABASE moodle WITH OWNER moodle;
GRANT ALL PRIVILEGES ON DATABASE moodle to moodle;
\q

Get moodle using git

sudo git clone -b MOODLE_32_STABLE git://git.moodle.org/moodle.git

Create moodledata and cache folder and set permissions for Nginx (www-data)

sudo mkdir /var/moodledata
sudo mkdir /var/cache/moodle
sudo chown www-data:www-data /var/moodledata    
sudo chown www-data:www-data /var/cache/moodle

Set permissions on Moodle directory

 sudo chown -R $USER:$USER /var/www/moodle
 sudo chmod -R 755 /var/www

Navigate to your server address and Moodle should be running... follow through the install instructions and that should be it!