I’m using certbot standalone (in docker), so I configure nginx myself. I use the Mozilla config.
Please confirm whether I understand the process correctly: when certbot is in charge of nginx config, it will download and configure options-ssl-nginx.conf, and so it will always be up to date. But in my case, I am in charge of nginx, so it’s my responsibility to keep it up to date (and ensure it doesn’t clash with the Mozilla config).
Is that file saved somewhere so I can just reference it, or must I actually download it?
If you manage your nginx yourself, you can follow whatever procedures you want to stay up to date with nginx configuration recommendations like Mozilla’s cryptographic recommendations. Certbot and nginx don’t require you to use a particular method, procedure, filename, etc. For example, you could just look at the Mozilla page once a month or once a year and see if anything has changed.
Although Certbot tries to follow Mozilla’s recommendations, there’s no guarantee that Certbot will be faster, or more to your liking, in how it updates when a change in the recommendations happens.
With --standalone you can choose to just regard Certbot as a source of certificates which has no connection to, and no bearing on, the other content of your nginx configuration.
Certbot's default options-ssl-nginx.conf is included with Certbot's source code. The file(s) are part of the installation, somewhere in /usr, not downloaded on demand.
Certbot will automatically copy it to /etc/letsencrypt/ when you use Certbot's Nginx plugin. If you don't modify it, Certbot will automatically update it in the future.
If you want to, you can modify the file as you like.
If you're not using Certbot's Nginx installer, it has zero effect on your life, and it would be a bit tricky to try to use the Certbot Nginx configuration without Certbot managing it.
It changes approximately as often as Mozilla's configuration does. Sometimes the Certbot team make changes to it, sometimes they skip changes Mozilla made.
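For a self-managed nginx, the periodic check suggested in this thread can be scripted as a diff of TLS directives against a reference snippet. The following is an added example, not part of the thread and not Certbot's code; both config samples are constructed and are not the actual contents of options-ssl-nginx.conf or of Mozilla's recommendations.

```python
import re

# Per-site file paths, not TLS policy: excluded from the comparison.
SITE_SPECIFIC = {"ssl_certificate", "ssl_certificate_key",
                 "ssl_trusted_certificate", "ssl_dhparam"}
DIRECTIVE = re.compile(r"^\s*(ssl_\w+)\s+([^;]+);", re.MULTILINE)

# Constructed sample of a self-managed server block.
LOCAL_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # never revisited
    ssl_session_timeout 1d;
    ssl_session_tickets off;
}
"""

# Constructed stand-in for the reference you track (values are illustrative).
REFERENCE_CONF = """
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
"""

def tls_directives(conf_text):
    """Return {directive: normalized value} for ssl_* directives.
    Does not follow nginx `include` lines; pass the flattened config."""
    text = re.sub(r"#.*", "", conf_text)           # drop comments
    found = {}
    for name, raw in DIRECTIVE.findall(text):
        if name in SITE_SPECIFIC:
            continue
        if name == "ssl_protocols":                # order is irrelevant
            found[name] = frozenset(raw.split())
        elif name == "ssl_ciphers":                # order can matter
            found[name] = tuple(raw.strip().strip("\"'").split(":"))
        else:
            found[name] = " ".join(raw.split())
    return found

def drift(local_text, reference_text):
    """Map each differing directive to (local value, reference value)."""
    local, ref = tls_directives(local_text), tls_directives(reference_text)
    return {n: (local.get(n), ref.get(n))
            for n in sorted(set(local) | set(ref)) if local.get(n) != ref.get(n)}

if __name__ == "__main__":
    for name, (mine, ref) in drift(LOCAL_CONF, REFERENCE_CONF).items():
        print(f"{name}: local={mine!r} reference={ref!r}")
```

On a live host, the output of `nginx -T` gives the flattened configuration to pass in as the local text.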