Test cert-store with nextcloud

2025-01-20 22:30:30 +02:00 · 2025-01-20 22:30:30 +02:00 · 5d07fa2fd4
commit 5d07fa2fd4
parent 485adefc8d
3 changed files with 25 additions and 3 deletions
--- a/services/acme-cert-store.nix
+++ b/services/acme-cert-store.nix
@ -4,6 +4,7 @@
    isNormalUser = true;
    description = "Read-only access to certs";
    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
    ];
  };

--- a/services/cert-store-client.nix
+++ b/services/cert-store-client.nix
@ -0,0 +1,21 @@
+{ ... }:
+{
+  services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
+
+  systemd.services.nginx = {
+    wants = [ "mnt-acme.mount" ];
+    after = [ "mnt-acme.mount" ];
+  };
+
+  fileSystems."/mnt/acme" = {
+    device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme";
+    fsType = "sshfs";
+    options = [
+      "nodev"
+      "noatime"
+      "allow_other"
+      "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+    ];
+  };
+}
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 {
-  imports = [ ./acme-dns.nix ];
+  imports = [ ./cert-store-client.nix ];

  networking.firewall.allowedTCPPorts = [
    80
@ -35,8 +35,8 @@
      virtualHosts.${config.services.nextcloud.hostName} = {
        forceSSL = true;
        kTLS = true;
-        enableACME = true;
-        acmeRoot = null;
+        sslCertificate = "/mnt/acme/fullchain.pem";
+        sslCertificateKey = "/mnt/acme/key.pem";
      };
    };
  };