From 5d07fa2fd45cfb6b34b9cddb89a9c0c4ce6befdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Mon, 20 Jan 2025 22:30:30 +0200
Subject: [PATCH] Test cert-store with nextcloud
---
 services/acme-cert-store.nix | 1 +
 services/cert-store-client.nix | 21 +++++++++++++++++++++
 services/nextcloud.nix | 6 +++---
 3 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 services/cert-store-client.nix
diff --git a/services/acme-cert-store.nix b/services/acme-cert-store.nix
index 109a3e8..7f05bb8 100644
--- a/services/acme-cert-store.nix
+++ b/services/acme-cert-store.nix
@@ -4,6 +4,7 @@
 isNormalUser = true;
 description = "Read-only access to certs";
 openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
 ];
 };
diff --git a/services/cert-store-client.nix b/services/cert-store-client.nix
new file mode 100644
index 0000000..7b33913
--- /dev/null
+++ b/services/cert-store-client.nix
@@ -0,0 +1,21 @@
+{ ... }:
+{
+ services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
+ systemd.services.nginx = {
+ wants = [ "mnt-acme.mount" ];
+ after = [ "mnt-acme.mount" ];
+ };
+ fileSystems."/mnt/acme" = {
+ device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme";
+ fsType = "sshfs";
+ options = [
+ "nodev"
+ "noatime"
+ "allow_other"
+ "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+ ];
+ };
+}
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index 5d9041c..72cf342 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 {
- imports = [ ./acme-dns.nix ];
+ imports = [ ./cert-store-client.nix ];
 networking.firewall.allowedTCPPorts = [ 80
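Review bot: The key added to the cert-store user's authorized_keys carries no options, so whoever holds it gets an ordinary SSH session as cert-store, not the read-only file access the `description` line above it promises. Since the consumer only needs the sftp subsystem, restrict the entry to that: `"restrict,from=\"<nextcloud-host-address>\",command=\"internal-sftp -R\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"` (the address is a placeholder). The context line also concatenates root's authorized keys onto this user, so every root admin key can fetch the stored private keys as well; that predates this patch but deserves a comment such as `# NOTE: root's keys are also accepted here and can read the private keys`. The user definition this hunk edits begins outside the hunk.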
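Review bot: `allow_other` without `default_permissions` in the /mnt/acme options lets any local account on this host read `/mnt/acme/key.pem`: FUSE performs no permission check of its own unless default_permissions is set, and sshfs carries out every read on the store as cert-store, so the mode bits shown on the remote file are not enforced locally. Add `"default_permissions"` and map ownership to whichever account nginx reads the certificate as (`"uid=<nginx-uid>"`/`"gid=<nginx-gid>"`, placeholders) rather than opening the mount to everyone, and add `"ro"` since nothing here should write to the store. The mount is also missing `"_netdev"` and `"reconnect"`, so systemd may attempt it before the network is up and a dropped SSH session will not recover. Reusing the host's own ssh_host_ed25519_key as the IdentityFile ties the host identity to the cert-store credential; a dedicated key pair for this purpose is easier to rotate and revoke on the store side.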
@@ -35,8 +35,8 @@
 virtualHosts.${config.services.nextcloud.hostName} = {
 forceSSL = true;
 kTLS = true;
- enableACME = true;
- acmeRoot = null;
+ sslCertificate = "/mnt/acme/fullchain.pem";
+ sslCertificateKey = "/mnt/acme/key.pem";
 };
 };
 };
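Review bot: Replacing `enableACME` with file paths on the sshfs mount drops the reload nginx previously received after each renewal, so when the store renews fullchain.pem this host keeps serving the old certificate from nginx's in-memory copy until something reloads it, and the `wants`/`after` ordering in cert-store-client.nix only covers startup. Unless a reload already exists outside this patch, add a periodic trigger, e.g. a systemd timer running `systemctl reload nginx.service`; a path unit watching the mount is unlikely to fire for changes made on the remote side of an sshfs mount. A comment above the two new lines would help the next reader, e.g. `# certs are renewed on cert-store; nginx must be reloaded to pick up a new one`. The enclosing services.nginx attribute set starts outside the hunk.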