Test cert-store with nextcloud
parent
485adefc8d
commit
5d07fa2fd4
3 changed files with 25 additions and 3 deletions
|
@ -4,6 +4,7 @@
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
description = "Read-only access to certs";
|
description = "Read-only access to certs";
|
||||||
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
|
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
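Review bot: The key appended to `openssh.authorizedKeys.keys` carries no key options, so the account described as "Read-only access to certs" gives its holder an interactive shell, port forwarding and SFTP write access rather than read-only access. Prefixing the entry with options would enforce what the description promises while still allowing an sshfs mount, for example `"restrict,command=\"internal-sftp -R\" ssh-ed25519 … nextcloud"`. The list also starts from root's authorized keys without restrictions; that predates this change but deserves a comment saying why. The user definition begins above the hunk, so other limits on the account may exist that are not visible here.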
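--- /dev/null
+++ b/services/cert-store-client.nix
@@ -0,0 +1,21 @@
+{ ... }:
+{
+services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
+
+systemd.services.nginx = {
+wants = [ "mnt-acme.mount" ];
+after = [ "mnt-acme.mount" ];
+};
+
+fileSystems."/mnt/acme" = {
+device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme";
+fsType = "sshfs";
+options = [
+"nodev"
+"noatime"
+"allow_other"
+"IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+];
+};
+}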
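Review bot: `allow_other` without `default_permissions` in the `fileSystems."/mnt/acme"` options lets every local user and service on this host read through the mount with the remote account's rights, and the mount holds the TLS private key that nginx loads. Mounting read-only and letting the kernel enforce ownership narrows that to the one consumer: add `"ro"` and `"default_permissions"`, plus `uid=`/`gid=` options mapped to the account nginx runs as (which account that is cannot be seen from this file). The mount also authenticates with `/etc/ssh/ssh_host_ed25519_key`, so one secret serves as both the machine's server identity and its client credential; a dedicated client key would let either be rotated or revoked independently. A short comment above `options` explaining why `allow_other` is needed would help the next reader.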
|
|
@ -1,6 +1,6 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
{
|
{
|
||||||
imports = [ ./acme-dns.nix ];
|
imports = [ ./cert-store-client.nix ];
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
80
|
80
|
||||||
|
@ -35,8 +35,8 @@
|
||||||
virtualHosts.${config.services.nextcloud.hostName} = {
|
virtualHosts.${config.services.nextcloud.hostName} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
kTLS = true;
|
kTLS = true;
|
||||||
enableACME = true;
|
sslCertificate = "/mnt/acme/fullchain.pem";
|
||||||
acmeRoot = null;
|
sslCertificateKey = "/mnt/acme/key.pem";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
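Review bot: Nothing visible in this change reloads nginx after the certificate under `/mnt/acme` is renewed, so with `enableACME` replaced by static `sslCertificate`/`sslCertificateKey` paths nginx will presumably keep serving the certificate it read at start-up until that one expires. A periodic reload (a systemd timer running `systemctl reload nginx`) would cover this; file-change watchers are unlikely to notice remote updates on an sshfs mount. nginx start-up now also depends on a network mount being present, which the client module expresses only as `wants`, so a failed mount surfaces as an nginx start failure rather than a blocked dependency. A comment above the two new lines, such as `# cert and key come from the cert-store sshfs mount; nginx must be reloaded after each renewal`, would record the dependency. The `virtualHosts` block begins above the hunk.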