Test cert-store with nextcloud

services/acme-cert-store.nix

@@ -4,6 +4,7 @@
     isNormalUser = true;
     description = "Read-only access to certs";
     openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
     ];
   };
 

services/cert-store-client.nix

@@ -0,0 +1,21 @@
+{ ... }:
+{
+  services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
+
+  systemd.services.nginx = {
+    wants = [ "mnt-acme.mount" ];
+    after = [ "mnt-acme.mount" ];
+  };
+
+  fileSystems."/mnt/acme" = {
+    device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme";
+    fsType = "sshfs";
+    options = [
+      "nodev"
+      "noatime"
+      "allow_other"
+      "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+    ];
+  };
+}

services/nextcloud.nix

@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 {
-  imports = [ ./acme-dns.nix ];
+  imports = [ ./cert-store-client.nix ];
 
   networking.firewall.allowedTCPPorts = [
     80
@@ -35,8 +35,8 @@
       virtualHosts.${config.services.nextcloud.hostName} = {
         forceSSL = true;
         kTLS = true;
-        enableACME = true;
+        sslCertificate = "/mnt/acme/fullchain.pem";
-        acmeRoot = null;
+        sslCertificateKey = "/mnt/acme/key.pem";
       };
     };
   };