add selfsigned cert for nextcloud

test-server/configuration.nix

@@ -104,6 +104,7 @@ in{
     restic
     hdparm
     wireguard-tools
+    openssl
   #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
   #  wget
   ];

test-server/modules/nextcloud.nix

@@ -1,6 +1,17 @@
 { config, pkgs, lib, inputs, ... }:
 {
-        # Enable Nginx
+
+    age.secrets.nextcloud-cert = {
+        file = ../secrets/nextcloud-cert.age;
+        owner = "nginx";
+        group = "nginx";
+    };
+    age.secrets.nextcloud-key = {
+        file = ../secrets/nextcloud-key.age;
+        owner = "nginx";
+        group = "nginx";
+    };
+    # Enable Nginx
     services.nginx = {
         enable = true;
 
@@ -20,13 +31,14 @@
                 ## Force HTTP redirect to HTTPS
                 #forceSSL = true;
 		#sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+		sslCertificate = config.age.secrets.nextcloud-cert.path ;
+		sslCertificateKey = config.age.secrets.nextcloud-key.path ;	
                 ## LetsEncrypt
                 #enableACME = true;
             };
         };
     };
 
-
     age.secrets.nextcloud-admin = {
         file = ../secrets/nextcloud-admin.age;
         owner = "nextcloud";

test-server/secrets/secrets.nix

@@ -8,6 +8,8 @@ in
   "github-runner-pw.age".publicKeys = [ nix-test-vm server ];
   "duckdns.age".publicKeys = [ nix-test-vm server ];
   "nextcloud-admin.age".publicKeys = [ nix-test-vm server ];
+  "nextcloud-cert.age".publicKeys = [ nix-test-vm server ];
+  "nextcloud-key.age".publicKeys = [ nix-test-vm server ];
   "restic-pw.age".publicKeys = [ nix-test-vm server ];
   "wireguard-private.age".publicKeys = [ nix-test-vm server ];
 }

test-server/secrets/selfsigned-cert.sh

@@ -0,0 +1,2 @@
+#! /usr/bin/env bash
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./nc-selfsigned.key -out ./nc-selfsigned.crt