add acme cert to nextcloud

2023-12-08 16:49:34 +01:00
parent 65d61bf3eb
commit e696c25f90
2 changed files with 20 additions and 18 deletions
--- a/laptop/main.nix
+++ b/laptop/main.nix
@@ -109,6 +109,20 @@
  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;

+  security.pki.certificates = [ ''
+-----BEGIN CERTIFICATE-----
+MIIBjTCCATKgAwIBAgIRAMVH2+JHZ3wm2fLUlKjTYDswCgYIKoZIzj0EAwIwJDEM
+MAoGA1UEChMDS29wMRQwEgYDVQQDEwtLb3AgUm9vdCBDQTAeFw0yMzEyMDgxNDUx
+MTZaFw0zMzEyMDUxNDUxMTZaMCQxDDAKBgNVBAoTA0tvcDEUMBIGA1UEAxMLS29w
+IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdZBOkNynShXipzhuX
+f6dUByD3chNupNWsagYC5AlPRJT9fAeHEIK/bxWkFwRtLBDopWvBu9lHahBgpHc7
+y7rTo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNV
+HQ4EFgQU9AVtwipW5HDBLfZRH1KZCnIKCfowCgYIKoZIzj0EAwIDSQAwRgIhAMHj
+AipNdhQKIYPvMt/h1uW4xP3NTkitnmshM09+rIasAiEAlSalGddXDkqJBHhPD+Fr
+gpuVkfVkA8gQCXNs5F9TnxA=
+-----END CERTIFICATE-----
+  ''];
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -1,19 +1,11 @@
 { config, pkgs, lib, inputs, vars, ... }:
 let
  wireguardIp = vars.wireguardIp;
+  fqdn = "nextcloud.local";
+  useHttps = config.services.step-ca.enable;
 in
 {
-    age.secrets.nextcloud-cert = {
-        file = ../secrets/nextcloud-cert.age;
-        owner = "nginx";
-        group = "nginx";
-    };
-    age.secrets.nextcloud-key = {
-        file = ../secrets/nextcloud-key.age;
-        owner = "nginx";
-        group = "nginx";
-    };
-   # Enable Nginx
+    security.acme.certs."${fqdn}".server = "https://127.0.0.1:8443/acme/acme/directory";
    services.nginx = {
        enable = true;

@@ -28,18 +20,14 @@ in

        # Setup Nextcloud virtual host to listen on ports
        virtualHosts = {
-            "nextcloud.local" = {
+            "${fqdn}" = {
              serverAliases = [ wireguardIp ];
                ## Force HTTP redirect to HTTPS
-                forceSSL = true;
+                forceSSL = useHttps;
+                enableACME = useHttps;
                locations."~ \\.php(?:$|/)".extraConfig = ''
                  client_max_body_size 5G;
                '';
-                #sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-                sslCertificate = config.age.secrets.nextcloud-cert.path;
-                sslCertificateKey = config.age.secrets.nextcloud-key.path;
-                ## LetsEncrypt
-                #enableACME = true;
            };
        };
    };