feat: step ca for nextcloud

2025-04-26 21:09:10 +08:00 · 2025-04-26 21:09:10 +08:00 · d6e8e23d3b
commit d6e8e23d3b
parent b655f6ad4e
7 changed files with 110 additions and 45 deletions
--- a/system/dev/dn-server/nextcloud.nix
+++ b/system/dev/dn-server/nextcloud.nix
@ -4,6 +4,19 @@
  lib,
  ...
 }:
+let
+  acmeWebRoot = "/var/www/nextcloud.net.dn/html/";
+
+  certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
+    ${pkgs.certbot}/bin/certbot certonly --webroot \
+    --webroot-path ${acmeWebRoot} -v \
+    -d nextcloud.net.dn \
+    --server https://ca.net.dn:8443/acme/acme/directory \
+    -m admin@mail.net.dn
+
+    chown nginx:nginx -R /etc/letsencrypt
+  '';
+in
 {
  imports = [
    "${
@ -97,6 +110,41 @@
    exiftool
  ];

+  services.nginx = {
+    virtualHosts = {
+      ${config.services.nextcloud.hostName} = {
+        listen = lib.mkForce [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+        ];
+
+        locations."^~ /.well-known/acme-challenge/" = {
+          root = "/var/www/nextcloud.net.dn/html";
+          extraConfig = ''
+            default_type "text/plain";
+          '';
+        };
+
+        forceSSL = true;
+        sslCertificate = "/etc/letsencrypt/live/nextcloud.net.dn/fullchain.pem";
+        sslCertificateKey = "/etc/letsencrypt/live/nextcloud.net.dn/privkey.pem";
+
+        extraConfig = ''
+          ssl_protocols TLSv1.2 TLSv1.3;
+          ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
+          ssl_prefer_server_ciphers on;
+        '';
+      };
+    };
+  };
+
  systemd.timers."nextcloud-backup" = {
    enable = true;
    description = "Nextcloud backup";
@ -148,4 +196,5 @@
        "${script}/bin/backup";
    };
  };
+
 }