I’m trying to set up a self-hosted nextcloud in a container with https.
I followed loosely this guide, except I decided to use a nixos container.
So I have in my host configuration
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "venet0";
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
  };
  networking.firewall.allowedTCPPorts = [ 443 ];
  containers = {
    nextcloud = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.11";
      hostAddress6 = "fc00::1";
      localAddress6 = "fc00::2";
      forwardPorts = [{
        protocol = "tcp";
        hostPort = 443;
        containerPort = 443;
      }];
      config = import ./nextcloud.nix;
    };
  };
And in the imported nextcloud.nix:
  {
    ...
    security.acme = {
      acceptTerms = true;
      defaults.email = email; # variable contains email
    };
    services.nginx = {
      enable = true;
      # Use recommended settings
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # Only allow PFS-enabled ciphers with AES256
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
      # Setup Nextcloud virtual host to listen on ports
      virtualHosts = {
        "${domain}" = {
          forceSSL = true;
          enableACME = true;
        };
      };
    };
    services.nextcloud = { ... };
    services.postgresql = { ... };
    networking.firewall.allowedTCPPorts = [ 443 ];
    system.stateVersion = "23.05";
  }
Unfortunately, I get an error when the server tries to get https certificates:
2023/02/18 18:36:58 Could not create client: get directory at ‘https://acme-v02.api.letsencrypt.org/directory’: Get “https://acme-v02.api.letsencrypt.org/directory”: dial tcp: lookup acme-v02.api.letsencrypt.org: Temporary failure in name resolution
Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start.
I’ve seen a few similar threads here (example) as well as this issue, but they don’t seem to be causing my problem, and the workaround supplied there (ensure acme services start after others) doesn’t seem to work for me.