Two Nextcloud Instances Backed by Vault PKI

25.11.2025

nextcloud vault pki infra

Why I Want Two Nextclouds

I don’t just want “a cloud drive”. I want:

one test instance where I can break things,
one prod instance where I store real personal data.

Both should:

be fronted by my proxies,
use TLS certificates from my Vault PKI,
and eventually consume secrets from Vault.

High-Level Layout

[ Internet ]
   │
   ▼
[ mainproxy ] ──► [ proxytest ] ──► [ Nextcloud test ]
            └─► [ proxyprod ] ──► [ Nextcloud prod ]

Each Nextcloud instance runs under appuser (or separate users if I want).
TLS for each domain comes from:
pki-test for test,
pki-prod for prod.

Where Vault Fits

Vault issues:

server certs for the Nextcloud domains,
possibly DB credentials or other secrets for the app containers.

I like the idea that even my personal cloud is tied into the same PKI as Vault and the proxies. It makes the whole platform feel coherent.