Two Nextcloud Instances Backed by Vault PKI
Why I Want Two Nextclouds
I don't just want "a cloud drive". I want:
- one test instance where I can break things,
- one prod instance where I store real personal data.
Both should:
- be fronted by my proxies,
- use TLS certificates from my Vault PKI,
- and eventually consume secrets from Vault.
High-Level Layout
[ Internet ]
     |
     v
[ edge gateway ] --> [ test proxy ] --> [ Nextcloud test ]
                 --> [ prod proxy ] --> [ Nextcloud prod ]
- Each Nextcloud instance runs under appuser (or separate users if I want).
- TLS for each domain comes from:
  - one environment-specific PKI mount for test,
  - one environment-specific PKI mount for prod.
Where Vault Fits
Vault issues:
- server certs for the Nextcloud domains,
- possibly DB credentials or other secrets for the app containers.
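As an added example (not part of the original notes), here is how the two environment-specific PKI mounts and the server-cert issuance for the Nextcloud domains could be scripted against the Vault CLI. The mount names pki-test and pki-prod, the role name nextcloud, and the zones test.example.lab / prod.example.lab are assumptions for illustration; the domain_allowed function is a local pre-check that mirrors the role's allowed_domains restriction, so a prod name is never even sent to the test mount (and vice versa).

```shell
#!/bin/sh
# Added example: one Vault PKI mount per Nextcloud environment.
# Assumed names: mounts pki-test / pki-prod, role "nextcloud",
# DNS zones test.example.lab / prod.example.lab (placeholders).

# Which PKI mount serves an environment. Keeping the mounts separate means
# the test CA can never sign a name the prod proxy will trust.
pki_mount_for() {
  case "$1" in
    test) echo "pki-test" ;;
    prod) echo "pki-prod" ;;
    *) return 1 ;;
  esac
}

# DNS zone each environment's role is allowed to issue for.
allowed_suffix_for() {
  case "$1" in
    test) echo "test.example.lab" ;;
    prod) echo "prod.example.lab" ;;
    *) return 1 ;;
  esac
}

# Local mirror of the role's allowed_domains + allow_subdomains check:
# the requested name must sit under the environment's own zone.
domain_allowed() {
  envname="$1"; name="$2"
  suffix="$(allowed_suffix_for "$envname")" || return 1
  case "$name" in
    *."$suffix") return 0 ;;
    *) return 1 ;;
  esac
}

# One-time setup per environment. Needs VAULT_ADDR/VAULT_TOKEN in the env.
# A root CA per mount keeps the lab simple; an intermediate signed by a
# shared root is the usual production layout.
setup_pki() {
  envname="$1"
  mount="$(pki_mount_for "$envname")" || return 1
  suffix="$(allowed_suffix_for "$envname")"
  vault secrets enable -path="$mount" pki
  vault secrets tune -max-lease-ttl=8760h "$mount"
  vault write "$mount/root/generate/internal" \
    common_name="nextcloud $envname CA" ttl=8760h
  vault write "$mount/roles/nextcloud" \
    allowed_domains="$suffix" allow_subdomains=true \
    allow_bare_domains=false max_ttl=720h
}

# Issue a short-lived server cert for one Nextcloud host through its own mount.
issue_cert() {
  envname="$1"; name="$2"
  if ! domain_allowed "$envname" "$name"; then
    echo "refusing: $name is outside the $envname zone" >&2
    return 1
  fi
  mount="$(pki_mount_for "$envname")"
  vault write -format=json "$mount/issue/nextcloud" common_name="$name" ttl=720h
}

# Only talk to Vault when explicitly asked, so the functions above can be
# sourced and checked offline.
if [ "${RUN_VAULT_SETUP:-0}" = "1" ]; then
  setup_pki test && setup_pki prod
  issue_cert test cloud.test.example.lab
  issue_cert prod cloud.prod.example.lab
fi
```

The pre-check is defence in depth, not a replacement for the role: Vault itself enforces allowed_domains on the issue path, but rejecting a cross-environment name before the call makes a misconfigured deploy script fail loudly on the proxy side rather than silently succeed if a role is ever widened.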
I like the idea that even my personal cloud is tied into the same PKI as Vault and the proxies. It makes the whole platform feel coherent.