From 476379f4e460ff9396a161bb2dc3f646297e8c1b Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Tue, 7 Apr 2026 17:16:07 +0100
Subject: [PATCH] Fix ACME: add 30s propagation wait and re-enable full DNS check

The previous dnsPropagationCheck=false caused lego to ask LE to validate before the TXT record was globally visible. Adding --dns.propagation-wait gives Cloudflare time to serve the record from all edge locations.

Co-Authored-By: Claude Sonnet 4.6
---
 services/nginx.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/services/nginx.nix b/services/nginx.nix
index 2d1eea6..fb8f7e6 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -64,7 +64,9 @@ in
 domain = "*.nordhammer.it";
 extraDomainNames = [ "nordhammer.it" ];
 dnsProvider = "cloudflare";
- dnsPropagationCheck = false;
+ # Wait 30s after creating the TXT record before asking LE to validate
+ extraLegoRunFlags = [ "--dns.propagation-wait" "30s" ];
+ extraLegoRenewFlags = [ "--dns.propagation-wait" "30s" ];
 credentialFiles = {
 "CF_DNS_API_TOKEN_FILE" = "/var/secrets/cloudflare-token";
 };
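Review bot: The added `--dns.propagation-wait` entries on the `extraLegoRunFlags` and `extraLegoRenewFlags` lines most likely do not "re-enable the full DNS check" as the commit title states; as far as I recall lego's flag semantics, a non-zero `--dns.propagation-wait` skips the pre-validation propagation check and performs a fixed sleep instead, so removing `dnsPropagationCheck = false` restores the NixOS default only for lego to bypass it again via this flag. Confirm against the deployed lego version's `--help`, and if a fixed wait is the intended behaviour, reword the new comment so it does not promise a check that is not run, e.g. `# Fixed 30s wait in place of the propagation check (lego --dns.propagation-wait)`. The run and renew lists duplicate the same value; a `let` binding such as `propagationWait = [ "--dns.propagation-wait" "30s" ];` referenced from both would keep the two paths from drifting apart. The enclosing attribute set starts and ends outside the hunk.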