rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix ACME: add 30s propagation wait and re-enable full DNS check

Browse source 
The previous dnsPropagationCheck=false caused lego to ask LE to validate
before the TXT record was globally visible. Adding --dns.propagation-wait
gives Cloudflare time to serve the record from all edge locations.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-04-07 17:16:07 +01:00
parent b27d2913e8
commit 476379f4e4
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
services/nginx.nix
View file

@ -64,7 +64,9 @@ in
domain = "*.nordhammer.it"; domain = "*.nordhammer.it";
extraDomainNames = [ "nordhammer.it" ]; extraDomainNames = [ "nordhammer.it" ];
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
dnsPropagationCheck = false; # Wait 30s after creating the TXT record before asking LE to validate
extraLegoRunFlags = [ "--dns.propagation-wait" "30s" ];
extraLegoRenewFlags = [ "--dns.propagation-wait" "30s" ];
credentialFiles = { credentialFiles = {
"CF_DNS_API_TOKEN_FILE" = "/var/secrets/cloudflare-token"; "CF_DNS_API_TOKEN_FILE" = "/var/secrets/cloudflare-token";
}; };