From 6ae3f8be973eeaafef3ed16134615f8f087927de Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Tue, 14 Apr 2026 22:38:20 +0100
Subject: [PATCH] Use Cloudflare resolver for ACME DNS propagation check

Route DNS propagation checks through 1.1.1.1 only, bypassing the local resolver that caches stale responses and causes wildcard cert DNS-01 challenges to time out.

Co-Authored-By: Claude Opus 4.6
---
 services/nginx.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/services/nginx.nix b/services/nginx.nix
index 09dc65e..b26dfea 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -62,8 +62,8 @@ in
 domain = "*.nordhammer.it";
 extraDomainNames = [ "nordhammer.it" ];
 dnsProvider = "cloudflare";
- extraLegoRunFlags = [ "--dns.propagation-wait" "30s" ];
- extraLegoRenewFlags = [ "--dns.propagation-wait" "30s" ];
+ extraLegoRunFlags = [ "--dns.resolvers" "1.1.1.1:53" ];
+ extraLegoRenewFlags = [ "--dns.resolvers" "1.1.1.1:53" ];
 credentialFiles = {
 "CF_DNS_API_TOKEN_FILE" = "/var/secrets/cloudflare-token";
 };
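Review bot: The new `--dns.resolvers` value on both the `extraLegoRunFlags` and `extraLegoRenewFlags` lines pins the propagation check to a single resolver over plain DNS, so issuance and renewal now fail outright whenever this host cannot reach 1.1.1.1:53 (for example behind an egress-filtered firewall), a path the previous configuration never depended on; list a second resolver as well, e.g. `extraLegoRunFlags = [ "--dns.resolvers" "1.1.1.1:53" "--dns.resolvers" "1.0.0.1:53" ];` (lego treats the flag as a list, but confirm the pinned lego version accepts repeated or comma-separated values). Note too that recent lego releases document the removed `--dns.propagation-wait` as disabling the propagation check entirely in favour of a fixed sleep, so if that applies to the version in use, this hunk also re-enables the recursive and authoritative TXT checks rather than merely redirecting them, which the commit message does not say. Because the reason for bypassing the system resolver exists only in the commit message, add a comment above the first flag line such as `# Query a public resolver: the local caching resolver serves stale TXT records and makes DNS-01 for the wildcard time out.` The enclosing attribute set starts and ends outside the hunk, and the two now-identical flag lists could share one `let` binding.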