From beadcc53979bde1e83480886b2d83fd21ca90026 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Tue, 14 Apr 2026 22:36:48 +0100
Subject: [PATCH] Use propagation wait instead of disabling ACME DNS check

Disabling the propagation check caused lego to submit to Let's Encrypt before Cloudflare's authoritative nameservers had the TXT record. A 30s wait gives Cloudflare time to propagate.

Co-Authored-By: Claude Opus 4.6
---
 services/nginx.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/nginx.nix b/services/nginx.nix
index b5a1393..09dc65e 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -62,7 +62,8 @@ in
 domain = "*.nordhammer.it";
 extraDomainNames = [ "nordhammer.it" ];
 dnsProvider = "cloudflare";
- dnsPropagationCheck = false;
+ extraLegoRunFlags = [ "--dns.propagation-wait" "30s" ];
+ extraLegoRenewFlags = [ "--dns.propagation-wait" "30s" ];
 credentialFiles = {
 "CF_DNS_API_TOKEN_FILE" = "/var/secrets/cloudflare-token";
 };
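Review bot: The two added flag lists still leave lego's TXT-record lookup switched off. As far as I know, `--dns.propagation-wait` replaces the propagation checks with a fixed sleep rather than re-enabling them, so a validation that needs more than 30s will still be submitted too early, and each failure counts toward Let's Encrypt's failed-validation limit. A comment above the pair would record that for the next reader, e.g. `# fixed 30s sleep in place of lego's TXT propagation check; raise if Cloudflare lags`. If the real check is wanted, leaving `dnsPropagationCheck` at its default and setting `dnsResolver = "1.1.1.1:53";` may be worth trying, though the hunk does not show why the check was disabled in the first place. The certificate attribute set these lines belong to starts and ends outside the hunk.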