From fb8f75e9c794933489a07625579171da3a8a94f4 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Tue, 14 Apr 2026 22:48:58 +0100
Subject: [PATCH] Increase ACME DNS propagation timeout to 10 minutes

Cloudflare's authoritative nameservers take longer than the default 2-minute timeout to propagate TXT records created via API. Set CLOUDFLARE_PROPAGATION_TIMEOUT=600 to give enough time for DNS-01 challenge validation.

Co-Authored-By: Claude Opus 4.6
---
 services/nginx.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/services/nginx.nix b/services/nginx.nix
index 4a4bcfe..b0ba787 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -62,13 +62,15 @@ in
 domain = "*.nordhammer.it";
 extraDomainNames = [ "nordhammer.it" ];
 dnsProvider = "cloudflare";
- extraLegoFlags = [ "--dns.resolvers" "1.1.1.1:53" ];
 credentialFiles = {
 "CF_DNS_API_TOKEN_FILE" = "/var/secrets/cloudflare-token";
 };
 };
 };
+ # Give Cloudflare authoritative NS more time to propagate TXT records
+ systemd.services."acme-order-renew-nordhammer.it".environment.CLOUDFLARE_PROPAGATION_TIMEOUT = "600";
+
 users.users.nginx.extraGroups = [ "acme" ];
 services.nginx = {
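Review bot: The deleted `extraLegoFlags = [ "--dns.resolvers" "1.1.1.1:53" ];` line is not mentioned in the commit message, which only describes the longer timeout. Without that flag, lego's DNS-01 propagation pre-check presumably falls back to the host's configured resolvers, so on a machine with a local or split-horizon resolver it may see different answers than a public resolver would. If the removal is intentional, record it next to the new setting, e.g. `# resolver pin removed on purpose: propagation check now uses the system resolvers`; otherwise keep the flag alongside the timeout. The added `systemd.services."acme-order-renew-nordhammer.it"` override also hard-codes a unit name that appears to be derived from the certificate's attribute name, which is outside this hunk. A short comment naming that coupling would help, because a renamed cert or a change in the module's unit naming would leave the override on a unit that no longer runs lego.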