authorGregor Kleen <gkleen@yggdrasil.li>2022-02-21 17:44:43 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-21 17:44:43 +0100
commit2e78ef9811bf18754c64c18c1800fcd92252b043 (patch)
tree3359e26b7e0978c33a267037f18a175f5b85728c
parent9ac0e36e05e925dfa0b8ceca591c7c13fa087896 (diff)
surtr: tls: specific cert chain
-rw-r--r--hosts/surtr/tls.nix7
1 files changed, 5 insertions, 2 deletions
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
index 17de1319..b5694c9b 100644
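--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -87,7 +87,11 @@ in {
 security.acme = {
 acceptTerms = true;
 preliminarySelfsigned = true; # DNS challenge is slow
-defaults.email = "phikeebaogobaegh@141.li";
+defaults = {
+email = "phikeebaogobaegh@141.li";
+keyType = "rsa4096"; # we don't like NIST curves
+extraLegoFlags = ["--preferred-chain" "ISRG Root X1"];
+};
 certs =
 let
 domainAttrset = domain: {
@@ -96,7 +100,6 @@ in {
 dnsProvider = "exec";
 credentialsFile = knotDNSCredentials domain;
 dnsResolver = "1.1.1.1:53";
-keyType = "rsa4096"; # we don't like NIST curves
 } // cfg.domains.${domain}.certCfg;
 in genAttrs (attrNames cfg.domains) domainAttrset;
 };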
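Review bot: `--preferred-chain` is passed through `extraLegoFlags` on new line 93, but as far as I know lego defines that option on its `run` and `renew` subcommands, while the NixOS module hands `extraLegoFlags` to lego as global arguments. Issuance may therefore fail on an unknown flag, or the chain preference may never take effect. I would set `extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];` and the same list in `extraLegoRenewFlags` instead. Because `preliminarySelfsigned = true` leaves a self-signed certificate in place until lego succeeds, check the served chain after deployment rather than relying on the unit having started. The enclosing `in {` body starts outside the hunk and the pinned nixpkgs revision is not visible here, so confirm the option names against it.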