surtr: tls: specific cert chain

1 files changed, 5 insertions, 2 deletions

diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
index 17de1319..b5694c9b 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -87,7 +87,11 @@ in {
     security.acme = {
       acceptTerms = true;
       preliminarySelfsigned = true; # DNS challenge is slow
-      defaults.email = "phikeebaogobaegh@141.li";
+      defaults = {
+        email = "phikeebaogobaegh@141.li";
+        keyType = "rsa4096"; # we don't like NIST curves
+        extraLegoFlags = ["--preferred-chain" "ISRG Root X1"];
+      };
       certs =
         let
           domainAttrset = domain: {
@@ -96,7 +100,6 @@ in {
             dnsProvider = "exec";
             credentialsFile = knotDNSCredentials domain;
             dnsResolver = "1.1.1.1:53";
-            keyType = "rsa4096"; # we don't like NIST curves
           } // cfg.domains.${domain}.certCfg;
         in genAttrs (attrNames cfg.domains) domainAttrset;
     };