Diffstat (limited to 'hosts/surtr')
-rw-r--r-- | hosts/surtr/tls.nix | 7 |
1 files changed, 5 insertions, 2 deletions
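--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -87,7 +87,11 @@ in {
 security.acme = {
 acceptTerms = true;
 preliminarySelfsigned = true; # DNS challenge is slow
-defaults.email = "phikeebaogobaegh@141.li";
+defaults = {
+email = "phikeebaogobaegh@141.li";
+keyType = "rsa4096"; # we don't like NIST curves
+extraLegoFlags = ["--preferred-chain" "ISRG Root X1"];
+};
 certs =
 let
 domainAttrset = domain: {
@@ -96,7 +100,6 @@ in {
 dnsProvider = "exec";
 credentialsFile = knotDNSCredentials domain;
 dnsResolver = "1.1.1.1:53";
-keyType = "rsa4096"; # we don't like NIST curves
 } // cfg.domains.${domain}.certCfg;
 in genAttrs (attrNames cfg.domains) domainAttrset;
 };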
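Review bot: `--preferred-chain` is, as far as I know, an option of lego's `run` and `renew` subcommands rather than a global one, and the NixOS acme module appears to place `extraLegoFlags` before the subcommand, so the new `defaults.extraLegoFlags` line may make lego reject the command line instead of pinning the chain. If that holds, the setting belongs in `extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];` with the same list under `extraLegoRenewFlags`. Either way, check on one certificate after deploy that the served chain really ends at ISRG Root X1. Separately, `// cfg.domains.${domain}.certCfg` still lets a domain override `keyType`, so moving it to `defaults` does not by itself enforce RSA-4096 on every certificate.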