From 2e78ef9811bf18754c64c18c1800fcd92252b043 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 21 Feb 2022 17:44:43 +0100
Subject: surtr: tls: specific cert chain
---
 hosts/surtr/tls.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
index 17de1319..b5694c9b 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -87,7 +87,11 @@ in {
 security.acme = {
 acceptTerms = true;
 preliminarySelfsigned = true; # DNS challenge is slow
- defaults.email = "phikeebaogobaegh@141.li";
+ defaults = {
+ email = "phikeebaogobaegh@141.li";
+ keyType = "rsa4096"; # we don't like NIST curves
+ extraLegoFlags = ["--preferred-chain" "ISRG Root X1"];
+ };
 certs = let
 domainAttrset = domain: {
@@ -96,7 +100,6 @@ in {
 dnsProvider = "exec";
 credentialsFile = knotDNSCredentials domain;
 dnsResolver = "1.1.1.1:53";
- keyType = "rsa4096"; # we don't like NIST curves
 } // cfg.domains.${domain}.certCfg;
 in genAttrs (attrNames cfg.domains) domainAttrset;
 };
-- 
cgit v1.2.3
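Review bot: The new `extraLegoFlags = ["--preferred-chain" "ISRG Root X1"];` line in the first hunk pins the issued chain by issuer name without recording the trade-off, while the neighbouring `keyType` line does carry its reasoning. Presumably the intent is to receive the chain rooted directly at ISRG Root X1 instead of the CA's default (cross-signed) chain; the cost is that any client whose trust store lacks ISRG Root X1 will fail to validate these certificates, which is the kind of decision a future maintainer should find explained next to the flag, e.g. `extraLegoFlags = ["--preferred-chain" "ISRG Root X1"]; # prefer the chain rooted at ISRG Root X1 over the default cross-signed chain; clients without that root in their trust store will reject these certs`. As far as I recall, lego only logs and falls back to the default chain when no offered alternative matches the name, so a renamed or withdrawn alternative would change the served chain without failing renewal — worth verifying the chain actually served after the next renewal rather than relying on the flag alone. The `security.acme` attribute set continues past the end of the first hunk; the second hunk only relocates the `keyType` line into `defaults`.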