nixos/security/acme: Add DNS resolver option

When using the ACME DNS-01 challenge, there is a possibility of a failure to resolve the challenge if the record is not propagated fast enough. To circumvent this generic DNS problem, this adds a setting to explicitly tell the ACME provider to use a certain DNS resolver to lookup the challenge. Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
2020-10-07 13:01:08 +02:00 · 2020-10-07 13:01:08 +02:00 · cc3ce9a13a
commit cc3ce9a13a
parent 420f89ceb2
1 changed files with 12 additions and 0 deletions
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -110,6 +110,7 @@ let
    protocolOpts = if useDns then (
      [ "--dns" data.dnsProvider ]
      ++ optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
+      ++ optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
    ) else (
      [ "--http" "--http.webroot" data.webroot ]
    );
@ -403,6 +404,17 @@ let
        '';
      };

+      dnsResolver = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "1.1.1.1:53";
+        description = ''
+          Set the resolver to use for performing recursive DNS queries. Supported:
+          host:port. The default is to use the system resolvers, or Google's DNS
+          resolvers if the system's cannot be determined.
+        '';
+      };
+
      credentialsFile = mkOption {
        type = types.path;
        description = ''