From cc3ce9a13a32ce2326127c6af7ca6cabcdd71f2d Mon Sep 17 00:00:00 2001
From: Jeroen Simonetti
Date: Wed, 7 Oct 2020 13:01:08 +0200
Subject: [PATCH] nixos/security/acme: Add DNS resolver option

When using the ACME DNS-01 challenge, there is a possibility of a failure to resolve the challenge if the record is not propagated fast enough. To circumvent this generic DNS problem, this adds a setting to explicitly tell the ACME provider to use a certain DNS resolver to lookup the challenge.

Signed-off-by: Jeroen Simonetti
---
 nixos/modules/security/acme.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 2d33ca7e79e7..31fbc3614744 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -110,6 +110,7 @@ let
 protocolOpts = if useDns then (
 [ "--dns" data.dnsProvider ]
 ++ optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
+ ++ optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
 ) else (
 [ "--http" "--http.webroot" data.webroot ]
 );
@@ -403,6 +404,17 @@ let
 '';
 };
 
+ dnsResolver = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "1.1.1.1:53";
+ description = ''
+ Set the resolver to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
+ '';
+ };
+
 credentialsFile = mkOption {
 type = types.path;
 description = ''
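Review bot: The description of the new `dnsResolver` option (second hunk), like the commit message's "tell the ACME provider", leaves unclear whose lookups this resolver serves: the first hunk only passes it to the local client as `--dns.resolvers`, so it can only affect lego's own queries (its propagation pre-check and, I believe, zone discovery), while the CA still validates the TXT record through resolvers of its own. A sentence in the description such as `This resolver is used only by the local ACME client's own lookups; the CA validates the challenge with its own resolvers, so this cannot fix CA-side validation failures.` would set the right expectation. Lego's flag is plural and, as far as I recall, accepts a list, so the singular `types.str` is either a deliberate restriction worth stating or could become `types.listOf types.str` joined with `concatStringsSep ","` if the flag accepts comma-separated values. These lookups are ordinary unauthenticated DNS, so a wrong or spoofed answer makes lego proceed to a CA validation that then fails — a renewal failure rather than an issuance risk — which is still a reason to prefer a resolver the operator controls over an arbitrary public one.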