stalwart/acme: reuse private key for cert renewal for TLSA record

diogotcorreia · Dec 31, 2024 · c3eb331 · c3eb331
1 parent a4a5068
commit c3eb331
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/profiles/services/stalwart-mail.nix b/profiles/services/stalwart-mail.nix
@@ -203,6 +203,12 @@ in {
       mailDomains
     );
 
+  security.acme.certs.${stalwartDomain} = {
+    # keep a stable private key for TLSA records (DANE)
+    # https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/14
+    extraLegoRenewFlags = ["--reuse-key"];
+  };
+
   modules.impermanence.directories = [dataDir];
   modules.services.restic = {
     backupPrepareCommand = ''