From 5f6443249d9802170e40f3631de682f5c93121cb Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Thu, 29 Jul 2021 08:23:00 -0400
Subject: [PATCH] Use the NixOS `startAt` configuration option

This causes NixOS to generate the systemd timer unit for us and saves us
having to explain a lot of subtle systemd features.

It does pin execution to midnight on Monday but scaling to handle load spikes
is Let's Encrypt's problem, I guess.
---
 nixos/modules/issuer.nix | 31 +++++--------------------------
 1 file changed, 5 insertions(+), 26 deletions(-)

diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index aef8b8b4..ce1f928b 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -188,6 +188,11 @@ in {
     systemd.services.${certServiceName} = {
       enable = cfg.tls;
       description = "Certificate ${domain}";
+      # Activate this unit periodically so that certbot can determine if the
+      # certificate expiration time is close enough to warrant a renewal
+      # request.
+      startAt = "weekly";
+
       serviceConfig = {
         ExecStart =
         let
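Review bot: The new `startAt = "weekly"` drops the catch-up behaviour the removed `OnActiveSec = "5m"` provided, and as far as I know NixOS's `startAt` only generates `OnCalendar` plus `wantedBy = [ "timers.target" ]`, so a host that is down at Monday 00:00 skips that week's renewal check entirely and a freshly deployed host waits up to a week before the first one. With a 30-day renewal window one missed run is survivable, but two consecutive misses get close to expiry, and nothing here would surface that. I'd keep a small timer override alongside the service, `systemd.timers.${certServiceName}.timerConfig.Persistent = true;`, so a missed trigger fires on the next boot, and extend the added comment with `# Persistent=true replays a trigger missed while the host was down.` The `systemd.services.${certServiceName}` attrset continues past the end of this hunk.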
@@ -203,32 +208,6 @@ in {
       };
     };
 
-    # Periodically trigger the certificate renewal service.
-    systemd.timers.${certServiceName} = {
-      enable = cfg.tls;
-      timerConfig = {
-        # "Defines a timer relative to when the unit the timer unit is
-        # activating was last deactivated."
-        #
-        # Trigger the renewal service periodically.  Since it will activate
-        # and then deactivate each time this timer triggers, this timer will
-        # trigger it repeatedly.  The delay specified here is relative to the
-        # last time the target unit is deactivated and that advances to the
-        # current time after each time the trigger fires.
-        OnUnitInactiveSec = "3d";
-
-        # "Defines a timer relative to the moment the timer unit itself is
-        # activated."
-        #
-        # Since at the time this timer is activated we're not sure whether the
-        # renewal service has ever been activated or deactivated we don't know
-        # when if or when the other trigger will fire.  This ensures that
-        # shortly after this timer is activated it will trigger.  Thereafter,
-        # the other trigger will take over for periodic re-triggering.
-        OnActiveSec = "5m";
-      };
-    };
-
     # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
     networking.firewall.allowedTCPPorts = [
       80
-- 
GitLab