Commit 5f644324 authored by Jean-Paul Calderone, committed by Florian Sesser

Use the NixOS `startAt` configuration option

This causes NixOS to generate the systemd timer unit for us and saves us
having to explain a lot of subtle systemd features.

It does pin execution to midnight on Monday but scaling to handle load spikes
is Let's Encrypt's problem, I guess.
parent 893288fd
3 merge requests: !153 merge staging into production, !148 merge develop into staging, !145 Prometheus niceties
...@@ -188,6 +188,11 @@ in { ...@@ -188,6 +188,11 @@ in {
systemd.services.${certServiceName} = { systemd.services.${certServiceName} = {
enable = cfg.tls; enable = cfg.tls;
description = "Certificate ${domain}"; description = "Certificate ${domain}";
# Activate this unit periodically so that certbot can determine if the
# certificate expiration time is close enough to warrant a renewal
# request.
startAt = "weekly";
serviceConfig = { serviceConfig = {
ExecStart = ExecStart =
let let
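Review bot: `startAt = "weekly"` (the added line right after `description`) fires at Monday 00:00 on every host carrying this module, so all of them hit the ACME endpoint at the same instant and a host that is powered off at that moment simply skips the week; consider setting `RandomizedDelaySec` and `Persistent = true` on the generated timer through `systemd.timers.${certServiceName}.timerConfig` so the requests are spread and a missed run is caught up on boot. The new comment explains only why the unit is periodic; one more line stating the Monday-midnight schedule that "weekly" implies would spare the next reader a trip to systemd.time(7).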
...@@ -203,32 +208,6 @@ in { ...@@ -203,32 +208,6 @@ in {
}; };
}; };
# Periodically trigger the certificate renewal service.
systemd.timers.${certServiceName} = {
enable = cfg.tls;
timerConfig = {
# "Defines a timer relative to when the unit the timer unit is
# activating was last deactivated."
#
# Trigger the renewal service periodically. Since it will activate
# and then deactivate each time this timer triggers, this timer will
# trigger it repeatedly. The delay specified here is relative to the
# last time the target unit is deactivated and that advances to the
# current time after each time the trigger fires.
OnUnitInactiveSec = "3d";
# "Defines a timer relative to the moment the timer unit itself is
# activated."
#
# Since at the time this timer is activated we're not sure whether the
# renewal service has ever been activated or deactivated we don't know
# when if or when the other trigger will fire. This ensures that
# shortly after this timer is activated it will trigger. Thereafter,
# the other trigger will take over for periodic re-triggering.
OnActiveSec = "5m";
};
};
# Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server. # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
......
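Review bot: the deleted `OnActiveSec = "5m"` trigger was the only thing that ran the renewal service shortly after the timer came up; with `startAt = "weekly"` alone, a freshly deployed or rebuilt host makes no renewal attempt until the next Monday, and a certificate already close to expiry at deploy time waits out the full interval. If that first run matters, keep a boot-relative trigger on `systemd.timers.${certServiceName}` alongside the calendar one, or say in the service comment that initial issuance happens elsewhere. The removed block also carried the `enable = cfg.tls;` guard for the timer; the service keeps `enable = cfg.tls`, so confirm the generated timer is likewise omitted when TLS is off rather than left pointing at a disabled unit.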