From 63ab6ce021e53fdbefec220f508a5cec3a307780 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Wed, 28 Jul 2021 10:57:40 -0400
Subject: [PATCH] Add a timer service to periodically trigger the cert renewal
 service

---
 nixos/modules/issuer.nix | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index da56a430..aef8b8b4 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -182,10 +182,11 @@ in {
           "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
     };
 
-    # Certificate renewal.  We must declare that we *require* it in our
-    # service above.
-    systemd.services."${certServiceName}" = {
-      enable = true;
+    # Certificate renewal.  A short-lived service meant to be repeatedly
+    # activated to request a new certificate be issued, if the current one is
+    # close to expiring.
+    systemd.services.${certServiceName} = {
+      enable = cfg.tls;
       description = "Certificate ${domain}";
       serviceConfig = {
         ExecStart =
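Review bot: Changing the unit to `enable = cfg.tls;` masks it when TLS is off, while the comment being removed said the PaymentServer service above declares that it requires this unit; if that `requires`/`after` entry (outside the hunk) is still unconditional, the main service would fail to start on a masked dependency whenever `cfg.tls` is false. The dependency should be gated the same way, e.g. `requires = lib.optional cfg.tls "${certServiceName}.service";` (assuming `lib` is in scope), or the new comment should state that the dependency is already conditional so the coupling is not lost. The enclosing module attribute set starts before and continues past this hunk.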
@@ -201,6 +202,33 @@ in {
           '';
       };
     };
+
+    # Periodically trigger the certificate renewal service.
+    systemd.timers.${certServiceName} = {
+      enable = cfg.tls;
+      timerConfig = {
+        # "Defines a timer relative to when the unit the timer unit is
+        # activating was last deactivated."
+        #
+        # Trigger the renewal service periodically.  Since it will activate
+        # and then deactivate each time this timer triggers, this timer will
+        # trigger it repeatedly.  The delay specified here is relative to the
+        # last time the target unit is deactivated and that advances to the
+        # current time after each time the trigger fires.
+        OnUnitInactiveSec = "3d";
+
+        # "Defines a timer relative to the moment the timer unit itself is
+        # activated."
+        #
+        # Since at the time this timer is activated we're not sure whether the
+        # renewal service has ever been activated or deactivated we don't know
+        # when if or when the other trigger will fire.  This ensures that
+        # shortly after this timer is activated it will trigger.  Thereafter,
+        # the other trigger will take over for periodic re-triggering.
+        OnActiveSec = "5m";
+      };
+    };
+
     # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
     networking.firewall.allowedTCPPorts = [
       80
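Review bot: The new timer unit has no `wantedBy`, so nothing pulls it in at boot; the timer is never activated and neither `OnActiveSec` nor `OnUnitInactiveSec` will fire, which means the certificate is only renewed when something else starts the cert service and would eventually expire silently. Add `wantedBy = [ "timers.target" ];` next to `enable = cfg.tls;` so the timer is started with the system. With both triggers in place it may also be worth adding `RandomizedDelaySec` to the timer so a fleet of hosts does not hit the CA at the same instant, though that is optional. The enclosing module attribute set continues past this hunk.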
-- 
GitLab