Merge branch '222.automatically-renew-payment-certificate' into 'develop'

Add a timer service to periodically trigger the cert renewal service Closes privatestorageops#222 See merge request privatestorage/PrivateStorageio!143

Merge branch '222.automatically-renew-payment-certificate' into 'develop'
66350e7b · Jean-Paul Calderone · 30e98750 · bcabf1fe · 66350e7b
Commit 66350e7b authored 3 years ago by Jean-Paul Calderone
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -182,11 +182,17 @@ in {
          "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
    };
-    # Certificate renewal.  We must declare that we *require* it in our
+    # Certificate renewal.  A short-lived service meant to be repeatedly
-    # service above.
+    # activated to request a new certificate be issued, if the current one is
-    systemd.services."${certServiceName}" = {
+    # close to expiring.
-      enable = true;
+    systemd.services.${certServiceName} = {
+      enable = cfg.tls;
      description = "Certificate ${domain}";
+      # Activate this unit periodically so that certbot can determine if the
+      # certificate expiration time is close enough to warrant a renewal
+      # request.
+      startAt = "weekly";
      serviceConfig = {
        ExecStart =
        let
@@ -201,6 +207,7 @@ in {
          '';
      };
    };
    # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
    networking.firewall.allowedTCPPorts = [
      80