diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index da56a43012b7e53a6d5ced17123eb3d898b24f3e..aef8b8b4b1a2d7660bd816310212cb2d11b0b2cc 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -182,10 +182,11 @@ in {
 "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
 };
 
- # Certificate renewal. We must declare that we *require* it in our
- # service above.
- systemd.services."${certServiceName}" = {
- enable = true;
+ # Certificate renewal. A short-lived service meant to be repeatedly
+ # activated to request a new certificate be issued, if the current one is
+ # close to expiring.
+ systemd.services.${certServiceName} = {
+ enable = cfg.tls;
 description = "Certificate ${domain}";
 serviceConfig = {
 ExecStart =
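Review bot: `enable = cfg.tls;` on the `systemd.services.${certServiceName}` unit does not drop the unit when TLS is off — NixOS masks a unit whose `enable` is false (symlink to /dev/null) rather than omitting it — so any unit that still `requires` it will refuse to start with TLS disabled; the removed comment said the PaymentServer service above declares exactly that dependency, but that declaration is outside this hunk and I cannot see whether it was adjusted. Gating the whole definition with `systemd.services.${certServiceName} = lib.mkIf cfg.tls { ... };` and applying the same `cfg.tls` condition to the main service's `requires`/`after` entries avoids the dead dependency. The unit body and the enclosing `in { ... }` attribute set both continue outside the hunk.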
@@ -201,6 +202,33 @@ in {
 '';
 };
 };
+
+ # Periodically trigger the certificate renewal service.
+ systemd.timers.${certServiceName} = {
+ enable = cfg.tls;
+ timerConfig = {
+ # "Defines a timer relative to when the unit the timer unit is
+ # activating was last deactivated."
+ #
+ # Trigger the renewal service periodically. Since it will activate
+ # and then deactivate each time this timer triggers, this timer will
+ # trigger it repeatedly. The delay specified here is relative to the
+ # last time the target unit is deactivated and that advances to the
+ # current time after each time the trigger fires.
+ OnUnitInactiveSec = "3d";
+
+ # "Defines a timer relative to the moment the timer unit itself is
+ # activated."
+ #
+ # Since at the time this timer is activated we're not sure whether the
+ # renewal service has ever been activated or deactivated we don't know
+ # when if or when the other trigger will fire. This ensures that
+ # shortly after this timer is activated it will trigger. Thereafter,
+ # the other trigger will take over for periodic re-triggering.
+ OnActiveSec = "5m";
+ };
+ };
+
 # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
 networking.firewall.allowedTCPPorts = [
 80
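Review bot: The new `systemd.timers.${certServiceName}` declares no `wantedBy`, so nothing pulls the timer into `timers.target` at boot; the unit is generated but never started, the renewal service is never triggered on the 3-day cadence described in the comments, and the certificate will silently lapse at the end of its validity period. Add `wantedBy = [ "timers.target" ];` next to `enable = cfg.tls;`. It would also be worth adding `RandomizedDelaySec = "1h";` to `timerConfig` so that many hosts on the same schedule do not hit the issuer simultaneously, and the comment above `OnActiveSec` has a typo (`when if or when` should read `if or when`).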