Add a timer service to periodically trigger the cert renewal service

893288fd · Jean-Paul Calderone · Florian Sesser · 30e98750 · 893288fd
Commit 893288fd authored 3 years ago by Jean-Paul Calderone Committed by Florian Sesser 3 years ago
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -182,10 +182,11 @@ in {
          "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
    };

-    # Certificate renewal.  We must declare that we *require* it in our
-    # service above.
-    systemd.services."${certServiceName}" = {
-      enable = true;
+    # Certificate renewal.  A short-lived service meant to be repeatedly
+    # activated to request a new certificate be issued, if the current one is
+    # close to expiring.
+    systemd.services.${certServiceName} = {
+      enable = cfg.tls;
      description = "Certificate ${domain}";
      serviceConfig = {
        ExecStart =
@@ -201,6 +202,33 @@ in {
          '';
      };
    };
+
+    # Periodically trigger the certificate renewal service.
+    systemd.timers.${certServiceName} = {
+      enable = cfg.tls;
+      timerConfig = {
+        # "Defines a timer relative to when the unit the timer unit is
+        # activating was last deactivated."
+        #
+        # Trigger the renewal service periodically.  Since it will activate
+        # and then deactivate each time this timer triggers, this timer will
+        # trigger it repeatedly.  The delay specified here is relative to the
+        # last time the target unit is deactivated and that advances to the
+        # current time after each time the trigger fires.
+        OnUnitInactiveSec = "3d";
+
+        # "Defines a timer relative to the moment the timer unit itself is
+        # activated."
+        #
+        # Since at the time this timer is activated we're not sure whether the
+        # renewal service has ever been activated or deactivated we don't know
+        # when if or when the other trigger will fire.  This ensures that
+        # shortly after this timer is activated it will trigger.  Thereafter,
+        # the other trigger will take over for periodic re-triggering.
+        OnActiveSec = "5m";
+      };
+    };
+
    # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
    networking.firewall.allowedTCPPorts = [
      80