Skip to content
Snippets Groups Projects
Commit 893288fd authored by Jean-Paul Calderone's avatar Jean-Paul Calderone Committed by Florian Sesser
Browse files

Add a timer service to periodically trigger the cert renewal service

parent 30e98750
No related branches found
No related tags found
3 merge requests!153merge staging into production,!148merge develop into staging,!145Prometheus niceties
Hide whitespace changes
Inline Side-by-side
nixos/modules/issuer.nix
+ 32
4
View file @ 893288fd
...@@ -182,10 +182,11 @@ in { ...@@ -182,10 +182,11 @@ in {
"${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}"; "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
}; };
# Certificate renewal. We must declare that we *require* it in our # Certificate renewal. A short-lived service meant to be repeatedly
# service above. # activated to request a new certificate be issued, if the current one is
systemd.services."${certServiceName}" = { # close to expiring.
enable = true; systemd.services.${certServiceName} = {
enable = cfg.tls;
description = "Certificate ${domain}"; description = "Certificate ${domain}";
serviceConfig = { serviceConfig = {
ExecStart = ExecStart =
...@@ -201,6 +202,33 @@ in { ...@@ -201,6 +202,33 @@ in {
''; '';
}; };
}; };
# Periodically trigger the certificate renewal service.
systemd.timers.${certServiceName} = {
enable = cfg.tls;
timerConfig = {
# "Defines a timer relative to when the unit the timer unit is
# activating was last deactivated."
#
# Trigger the renewal service periodically. Since it will activate
# and then deactivate each time this timer triggers, this timer will
# trigger it repeatedly. The delay specified here is relative to the
# last time the target unit is deactivated and that advances to the
# current time after each time the trigger fires.
OnUnitInactiveSec = "3d";
# "Defines a timer relative to the moment the timer unit itself is
# activated."
#
# Since at the time this timer is activated we're not sure whether the
# renewal service has ever been activated or deactivated we don't know
# when if or when the other trigger will fire. This ensures that
# shortly after this timer is activated it will trigger. Thereafter,
# the other trigger will take over for periodic re-triggering.
OnActiveSec = "5m";
};
};
# Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server. # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment