Jean-Paul Calderone
--- a/nixos/modules/issuer.nix

+ 5

− 26
+++ b/nixos/modules/issuer.nix

+ 5

− 26
 @@ -188,6 +188,11 @@ in {
    systemd.services.${certServiceName} = {
      enable = cfg.tls;
      description = "Certificate ${domain}";
+      # Activate this unit periodically so that certbot can determine if the
+      # certificate expiration time is close enough to warrant a renewal
+      # request.
+      startAt = "weekly";
+
      serviceConfig = {
        ExecStart =
        let
 @@ -203,32 +208,6 @@ in {
      };
    };

-    # Periodically trigger the certificate renewal service.
-    systemd.timers.${certServiceName} = {
-      enable = cfg.tls;
-      timerConfig = {
-        # "Defines a timer relative to when the unit the timer unit is
-        # activating was last deactivated."
-        #
-        # Trigger the renewal service periodically.  Since it will activate
-        # and then deactivate each time this timer triggers, this timer will
-        # trigger it repeatedly.  The delay specified here is relative to the
-        # last time the target unit is deactivated and that advances to the
-        # current time after each time the trigger fires.
-        OnUnitInactiveSec = "3d";
-
-        # "Defines a timer relative to the moment the timer unit itself is
-        # activated."
-        #
-        # Since at the time this timer is activated we're not sure whether the
-        # renewal service has ever been activated or deactivated we don't know
-        # when if or when the other trigger will fire.  This ensures that
-        # shortly after this timer is activated it will trigger.  Thereafter,
-        # the other trigger will take over for periodic re-triggering.
-        OnActiveSec = "5m";
-      };
-    };
-
    # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
    networking.firewall.allowedTCPPorts = [
      80