author | Yegor Timoshenko <yegortimoshenko@riseup.net> | 2020-03-03 03:49:33 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-03 03:49:33 +0300 |
commit | 31aefc74c5f070ce3156136d7a320372c9543b42 (patch) | |
tree | 046f0d23de0446feff9774cf8868b3f535eba901 /nixos/modules/security/acme.nix | |
parent | c37b4466c0fca907ba2d62a2e7c85402aa8f4800 (diff) | |
parent | 7b14bbd7342cde743e5b06a4ccc53a7001d7a1d5 (diff) | |
Merge pull request #80856 from emilazy/adjust-acme
nixos/acme: adjust renewal timer options
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 9e660b3d6a3b..65bd57242ffd 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -174,7 +174,7 @@ in
 renewInterval = mkOption {
 type = types.str;
- default = "weekly";
+ default = "daily";
 description = ''
 Systemd calendar expression when to check for renewal. See
 <citerefentry><refentrytitle>systemd.time</refentrytitle>
@@ -400,7 +400,17 @@ in
 systemd.tmpfiles.rules = map (data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}") (filter (data: data.webroot != null) (attrValues cfg.certs));
- systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
+ systemd.timers = let
+ # Allow systemd to pick a convenient time within the day
+ # to run the check.
+ # This allows the coalescing of multiple timer jobs.
+ # We divide by the number of certificates so that if you
+ # have many certificates, the renewals are distributed over
+ # the course of the day to avoid rate limits.
+ numCerts = length (attrNames cfg.certs);
+ _24hSecs = 60 * 60 * 24;
+ AccuracySec = "${toString (_24hSecs / numCerts)}s";
+ in flip mapAttrs' cfg.certs (cert: data: nameValuePair
 ("acme-${cert}")
 ({
 description = "Renew ACME Certificate for ${cert}";
@@ -409,8 +419,9 @@ in
 OnCalendar = cfg.renewInterval;
 Unit = "acme-${cert}.service";
 Persistent = "yes";
- AccuracySec = "5m";
- RandomizedDelaySec = "1h";
+ inherit AccuracySec;
+ # Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
+ RandomizedDelaySec = "24h";
 };
 })
 );
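Review bot: The new `default = "daily"` in the first hunk is documented only as a systemd calendar expression, while the last hunk of this same change fixes `RandomizedDelaySec = "24h"` on every timer, so a user who sets a finer expression than daily still gets each check skewed by up to a day and the option text gives no hint of that. I would extend the description with a sentence such as `Each run is additionally delayed by a random amount of up to 24 hours (RandomizedDelaySec), so expressions finer than daily do not yield finer checks.` The mkOption block and its description continue outside the hunk.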
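Review bot: `AccuracySec = "${toString (_24hSecs / numCerts)}s"` in the second hunk divides by the number of certificates, and for an empty `cfg.certs` that is a division by zero; it appears to be harmless only because Nix forces the binding lazily inside the per-certificate `mapAttrs'` body, which never runs for an empty set (whether the enclosing config is also gated on non-empty certs is outside the hunk). That invariant should be stated next to the binding, e.g. `# numCerts > 0 whenever this is forced: it is only used inside the per-cert mapAttrs' body.` Note also that with a single certificate the computed value is 86400s, so together with the 24h `RandomizedDelaySec` from the last hunk a check may land up to roughly two days after the calendar boundary, which is fine for the default but worth a comment so nobody later lowers the check interval expecting tighter timing. The `systemd.timers` expression continues past the hunk.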