nixos/acme: Disable lego renew sleeping

Lego has a built-in mechanism for sleeping for a random amount
of time before renewing a certificate. In our environment this
is not only unnecessary (as our systemd timer takes care of it)
but also unwanted since it slows down the execution of the
systemd service encompassing it, thus also slowing down the
start-up of any services that depend on it.

Also added FixedRandomDelay to the timer for more predictability.
Lucas Savva 2022-10-04 22:28:23 +01:00 committed by Winter
parent 657ecbca0e
commit 49c0fd7d60
2 changed files with 2 additions and 7 deletions


@ -190,7 +190,7 @@ let
);
renewOpts = escapeShellArgs (
commonOpts
++ [ "renew" ]
++ [ "renew" "--no-random-sleep" ]
++ optionals data.ocspMustStaple [ "--must-staple" ]
++ data.extraLegoRenewFlags
);
@ -223,9 +223,9 @@ let
# have many certificates, the renewals are distributed over
# the course of the day to avoid rate limits.
AccuracySec = "${toString (_24hSecs / numCerts)}s";
# Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
RandomizedDelaySec = "24h";
FixedRandomDelay = true;
};
};
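Review bot: The `--no-random-sleep` flag on line 24 is now passed unconditionally, so every renewal depends on the lego build in use recognising that option; a user who pins an older lego via the package option would presumably get an unknown-flag failure on every renew, and nothing in the hunk records why the flag is there (the removed test comment mentioned a 0-8 minute sleep and lego issue 1656). A comment above the `renew` entry such as `# Lego's own pre-renew random sleep is redundant with the timer's RandomizedDelaySec and would delay every service ordered after this one; requires a lego release that accepts --no-random-sleep.` would keep that context in the module. `FixedRandomDelay = true` on line 34 also changes what the comment on line 32 describes: the 24h skew is no longer re-drawn on each firing but derived from the unit name and machine ID, so a host whose renewal failed retries at the same daily offset rather than a fresh random one; extending the comment with `# FixedRandomDelay keeps that offset stable across restarts of systemd (derived from unit name + machine ID).` would make this explicit. The enclosing attribute set and `let` binding start outside the hunk.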


@ -9,11 +9,6 @@ in {
defaults = {
server = "https://${caDomain}/dir";
email = "hostmaster@example.test";
# Avoid a random 0-8 minute sleep when testing renewals.
# We are not using LE servers in testing so this is not
# going to impact their load.
# See https://github.com/go-acme/lego/issues/1656
extraLegoRenewFlags = ["-no-random-sleep"];
};
};