Unverified Commit 91b8ad76 authored by Martin Weinelt's avatar Martin Weinelt

nixos/acme: Make the maximum jitter configurable

Extracts the fixed 24h random delay into a configurable option suitable
for other profiles that require different renew intervals.

With the introduction of LE's shortlived profile a fixed random delay
does not cut it anymore, as it will delay short renew intervals by up
to a day before they are run. In an ideal world we could make the delay
proportional to the renew interval, but the `OnCalendar=` format is a bit
too complicated.
parent b064e659
+13 −1
@@ -330,7 +330,7 @@ let
          # the course of the day to avoid rate limits.
          AccuracySec = "${toString (_24hSecs / numCerts)}s";
          # Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
          RandomizedDelaySec = "24h";
          RandomizedDelaySec = data.renewJitter;
          FixedRandomDelay = true;
        };
      };
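Review bot: The comment directly above the new `RandomizedDelaySec = data.renewJitter;` still reads "Skew randomly within the day", which stops being true as soon as a profile sets a shorter jitter; suggest `# Skew randomly within renewJitter (24h by default), per https://letsencrypt.org/docs/integration-guide/.`. Two lines earlier, `AccuracySec` is still derived from `_24hSecs / numCerts`, so with a jitter much shorter than a day the per-certificate coalescing window can exceed the randomized delay and, on a short renew interval, delay a renewal further than the jitter alone would suggest; it may be worth deriving it from the jitter too, or at least documenting the coupling in the `renewJitter` option description. `_24hSecs` and the enclosing attribute set are defined outside the hunk, so how that value is computed cannot be confirmed here.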
@@ -637,6 +637,18 @@ let
          description = ''
            Systemd calendar expression when to check for renewal. See
            {manpage}`systemd.time(7)`.

            If you reduce this from daily you might also want to adapt {option}`security.acme.defaults.renewJitter`.
          '';
        };

        renewJitter = lib.mkOption {
          type = lib.types.str;
          inherit (defaultAndText "renewJitter" "24h") default defaultText;
          description = ''
            Maximum jitter applied to a timer to stretch its execution
            intervals to prevent multiple timers from firing simultaneously. See
            `RandomizedDelaySecs=` in {manpage}`systemd.timer(5)`.
          '';
        };