nixos/acme: Disable lego renew sleeping

Lego has a built-in mechanism for sleeping for a random amount of time before renewing a certificate. In our environment this is not only unnecessary (as our systemd timer takes care of it) but also unwanted since it slows down the execution of the systemd service encompassing it, thus also slowing down the start up of any services its depending on. Also added FixedRandomDelay to the timer for more predictability.
NixOS · Oct 6, 2022 · 49c0fd7 · 49c0fd7
1 parent 657ecbc
commit 49c0fd7
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 7 deletions.
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
@@ -190,7 +190,7 @@ let
     );
     renewOpts = escapeShellArgs (
       commonOpts
-      ++ [ "renew" ]
+      ++ [ "renew" "--no-random-sleep" ]
       ++ optionals data.ocspMustStaple [ "--must-staple" ]
       ++ data.extraLegoRenewFlags
     );
@@ -223,9 +223,9 @@ let
         # have many certificates, the renewals are distributed over
         # the course of the day to avoid rate limits.
         AccuracySec = "${toString (_24hSecs / numCerts)}s";
-
         # Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
         RandomizedDelaySec = "24h";
+        FixedRandomDelay = true;
       };
     };
 

diff --git a/nixos/tests/common/acme/client/default.nix b/nixos/tests/common/acme/client/default.nix
@@ -9,11 +9,6 @@ in {
     defaults = {
       server = "https://${caDomain}/dir";
       email = "hostmaster@example.test";
-      # Avoid a random 0-8 minute sleep when testing renewals.
-      # We are not using LE servers in testing so this is not
-      # going to impact their load.
-      # See https://github.com/go-acme/lego/issues/1656
-      extraLegoRenewFlags = ["-no-random-sleep"];
     };
   };