Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
base: 2e4a4b928b31
Choose a base ref
...
head repository: NixOS/nixpkgs
compare: 0f2565d51822
Choose a head ref
  • 2 commits
  • 1 file changed
  • 2 contributors

Commits on Feb 29, 2020

  1. nixos/acme: adjust renewal timer options 

    The current weekly setting causes every NixOS server to try to renew
its certificate at midnight on the dot on Monday. This contributes to
the general problem of periodic load spikes for Let's Encrypt; NixOS
is probably not a major contributor to that problem, but we can lead by
example by picking good defaults here.

The values here were chosen after consulting with @yuriks, an SRE at
Let's Encrypt:

* Randomize the time certificates are renewed within a 24 hour period.

* Check for renewal every 24 hours, to ensure the certificate is always
  renewed before an expiry notice is sent out.

* Increase the AccuracySec (thus lowering the accuracy(!)), so that
  systemd can coalesce the renewal with other timers being run.

  (You might be worried that this would defeat the purpose of the time
  skewing, but systemd is documented as avoiding this by picking a
  random time.)

(cherry picked from commit 7b14bbd)
    @emilazy
    emilazy committed Feb 29, 2020
    Copy the full SHA
    f2c522a View commit details
    Browse the repository at this point in the history

Commits on Mar 3, 2020

  1. Merge pull request #80857 from emilazy/adjust-acme-20.03 

    [20.03] nixos/acme: adjust renewal timer options
    @lukateras
    lukateras committed Mar 3, 2020
    Copy the full SHA
    0f2565d View commit details
    Browse the repository at this point in the history