authorLucas Savva <lucas@m1cr0man.com>2022-10-04 22:28:23 +0100
committerWinter <winter@winter.cafe>2022-10-06 10:30:24 -0400
commit49c0fd7d6005cab96c597d3c56ab0bade5f436c4 (patch)
tree9c7ad90a20fc07276a68ccf3b3b3311a2fe629b2
parent657ecbca0ece81c5e2a411d7044a3d837f520408 (diff)
nixos/acme: Disable lego renew sleeping
Lego has a built-in mechanism for sleeping for a random amount
of time before renewing a certificate. In our environment this
is not only unnecessary (as our systemd timer takes care of it)
but also unwanted since it slows down the execution of the
systemd service encompassing it, thus also slowing down the
start-up of any services that depend on it.

Also added FixedRandomDelay to the timer for more predictability.
-rw-r--r--nixos/modules/security/acme/default.nix4
-rw-r--r--nixos/tests/common/acme/client/default.nix5
2 files changed, 2 insertions, 7 deletions
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index 91ec24ab1f5..e9299fb1b3a 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -190,7 +190,7 @@ let
     );
     renewOpts = escapeShellArgs (
       commonOpts
-      ++ [ "renew" ]
+      ++ [ "renew" "--no-random-sleep" ]
       ++ optionals data.ocspMustStaple [ "--must-staple" ]
       ++ data.extraLegoRenewFlags
     );
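Review bot: The new `--no-random-sleep` on the renew line carries no comment explaining why lego's own pre-renewal jitter is dropped; the reasoning lives only in the commit message, and the test-file comment that used to explain it is deleted in the other hunk of this commit. Suggest adding above the `++ [ "renew" "--no-random-sleep" ]` line: `# Lego's random pre-renewal sleep is redundant with the timer's RandomizedDelaySec and only delays units that depend on this service.` Note that the spreading of renewals now rests entirely on the timer: a run of the service that is not triggered by the timer renews immediately, which is presumably intended but worth stating next to the flag. The enclosing let-binding starts outside the hunk.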
@@ -223,9 +223,9 @@ let
         # have many certificates, the renewals are distributed over
         # the course of the day to avoid rate limits.
         AccuracySec = "${toString (_24hSecs / numCerts)}s";
-
         # Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
         RandomizedDelaySec = "24h";
+        FixedRandomDelay = true;
       };
     };
 
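Review bot: The comment on the `RandomizedDelaySec` line still says the renewal is skewed randomly, but with `FixedRandomDelay = true` on the following line the offset is, per systemd.timer(5), derived once from the unit name and machine-id and reused for every firing, so each certificate now renews at the same time of day rather than at a fresh random point each day. Extend the comment so the next reader does not expect daily re-rolling, e.g. `# Skew within the day, per https://letsencrypt.org/docs/integration-guide/; FixedRandomDelay keeps the per-unit offset stable so renewal times are predictable.` If the option implies a minimum systemd version (I believe it arrived in v247), that constraint is not stated anywhere in the module. The enclosing attribute set starts outside the hunk.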
diff --git a/nixos/tests/common/acme/client/default.nix b/nixos/tests/common/acme/client/default.nix
index 9a37e4f2fd3..503e610d1ac 100644
--- a/nixos/tests/common/acme/client/default.nix
+++ b/nixos/tests/common/acme/client/default.nix
@@ -9,11 +9,6 @@ in {
     defaults = {
       server = "https://${caDomain}/dir";
       email = "hostmaster@example.test";
-      # Avoid a random 0-8 minute sleep when testing renewals.
-      # We are not using LE servers in testing so this is not
-      # going to impact their load.
-      # See https://github.com/go-acme/lego/issues/1656
-      extraLegoRenewFlags = ["-no-random-sleep"];
     };
   };