Merge pull request #108578 from ctem/feature/chrony

nixos/chrony: add support for Network Time Security (NTS) authentication
2021-01-22 09:36:08 -03:00
parent e986624620 54778551d6
commit 0f31f03f22
1 changed files with 45 additions and 5 deletions
--- a/nixos/modules/services/networking/ntp/chrony.nix
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -4,13 +4,14 @@ with lib;

 let
  cfg = config.services.chrony;
+  chronyPkg = cfg.package;

-  stateDir = "/var/lib/chrony";
+  stateDir = cfg.directory;
  driftFile = "${stateDir}/chrony.drift";
  keyFile = "${stateDir}/chrony.keys";

  configFile = pkgs.writeText "chrony.conf" ''
-    ${concatMapStringsSep "\n" (server: "server " + server + " iburst") cfg.servers}
+    ${concatMapStringsSep "\n" (server: "server " + server + " " + cfg.serverOption + optionalString (cfg.enableNTS) " nts") cfg.servers}

    ${optionalString
      (cfg.initstepslew.enabled && (cfg.servers != []))
@@ -19,6 +20,7 @@ let

    driftfile ${driftFile}
    keyfile ${keyFile}
+    ${optionalString (cfg.enableNTS) "ntsdumpdir ${stateDir}"}

    ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}

@@ -39,6 +41,15 @@ in
        '';
      };

+      package = mkOption {
+        type = types.package;
+        default = pkgs.chrony;
+        defaultText = "pkgs.chrony";
+        description = ''
+          Which chrony package to use.
+        '';
+      };
+
      servers = mkOption {
        default = config.networking.timeServers;
        type = types.listOf types.str;
@@ -47,6 +58,29 @@ in
        '';
      };

+      serverOption = mkOption {
+        default = "iburst";
+        type = types.enum [ "iburst" "offline" ];
+        description = ''
+          Set option for server directives.
+
+          Use "iburst" to rapidly poll on startup. Recommended if your machine
+          is consistently online.
+
+          Use "offline" to prevent polling on startup. Recommended if your
+          machine boots offline or is otherwise frequently offline.
+        '';
+      };
+
+      enableNTS = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable Network Time Security authentication.
+          Make sure it is supported by your selected NTP server(s).
+        '';
+      };
+
      initstepslew = mkOption {
        default = {
          enabled = true;
@@ -59,6 +93,12 @@ in
        '';
      };

+      directory = mkOption {
+        type = types.str;
+        default = "/var/lib/chrony";
+        description = "Directory where chrony state is stored.";
+      };
+
      extraConfig = mkOption {
        type = types.lines;
        default = "";
@@ -80,7 +120,7 @@ in
  config = mkIf cfg.enable {
    meta.maintainers = with lib.maintainers; [ thoughtpolice ];

-    environment.systemPackages = [ pkgs.chrony ];
+    environment.systemPackages = [ chronyPkg ];

    users.groups.chrony.gid = config.ids.gids.chrony;

@@ -110,12 +150,12 @@ in
        after    = [ "network.target" ];
        conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];

-        path = [ pkgs.chrony ];
+        path = [ chronyPkg ];

        unitConfig.ConditionCapability = "CAP_SYS_TIME";
        serviceConfig =
          { Type = "simple";
-            ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
+            ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}";

            ProtectHome = "yes";
            ProtectSystem = "full";