public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #108578 from ctem/feature/chrony

Browse Source 
nixos/chrony: add support for Network Time Security (NTS) authentication
This commit is contained in:
Anderson Torres 2021-01-22 09:36:08 -03:00 committed by GitHub
commit 0f31f03f22
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 45 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
nixos/modules/services/networking/ntp/chrony.nix
View File

@ -4,13 +4,14 @@ with lib;
let let
cfg = config.services.chrony; cfg = config.services.chrony;
chronyPkg = cfg.package;
stateDir = "/var/lib/chrony"; stateDir = cfg.directory;
driftFile = "${stateDir}/chrony.drift"; driftFile = "${stateDir}/chrony.drift";
keyFile = "${stateDir}/chrony.keys"; keyFile = "${stateDir}/chrony.keys";
configFile = pkgs.writeText "chrony.conf" '' configFile = pkgs.writeText "chrony.conf" ''
${concatMapStringsSep "\n" (server: "server " + server + " iburst") cfg.servers} ${concatMapStringsSep "\n" (server: "server " + server + " " + cfg.serverOption + optionalString (cfg.enableNTS) " nts") cfg.servers}
${optionalString ${optionalString
(cfg.initstepslew.enabled && (cfg.servers != [])) (cfg.initstepslew.enabled && (cfg.servers != []))
@ -19,6 +20,7 @@ let
driftfile ${driftFile} driftfile ${driftFile}
keyfile ${keyFile} keyfile ${keyFile}
${optionalString (cfg.enableNTS) "ntsdumpdir ${stateDir}"}
${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"} ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
@ -39,6 +41,15 @@ in
''; '';
}; };
package = mkOption {
type = types.package;
default = pkgs.chrony;
defaultText = "pkgs.chrony";
description = ''
Which chrony package to use.
'';
};
servers = mkOption { servers = mkOption {
default = config.networking.timeServers; default = config.networking.timeServers;
type = types.listOf types.str; type = types.listOf types.str;
@ -47,6 +58,29 @@ in
''; '';
}; };
serverOption = mkOption {
default = "iburst";
type = types.enum [ "iburst" "offline" ];
description = ''
Set option for server directives.
Use "iburst" to rapidly poll on startup. Recommended if your machine
is consistently online.
Use "offline" to prevent polling on startup. Recommended if your
machine boots offline or is otherwise frequently offline.
'';
};
enableNTS = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable Network Time Security authentication.
Make sure it is supported by your selected NTP server(s).
'';
};
initstepslew = mkOption { initstepslew = mkOption {
default = { default = {
enabled = true; enabled = true;
@ -59,6 +93,12 @@ in
''; '';
}; };
directory = mkOption {
type = types.str;
default = "/var/lib/chrony";
description = "Directory where chrony state is stored.";
};
extraConfig = mkOption { extraConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -80,7 +120,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
meta.maintainers = with lib.maintainers; [ thoughtpolice ]; meta.maintainers = with lib.maintainers; [ thoughtpolice ];
environment.systemPackages = [ pkgs.chrony ]; environment.systemPackages = [ chronyPkg ];
users.groups.chrony.gid = config.ids.gids.chrony; users.groups.chrony.gid = config.ids.gids.chrony;
@ -110,12 +150,12 @@ in
after = [ "network.target" ]; after = [ "network.target" ];
conflicts = [ "ntpd.service" "systemd-timesyncd.service" ]; conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];
path = [ pkgs.chrony ]; path = [ chronyPkg ];
unitConfig.ConditionCapability = "CAP_SYS_TIME"; unitConfig.ConditionCapability = "CAP_SYS_TIME";
serviceConfig = serviceConfig =
{ Type = "simple"; { Type = "simple";
ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}"; ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}";
ProtectHome = "yes"; ProtectHome = "yes";
ProtectSystem = "full"; ProtectSystem = "full";