diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index cf82e5035d9..c8d5fcc4e6f 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -292,6 +292,7 @@
 ./services/networking/tcpcrypt.nix
 ./services/networking/teamspeak3.nix
 ./services/networking/tftpd.nix
+ ./services/networking/tlsdated.nix
 ./services/networking/tox-bootstrapd.nix
 ./services/networking/unbound.nix
 ./services/networking/unifi.nix
diff --git a/nixos/modules/services/networking/tlsdated.nix b/nixos/modules/services/networking/tlsdated.nix
new file mode 100644
index 00000000000..f2d0c9f35c9
--- /dev/null
+++ b/nixos/modules/services/networking/tlsdated.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ inherit (pkgs) coreutils tlsdate;
+
+ cfg = config.services.tlsdated;
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.tlsdated = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable tlsdated daemon.
+ '';
+ };
+
+ extraOptions = mkOption {
+ type = types.string;
+ description = ''
+ Additional command line arguments to pass to tlsdated.
+ '';
+ };
+
+ sources = mkOption {
+ type = types.listOf (types.submodule {
+ options = {
+ host = mkOption {
+ type = types.string;
+ description = ''
+ Remote hostname.
+ '';
+ };
+ port = mkOption {
+ type = types.int;
+ description = ''
+ Remote port.
+ '';
+ };
+ proxy = mkOption {
+ type = types.nullOr types.string;
+ default = null;
+ description = ''
+ The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as followed:
+
+ http://127.0.0.1:8118
+ socks4a://127.0.0.1:9050
+ socks5://127.0.0.1:9050
+
+ The proxy support should not leak DNS requests and is suitable for use with Tor.
+ '';
+ };
+ };
+ });
+ default = [
+ {
+ host = "www.ptb.de";
+ port = 443;
+ proxy = null;
+ }
+ ];
+ description = ''
+ You can list one or more sources to fetch time from.
+ '';
+ };
+
+ };
+
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ # Make tools such as tlsdate available in the system path
+ environment.systemPackages = [ tlsdate ];
+
+ systemd.services.tlsdated = {
+ description = "tlsdated daemon";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ # XXX because pkgs.tlsdate is compiled to run as nobody:nogroup, we
+ # hard-code base-path to /tmp and use PrivateTmp.
+ ExecStart = "${tlsdate}/bin/tlsdated -f ${pkgs.writeText "tlsdated.confg" ''
+ base-path /tmp
+
+ ${concatMapStrings (src: ''
+ source
+ host ${src.host}
+ port ${toString src.port}
+ proxy ${if src.proxy == null then "none" else src.proxy}
+ end
+ '') cfg.sources}
+ ''} ${cfg.extraOptions}";
+ PrivateTmp = "yes";
+ };
+ };
+
+ };
+
+}
diff --git a/pkgs/tools/networking/tlsdate/default.nix b/pkgs/tools/networking/tlsdate/default.nix
new file mode 100644
index 00000000000..eea7dfcccac
--- /dev/null
+++ b/pkgs/tools/networking/tlsdate/default.nix
@@ -0,0 +1,41 @@
+{ stdenv, fetchgit
+, autoconf
+, automake
+, libevent
+, libtool
+, pkgconfig
+, openssl
+}:
+
+stdenv.mkDerivation {
+ name = "tlsdate-0.0.12";
+
+ src = fetchgit {
+ url = https://github.com/ioerror/tlsdate;
+ rev = "fd04f48ed60eb773c8e34d27ef2ee12ee7559a41";
+ sha256 = "d97b7cc6fe64799c12c31a9ebd3a69c9bc954de2eaa7f70d113d39544472854d";
+ };
+
+ buildInputs = [
+ autoconf
+ automake
+ libevent
+ libtool
+ pkgconfig
+ openssl
+ ];
+
+ preConfigure = ''
+ export COMPILE_DATE=0
+ ./autogen.sh
+ '';
+
+ doCheck = true;
+
+ meta = {
+ description = "Secure parasitic rdate replacement";
+ homepage = https://github.com/ioerror/tlsdate;
+ platforms = stdenv.lib.platforms.all;
+ maintainers = [ stdenv.lib.maintainers.tv ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 901e8c608b8..145c111be71 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -2654,6 +2654,8 @@ let
 tiny8086 = callPackage ../applications/virtualization/8086tiny { };
+ tlsdate = callPackage ../tools/networking/tlsdate { };
+
 tmpwatch = callPackage ../tools/misc/tmpwatch { };
 tmux = callPackage ../tools/misc/tmux { };
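Review bot: `services.tlsdated.extraOptions` is declared without a `default`, so a configuration that sets `enable = true` and nothing else fails at evaluation the moment `${cfg.extraOptions}` is read in `ExecStart`; add `default = "";` beside its `type`. The generated config file is named `"tlsdated.confg"`, presumably a typo for `tlsdated.conf`; the daemon only ever sees the store path so nothing breaks, but it is worth fixing while the file is new. `inherit (pkgs) coreutils tlsdate;` pulls in `coreutils`, which nothing in the module references, so it can be dropped. Note also that `src.host` and `src.proxy` are written into the config verbatim, so a value containing whitespace or a newline silently changes the file's structure — acceptable for operator-supplied configuration, but a one-line comment on the `concatMapStrings` call saying so would save the next reader the question.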
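Review bot: `meta` in the new tlsdate expression has no `license` attribute, which nixpkgs expects for a new package; add `license = stdenv.lib.licenses.bsd3;` if that matches the LICENSE file in the tlsdate repository (confirm before merging — I recall it as BSD-style but the page does not show it). The `name` says `0.0.12` while `src` pins the bare commit `fd04f48…` rather than a tag, so a reader cannot tell from the expression that the two correspond; a comment on the `rev` line naming the tag that commit carries (or fetching by that tag) documents the pin, which together with the fixed `sha256` is what makes the build reproducible and tamper-evident. `autoconf`, `automake`, `libtool` and `pkgconfig` are build-time tools only; if this nixpkgs revision already supports `nativeBuildInputs`, they belong there rather than in `buildInputs`, leaving `libevent` and `openssl` as the runtime dependencies.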