author | Anderson Torres <torres.anderson.85@protonmail.com> | 2021-01-22 09:36:08 -0300 |
committer | GitHub <noreply@github.com> | 2021-01-22 09:36:08 -0300 |
commit | 0f31f03f2246a426b64f56aaf9c3f41fefd617ae (patch) | |
tree | 5c4ef042e471d78ae45d2e20112f0ae9527cc42c | |
parent | e986624620f82039739cee5465ed9a76fced2fa3 (diff) | |
parent | 54778551d6029e5ffdb6c530915477095a3f564f (diff) | |
Merge pull request #108578 from ctem/feature/chrony
nixos/chrony: add support for Network Time Security (NTS) authentication
-rw-r--r-- | nixos/modules/services/networking/ntp/chrony.nix | 50 |
1 files changed, 45 insertions, 5 deletions
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
index 115340924a2..5e05a327a3f 100644
--- a/nixos/modules/services/networking/ntp/chrony.nix
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -4,13 +4,14 @@ with lib;
 let
 cfg = config.services.chrony;
+ chronyPkg = cfg.package;
- stateDir = "/var/lib/chrony";
+ stateDir = cfg.directory;
 driftFile = "${stateDir}/chrony.drift";
 keyFile = "${stateDir}/chrony.keys";
 configFile = pkgs.writeText "chrony.conf" ''
- ${concatMapStringsSep "\n" (server: "server " + server + " iburst") cfg.servers}
+ ${concatMapStringsSep "\n" (server: "server " + server + " " + cfg.serverOption + optionalString (cfg.enableNTS) " nts") cfg.servers}
 ${optionalString (cfg.initstepslew.enabled && (cfg.servers != []))
@@ -19,6 +20,7 @@ let
 driftfile ${driftFile}
 keyfile ${keyFile}
+ ${optionalString (cfg.enableNTS) "ntsdumpdir ${stateDir}"}
 ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
@@ -39,6 +41,15 @@ in
 '';
 };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.chrony;
+ defaultText = "pkgs.chrony";
+ description = ''
+ Which chrony package to use.
+ '';
+ };
+
 servers = mkOption {
 default = config.networking.timeServers;
 type = types.listOf types.str;
@@ -47,6 +58,29 @@ in
 '';
 };
+ serverOption = mkOption {
+ default = "iburst";
+ type = types.enum [ "iburst" "offline" ];
+ description = ''
+ Set option for server directives.
+
+ Use "iburst" to rapidly poll on startup. Recommended if your machine
+ is consistently online.
+
+ Use "offline" to prevent polling on startup. Recommended if your
+ machine boots offline or is otherwise frequently offline.
+ '';
+ };
+
+ enableNTS = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable Network Time Security authentication.
+ Make sure it is supported by your selected NTP server(s).
+ '';
+ };
+
 initstepslew = mkOption {
 default = {
 enabled = true;
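Review bot: The ` nts` suffix built on the `+ ${concatMapStringsSep ...}` line is appended to every entry of `cfg.servers`, so `enableNTS` is all-or-nothing across the configured sources, including the default `config.networking.timeServers`; as I read chrony's behaviour, a server that does not offer NTS-KE is then simply never usable rather than falling back to unauthenticated NTP. A short comment above that line would make the trade-off visible to the next maintainer: `# "nts" applies to every server in cfg.servers; mixing NTS and plain sources needs extraConfig`. The same all-servers scope should be mentioned where the option is declared in the `enableNTS` hunk below. The enclosing `let` block continues outside this hunk.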
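Review bot: The added `ntsdumpdir ${stateDir}` directive makes chronyd persist the NTS cookies it negotiates (and, as I read chrony.conf(5), the session keys that go with them) into the state directory, so whatever creates `${stateDir}` and sets its mode — outside this hunk — must keep it writable by the chrony user and not readable by other local users, or the material protecting the time sources is exposed. I would annotate the line: `# NTS cookies/keys are written here; stateDir must stay private to the chrony user`. If the directory is currently created with a permissive mode, tightening it or using a dedicated subdirectory for the dump is worth considering.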
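Review bot: The `enableNTS` description stops at "make sure it is supported", but the security value of NTS is the NTS-KE server certificate validation, and the option text says nothing about which trust roots are used or what happens when the boot-time clock is too far off for the certificate to validate (no time is obtained at all, as far as I can tell). I would extend the description with: `The NTS-KE server certificate is validated against the system CA bundle; use the ntstrustedcerts directive in extraConfig to pin a specific CA.` and note that it applies to every entry in `servers`. On the positive side, `serverOption` being a `types.enum` correctly keeps arbitrary text out of the generated `server` directives.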
@@ -59,6 +93,12 @@ in
 '';
 };
+ directory = mkOption {
+ type = types.str;
+ default = "/var/lib/chrony";
+ description = "Directory where chrony state is stored.";
+ };
+
 extraConfig = mkOption {
 type = types.lines;
 default = "";
@@ -80,7 +120,7 @@ in
 config = mkIf cfg.enable {
 meta.maintainers = with lib.maintainers; [ thoughtpolice ];
- environment.systemPackages = [ pkgs.chrony ];
+ environment.systemPackages = [ chronyPkg ];
 users.groups.chrony.gid = config.ids.gids.chrony;
@@ -110,12 +150,12 @@ in
 after = [ "network.target" ];
 conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];
- path = [ pkgs.chrony ];
+ path = [ chronyPkg ];
 unitConfig.ConditionCapability = "CAP_SYS_TIME";
 serviceConfig = {
 Type = "simple";
- ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
+ ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}";
 ProtectHome = "yes";
 ProtectSystem = "full";
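Review bot: `directory` is declared as `types.str` although the value is interpolated as a filesystem path into `driftFile`, `keyFile` and the `ntsdumpdir` directive; `types.path` would reject relative or empty values and is the NixOS convention for such options. The description also does not say that the rest of the module must follow the new value: the unit runs with `ProtectSystem = "full"` and `ProtectHome = "yes"`, so a directory outside the writable tree needs `ReadWritePaths`, and any ownership or mode setup for `/var/lib/chrony` elsewhere in the file (outside this hunk) has to use `stateDir` rather than a literal path. I would change `type = types.str;` to `type = types.path;` and append to the description: `The directory must be owned and writable by the chrony user and reachable within the service's sandbox.`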