From 9550d865e9ecf2d3e0767231a68548865da34f87 Mon Sep 17 00:00:00 2001
From: Ctem
Date: Wed, 6 Jan 2021 19:33:39 +0900
Subject: nixos/chrony: add option to enable NTS authentication
---
 nixos/modules/services/networking/ntp/chrony.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
index e6fa48daf46..5842761ba7e 100644
--- a/nixos/modules/services/networking/ntp/chrony.nix
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -10,7 +10,7 @@ let
 keyFile = "${stateDir}/chrony.keys";
 configFile = pkgs.writeText "chrony.conf" ''
- ${concatMapStringsSep "\n" (server: "server " + server + " iburst") cfg.servers}
+ ${concatMapStringsSep "\n" (server: "server " + server + " iburst" + optionalString (cfg.enableNTS) " nts") cfg.servers}
 ${optionalString (cfg.initstepslew.enabled && (cfg.servers != []))
@@ -19,6 +19,7 @@ let
 driftfile ${driftFile}
 keyfile ${keyFile}
+ ${optionalString (cfg.enableNTS) "ntsdumpdir ${stateDir}"}
 ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
@@ -46,6 +47,15 @@ in
 '';
 };
+ enableNTS = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable Network Time Security authentication.
+ Make sure it is supported by your selected NTP server(s).
+ '';
+ };
+
 initstepslew = mkOption {
 default = {
 enabled = true;
-- cgit 1.4.1
From 2e131e1f45dd01bef5231744745931afadccdf90 Mon Sep 17 00:00:00 2001
From: Ctem
Date: Wed, 6 Jan 2021 19:38:56 +0900
Subject: nixos/chrony: add option to choose between two commonly used server directive options
---
 nixos/modules/services/networking/ntp/chrony.nix | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
index 5842761ba7e..42dbc5c5612 100644
--- a/nixos/modules/services/networking/ntp/chrony.nix 
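Review bot: Adding `nts` to the `server` lines leaves the `initstepslew` directive generated from the same `cfg.servers` (the context line right below the changed `server` line) unauthenticated, since that directive takes only a threshold and host names and has no per-source option syntax to request NTS, so as far as I can tell the initial step at boot can still be driven by plain-NTP replies from an on-path attacker even with `enableNTS = true`. Consider gating it, e.g. `${optionalString (cfg.initstepslew.enabled && !cfg.enableNTS && (cfg.servers != []))`, or at least say so in the option description. The description should also note that NTS-KE validates the server certificate against the system CA store and therefore needs a roughly correct clock on first contact; the `ntsdumpdir` added in the second hunk presumably lets cookies survive restarts, but it does not help a first boot with a badly wrong clock. The generated `configFile` string begins in the first hunk and continues outside it.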
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -10,7 +10,7 @@ let
 keyFile = "${stateDir}/chrony.keys";
 configFile = pkgs.writeText "chrony.conf" ''
- ${concatMapStringsSep "\n" (server: "server " + server + " iburst" + optionalString (cfg.enableNTS) " nts") cfg.servers}
+ ${concatMapStringsSep "\n" (server: "server " + server + " " + cfg.serverOption + optionalString (cfg.enableNTS) " nts") cfg.servers}
 ${optionalString (cfg.initstepslew.enabled && (cfg.servers != []))
@@ -47,6 +47,20 @@ in
 '';
 };
+ serverOption = mkOption {
+ default = "iburst";
+ type = types.enum [ "iburst" "offline" ];
+ description = ''
+ Set option for server directives.
+
+ Use "iburst" to rapidly poll on startup. Recommended if your machine
+ is consistently online.
+
+ Use "offline" to prevent polling on startup. Recommended if your
+ machine boots offline or is otherwise frequently offline.
+ '';
+ };
+
 enableNTS = mkOption {
 type = types.bool;
 default = false;
-- cgit 1.4.1
From 2aec205bd2bb23d0b1230e7639d9ff4134a2f656 Mon Sep 17 00:00:00 2001
From: Ctem
Date: Wed, 6 Jan 2021 19:40:48 +0900
Subject: nixos/chrony: add option to change state directory
---
 nixos/modules/services/networking/ntp/chrony.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
index 42dbc5c5612..d568a7aed88 100644
--- a/nixos/modules/services/networking/ntp/chrony.nix
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -5,7 +5,7 @@ with lib;
 let
 cfg = config.services.chrony;
- stateDir = "/var/lib/chrony";
+ stateDir = cfg.directory;
 driftFile = "${stateDir}/chrony.drift";
 keyFile = "${stateDir}/chrony.keys";
@@ -82,6 +82,12 @@ in
 '';
 };
+ directory = mkOption {
+ type = types.str;
+ default = "/var/lib/chrony";
+ description = "Directory where chrony state is stored.";
+ };
+
 extraConfig = mkOption {
 type = types.lines;
 default = "";
-- cgit 1.4.1 
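Review bot: The `offline` branch of the `serverOption` description should say who brings the sources back online, because a `server ... offline` line makes chronyd never poll until something issues `chronyc online`, and nothing in these hunks does that. Suggest appending to that description: `Note that chronyd will not contact the servers until something runs "chronyc online" (e.g. a network dispatcher hook); this module does not do that for you.` Since the value is spliced verbatim into the generated `server` line, the `types.enum` is also what stops this option from becoming a config-injection point — a one-line comment above it, `# keep this an enum: the value is interpolated unquoted into chrony.conf`, would keep a future maintainer from loosening it to `types.str`.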
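Review bot: `directory` is declared as `types.str` but is interpolated unquoted into the `driftfile`, `keyfile` and (when NTS is on) `ntsdumpdir` lines of the generated chrony.conf, so a relative path or one containing whitespace yields a broken or misparsed config; `type = types.path;` would at least reject non-absolute values. Whether the service unit creates and chowns a non-default directory is not visible in these hunks (the preStart/`StateDirectory` handling, if any, is outside them); if it relies on a systemd `StateDirectory` under `/var/lib`, the description should say that an arbitrary path must be created with chrony ownership by the user, since the keys and NTS cookies that land there are security-sensitive.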
From 54778551d6029e5ffdb6c530915477095a3f564f Mon Sep 17 00:00:00 2001
From: Ctem
Date: Wed, 6 Jan 2021 19:42:28 +0900
Subject: nixos/chrony: add option to change package
---
 nixos/modules/services/networking/ntp/chrony.nix | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
index d568a7aed88..b36484fed10 100644
--- a/nixos/modules/services/networking/ntp/chrony.nix
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -4,6 +4,7 @@ with lib;
 let
 cfg = config.services.chrony;
+ chronyPkg = cfg.package;
 stateDir = cfg.directory;
 driftFile = "${stateDir}/chrony.drift";
@@ -40,6 +41,15 @@ in
 '';
 };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.chrony;
+ defaultText = "pkgs.chrony";
+ description = ''
+ Which chrony package to use.
+ '';
+ };
+
 servers = mkOption {
 default = config.networking.timeServers;
 description = ''
@@ -109,7 +119,7 @@ in
 config = mkIf cfg.enable {
 meta.maintainers = with lib.maintainers; [ thoughtpolice ];
- environment.systemPackages = [ pkgs.chrony ];
+ environment.systemPackages = [ chronyPkg ];
 users.groups.chrony.gid = config.ids.gids.chrony;
@@ -139,12 +149,12 @@ in
 after = [ "network.target" ];
 conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];
- path = [ pkgs.chrony ];
+ path = [ chronyPkg ];
 unitConfig.ConditionCapability = "CAP_SYS_TIME";
 serviceConfig = {
 Type = "simple";
- ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
+ ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}";
 ProtectHome = "yes";
 ProtectSystem = "full";
-- cgit 1.4.1