diff options
Diffstat (limited to 'nixos/modules/services/networking/ntp/chrony.nix')
-rw-r--r-- | nixos/modules/services/networking/ntp/chrony.nix | 57 |
1 files changed, 50 insertions, 7 deletions
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix index b7e4c89a155..96c6444c23a 100644 --- a/nixos/modules/services/networking/ntp/chrony.nix +++ b/nixos/modules/services/networking/ntp/chrony.nix @@ -4,20 +4,23 @@ with lib; let cfg = config.services.chrony; + chronyPkg = cfg.package; - stateDir = "/var/lib/chrony"; + stateDir = cfg.directory; + driftFile = "${stateDir}/chrony.drift"; keyFile = "${stateDir}/chrony.keys"; configFile = pkgs.writeText "chrony.conf" '' - ${concatMapStringsSep "\n" (server: "server " + server + " iburst") cfg.servers} + ${concatMapStringsSep "\n" (server: "server " + server + " " + cfg.serverOption + optionalString (cfg.enableNTS) " nts") cfg.servers} ${optionalString (cfg.initstepslew.enabled && (cfg.servers != [])) "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.servers}" } - driftfile ${stateDir}/chrony.drift + driftfile ${driftFile} keyfile ${keyFile} + ${optionalString (cfg.enableNTS) "ntsdumpdir ${stateDir}"} ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"} @@ -38,14 +41,48 @@ in ''; }; + package = mkOption { + type = types.package; + default = pkgs.chrony; + defaultText = "pkgs.chrony"; + description = '' + Which chrony package to use. + ''; + }; + servers = mkOption { default = config.networking.timeServers; + type = types.listOf types.str; description = '' The set of NTP servers from which to synchronise. ''; }; + serverOption = mkOption { + default = "iburst"; + type = types.enum [ "iburst" "offline" ]; + description = '' + Set option for server directives. + + Use "iburst" to rapidly poll on startup. Recommended if your machine + is consistently online. + + Use "offline" to prevent polling on startup. Recommended if your + machine boots offline or is otherwise frequently offline. + ''; + }; + + enableNTS = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Network Time Security authentication. + Make sure it is supported by your selected NTP server(s). + ''; + }; + initstepslew = mkOption { + type = types.attrsOf (types.either types.bool types.int); default = { enabled = true; threshold = 1000; # by default, same threshold as 'ntpd -g' (1000s) @@ -57,6 +94,12 @@ in ''; }; + directory = mkOption { + type = types.str; + default = "/var/lib/chrony"; + description = "Directory where chrony state is stored."; + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -78,7 +121,7 @@ in config = mkIf cfg.enable { meta.maintainers = with lib.maintainers; [ thoughtpolice ]; - environment.systemPackages = [ pkgs.chrony ]; + environment.systemPackages = [ chronyPkg ]; users.groups.chrony.gid = config.ids.gids.chrony; @@ -95,6 +138,7 @@ in systemd.tmpfiles.rules = [ "d ${stateDir} 0755 chrony chrony - -" + "f ${driftFile} 0640 chrony chrony -" "f ${keyFile} 0640 chrony chrony -" ]; @@ -107,17 +151,16 @@ in after = [ "network.target" ]; conflicts = [ "ntpd.service" "systemd-timesyncd.service" ]; - path = [ pkgs.chrony ]; + path = [ chronyPkg ]; unitConfig.ConditionCapability = "CAP_SYS_TIME"; serviceConfig = { Type = "simple"; - ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}"; + ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}"; ProtectHome = "yes"; ProtectSystem = "full"; PrivateTmp = "yes"; - StateDirectory = "chrony"; }; }; |