Diffstat (limited to 'nixos/modules/services/networking/ntp')
-rw-r--r-- | nixos/modules/services/networking/ntp/chrony.nix | 178 | ||||
-rw-r--r-- | nixos/modules/services/networking/ntp/ntpd.nix | 150 | ||||
-rw-r--r-- | nixos/modules/services/networking/ntp/openntpd.nix | 85 |
3 files changed, 413 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
new file mode 100644
index 00000000000..34728455a21
--- /dev/null
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -0,0 +1,178 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.chrony;
+ chronyPkg = cfg.package;
+
+ stateDir = cfg.directory;
+ driftFile = "${stateDir}/chrony.drift";
+ keyFile = "${stateDir}/chrony.keys";
+
+ configFile = pkgs.writeText "chrony.conf" ''
+ ${concatMapStringsSep "\n" (server: "server " + server + " " + cfg.serverOption + optionalString (cfg.enableNTS) " nts") cfg.servers}
+
+ ${optionalString
+ (cfg.initstepslew.enabled && (cfg.servers != []))
+ "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.servers}"
+ }
+
+ driftfile ${driftFile}
+ keyfile ${keyFile}
+ ${optionalString (cfg.enableNTS) "ntsdumpdir ${stateDir}"}
+
+ ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
+
+ ${cfg.extraConfig}
+ '';
+
+ chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}";
+in
+{
+ options = {
+ services.chrony = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to synchronise your machine's time using chrony.
+ Make sure you disable NTP if you enable this service.
+ '';
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.chrony;
+ defaultText = literalExpression "pkgs.chrony";
+ description = ''
+ Which chrony package to use.
+ '';
+ };
+
+ servers = mkOption {
+ default = config.networking.timeServers;
+ defaultText = literalExpression "config.networking.timeServers";
+ type = types.listOf types.str;
+ description = ''
+ The set of NTP servers from which to synchronise.
+ '';
+ };
+
+ serverOption = mkOption {
+ default = "iburst";
+ type = types.enum [ "iburst" "offline" ];
+ description = ''
+ Set option for server directives.
+
+ Use "iburst" to rapidly poll on startup. Recommended if your machine
+ is consistently online.
+
+ Use "offline" to prevent polling on startup. Recommended if your
+ machine boots offline or is otherwise frequently offline.
+ '';
+ };
+
+ enableNTS = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable Network Time Security authentication.
+ Make sure it is supported by your selected NTP server(s).
+ '';
+ };
+
+ initstepslew = {
+ enabled = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Allow chronyd to make a rapid measurement of the system clock error
+ at boot time, and to correct the system clock by stepping before
+ normal operation begins.
+ '';
+ };
+
+ threshold = mkOption {
+ type = types.either types.float types.int;
+ default = 1000; # by default, same threshold as 'ntpd -g' (1000s)
+ description = ''
+ The threshold of system clock error (in seconds) above which the
+ clock will be stepped. If the correction required is less than the
+ threshold, a slew is used instead.
+ '';
+ };
+ };
+
+ directory = mkOption {
+ type = types.str;
+ default = "/var/lib/chrony";
+ description = "Directory where chrony state is stored.";
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = ''
+ Extra configuration directives that should be added to
+ <literal>chrony.conf</literal>
+ '';
+ };
+
+ extraFlags = mkOption {
+ default = [];
+ example = [ "-s" ];
+ type = types.listOf types.str;
+ description = "Extra flags passed to the chronyd command.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ meta.maintainers = with lib.maintainers; [ thoughtpolice ];
+
+ environment.systemPackages = [ chronyPkg ];
+
+ users.groups.chrony.gid = config.ids.gids.chrony;
+
+ users.users.chrony =
+ { uid = config.ids.uids.chrony;
+ group = "chrony";
+ description = "chrony daemon user";
+ home = stateDir;
+ };
+
+ services.timesyncd.enable = mkForce false;
+
+ systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "chronyd.service"; };
+
+ systemd.tmpfiles.rules = [
+ "d ${stateDir} 0755 chrony chrony - -"
+ "f ${driftFile} 0640 chrony chrony -"
+ "f ${keyFile} 0640 chrony chrony -"
+ ];
+
+ systemd.services.chronyd =
+ { description = "chrony NTP daemon";
+
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "time-sync.target" ];
+ before = [ "time-sync.target" ];
+ after = [ "network.target" "nss-lookup.target" ];
+ conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];
+
+ path = [ chronyPkg ];
+
+ unitConfig.ConditionCapability = "CAP_SYS_TIME";
+ serviceConfig =
+ { Type = "simple";
+ ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}";
+
+ ProtectHome = "yes";
+ ProtectSystem = "full";
+ PrivateTmp = "yes";
+ };
+
+ };
+ };
+}
diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix
new file mode 100644
index 00000000000..12be0d045a8
--- /dev/null
+++ b/nixos/modules/services/networking/ntp/ntpd.nix
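Review bot: `directory` is declared as `types.str` but is spliced unquoted into the three tmpfiles rules and the `driftfile`/`keyfile` directives, so a value containing whitespace silently corrupts the rule fields instead of failing; `type = types.path;` matches how the value is used and rejects that at evaluation time. The chrony user is declared with only a fixed `uid`, while the ntpd and openntpd users added in this same commit set `isSystemUser = true`; adding `isSystemUser = true;` next to `uid` keeps the three modules consistent (the explicit uid presumably keeps the users-groups assertion from firing, but the omission reads as an oversight). The `chrony.keys` file and, with NTS, the `ntsdumpdir` output both live in `stateDir`, so the 0640 rule on the key file is the protection that matters; worth a short comment on the tmpfiles block saying so.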
@@ -0,0 +1,150 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ inherit (pkgs) ntp;
+
+ cfg = config.services.ntp;
+
+ stateDir = "/var/lib/ntp";
+
+ configFile = pkgs.writeText "ntp.conf" ''
+ driftfile ${stateDir}/ntp.drift
+
+ restrict default ${toString cfg.restrictDefault}
+ restrict -6 default ${toString cfg.restrictDefault}
+ restrict source ${toString cfg.restrictSource}
+
+ restrict 127.0.0.1
+ restrict -6 ::1
+
+ ${toString (map (server: "server " + server + " iburst\n") cfg.servers)}
+
+ ${cfg.extraConfig}
+ '';
+
+ ntpFlags = "-c ${configFile} -u ntp:ntp ${toString cfg.extraFlags}";
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.ntp = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to synchronise your machine's time using ntpd, as a peer in
+ the NTP network.
+ </para>
+ <para>
+ Disables <literal>systemd.timesyncd</literal> if enabled.
+ '';
+ };
+
+ restrictDefault = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ The restriction flags to be set by default.
+ </para>
+ <para>
+ The default flags prevent external hosts from using ntpd as a DDoS
+ reflector, setting system time, and querying OS/ntpd version. As
+ recommended in section 6.5.1.1.3, answer "No" of
+ http://support.ntp.org/bin/view/Support/AccessRestrictions
+ '';
+ default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ];
+ };
+
+ restrictSource = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ The restriction flags to be set on source.
+ </para>
+ <para>
+ The default flags allow peers to be added by ntpd from configured
+ pool(s), but not by other means.
+ '';
+ default = [ "limited" "kod" "nomodify" "notrap" "noquery" ];
+ };
+
+ servers = mkOption {
+ default = config.networking.timeServers;
+ defaultText = literalExpression "config.networking.timeServers";
+ type = types.listOf types.str;
+ description = ''
+ The set of NTP servers from which to synchronise.
+ '';
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ example = ''
+ fudge 127.127.1.0 stratum 10
+ '';
+ description = ''
+ Additional text appended to <filename>ntp.conf</filename>.
+ '';
+ };
+
+ extraFlags = mkOption {
+ type = types.listOf types.str;
+ description = "Extra flags passed to the ntpd command.";
+ example = literalExpression ''[ "--interface=eth0" ]'';
+ default = [];
+ };
+
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf config.services.ntp.enable {
+ meta.maintainers = with lib.maintainers; [ thoughtpolice ];
+
+ # Make tools such as ntpq available in the system path.
+ environment.systemPackages = [ pkgs.ntp ];
+ services.timesyncd.enable = mkForce false;
+
+ systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; };
+
+ users.users.ntp =
+ { isSystemUser = true;
+ group = "ntp";
+ description = "NTP daemon user";
+ home = stateDir;
+ };
+ users.groups.ntp = {};
+
+ systemd.services.ntpd =
+ { description = "NTP Daemon";
+
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "time-sync.target" ];
+ before = [ "time-sync.target" ];
+
+ preStart =
+ ''
+ mkdir -m 0755 -p ${stateDir}
+ chown ntp ${stateDir}
+ '';
+
+ serviceConfig = {
+ ExecStart = "@${ntp}/bin/ntpd ntpd -g ${ntpFlags}";
+ Type = "forking";
+ };
+ };
+
+ };
+
+}
diff --git a/nixos/modules/services/networking/ntp/openntpd.nix b/nixos/modules/services/networking/ntp/openntpd.nix
new file mode 100644
index 00000000000..e86b71291f9
--- /dev/null
+++ b/nixos/modules/services/networking/ntp/openntpd.nix
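Review bot: The ntpd unit's `serviceConfig` sets only `ExecStart` and `Type`, so the daemon runs without the `ProtectHome`/`ProtectSystem`/`PrivateTmp` directives the chronyd unit in this same commit carries; the openntpd unit in the next file has the same gap. ntpd drops to `ntp:ntp` via `-u` here, but the sandbox is cheap and keeps the three units consistent: `ProtectHome = "yes"; ProtectSystem = "full"; PrivateTmp = "yes";` inside `serviceConfig` (`/var/lib/ntp` stays writable under `full`). The `preStart` block also creates `stateDir` by hand with `mkdir`/`chown` where chrony.nix uses a `systemd.tmpfiles.rules` entry; either works, but a one-line comment on `preStart` explaining that the drift file is written there as the `ntp` user would make the `chown ntp` self-explanatory.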
@@ -0,0 +1,85 @@
+{ pkgs, lib, config, options, ... }:
+
+with lib;
+
+let
+ cfg = config.services.openntpd;
+
+ package = pkgs.openntpd_nixos;
+
+ configFile = ''
+ ${concatStringsSep "\n" (map (s: "server ${s}") cfg.servers)}
+ ${cfg.extraConfig}
+ '';
+
+ pidFile = "/run/openntpd.pid";
+
+in
+{
+ ###### interface
+
+ options.services.openntpd = {
+ enable = mkEnableOption "OpenNTP time synchronization server";
+
+ servers = mkOption {
+ default = config.services.ntp.servers;
+ defaultText = literalExpression "config.services.ntp.servers";
+ type = types.listOf types.str;
+ inherit (options.services.ntp.servers) description;
+ };
+
+ extraConfig = mkOption {
+ type = with types; lines;
+ default = "";
+ example = ''
+ listen on 127.0.0.1
+ listen on ::1
+ '';
+ description = ''
+ Additional text appended to <filename>openntpd.conf</filename>.
+ '';
+ };
+
+ extraOptions = mkOption {
+ type = with types; separatedString " ";
+ default = "";
+ example = "-s";
+ description = ''
+ Extra options used when launching openntpd.
+ '';
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ meta.maintainers = with lib.maintainers; [ thoughtpolice ];
+ services.timesyncd.enable = mkForce false;
+
+ # Add ntpctl to the environment for status checking
+ environment.systemPackages = [ package ];
+
+ environment.etc."ntpd.conf".text = configFile;
+
+ users.users.ntp = {
+ isSystemUser = true;
+ group = "ntp";
+ description = "OpenNTP daemon user";
+ home = "/var/empty";
+ };
+ users.groups.ntp = {};
+
+ systemd.services.openntpd = {
+ description = "OpenNTP Server";
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" "time-sync.target" ];
+ before = [ "time-sync.target" ];
+ after = [ "dnsmasq.service" "bind.service" "network-online.target" ];
+ serviceConfig = {
+ ExecStart = "${package}/sbin/ntpd -p ${pidFile} ${cfg.extraOptions}";
+ Type = "forking";
+ PIDFile = pidFile;
+ };
+ };
+ };
+} |
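Review bot: The openntpd unit declares no `conflicts`, unlike chronyd, which lists `ntpd.service` and `systemd-timesyncd.service`; enabling it together with `services.ntp` is caught only indirectly, because both modules define `users.users.ntp` with different `description` and `home` values, which should surface as a conflicting-definition error rather than a clear message about mutually exclusive time daemons. Adding `conflicts = [ "ntpd.service" "chronyd.service" ];` next to `before`, or an assertion that `services.ntp.enable` and `services.chrony.enable` are off, states the exclusivity explicitly. `extraOptions` is a `separatedString " "` interpolated directly into `ExecStart`, so systemd splits it on whitespace with no shell quoting; the description would benefit from a sentence saying so, since the `-s` example hides that detail.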