diff options
Diffstat (limited to 'nixos/modules/services/networking/tlsdated.nix')
-rw-r--r-- | nixos/modules/services/networking/tlsdated.nix | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/tlsdated.nix b/nixos/modules/services/networking/tlsdated.nix new file mode 100644 index 00000000000..f2d0c9f35c9 --- /dev/null +++ b/nixos/modules/services/networking/tlsdated.nix @@ -0,0 +1,110 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + inherit (pkgs) coreutils tlsdate; + + cfg = config.services.tlsdated; +in + +{ + + ###### interface + + options = { + + services.tlsdated = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable tlsdated daemon. + ''; + }; + + extraOptions = mkOption { + type = types.string; + description = '' + Additional command line arguments to pass to tlsdated. + ''; + }; + + sources = mkOption { + type = types.listOf (types.submodule { + options = { + host = mkOption { + type = types.string; + description = '' + Remote hostname. + ''; + }; + port = mkOption { + type = types.int; + description = '' + Remote port. + ''; + }; + proxy = mkOption { + type = types.nullOr types.string; + default = null; + description = '' + The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as followed: + + http://127.0.0.1:8118 + socks4a://127.0.0.1:9050 + socks5://127.0.0.1:9050 + + The proxy support should not leak DNS requests and is suitable for use with Tor. + ''; + }; + }; + }); + default = [ + { + host = "www.ptb.de"; + port = 443; + proxy = null; + } + ]; + description = '' + You can list one or more sources to fetch time from. + ''; + }; + + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + + # Make tools such as tlsdate available in the system path + environment.systemPackages = [ tlsdate ]; + + systemd.services.tlsdated = { + description = "tlsdated daemon"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + # XXX because pkgs.tlsdate is compiled to run as nobody:nogroup, we + # hard-code base-path to /tmp and use PrivateTmp. + ExecStart = "${tlsdate}/bin/tlsdated -f ${pkgs.writeText "tlsdated.confg" '' + base-path /tmp + + ${concatMapStrings (src: '' + source + host ${src.host} + port ${toString src.port} + proxy ${if src.proxy == null then "none" else src.proxy} + end + '') cfg.sources} + ''} ${cfg.extraOptions}"; + PrivateTmp = "yes"; + }; + }; + + }; + +} |