Diffstat (limited to 'nixos/modules/services/networking/tlsdated.nix')
-rw-r--r--nixos/modules/services/networking/tlsdated.nix110
1 files changed, 110 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/tlsdated.nix b/nixos/modules/services/networking/tlsdated.nix
new file mode 100644
index 00000000000..f2d0c9f35c9
--- /dev/null
+++ b/nixos/modules/services/networking/tlsdated.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  inherit (pkgs) coreutils tlsdate;
+
+  cfg = config.services.tlsdated;
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.tlsdated = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable tlsdated daemon.
+        '';
+      };
+
+      extraOptions = mkOption {
+        type = types.string;
+        description = ''
+          Additional command line arguments to pass to tlsdated.
+        '';
+      };
+
+      sources = mkOption {
+        type = types.listOf (types.submodule {
+          options = {
+            host = mkOption {
+              type = types.string;
+              description = ''
+                Remote hostname.
+              '';
+            };
+            port = mkOption {
+              type = types.int;
+              description = ''
+                Remote port.
+              '';
+            };
+            proxy = mkOption {
+              type = types.nullOr types.string;
+              default = null;
+              description = ''
+                The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as followed:
+
+                 http://127.0.0.1:8118
+                 socks4a://127.0.0.1:9050
+                 socks5://127.0.0.1:9050
+
+                The proxy support should not leak DNS requests and is suitable for use with Tor.
+              '';
+            };
+          };
+        });
+        default = [
+          {
+            host = "www.ptb.de";
+            port = 443;
+            proxy = null;
+          }
+        ];
+        description = ''
+          You can list one or more sources to fetch time from.
+        '';
+      };
+
+    };
+
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    # Make tools such as tlsdate available in the system path
+    environment.systemPackages = [ tlsdate ];
+
+    systemd.services.tlsdated = {
+      description = "tlsdated daemon";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        # XXX because pkgs.tlsdate is compiled to run as nobody:nogroup, we
+        # hard-code base-path to /tmp and use PrivateTmp.
+        ExecStart = "${tlsdate}/bin/tlsdated -f ${pkgs.writeText "tlsdated.confg" ''
+          base-path /tmp
+
+          ${concatMapStrings (src: ''
+          source
+              host    ${src.host}
+              port    ${toString src.port}
+              proxy   ${if src.proxy == null then "none" else src.proxy}
+          end
+          '') cfg.sources}
+        ''} ${cfg.extraOptions}";
+        PrivateTmp = "yes";
+      };
+    };
+
+  };
+
+}
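Review bot: The `extraOptions` declaration carries no `default`, yet `ExecStart` interpolates `${cfg.extraOptions}` unconditionally, so `services.tlsdated.enable = true` on its own should fail evaluation with an "option is used but not defined" error; add `default = "";` beside `type = types.string;` in that option. Separately, `host`, `proxy` and `extraOptions` are spliced verbatim into the generated config file and the unit's command line, so a value containing whitespace or a newline silently rewrites the daemon's configuration — these values come from the operator's own NixOS configuration rather than an untrusted source, so this is a robustness rather than an injection concern, but making `extraOptions` a `types.listOf types.str` and joining it with a shell-escaping helper (if this nixpkgs revision has one) would keep the command line unambiguous. The `writeText "tlsdated.confg"` derivation name looks like a typo for `tlsdated.conf`; it only affects the store path name, not behaviour.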