diff options
| author | Austin Seipp <aseipp@pobox.com> | 2018-09-24 00:21:52 -0500 |
|---|---|---|
| committer | Austin Seipp <aseipp@pobox.com> | 2018-09-24 15:42:44 -0500 |
| commit | 0ce90d58cca7a1318a50268e957f3faa3b80079c (patch) | |
| tree | 8e0480c0fc2447e55fafdb7439b5a023870b7c5c /nixos/modules/services/networking | |
| parent | 6ebad0821f207136f741a68790c6030592c9a131 (diff) | |
| download | nixlib-0ce90d58cca7a1318a50268e957f3faa3b80079c.tar nixlib-0ce90d58cca7a1318a50268e957f3faa3b80079c.tar.gz nixlib-0ce90d58cca7a1318a50268e957f3faa3b80079c.tar.bz2 nixlib-0ce90d58cca7a1318a50268e957f3faa3b80079c.tar.lz nixlib-0ce90d58cca7a1318a50268e957f3faa3b80079c.tar.xz nixlib-0ce90d58cca7a1318a50268e957f3faa3b80079c.tar.zst nixlib-0ce90d58cca7a1318a50268e957f3faa3b80079c.zip | |
nixos/chrony: clean up, rework to be a little closer to upstream
Most importantly, this sets PrivateTmp, ProtectHome, and ProtectSystem so that Chrony flaws are mitigated, should they occur. Moving to ProtectSystem=full however, requires moving the chrony key files under /var/lib/chrony -- which should be fine, anyway. This also ensures ConditionCapability=CAP_SYS_TIME is set, ensuring that chronyd will only be launched in an environment where such a capability can be granted. Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos/modules/services/networking')
| -rw-r--r-- | nixos/modules/services/networking/chrony.nix | 52 |
1 files changed, 20 insertions, 32 deletions
diff --git a/nixos/modules/services/networking/chrony.nix b/nixos/modules/services/networking/chrony.nix index cef30661cc33..a363b545d649 100644 --- a/nixos/modules/services/networking/chrony.nix +++ b/nixos/modules/services/networking/chrony.nix @@ -3,12 +3,10 @@ with lib; let + cfg = config.services.chrony; stateDir = "/var/lib/chrony"; - - keyFile = "/etc/chrony.keys"; - - cfg = config.services.chrony; + keyFile = "${stateDir}/chrony.keys"; configFile = pkgs.writeText "chrony.conf" '' ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers} @@ -19,7 +17,6 @@ let } driftfile ${stateDir}/chrony.drift - keyfile ${keyFile} ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"} @@ -27,18 +24,11 @@ let ${cfg.extraConfig} ''; - chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}"; - + chronyFlags = "-m -u chrony -f ${configFile} ${toString cfg.extraFlags}"; in - { - - ###### interface - options = { - services.chrony = { - enable = mkOption { default = false; description = '' @@ -83,15 +73,9 @@ in description = "Extra flags passed to the chronyd command."; }; }; - }; - - ###### implementation - config = mkIf cfg.enable { - - # Make chronyc available in the system path environment.systemPackages = [ pkgs.chrony ]; users.groups = singleton @@ -113,26 +97,30 @@ in { description = "chrony NTP daemon"; wantedBy = [ "multi-user.target" ]; - wants = [ "time-sync.target" ]; - before = [ "time-sync.target" ]; - after = [ "network.target" ]; + wants = [ "time-sync.target" ]; + before = [ "time-sync.target" ]; + after = [ "network.target" ]; conflicts = [ "ntpd.service" "systemd-timesyncd.service" ]; path = [ pkgs.chrony ]; - preStart = - '' - mkdir -m 0755 -p ${stateDir} - touch ${keyFile} - chmod 0640 ${keyFile} - chown chrony:chrony ${stateDir} ${keyFile} - ''; + preStart = '' + mkdir -m 0755 -p ${stateDir} + touch ${keyFile} + chmod 0640 ${keyFile} + chown chrony:chrony ${stateDir} ${keyFile} + ''; serviceConfig = - { ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}"; + { Type = "forking"; + ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}"; + + ProtectHome = "yes"; + ProtectSystem = "full"; + PrivateTmp = "yes"; + + ConditionCapability = "CAP_SYS_TIME"; }; }; - }; - } |