author | Franz Pletz <fpletz@fnordicwalking.de> | 2015-07-12 07:13:04 +0200 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2015-11-03 15:07:18 +0100 |
commit | d89f269b26b9e98beb6f1ce9dfa7fab659d61ce7 (patch) | |
tree | fd9d4cb21d636056e6dab1829992f05e9599bc3d /nixos/modules/services/networking | |
parent | c459e269eb378092ab166e8e9176d79752db7b27 (diff) | |
chrony service: Members of group chrony can use chronyc
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/chrony.nix | 61 |
1 files changed, 37 insertions, 24 deletions
diff --git a/nixos/modules/services/networking/chrony.nix b/nixos/modules/services/networking/chrony.nix
index 3c2d260de833..1cd678e7c621 100644
--- a/nixos/modules/services/networking/chrony.nix
+++ b/nixos/modules/services/networking/chrony.nix
@@ -8,26 +8,10 @@ let
   stateDir = "/var/lib/chrony";
-  chronyUser = "chrony";
+  keyFile = "/etc/chrony.keys";
   cfg = config.services.chrony;
-  configFile = pkgs.writeText "chrony.conf" ''
-    ${toString (map (server: "server " + server + "\n") cfg.servers)}
-
-    ${optionalString cfg.initstepslew.enabled ''
-      initstepslew ${toString cfg.initstepslew.threshold} ${toString (map (server: server + " ") cfg.initstepslew.servers)}
-    ''}
-
-    driftfile ${stateDir}/chrony.drift
-
-    ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
-
-    ${cfg.extraConfig}
-  '';
-
-  chronyFlags = "-m -f ${configFile} -u ${chronyUser}";
-
 in
 {
@@ -85,31 +69,60 @@ in
     # Make chronyc available in the system path
     environment.systemPackages = [ pkgs.chrony ];
-    systemd.services.ntpd.enable = false;
+    environment.etc."chrony.conf".text =
+      ''
+        ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
+
+        ${optionalString
+          cfg.initstepslew.enabled
+          "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
+        }
+
+        driftfile ${stateDir}/chrony.drift
+
+        keyfile ${keyFile}
+        generatecommandkey
+
+        ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
+
+        ${cfg.extraConfig}
+      '';
+
+    users.extraGroups = singleton
+      { name = "chrony";
+        gid = config.ids.gids.chrony;
+      };
     users.extraUsers = singleton
-      { name = chronyUser;
+      { name = "chrony";
         uid = config.ids.uids.chrony;
+        group = "chrony";
         description = "chrony daemon user";
         home = stateDir;
       };
-    jobs.chronyd =
-      { description = "chrony daemon";
+    systemd.services.ntpd.enable = false;
+
+    systemd.services.chronyd =
+      { description = "chrony NTP daemon";
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
         conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];
-        path = [ chrony ];
+        path = [ pkgs.chrony ];
         preStart = ''
           mkdir -m 0755 -p ${stateDir}
-          chown ${chronyUser} ${stateDir}
+          touch ${keyFile}
+          chmod 0640 ${keyFile}
+          chown chrony:chrony ${stateDir} ${keyFile}
         '';
-        exec = "chronyd -n ${chronyFlags}";
+        serviceConfig =
+          { ExecStart = "${pkgs.chrony}/bin/chronyd -n -m -u chrony";
+          };
       };
   };
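Review bot: In the new preStart, `touch ${keyFile}` creates /etc/chrony.keys under the service's default umask before `chmod 0640 ${keyFile}` tightens it, so on first start the file briefly exists with a wider mode than intended; chronyd only writes the generated command key after the chmod, so nothing leaks here, but the protection rests on statement ordering rather than on how the file is created. Creating it with the intended mode from the start, `( umask 027; touch ${keyFile} )`, keeps the existing `chmod`/`chown` lines as the correction for files that already exist. Separately, the ExecStart `chronyd -n -m -u chrony` drops the old `-f` flag and now relies on chronyd's built-in default config path matching the `environment.etc."chrony.conf"` entry; passing `-f /etc/chrony.conf` explicitly, or a comment stating that the default path is intended, would make that coupling visible. Whether membership in the new `chrony` group alone lets chronyc authenticate, or users still have to load the key from the 0640 file themselves, depends on the chronyc version and is not shown here, so a one-line comment on the `users.extraGroups` entry saying what membership grants would help the next maintainer.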