authorFranz Pletz <fpletz@fnordicwalking.de>2015-07-12 07:13:04 +0200
committerFranz Pletz <fpletz@fnordicwalking.de>2015-11-03 15:07:18 +0100
commitd89f269b26b9e98beb6f1ce9dfa7fab659d61ce7 (patch)
treefd9d4cb21d636056e6dab1829992f05e9599bc3d /nixos/modules/services/networking
parentc459e269eb378092ab166e8e9176d79752db7b27 (diff)
chrony service: Members of group chrony can use chronyc
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r--nixos/modules/services/networking/chrony.nix61
1 files changed, 37 insertions, 24 deletions
diff --git a/nixos/modules/services/networking/chrony.nix b/nixos/modules/services/networking/chrony.nix
index 3c2d260de833..1cd678e7c621 100644
--- a/nixos/modules/services/networking/chrony.nix
+++ b/nixos/modules/services/networking/chrony.nix
@@ -8,26 +8,10 @@ let
 
   stateDir = "/var/lib/chrony";
 
-  chronyUser = "chrony";
+  keyFile = "/etc/chrony.keys";
 
   cfg = config.services.chrony;
 
-  configFile = pkgs.writeText "chrony.conf" ''
-    ${toString (map (server: "server " + server + "\n") cfg.servers)}
-
-    ${optionalString cfg.initstepslew.enabled ''
-      initstepslew ${toString cfg.initstepslew.threshold} ${toString (map (server: server + " ") cfg.initstepslew.servers)}
-    ''}
-
-    driftfile ${stateDir}/chrony.drift
-
-    ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
-
-    ${cfg.extraConfig}
-  '';
-
-  chronyFlags = "-m -f ${configFile} -u ${chronyUser}";
-
 in
 
 {
@@ -85,31 +69,60 @@ in
     # Make chronyc available in the system path
     environment.systemPackages = [ pkgs.chrony ];
 
-    systemd.services.ntpd.enable = false;
+    environment.etc."chrony.conf".text =
+      ''
+        ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
+
+        ${optionalString
+          cfg.initstepslew.enabled
+          "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
+        }
+
+        driftfile ${stateDir}/chrony.drift
+
+        keyfile ${keyFile}
+        generatecommandkey
+
+        ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
+
+        ${cfg.extraConfig}
+      '';
+
+    users.extraGroups = singleton
+      { name = "chrony";
+        gid = config.ids.gids.chrony;
+      };
 
     users.extraUsers = singleton
-      { name = chronyUser;
+      { name = "chrony";
         uid = config.ids.uids.chrony;
+        group = "chrony";
         description = "chrony daemon user";
         home = stateDir;
       };
 
-    jobs.chronyd =
-      { description = "chrony daemon";
+    systemd.services.ntpd.enable = false;
+
+    systemd.services.chronyd =
+      { description = "chrony NTP daemon";
 
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
         conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];
 
-        path = [ chrony ];
+        path = [ pkgs.chrony ];
 
         preStart =
           ''
             mkdir -m 0755 -p ${stateDir}
-            chown ${chronyUser} ${stateDir}
+            touch ${keyFile}
+            chmod 0640 ${keyFile}
+            chown chrony:chrony ${stateDir} ${keyFile}
           '';
 
-        exec = "chronyd -n ${chronyFlags}";
+        serviceConfig =
+          { ExecStart = "${pkgs.chrony}/bin/chronyd -n -m -u chrony";
+          };
       };
 
   };
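Review bot: In preStart the key file is created with a plain `touch` under the service's default umask and only afterwards narrowed by `chmod 0640`, so the file briefly exists with whatever mode the umask yields. Because `generatecommandkey` has chronyd write the command key only after preStart has finished, that window holds no secret, but the ordering dependency is implicit; creating it under a restrictive umask, `( umask 027; touch ${keyFile} )`, makes the 0640 result hold from creation. Also, with the `chronyUser` binding dropped in the first hunk, the literal `"chrony"` now appears in the group name, the user name, the `group` attribute, the chown line and the ExecStart flags; a single `let` binding would keep those in step. Finally, ExecStart no longer passes `-f`, so the daemon is presumably relying on a compiled-in default of /etc/chrony.conf — worth confirming against the package.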