authortv <tv@shackspace.de>2014-12-20 16:10:28 +0100
committertv <tv@shackspace.de>2015-01-21 05:09:47 +0100
commit3fdd9250638b77ef46eb9860f655013907fe4842 (patch)
treeb908dc8e9038d3bd0eb16ddd1348e554d4cb1cee /nixos/modules
parent263a179946c23fddb000851e1631c7071f44b5d8 (diff)
nixos: Add tlsdated service
Diffstat (limited to 'nixos/modules')
-rwxr-xr-xnixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/networking/tlsdated.nix110
2 files changed, 111 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 2a2a7b004163..ff535c973e99 100755
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -290,6 +290,7 @@
   ./services/networking/tcpcrypt.nix
   ./services/networking/teamspeak3.nix
   ./services/networking/tftpd.nix
+  ./services/networking/tlsdated.nix
   ./services/networking/tox-bootstrapd.nix
   ./services/networking/unbound.nix
   ./services/networking/unifi.nix
diff --git a/nixos/modules/services/networking/tlsdated.nix b/nixos/modules/services/networking/tlsdated.nix
new file mode 100644
index 000000000000..f2d0c9f35c9c
--- /dev/null
+++ b/nixos/modules/services/networking/tlsdated.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  inherit (pkgs) coreutils tlsdate;
+
+  cfg = config.services.tlsdated;
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.tlsdated = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable tlsdated daemon.
+        '';
+      };
+
+      extraOptions = mkOption {
+        type = types.string;
+        description = ''
+          Additional command line arguments to pass to tlsdated.
+        '';
+      };
+
+      sources = mkOption {
+        type = types.listOf (types.submodule {
+          options = {
+            host = mkOption {
+              type = types.string;
+              description = ''
+                Remote hostname.
+              '';
+            };
+            port = mkOption {
+              type = types.int;
+              description = ''
+                Remote port.
+              '';
+            };
+            proxy = mkOption {
+              type = types.nullOr types.string;
+              default = null;
+              description = ''
+                The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as followed:
+
+                 http://127.0.0.1:8118
+                 socks4a://127.0.0.1:9050
+                 socks5://127.0.0.1:9050
+
+                The proxy support should not leak DNS requests and is suitable for use with Tor.
+              '';
+            };
+          };
+        });
+        default = [
+          {
+            host = "www.ptb.de";
+            port = 443;
+            proxy = null;
+          }
+        ];
+        description = ''
+          You can list one or more sources to fetch time from.
+        '';
+      };
+
+    };
+
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    # Make tools such as tlsdate available in the system path
+    environment.systemPackages = [ tlsdate ];
+
+    systemd.services.tlsdated = {
+      description = "tlsdated daemon";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        # XXX because pkgs.tlsdate is compiled to run as nobody:nogroup, we
+        # hard-code base-path to /tmp and use PrivateTmp.
+        ExecStart = "${tlsdate}/bin/tlsdated -f ${pkgs.writeText "tlsdated.confg" ''
+          base-path /tmp
+
+          ${concatMapStrings (src: ''
+          source
+              host    ${src.host}
+              port    ${toString src.port}
+              proxy   ${if src.proxy == null then "none" else src.proxy}
+          end
+          '') cfg.sources}
+        ''} ${cfg.extraOptions}";
+        PrivateTmp = "yes";
+      };
+    };
+
+  };
+
+}
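Review bot: The `extraOptions` mkOption near the top of the new module declares `type = types.string;` but no default, so the `${cfg.extraOptions}` interpolation in `ExecStart` makes evaluation fail with "option is used but not defined" for anyone who sets `services.tlsdated.enable = true` without also setting `extraOptions`; add `default = "";` next to the type. The `pkgs.writeText "tlsdated.confg"` name looks like a typo for `tlsdated.conf`. `src.host` and `src.proxy` are spliced verbatim into the generated config; these values come from the evaluated system configuration rather than from the network, but a type that rejects whitespace and newlines (or an assertion) would keep a stray value from rewriting the `source … end` block. The `proxy none` literal is presumably what tlsdated expects for "no proxy" — worth confirming against the tlsdated config parser, since a wrong spelling would only surface at service start.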