From 3fdd9250638b77ef46eb9860f655013907fe4842 Mon Sep 17 00:00:00 2001
From: tv
Date: Sat, 20 Dec 2014 16:10:28 +0100
Subject: nixos: Add tlsdated service

---
 nixos/modules/module-list.nix                  |   1 +
 nixos/modules/services/networking/tlsdated.nix | 110 +++++++++++++++++++++++++
 2 files changed, 111 insertions(+)
 create mode 100644 nixos/modules/services/networking/tlsdated.nix
(limited to 'nixos/modules')

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 2a2a7b004163..ff535c973e99 100755
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -290,6 +290,7 @@
   ./services/networking/tcpcrypt.nix
   ./services/networking/teamspeak3.nix
   ./services/networking/tftpd.nix
+  ./services/networking/tlsdated.nix
   ./services/networking/tox-bootstrapd.nix
   ./services/networking/unbound.nix
   ./services/networking/unifi.nix
diff --git a/nixos/modules/services/networking/tlsdated.nix b/nixos/modules/services/networking/tlsdated.nix
new file mode 100644
index 000000000000..f2d0c9f35c9c
--- /dev/null
+++ b/nixos/modules/services/networking/tlsdated.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  inherit (pkgs) coreutils tlsdate;
+
+  cfg = config.services.tlsdated;
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.tlsdated = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable tlsdated daemon.
+        '';
+      };
+
+      extraOptions = mkOption {
+        type = types.string;
+        description = ''
+          Additional command line arguments to pass to tlsdated.
+        '';
+      };
+
+      sources = mkOption {
+        type = types.listOf (types.submodule {
+          options = {
+            host = mkOption {
+              type = types.string;
+              description = ''
+                Remote hostname.
+              '';
+            };
+            port = mkOption {
+              type = types.int;
+              description = ''
+                Remote port.
+              '';
+            };
+            proxy = mkOption {
+              type = types.nullOr types.string;
+              default = null;
+              description = ''
+                The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as followed:
+
+                  http://127.0.0.1:8118
+                  socks4a://127.0.0.1:9050
+                  socks5://127.0.0.1:9050
+
+                The proxy support should not leak DNS requests and is suitable for use with Tor.
+              '';
+            };
+          };
+        });
+        default = [
+          {
+            host = "www.ptb.de";
+            port = 443;
+            proxy = null;
+          }
+        ];
+        description = ''
+          You can list one or more sources to fetch time from.
+        '';
+      };
+
+    };
+
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    # Make tools such as tlsdate available in the system path
+    environment.systemPackages = [ tlsdate ];
+
+    systemd.services.tlsdated = {
+      description = "tlsdated daemon";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        # XXX because pkgs.tlsdate is compiled to run as nobody:nogroup, we
+        # hard-code base-path to /tmp and use PrivateTmp.
+        ExecStart = "${tlsdate}/bin/tlsdated -f ${pkgs.writeText "tlsdated.confg" ''
+          base-path /tmp
+
+          ${concatMapStrings (src: ''
+            source
+              host ${src.host}
+              port ${toString src.port}
+              proxy ${if src.proxy == null then "none" else src.proxy}
+            end
+          '') cfg.sources}
+        ''} ${cfg.extraOptions}";
+        PrivateTmp = "yes";
+      };
+    };
+
+  };
+
+}
-- 
cgit 1.4.1
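Review bot: `extraOptions` is declared with `type = types.string` and no default, yet `ExecStart` interpolates `${cfg.extraOptions}` unconditionally, so merely setting `services.tlsdated.enable = true` fails at evaluation until the user also sets that option; add `default = "";` to the option. In the same `let` block `coreutils` is inherited from `pkgs` but never referenced and can be dropped. The `base-path /tmp` plus `PrivateTmp = "yes"` combination also means the daemon's working directory is a fresh, empty tmpfs on every service start; if tlsdated keeps its last-known timestamp under base-path (this is not visible in the hunk and should be confirmed against the upstream daemon), that state is discarded on each restart and the check against time moving backwards loses its baseline, so a persistent writable directory would be preferable once the nobody:nogroup constraint noted in the XXX comment is resolved. Minor: the generated config is named `"tlsdated.confg"`, which looks like a typo for `"tlsdated.conf"`.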