From a61e94329fd1698e31ffb798b7ed50e882249d49 Mon Sep 17 00:00:00 2001
From: Austin Seipp
Date: Sat, 1 Dec 2018 12:49:16 -0600
Subject: nixos: shuffle all ntp services into their own dir
This is reckless, ill-advised, pointless, and I will be scorned for it, but it makes me feel a lot better.
Signed-off-by: Austin Seipp
---
 nixos/modules/module-list.nix | 6 +-
 nixos/modules/services/networking/chrony.nix | 129 --------------------
 nixos/modules/services/networking/ntp/chrony.nix | 129 ++++++++++++++++++++
 nixos/modules/services/networking/ntp/ntpd.nix | 134 +++++++++++++++++++++
 nixos/modules/services/networking/ntp/openntpd.nix | 82 +++++++++++++
 nixos/modules/services/networking/ntpd.nix | 134 ---------------------
 nixos/modules/services/networking/openntpd.nix | 82 -------------
 7 files changed, 348 insertions(+), 348 deletions(-)
 delete mode 100644 nixos/modules/services/networking/chrony.nix
 create mode 100644 nixos/modules/services/networking/ntp/chrony.nix
 create mode 100644 nixos/modules/services/networking/ntp/ntpd.nix
 create mode 100644 nixos/modules/services/networking/ntp/openntpd.nix
 delete mode 100644 nixos/modules/services/networking/ntpd.nix
 delete mode 100644 nixos/modules/services/networking/openntpd.nix
(limited to 'nixos/modules')
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 5b7f391ed5a5..fb8453f1d537 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -567,7 +567,6 @@
 ./services/networking/bird.nix
 ./services/networking/bitlbee.nix
 ./services/networking/charybdis.nix
- ./services/networking/chrony.nix
 ./services/networking/cjdns.nix
 ./services/networking/cntlm.nix
 ./services/networking/connman.nix
@@ -650,14 +649,15 @@
 ./services/networking/nntp-proxy.nix
 ./services/networking/nsd.nix
 ./services/networking/ntopng.nix
- ./services/networking/ntpd.nix
+ ./services/networking/ntp/chrony.nix
+ ./services/networking/ntp/ntpd.nix
+ ./services/networking/ntp/openntpd.nix
 ./services/networking/nullidentdmod.nix
 ./services/networking/nylon.nix
 ./services/networking/ocserv.nix
 ./services/networking/ofono.nix
 ./services/networking/oidentd.nix
 ./services/networking/openfire.nix
- ./services/networking/openntpd.nix
 ./services/networking/openvpn.nix
 ./services/networking/ostinato.nix
 ./services/networking/owamp.nix
diff --git a/nixos/modules/services/networking/chrony.nix b/nixos/modules/services/networking/chrony.nix
deleted file mode 100644
index 77f702577000..000000000000
--- a/nixos/modules/services/networking/chrony.nix
+++ /dev/null
@@ -1,129 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.chrony;
-
- stateDir = "/var/lib/chrony";
- keyFile = "${stateDir}/chrony.keys";
-
- configFile = pkgs.writeText "chrony.conf" ''
- ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
-
- ${optionalString
- (cfg.initstepslew.enabled && (cfg.servers != []))
- "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
- }
-
- driftfile ${stateDir}/chrony.drift
- keyfile ${keyFile}
-
- ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
-
- ${cfg.extraConfig}
- '';
-
- chronyFlags = "-m -u chrony -f ${configFile} ${toString cfg.extraFlags}";
-in
-{
- options = {
- services.chrony = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to synchronise your machine's time using chrony.
- Make sure you disable NTP if you enable this service.
- '';
- };
-
- servers = mkOption {
- default = config.networking.timeServers;
- description = ''
- The set of NTP servers from which to synchronise.
- '';
- };
-
- initstepslew = mkOption {
- default = {
- enabled = true;
- threshold = 1000; # by default, same threshold as 'ntpd -g' (1000s)
- servers = cfg.servers;
- };
- description = ''
- Allow chronyd to make a rapid measurement of the system clock error at
- boot time, and to correct the system clock by stepping before normal
- operation begins.
- '';
- };
-
- extraConfig = mkOption {
- type = types.lines;
- default = "";
- description = ''
- Extra configuration directives that should be added to
- chrony.conf
- '';
- };
-
- extraFlags = mkOption {
- default = [];
- example = [ "-s" ];
- type = types.listOf types.str;
- description = "Extra flags passed to the chronyd command.";
- };
- };
- };
-
- config = mkIf cfg.enable {
- environment.systemPackages = [ pkgs.chrony ];
-
- users.groups = singleton
- { name = "chrony";
- gid = config.ids.gids.chrony;
- };
-
- users.users = singleton
- { name = "chrony";
- uid = config.ids.uids.chrony;
- group = "chrony";
- description = "chrony daemon user";
- home = stateDir;
- };
-
- services.timesyncd.enable = mkForce false;
-
- systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "chronyd.service"; };
-
- systemd.services.chronyd =
- { description = "chrony NTP daemon";
-
- wantedBy = [ "multi-user.target" ];
- wants = [ "time-sync.target" ];
- before = [ "time-sync.target" ];
- after = [ "network.target" ];
- conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];
-
- path = [ pkgs.chrony ];
-
- preStart = ''
- mkdir -m 0755 -p ${stateDir}
- touch ${keyFile}
- chmod 0640 ${keyFile}
- chown chrony:chrony ${stateDir} ${keyFile}
- '';
-
- unitConfig.ConditionCapability = "CAP_SYS_TIME";
- serviceConfig =
- { Type = "forking";
- ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
-
- ProtectHome = "yes";
- ProtectSystem = "full";
- PrivateTmp = "yes";
-
- };
-
- };
- };
-}
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
new file mode 100644
index 000000000000..77f702577000
--- /dev/null
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -0,0 +1,129 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.chrony;
+
+ stateDir = "/var/lib/chrony";
+ keyFile = "${stateDir}/chrony.keys";
+
+ configFile = pkgs.writeText "chrony.conf" ''
+ ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
+
+ ${optionalString
+ (cfg.initstepslew.enabled && (cfg.servers != []))
+ "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
+ }
+
+ driftfile ${stateDir}/chrony.drift
+ keyfile ${keyFile}
+
+ ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
+
+ ${cfg.extraConfig}
+ '';
+
+ chronyFlags = "-m -u chrony -f ${configFile} ${toString cfg.extraFlags}";
+in
+{
+ options = {
+ services.chrony = {
+ enable = mkOption {
+ default = false;
+ description = ''
+ Whether to synchronise your machine's time using chrony.
+ Make sure you disable NTP if you enable this service.
+ '';
+ };
+
+ servers = mkOption {
+ default = config.networking.timeServers;
+ description = ''
+ The set of NTP servers from which to synchronise.
+ '';
+ };
+
+ initstepslew = mkOption {
+ default = {
+ enabled = true;
+ threshold = 1000; # by default, same threshold as 'ntpd -g' (1000s)
+ servers = cfg.servers;
+ };
+ description = ''
+ Allow chronyd to make a rapid measurement of the system clock error at
+ boot time, and to correct the system clock by stepping before normal
+ operation begins.
+ '';
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = ''
+ Extra configuration directives that should be added to
+ chrony.conf
+ '';
+ };
+
+ extraFlags = mkOption {
+ default = [];
+ example = [ "-s" ];
+ type = types.listOf types.str;
+ description = "Extra flags passed to the chronyd command.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.chrony ];
+
+ users.groups = singleton
+ { name = "chrony";
+ gid = config.ids.gids.chrony;
+ };
+
+ users.users = singleton
+ { name = "chrony";
+ uid = config.ids.uids.chrony;
+ group = "chrony";
+ description = "chrony daemon user";
+ home = stateDir;
+ };
+
+ services.timesyncd.enable = mkForce false;
+
+ systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "chronyd.service"; };
+
+ systemd.services.chronyd =
+ { description = "chrony NTP daemon";
+
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "time-sync.target" ];
+ before = [ "time-sync.target" ];
+ after = [ "network.target" ];
+ conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];
+
+ path = [ pkgs.chrony ];
+
+ preStart = ''
+ mkdir -m 0755 -p ${stateDir}
+ touch ${keyFile}
+ chmod 0640 ${keyFile}
+ chown chrony:chrony ${stateDir} ${keyFile}
+ '';
+
+ unitConfig.ConditionCapability = "CAP_SYS_TIME";
+ serviceConfig =
+ { Type = "forking";
+ ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
+
+ ProtectHome = "yes";
+ ProtectSystem = "full";
+ PrivateTmp = "yes";
+
+ };
+
+ };
+ };
+}
diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix
new file mode 100644
index 000000000000..588d1c6edb07
--- /dev/null
+++ b/nixos/modules/services/networking/ntp/ntpd.nix
@@ -0,0 +1,134 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ inherit (pkgs) ntp;
+
+ cfg = config.services.ntp;
+
+ stateDir = "/var/lib/ntp";
+
+ ntpUser = "ntp";
+
+ configFile = pkgs.writeText "ntp.conf" ''
+ driftfile ${stateDir}/ntp.drift
+
+ restrict default ${toString cfg.restrictDefault}
+ restrict -6 default ${toString cfg.restrictDefault}
+ restrict source ${toString cfg.restrictSource}
+
+ restrict 127.0.0.1
+ restrict -6 ::1
+
+ ${toString (map (server: "server " + server + " iburst\n") cfg.servers)}
+ '';
+
+ ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup ${toString cfg.extraFlags}";
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.ntp = {
+
+ enable = mkOption {
+ default = false;
+ description = ''
+ Whether to synchronise your machine's time using ntpd, as a peer in
+ the NTP network.
+
+
+ Disables systemd.timesyncd if enabled.
+ '';
+ };
+
+ restrictDefault = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ The restriction flags to be set by default.
+
+
+ The default flags prevent external hosts from using ntpd as a DDoS
+ reflector, setting system time, and querying OS/ntpd version. As
+ recommended in section 6.5.1.1.3, answer "No" of
+ http://support.ntp.org/bin/view/Support/AccessRestrictions
+ '';
+ default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ];
+ };
+
+ restrictSource = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ The restriction flags to be set on source.
+
+
+ The default flags allow peers to be added by ntpd from configured
+ pool(s), but not by other means.
+ '';
+ default = [ "limited" "kod" "nomodify" "notrap" "noquery" ];
+ };
+
+ servers = mkOption {
+ default = config.networking.timeServers;
+ description = ''
+ The set of NTP servers from which to synchronise.
+ '';
+ };
+
+ extraFlags = mkOption {
+ type = types.listOf types.str;
+ description = "Extra flags passed to the ntpd command.";
+ example = literalExample ''[ "--interface=eth0" ]'';
+ default = [];
+ };
+
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf config.services.ntp.enable {
+
+ # Make tools such as ntpq available in the system path.
+ environment.systemPackages = [ pkgs.ntp ];
+ services.timesyncd.enable = mkForce false;
+
+ systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; };
+
+ users.users = singleton
+ { name = ntpUser;
+ uid = config.ids.uids.ntp;
+ description = "NTP daemon user";
+ home = stateDir;
+ };
+
+ systemd.services.ntpd =
+ { description = "NTP Daemon";
+
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "time-sync.target" ];
+ before = [ "time-sync.target" ];
+
+ preStart =
+ ''
+ mkdir -m 0755 -p ${stateDir}
+ chown ${ntpUser} ${stateDir}
+ '';
+
+ serviceConfig = {
+ ExecStart = "@${ntp}/bin/ntpd ntpd -g ${ntpFlags}";
+ Type = "forking";
+ };
+ };
+
+ };
+
+}
diff --git a/nixos/modules/services/networking/ntp/openntpd.nix b/nixos/modules/services/networking/ntp/openntpd.nix
new file mode 100644
index 000000000000..f3920aa80646
--- /dev/null
+++ b/nixos/modules/services/networking/ntp/openntpd.nix
@@ -0,0 +1,82 @@
+{ pkgs, lib, config, options, ... }:
+
+with lib;
+
+let
+ cfg = config.services.openntpd;
+
+ package = pkgs.openntpd_nixos;
+
+ configFile = ''
+ ${concatStringsSep "\n" (map (s: "server ${s}") cfg.servers)}
+ ${cfg.extraConfig}
+ '';
+
+ pidFile = "/run/openntpd.pid";
+
+in
+{
+ ###### interface
+
+ options.services.openntpd = {
+ enable = mkEnableOption "OpenNTP time synchronization server";
+
+ servers = mkOption {
+ default = config.services.ntp.servers;
+ type = types.listOf types.str;
+ inherit (options.services.ntp.servers) description;
+ };
+
+ extraConfig = mkOption {
+ type = with types; lines;
+ default = "";
+ example = ''
+ listen on 127.0.0.1
+ listen on ::1
+ '';
+ description = ''
+ Additional text appended to openntpd.conf.
+ '';
+ };
+
+ extraOptions = mkOption {
+ type = with types; separatedString " ";
+ default = "";
+ example = "-s";
+ description = ''
+ Extra options used when launching openntpd.
+ '';
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ services.timesyncd.enable = mkForce false;
+
+ # Add ntpctl to the environment for status checking
+ environment.systemPackages = [ package ];
+
+ environment.etc."ntpd.conf".text = configFile;
+
+ users.users = singleton {
+ name = "ntp";
+ uid = config.ids.uids.ntp;
+ description = "OpenNTP daemon user";
+ home = "/var/empty";
+ };
+
+ systemd.services.openntpd = {
+ description = "OpenNTP Server";
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" "time-sync.target" ];
+ before = [ "time-sync.target" ];
+ after = [ "dnsmasq.service" "bind.service" "network-online.target" ];
+ serviceConfig = {
+ ExecStart = "${package}/sbin/ntpd -p ${pidFile} ${cfg.extraOptions}";
+ Type = "forking";
+ PIDFile = pidFile;
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/networking/ntpd.nix b/nixos/modules/services/networking/ntpd.nix
deleted file mode 100644
index 588d1c6edb07..000000000000
--- a/nixos/modules/services/networking/ntpd.nix
+++ /dev/null
@@ -1,134 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
- inherit (pkgs) ntp;
-
- cfg = config.services.ntp;
-
- stateDir = "/var/lib/ntp";
-
- ntpUser = "ntp";
-
- configFile = pkgs.writeText "ntp.conf" ''
- driftfile ${stateDir}/ntp.drift
-
- restrict default ${toString cfg.restrictDefault}
- restrict -6 default ${toString cfg.restrictDefault}
- restrict source ${toString cfg.restrictSource}
-
- restrict 127.0.0.1
- restrict -6 ::1
-
- ${toString (map (server: "server " + server + " iburst\n") cfg.servers)}
- '';
-
- ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup ${toString cfg.extraFlags}";
-
-in
-
-{
-
- ###### interface
-
- options = {
-
- services.ntp = {
-
- enable = mkOption {
- default = false;
- description = ''
- Whether to synchronise your machine's time using ntpd, as a peer in
- the NTP network.
-
-
- Disables systemd.timesyncd if enabled.
- '';
- };
-
- restrictDefault = mkOption {
- type = types.listOf types.str;
- description = ''
- The restriction flags to be set by default.
-
-
- The default flags prevent external hosts from using ntpd as a DDoS
- reflector, setting system time, and querying OS/ntpd version. As
- recommended in section 6.5.1.1.3, answer "No" of
- http://support.ntp.org/bin/view/Support/AccessRestrictions
- '';
- default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ];
- };
-
- restrictSource = mkOption {
- type = types.listOf types.str;
- description = ''
- The restriction flags to be set on source.
-
-
- The default flags allow peers to be added by ntpd from configured
- pool(s), but not by other means.
- '';
- default = [ "limited" "kod" "nomodify" "notrap" "noquery" ];
- };
-
- servers = mkOption {
- default = config.networking.timeServers;
- description = ''
- The set of NTP servers from which to synchronise.
- '';
- };
-
- extraFlags = mkOption {
- type = types.listOf types.str;
- description = "Extra flags passed to the ntpd command.";
- example = literalExample ''[ "--interface=eth0" ]'';
- default = [];
- };
-
- };
-
- };
-
-
- ###### implementation
-
- config = mkIf config.services.ntp.enable {
-
- # Make tools such as ntpq available in the system path.
- environment.systemPackages = [ pkgs.ntp ];
- services.timesyncd.enable = mkForce false;
-
- systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; };
-
- users.users = singleton
- { name = ntpUser;
- uid = config.ids.uids.ntp;
- description = "NTP daemon user";
- home = stateDir;
- };
-
- systemd.services.ntpd =
- { description = "NTP Daemon";
-
- wantedBy = [ "multi-user.target" ];
- wants = [ "time-sync.target" ];
- before = [ "time-sync.target" ];
-
- preStart =
- ''
- mkdir -m 0755 -p ${stateDir}
- chown ${ntpUser} ${stateDir}
- '';
-
- serviceConfig = {
- ExecStart = "@${ntp}/bin/ntpd ntpd -g ${ntpFlags}";
- Type = "forking";
- };
- };
-
- };
-
-}
diff --git a/nixos/modules/services/networking/openntpd.nix b/nixos/modules/services/networking/openntpd.nix
deleted file mode 100644
index f3920aa80646..000000000000
--- a/nixos/modules/services/networking/openntpd.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{ pkgs, lib, config, options, ... }:
-
-with lib;
-
-let
- cfg = config.services.openntpd;
-
- package = pkgs.openntpd_nixos;
-
- configFile = ''
- ${concatStringsSep "\n" (map (s: "server ${s}") cfg.servers)}
- ${cfg.extraConfig}
- '';
-
- pidFile = "/run/openntpd.pid";
-
-in
-{
- ###### interface
-
- options.services.openntpd = {
- enable = mkEnableOption "OpenNTP time synchronization server";
-
- servers = mkOption {
- default = config.services.ntp.servers;
- type = types.listOf types.str;
- inherit (options.services.ntp.servers) description;
- };
-
- extraConfig = mkOption {
- type = with types; lines;
- default = "";
- example = ''
- listen on 127.0.0.1
- listen on ::1
- '';
- description = ''
- Additional text appended to openntpd.conf.
- '';
- };
-
- extraOptions = mkOption {
- type = with types; separatedString " ";
- default = "";
- example = "-s";
- description = ''
- Extra options used when launching openntpd.
- '';
- };
- };
-
- ###### implementation
-
- config = mkIf cfg.enable {
- services.timesyncd.enable = mkForce false;
-
- # Add ntpctl to the environment for status checking
- environment.systemPackages = [ package ];
-
- environment.etc."ntpd.conf".text = configFile;
-
- users.users = singleton {
- name = "ntp";
- uid = config.ids.uids.ntp;
- description = "OpenNTP daemon user";
- home = "/var/empty";
- };
-
- systemd.services.openntpd = {
- description = "OpenNTP Server";
- wantedBy = [ "multi-user.target" ];
- wants = [ "network-online.target" "time-sync.target" ];
- before = [ "time-sync.target" ];
- after = [ "dnsmasq.service" "bind.service" "network-online.target" ];
- serviceConfig = {
- ExecStart = "${package}/sbin/ntpd -p ${pidFile} ${cfg.extraOptions}";
- Type = "forking";
- PIDFile = pidFile;
- };
- };
- };
-}
--
cgit 1.4.1