| blob | 84f79df52b0e92c515ffb4241d16ef75662a2681 |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
8 with lib;
10 let
12 inherit (pkgs) ntp;
14 cfg = config.services.ntp;
16 configFile = pkgs.writeText "ntp.conf" ''
17 driftfile /var/lib/ntp/ntp.drift
19 restrict default ${toString cfg.restrictDefault}
20 restrict -6 default ${toString cfg.restrictDefault}
21 restrict source ${toString cfg.restrictSource}
23 restrict 127.0.0.1
24 restrict -6 ::1
26 ${toString (map (server: "server " + server + " iburst\n") cfg.servers)}
28 ${cfg.extraConfig}
29 '';
31 ntpFlags = [
32 "-c"
33 "${configFile}"
34 "-u"
35 "ntp:ntp"
36 ] ++ cfg.extraFlags;
38 in
40 {
42 ###### interface
44 options = {
46 services.ntp = {
48 enable = mkOption {
49 type = types.bool;
50 default = false;
51 description = ''
52 Whether to synchronise your machine's time using ntpd, as a peer in
53 the NTP network.
55 Disables `systemd.timesyncd` if enabled.
56 '';
57 };
59 restrictDefault = mkOption {
60 type = types.listOf types.str;
61 description = ''
62 The restriction flags to be set by default.
64 The default flags prevent external hosts from using ntpd as a DDoS
65 reflector, setting system time, and querying OS/ntpd version. As
66 recommended in section 6.5.1.1.3, answer "No" of
67 https://support.ntp.org/Support/AccessRestrictions
68 '';
69 default = [
70 "limited"
71 "kod"
72 "nomodify"
73 "notrap"
74 "noquery"
75 "nopeer"
76 ];
77 };
79 restrictSource = mkOption {
80 type = types.listOf types.str;
81 description = ''
82 The restriction flags to be set on source.
84 The default flags allow peers to be added by ntpd from configured
85 pool(s), but not by other means.
86 '';
87 default = [
88 "limited"
89 "kod"
90 "nomodify"
91 "notrap"
92 "noquery"
93 ];
94 };
96 servers = mkOption {
97 default = config.networking.timeServers;
98 defaultText = literalExpression "config.networking.timeServers";
99 type = types.listOf types.str;
100 description = ''
101 The set of NTP servers from which to synchronise.
102 '';
103 };
105 extraConfig = mkOption {
106 type = types.lines;
107 default = "";
108 example = ''
109 fudge 127.127.1.0 stratum 10
110 '';
111 description = ''
112 Additional text appended to {file}`ntp.conf`.
113 '';
114 };
116 extraFlags = mkOption {
117 type = types.listOf types.str;
118 description = "Extra flags passed to the ntpd command.";
119 example = literalExpression ''[ "--interface=eth0" ]'';
120 default = [ ];
121 };
123 };
125 };
127 ###### implementation
129 config = mkIf config.services.ntp.enable {
130 meta.maintainers = with lib.maintainers; [ thoughtpolice ];
132 # Make tools such as ntpq available in the system path.
133 environment.systemPackages = [ pkgs.ntp ];
134 services.timesyncd.enable = mkForce false;
136 systemd.services.systemd-timedated.environment = {
137 SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service";
138 };
140 users.users.ntp = {
141 isSystemUser = true;
142 group = "ntp";
143 description = "NTP daemon user";
144 home = "/var/lib/ntp";
145 createHome = true;
146 };
147 users.groups.ntp = { };
149 systemd.services.ntpd = {
150 description = "NTP Daemon";
152 wantedBy = [ "multi-user.target" ];
153 wants = [ "time-sync.target" ];
154 before = [ "time-sync.target" ];
156 serviceConfig = {
157 ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}";
158 Type = "forking";
160 # Hardening options
161 PrivateDevices = true;
162 PrivateIPC = true;
163 PrivateTmp = true;
164 ProtectClock = false;
165 ProtectHome = true;
167 ProtectHostname = true;
168 ProtectKernelLogs = true;
169 ProtectKernelModules = true;
170 ProtectKernelTunables = true;
171 ProtectSystem = true;
173 RestrictNamespaces = true;
174 RestrictRealtime = true;
175 LockPersonality = true;
176 MemoryDenyWriteExecute = true;
177 AmbientCapabilities = [
178 "CAP_SYS_TIME"
179 ];
181 ProtectControlGroups = true;
182 ProtectProc = "invisible";
183 ProcSubset = "pid";
184 RestrictSUIDSGID = true;
185 };
186 };
188 };
190 }