Loading nixos/modules/services/networking/ntp/ntpd.nix +78 −35 Original line number Diff line number Diff line { config, lib, pkgs, ... }: { config, lib, pkgs, ... }: with lib; Loading @@ -8,10 +13,8 @@ let cfg = config.services.ntp; stateDir = "/var/lib/ntp"; configFile = pkgs.writeText "ntp.conf" '' driftfile ${stateDir}/ntp.drift driftfile /var/lib/ntp/ntp.drift restrict default ${toString cfg.restrictDefault} restrict -6 default ${toString cfg.restrictDefault} Loading @@ -25,7 +28,12 @@ let ${cfg.extraConfig} ''; ntpFlags = [ "-c" "${configFile}" "-u" "ntp:ntp" ] ++ cfg.extraFlags; ntpFlags = [ "-c" "${configFile}" "-u" "ntp:ntp" ] ++ cfg.extraFlags; in Loading Loading @@ -58,7 +66,14 @@ in recommended in section 6.5.1.1.3, answer "No" of https://support.ntp.org/Support/AccessRestrictions ''; default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ]; default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ]; }; restrictSource = mkOption { Loading @@ -69,7 +84,13 @@ in The default flags allow peers to be added by ntpd from configured pool(s), but not by other means. ''; default = [ "limited" "kod" "nomodify" "notrap" "noquery" ]; default = [ "limited" "kod" "nomodify" "notrap" "noquery" ]; }; servers = mkOption { Loading Loading @@ -103,7 +124,6 @@ in }; ###### implementation config = mkIf config.services.ntp.enable { Loading 
@@ -113,32 +133,55 @@ in environment.systemPackages = [ pkgs.ntp ]; services.timesyncd.enable = mkForce false; systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; }; systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; }; users.users.ntp = { isSystemUser = true; users.users.ntp = { isSystemUser = true; group = "ntp"; description = "NTP daemon user"; home = stateDir; home = "/var/lib/ntp"; }; users.groups.ntp = { }; systemd.services.ntpd = { description = "NTP Daemon"; systemd.services.ntpd = { description = "NTP Daemon"; wantedBy = [ "multi-user.target" ]; wants = [ "time-sync.target" ]; before = [ "time-sync.target" ]; preStart = '' mkdir -m 0755 -p ${stateDir} chown ntp ${stateDir} ''; serviceConfig = { ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}"; Type = "forking"; StateDirectory = "ntp"; # Hardening options PrivateDevices = true; PrivateIPC = true; PrivateTmp = true; ProtectClock = false; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectSystem = true; RestrictNamespaces = true; RestrictRealtime = true; LockPersonality = true; MemoryDenyWriteExecute = true; AmbientCapabilities = [ "CAP_SYS_TIME" ]; ProtectControlGroups = true; ProtectProc = "invisible"; ProcSubset = "pid"; RestrictSUIDSGID = true; }; }; Loading nixos/tests/all-tests.nix +1 −0 Original line number Diff line number Diff line Loading 
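Review bot: The new hardening block under `serviceConfig` grants `AmbientCapabilities = [ "CAP_SYS_TIME" ]` but sets no `CapabilityBoundingSet`, so ntpd still starts as root with the full bounding set and the unit relies entirely on the daemon's own `-u ntp:ntp` drop to shed everything else; since the unit does not set `User=`, the ambient set is likely never consumed by systemd here and ntpd's libcap handling is what actually retains the clock capability — worth confirming before relying on that line. A bounded set such as `CapabilityBoundingSet = [ "CAP_SYS_TIME" "CAP_NET_BIND_SERVICE" "CAP_SETUID" "CAP_SETGID" ];` would make the privilege reduction independent of the daemon's behaviour; whether ntpd also needs `CAP_IPC_LOCK` for its memory-locking option should be checked before landing it. The list also omits `RestrictAddressFamilies` and `SystemCallArchitectures = "native"`, which are cheap to add alongside the rest. The enclosing `config = mkIf ...` block closes outside the visible hunk.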
@@ -715,6 +715,7 @@ in { nsd = handleTest ./nsd.nix {}; ntfy-sh = handleTest ./ntfy-sh.nix {}; ntfy-sh-migration = handleTest ./ntfy-sh-migration.nix {}; ntpd = handleTest ./ntpd.nix {}; ntpd-rs = handleTest ./ntpd-rs.nix {}; nvidia-container-toolkit = runTest ./nvidia-container-toolkit.nix; nvmetcfg = handleTest ./nvmetcfg.nix {}; Loading nixos/tests/ntpd.nix 0 → 100644 +25 −0 Original line number Diff line number Diff line import ./make-test-python.nix ( { lib, ... }: { name = "ntpd"; meta = { maintainers = with lib.maintainers; [ pyrox0 ]; }; nodes.machine = { services.ntp = { enable = true; }; }; testScript = '' start_all() machine.wait_for_unit('ntpd.service') machine.wait_for_console_text('Listen normally on 10 eth*') machine.succeed('systemctl is-active ntpd.service') machine.succeed('ntpq -p') ''; } ) Loading
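Review bot: In `testScript`, `wait_for_console_text('Listen normally on 10 eth*')` pins the interface index `10` that ntpd reports, which depends on enumeration order inside the VM, and because the driver treats the pattern as a regex, `eth*` matches `et` followed by any number of `h` rather than the intended name; something like `wait_for_console_text(r'Listen normally on \d+ eth\d')` is a more stable anchor. The test also does not exercise what the module change adds: with the hardening options in place, the useful assertions are that the daemon is running under the `ntp` user after `-u` and still holds its clock capability, e.g. `machine.succeed("ps -o user= -C ntpd | grep -qx ntp")` plus a check of `CapEff` in `/proc/<pid>/status`. `ntpq -p` succeeding only shows the control socket answers, not that the clock is ever adjusted, which is expected with no upstream reachable in the sandbox — a one-line comment saying so would stop the next reader from trying to "strengthen" it.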
nixos/modules/services/networking/ntp/ntpd.nix +78 −35 Original line number Diff line number Diff line { config, lib, pkgs, ... }: { config, lib, pkgs, ... }: with lib; Loading @@ -8,10 +13,8 @@ let cfg = config.services.ntp; stateDir = "/var/lib/ntp"; configFile = pkgs.writeText "ntp.conf" '' driftfile ${stateDir}/ntp.drift driftfile /var/lib/ntp/ntp.drift restrict default ${toString cfg.restrictDefault} restrict -6 default ${toString cfg.restrictDefault} Loading @@ -25,7 +28,12 @@ let ${cfg.extraConfig} ''; ntpFlags = [ "-c" "${configFile}" "-u" "ntp:ntp" ] ++ cfg.extraFlags; ntpFlags = [ "-c" "${configFile}" "-u" "ntp:ntp" ] ++ cfg.extraFlags; in Loading Loading @@ -58,7 +66,14 @@ in recommended in section 6.5.1.1.3, answer "No" of https://support.ntp.org/Support/AccessRestrictions ''; default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ]; default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ]; }; restrictSource = mkOption { Loading @@ -69,7 +84,13 @@ in The default flags allow peers to be added by ntpd from configured pool(s), but not by other means. ''; default = [ "limited" "kod" "nomodify" "notrap" "noquery" ]; default = [ "limited" "kod" "nomodify" "notrap" "noquery" ]; }; servers = mkOption { Loading Loading @@ -103,7 +124,6 @@ in }; ###### implementation config = mkIf config.services.ntp.enable { Loading 
@@ -113,32 +133,55 @@ in environment.systemPackages = [ pkgs.ntp ]; services.timesyncd.enable = mkForce false; systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; }; systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; }; users.users.ntp = { isSystemUser = true; users.users.ntp = { isSystemUser = true; group = "ntp"; description = "NTP daemon user"; home = stateDir; home = "/var/lib/ntp"; }; users.groups.ntp = { }; systemd.services.ntpd = { description = "NTP Daemon"; systemd.services.ntpd = { description = "NTP Daemon"; wantedBy = [ "multi-user.target" ]; wants = [ "time-sync.target" ]; before = [ "time-sync.target" ]; preStart = '' mkdir -m 0755 -p ${stateDir} chown ntp ${stateDir} ''; serviceConfig = { ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}"; Type = "forking"; StateDirectory = "ntp"; # Hardening options PrivateDevices = true; PrivateIPC = true; PrivateTmp = true; ProtectClock = false; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectSystem = true; RestrictNamespaces = true; RestrictRealtime = true; LockPersonality = true; MemoryDenyWriteExecute = true; AmbientCapabilities = [ "CAP_SYS_TIME" ]; ProtectControlGroups = true; ProtectProc = "invisible"; ProcSubset = "pid"; RestrictSUIDSGID = true; }; }; Loading
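Review bot: The hardening options added to `serviceConfig` stop short of a `CapabilityBoundingSet`, so the process still starts as root with every capability and only ntpd's own `-u ntp:ntp` narrows it; with no `User=` in the unit, `AmbientCapabilities = [ "CAP_SYS_TIME" ]` is probably not what keeps the clock capability across the drop (ntpd's libcap handling is), which should be confirmed rather than assumed. Adding `CapabilityBoundingSet = [ "CAP_SYS_TIME" "CAP_NET_BIND_SERVICE" "CAP_SETUID" "CAP_SETGID" ];` bounds the set regardless of daemon behaviour; verify whether `CAP_IPC_LOCK` is also required for ntpd's memory locking before merging. `RestrictAddressFamilies` and `SystemCallArchitectures = "native"` are likewise missing from an otherwise thorough list. The surrounding `config = mkIf ...` attribute set ends beyond the hunk.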
nixos/tests/all-tests.nix +1 −0 Original line number Diff line number Diff line Loading @@ -715,6 +715,7 @@ in { nsd = handleTest ./nsd.nix {}; ntfy-sh = handleTest ./ntfy-sh.nix {}; ntfy-sh-migration = handleTest ./ntfy-sh-migration.nix {}; ntpd = handleTest ./ntpd.nix {}; ntpd-rs = handleTest ./ntpd-rs.nix {}; nvidia-container-toolkit = runTest ./nvidia-container-toolkit.nix; nvmetcfg = handleTest ./nvmetcfg.nix {}; Loading
nixos/tests/ntpd.nix 0 → 100644 +25 −0 Original line number Diff line number Diff line import ./make-test-python.nix ( { lib, ... }: { name = "ntpd"; meta = { maintainers = with lib.maintainers; [ pyrox0 ]; }; nodes.machine = { services.ntp = { enable = true; }; }; testScript = '' start_all() machine.wait_for_unit('ntpd.service') machine.wait_for_console_text('Listen normally on 10 eth*') machine.succeed('systemctl is-active ntpd.service') machine.succeed('ntpq -p') ''; } )
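Review bot: The console match `'Listen normally on 10 eth*'` in `testScript` hard-codes ntpd's interface index `10` and, as a regex, `eth*` only requires `et`; `wait_for_console_text(r'Listen normally on \d+ eth\d')` avoids both fragilities. Since the accompanying module change is about hardening, the test should assert the effect of it — that ntpd ends up running as the `ntp` user and retains the clock capability — for instance `machine.succeed("ps -o user= -C ntpd | grep -qx ntp")` together with inspecting `CapEff` in the process status. A short comment noting that `ntpq -p` only proves the control interface responds, not that the clock is synchronised (no upstream is reachable in the sandbox), would make the test's scope explicit.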