nixos/chrony: clean up, rework to be a little closer to upstream
Most importantly, this sets PrivateTmp, ProtectHome, and ProtectSystem so that Chrony flaws are mitigated, should they occur. Moving to ProtectSystem=full, however, requires moving the chrony key files under /var/lib/chrony -- which should be fine anyway. This also ensures ConditionCapability=CAP_SYS_TIME is set, ensuring that chronyd will only be launched in an environment where such a capability can be granted. Signed-off-by: Austin Seipp <aseipp@pobox.com>
This commit is contained in:
parent
6ebad0821f
commit
0ce90d58cc
@ -3,12 +3,10 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.chrony;
|
||||
|
||||
stateDir = "/var/lib/chrony";
|
||||
|
||||
keyFile = "/etc/chrony.keys";
|
||||
|
||||
cfg = config.services.chrony;
|
||||
keyFile = "${stateDir}/chrony.keys";
|
||||
|
||||
configFile = pkgs.writeText "chrony.conf" ''
|
||||
${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
|
||||
@ -19,7 +17,6 @@ let
|
||||
}
|
||||
|
||||
driftfile ${stateDir}/chrony.drift
|
||||
|
||||
keyfile ${keyFile}
|
||||
|
||||
${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
|
||||
@ -27,18 +24,11 @@ let
|
||||
${cfg.extraConfig}
|
||||
'';
|
||||
|
||||
chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}";
|
||||
|
||||
chronyFlags = "-m -u chrony -f ${configFile} ${toString cfg.extraFlags}";
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
|
||||
services.chrony = {
|
||||
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
description = ''
|
||||
@ -83,15 +73,9 @@ in
|
||||
description = "Extra flags passed to the chronyd command.";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# Make chronyc available in the system path
|
||||
environment.systemPackages = [ pkgs.chrony ];
|
||||
|
||||
users.groups = singleton
|
||||
@ -120,8 +104,7 @@ in
|
||||
|
||||
path = [ pkgs.chrony ];
|
||||
|
||||
preStart =
|
||||
''
|
||||
preStart = ''
|
||||
mkdir -m 0755 -p ${stateDir}
|
||||
touch ${keyFile}
|
||||
chmod 0640 ${keyFile}
|
||||
@ -129,10 +112,15 @@ in
|
||||
'';
|
||||
|
||||
serviceConfig =
|
||||
{ ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
|
||||
};
|
||||
};
|
||||
{ Type = "forking";
|
||||
ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
|
||||
|
||||
};
|
||||
ProtectHome = "yes";
|
||||
ProtectSystem = "full";
|
||||
PrivateTmp = "yes";
|
||||
|
||||
ConditionCapability = "CAP_SYS_TIME";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
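Review bot: `ConditionCapability = "CAP_SYS_TIME";` at the end of the last hunk sits inside `serviceConfig`, but Condition* directives belong to the [Unit] section, so systemd will reject it as an unknown key in [Service] and start chronyd regardless; it should be `unitConfig.ConditionCapability = "CAP_SYS_TIME";` next to the service block. As written, the precondition the commit message advertises is not enforced, whereas the ProtectHome/ProtectSystem/PrivateTmp settings are in the correct section and do take effect. The switch to `Type = "forking"` (with `-n` dropped from chronyFlags in the earlier hunk) comes without a `PIDFile`, so systemd presumably has to guess the main process; if chronyd writes a pid file, naming it would make that deterministic — inferred, since the default pid path is not visible here. The preStart body between the two preceding hunks is outside view, so whether the key file is chowned to the `chrony` user after the `chmod 0640` cannot be confirmed from this page.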