nixos: Add tlsdated service

2014-12-20 16:10:28 +01:00 · 2014-12-20 16:10:28 +01:00 · 3fdd925063
commit 3fdd925063
parent 263a179946
2 changed files with 111 additions and 0 deletions
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -290,6 +290,7 @@
  ./services/networking/tcpcrypt.nix
  ./services/networking/teamspeak3.nix
  ./services/networking/tftpd.nix
+  ./services/networking/tlsdated.nix
  ./services/networking/tox-bootstrapd.nix
  ./services/networking/unbound.nix
  ./services/networking/unifi.nix
--- a/nixos/modules/services/networking/tlsdated.nix
+++ b/nixos/modules/services/networking/tlsdated.nix
@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  inherit (pkgs) coreutils tlsdate;
+
+  cfg = config.services.tlsdated;
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.tlsdated = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable tlsdated daemon.
+        '';
+      };
+
+      extraOptions = mkOption {
+        type = types.string;
+        description = ''
+          Additional command line arguments to pass to tlsdated.
+        '';
+      };
+
+      sources = mkOption {
+        type = types.listOf (types.submodule {
+          options = {
+            host = mkOption {
+              type = types.string;
+              description = ''
+                Remote hostname.
+              '';
+            };
+            port = mkOption {
+              type = types.int;
+              description = ''
+                Remote port.
+              '';
+            };
+            proxy = mkOption {
+              type = types.nullOr types.string;
+              default = null;
+              description = ''
+                The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as followed:
+
+                 http://127.0.0.1:8118
+                 socks4a://127.0.0.1:9050
+                 socks5://127.0.0.1:9050
+
+                The proxy support should not leak DNS requests and is suitable for use with Tor.
+              '';
+            };
+          };
+        });
+        default = [
+          {
+            host = "www.ptb.de";
+            port = 443;
+            proxy = null;
+          }
+        ];
+        description = ''
+          You can list one or more sources to fetch time from.
+        '';
+      };
+
+    };
+
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    # Make tools such as tlsdate available in the system path
+    environment.systemPackages = [ tlsdate ];
+
+    systemd.services.tlsdated = {
+      description = "tlsdated daemon";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        # XXX because pkgs.tlsdate is compiled to run as nobody:nogroup, we
+        # hard-code base-path to /tmp and use PrivateTmp.
+        ExecStart = "${tlsdate}/bin/tlsdated -f ${pkgs.writeText "tlsdated.confg" ''
+          base-path /tmp
+
+          ${concatMapStrings (src: ''
+          source
+              host    ${src.host}
+              port    ${toString src.port}
+              proxy   ${if src.proxy == null then "none" else src.proxy}
+          end
+          '') cfg.sources}
+        ''} ${cfg.extraOptions}";
+        PrivateTmp = "yes";
+      };
+    };
+
+  };
+
+}