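# NixOS module for the tlsdated daemon.
#
# Declares the `services.tlsdated` options and, when enabled, installs the
# tlsdate package and a systemd unit that runs tlsdated against a generated
# configuration file listing the configured time sources.
{ config, lib, pkgs, ... }:

with lib;

let
  inherit (pkgs) tlsdate;

  cfg = config.services.tlsdated;
in

{

  ###### interface

  options = {

    services.tlsdated = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable tlsdated daemon.
        '';
      };

      # Appended verbatim to the ExecStart command line below. The empty
      # default lets the service be enabled without setting this option;
      # without a default, evaluation fails as soon as ExecStart reads it.
      extraOptions = mkOption {
        type = types.string;
        default = "";
        description = ''
          Additional command line arguments to pass to tlsdated.
        '';
      };

      # The hosts listed here are what the daemon fetches time from, so they
      # are trusted to influence the system clock. Certificate validity
      # checks and other time-based decisions depend on that clock, so
      # review any change to this list with that in mind.
      sources = mkOption {
        type = types.listOf (types.submodule {
          options = {
            host = mkOption {
              type = types.string;
              description = ''
                Remote hostname.
              '';
            };
            port = mkOption {
              type = types.int;
              description = ''
                Remote port.
              '';
            };
            proxy = mkOption {
              type = types.nullOr types.string;
              default = null;
              description = ''
                The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as followed:

                 http://127.0.0.1:8118
                 socks4a://127.0.0.1:9050
                 socks5://127.0.0.1:9050

                The proxy support should not leak DNS requests and is suitable for use with Tor.
              '';
            };
          };
        });
        default = [
          {
            host = "www.ptb.de";
            port = 443;
            proxy = null;
          }
        ];
        description = ''
          You can list one or more sources to fetch time from.
        '';
      };

    };

  };

  ###### implementation

  config = mkIf cfg.enable {

    # Make tools such as tlsdate available in the system path
    environment.systemPackages = [ tlsdate ];

    systemd.services.tlsdated = {
      description = "tlsdated daemon";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # XXX because pkgs.tlsdate is compiled to run as nobody:nogroup, we
        # hard-code base-path to /tmp and use PrivateTmp.
        #
        # The configuration file is generated into the Nix store, one
        # `source ... end` stanza per entry of cfg.sources; a null proxy is
        # written as "none". host and proxy are interpolated without
        # validation, so a value containing a newline would add extra lines
        # to the generated file. cfg.extraOptions is likewise appended to
        # the command line unquoted. Both come from the system
        # configuration, so keep them under the same review as the rest of it.
        ExecStart = "${tlsdate}/bin/tlsdated -f ${pkgs.writeText "tlsdated.confg" ''
          base-path /tmp

          ${concatMapStrings (src: ''
            source
              host ${src.host}
              port ${toString src.port}
              proxy ${if src.proxy == null then "none" else src.proxy}
            end
          '') cfg.sources}
        ''} ${cfg.extraOptions}";
        # Private /tmp for the unit, so the hard-coded base-path above does
        # not land in the shared system /tmp.
        PrivateTmp = "yes";
      };
    };

  };

}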