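# NixOS module for tlsdated, the daemon from the tlsdate package that sets the
# system clock from TLS handshakes with the configured sources.
{ config, lib, pkgs, ... }:

with lib;

let
  inherit (pkgs) tlsdate;

  cfg = config.services.tlsdated;

  # Render one "source ... end" stanza per configured source. Values are
  # written verbatim into the config file; they come from the evaluated NixOS
  # configuration, not from anything read at runtime.
  renderSource = src: ''
    source
      host ${src.host}
      port ${toString src.port}
      proxy ${if src.proxy == null then "none" else src.proxy}
    end
  '';

  # XXX pkgs.tlsdate is compiled to run as nobody:nogroup, so base-path is
  # hard-coded to /tmp; the unit runs with PrivateTmp so that directory is
  # private to the service.
  configFile = pkgs.writeText "tlsdated.conf" ''
    base-path /tmp

    ${concatMapStrings renderSource cfg.sources}
  '';
in

{

  ###### interface

  options.services.tlsdated = {

    enable = mkEnableOption "tlsdated daemon";

    # types.str rather than the deprecated types.string: conflicting
    # definitions of a string option from several modules are reported as a
    # conflict instead of being silently concatenated.
    extraOptions = mkOption {
      type = types.str;
      default = "";
      description = ''
        Additional command line arguments to pass to tlsdated. The string is
        inserted verbatim into the unit's ExecStart line, so it is subject to
        systemd's word splitting and quoting rules.
      '';
    };

    sources = mkOption {
      type = types.listOf (types.submodule {
        options = {
          host = mkOption {
            type = types.str;
            description = ''
              Remote hostname.
            '';
          };
          port = mkOption {
            type = types.int;
            description = ''
              Remote port.
            '';
          };
          proxy = mkOption {
            type = types.nullOr types.str;
            default = null;
            description = ''
              The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as follows:

              http://127.0.0.1:8118
              socks4a://127.0.0.1:9050
              socks5://127.0.0.1:9050

              The proxy support should not leak DNS requests and is suitable for use with Tor.
            '';
          };
        };
      });
      # NOTE(review): confirm this default host still serves TLS; it is the
      # only source a deployment gets unless it overrides the list.
      # NOTE(review): tlsdate takes the time from the TLS handshake; servers
      # that fill that field with random data yield no usable clock, so verify
      # the chosen sources still do provide one.
      default = [
        {
          host = "encrypted.google.com";
          port = 443;
          proxy = null;
        }
      ];
      description = ''
        You can list one or more sources to fetch time from.
      '';
    };

  };

  ###### implementation

  config = mkIf cfg.enable {

    # Make tools such as tlsdate available in the system path
    environment.systemPackages = [ tlsdate ];

    systemd.services.tlsdated = {
      description = "tlsdated daemon";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # The generated config file lives in the Nix store; extraOptions is
        # appended unescaped (see the option description).
        ExecStart = "${tlsdate}/bin/tlsdated -f ${configFile} ${cfg.extraOptions}";
        PrivateTmp = "yes";
      };
    };

  };

}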