nixos/profiles/chrony.nix

   1 {
   2   pkgs,
   3   lib,
   4   config,
   5   ...
   6 }:
   7 {
   8   services.chrony = {
   9     enable = true;
  10     # MaintenanceWarning:
  11     # when supported, initstepslew may have to be replaced by:
  12     # waitsync 60 0.01 100 1
  13     # See https://chrony-project.org/doc/4.7/chrony.conf.html
  14     initstepslew = {
  15       enabled = true;
  16       threshold = 1000;
  17     };
  18     enableRTCTrimming = true;
  19     servers = config.networking.timeServers;
  20     serverOption = lib.mkDefault "iburst";
  21     extraConfig = ''
  22       rtconutc
  23       makestep 1 -1
  24       maxdistance 10000000000000
  25     '';
  26   };
  27   systemd.services.chronyd = {
  28     # ExplanationNote: disable DNSSEC in systemd-resolved
  29     # to resolve NTP server names.
  30     environment.SYSTEMD_NSS_RESOLVE_VALIDATE = "0";
  31   };
  32   networking.nftables.ruleset = ''
  33     table inet filter {
  34       chain output-net {
  35         udp dport ntp skuid ${toString config.users.users.chrony.name} counter accept comment "chrony: NTP"
  36       }
  37     }
  38   '';
  39 }