{ pkgs, lib, config, ... }:

# NixOS module: chrony as the NTP client, with an nftables egress rule that
# lets only the chrony user send NTP traffic out of the host.
let
  inherit (lib) mkDefault;

  # The service account chronyd runs under; the firewall rule below is keyed
  # on it (skuid), so the NTP allow rule cannot be used by other processes.
  ntpUser = toString config.users.users.chrony.name;
in
{
  services.chrony = {
    enable = true;

    # Sources come from the generic NixOS time-server list; any NTS or
    # authentication for them would have to be configured elsewhere.
    servers = config.networking.timeServers;

    # "iburst" shortens the initial synchronisation; mkDefault leaves the
    # per-server option overridable by another module.
    serverOption = mkDefault "iburst";

    enableRTCTrimming = true;

    # MaintenanceWarning: when supported, initstepslew may have to be
    # replaced by:
    #   waitsync 60 0.01 100 1
    # See https://chrony-project.org/doc/4.7/chrony.conf.html
    initstepslew = {
      enabled = true;
      threshold = 1000;
    };

    # rtconutc      - the RTC is kept in UTC.
    # makestep 1 -1 - step (rather than slew) whenever the offset exceeds 1 s,
    #                 with no limit on how many times this may happen (-1).
    #                 NOTE(review): with unauthenticated NTP sources this lets a
    #                 bad source move the clock at any time; time-dependent
    #                 checks (certificate validity, log ordering) are affected.
    #                 Presumably intended for hosts without a reliable RTC -
    #                 confirm.
    # maxdistance   - the very large value effectively disables chrony's
    #                 root-distance sanity check on sources. NOTE(review):
    #                 confirm this is still required.
    extraConfig = ''
      rtconutc
      makestep 1 -1
      maxdistance 10000000000000
    '';
  };

  systemd.services.chronyd = {
    # ExplanationNote: disable DNSSEC in systemd-resolved to resolve NTP
    # server names. DNSSEC validation needs a correct clock, which is what
    # chronyd is trying to establish, so validation is skipped for this
    # service only (nss-resolve honours this variable).
    environment.SYSTEMD_NSS_RESOLVE_VALIDATE = "0";
  };

  # Egress rule scoped to the chrony user: the "counter" gives visibility of
  # NTP traffic in `nft list ruleset`. The output-net chain itself is assumed
  # to be declared (with its hook) by another module - TODO confirm.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        udp dport ntp skuid ${ntpUser} counter accept comment "chrony: NTP"
      }
    }
  '';
}