Chrony
Chrony is an NTP and NTS client and server implementation. This means it can synchronize the time of your local machine, as well as provide services to clients on the attached network segments.
NTP
This protocol is slowly being phased out due it security concerns, using a more secure method like NTS is recommended. To enable NTP, enable the chrony service and add whichever NTP servers you wish to use
{ config
, ...
};
{
services.chrony = {
enable = true;
servers = [ "ntp-example.com" ];
};
}
NTS
To enable NTS (Network Time Security), typically all that needs to be provided is a NTP server capable of NTS.
{ config
, ...
};
{
services.chrony = {
enable = true;
enableNTS = true;
servers = [ "nts-example.com" ];
};
}
You can verify that NTS is being used via observing the output of sudo chronyc -N authdata
and reading the value under mode, it should read NTS.
Troubleshooting
It is possible that a certificate may need to be manually provided. You can rely on the ACME service to acquire one, but make sure that the certificate group gets assigned to chrony
, or else the service will not be able to read the certificate and key after it drops its privileges.
{ config
, ...
};
let
acmePath = config.security.acme.certs."foo-example.com".directory;
in
{
security.acme.certs."foo-example.com" = {
group = "chrony";
# One of the following challenge method options will need to be provided
# to obtain a self signed cert
webroot = "";
s3bucket = '"";
dnsProvider = "";
listenHTTP = "";
};
services.chrony = {
enable = true;
enableNTS = true;
extraConfig = ''
[...]
ntsservercert ${acmePath}/fullchain.pem
ntsserverkey ${acmePath}/key.pem
'';
};
}