Chrony

From NixOS Wiki
Jump to: navigation, search

Chrony is an NTP and NTS client and server implementation. This means it can synchronize the time of your local machine, as well as provide services to clients on the attached network segments.

NTP

This protocol is slowly being phased out due it security concerns, using a more secure method like NTS is recommended. To enable NTP, enable the chrony service and add whichever NTP servers you wish to use 

{ config
, ...
};
{
  services.chrony = {
    enable = true;
    servers = [ "ntp-example.com" ];
  };
}

NTS

To enable NTS (Network Time Security), typically all that needs to be provided is a NTP server capable of NTS. 

{ config
, ...
};
{
  services.chrony = {
    enable = true;
    enableNTS = true;
    servers = [ "nts-example.com" ];
  };
}

You can verify that NTS is being used via observing the output of sudo chronyc -N authdata and reading the value under mode, it should read NTS.

Troubleshooting

It is possible that a certificate may need to be manually provided. You can rely on the ACME service to acquire one, but make sure that the certificate group gets assigned to chrony, or else the service will not be able to read the certificate and key after it drops its privileges. 

{ config
, ...
};
let
  acmePath = config.security.acme.certs."foo-example.com".directory;
in
{
  security.acme.certs."foo-example.com" = {
    group = "chrony";
    # One of the following challenge method options will need to be provided
    # to obtain a self signed cert
    webroot = "";
    s3bucket = '"";
    dnsProvider = "";
    listenHTTP = "";
  };

   services.chrony = {
     enable = true;
     enableNTS = true;
     extraConfig = ''
      [...]
      ntsservercert ${acmePath}/fullchain.pem
      ntsserverkey ${acmePath}/key.pem
    '';
  };
}
Retrieved from "https://nixos.wiki/index.php?title=Chrony&oldid=12896"