From: Efraim Flashner <efraim@flashner.co.il>
To: 29483@debbugs.gnu.org
Cc: Efraim Flashner <efraim@flashner.co.il>
Subject: [bug#29483] [PATCH] services: Add openntpd service.
Date: Tue, 28 Nov 2017 11:04:43 +0200	[thread overview]
Message-ID: <20171128090443.15544-1-efraim@flashner.co.il> (raw)

* gnu/packages/ntp.scm (openntpd)[arguments]: Add 'configure-flags to
set openntpd daemon's user and protected path. Add a custom phase to not
try to create said directory at install time.
* gnu/services/networking.scm (<openntpd-configuration>): New record type.
(openntpd-shepherd-service, openntpd-service-activation): New procedures.
(openntpd-service-type): New variable.
* doc/guix.texi (Networking Services): Add openntpd documentation.
---
 doc/guix.texi               | 11 ++++++
 gnu/packages/ntp.scm        | 12 ++++++
 gnu/services/networking.scm | 92 ++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 114 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 2a6825682..f0a7dd958 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -10498,6 +10498,17 @@ make an initial adjustment of more than 1,000 seconds.
 List of host names used as the default NTP servers.
 @end defvr
 
+@cindex Openntpd
+@deffn {Scheme Procedure} openntpd-service [#:openntpd @var{openntpd}] @
+  [#:servers @var{%ntp-servers}] @
+  [#:allow-large-adjustment? #f]
+Return a service that runs the daemon from @var{openntpd}, the
+@uref{http://www.openntpd.org, OpenNTPD package}.  The daemon will
+keep the system clock synchronized with that of @var{servers}.
+@var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to
+make an initial adjustment of more than 180 seconds."
+@end deffn
+
 @cindex inetd
 @deffn {Scheme variable} inetd-service-type
 This service runs the @command{inetd} (@pxref{inetd invocation,,,
diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm
index d270f513d..619b9f998 100644
--- a/gnu/packages/ntp.scm
+++ b/gnu/packages/ntp.scm
@@ -107,6 +107,18 @@ computers over a network.")
                (base32
                 "0fn12i4kzsi0zkr4qp3dp9bycmirnfapajqvdfx02zhr4hanj0kv"))))
     (build-system gnu-build-system)
+    (arguments
+     '(#:configure-flags '("--with-privsep-user=ntpd"
+                           "--with-privsep-path=/var/lib/openntpd"
+                           "--localstatedir=/var/lib/openntpd")
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'modify-install-locations
+           (lambda _
+             ;; Don't try to create /var/lib/openntpd/run or /var/lib/openntpd/db
+             (substitute* "src/Makefile.in"
+               (("DESTDIR\\)\\$\\(localstatedir") "TMPDIR"))
+             #t)))))
     (inputs
      `(("libressl" ,libressl))) ; enable TLS time constraints. See ntpd.conf(5).
     (home-page "http://www.openntpd.org/")
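Review bot: The comment in `modify-install-locations` says the phase avoids creating `/var/lib/openntpd/run` and `/var/lib/openntpd/db`, but the substitution only rewrites `$(DESTDIR)$(localstatedir)` to `$(TMPDIR)` in `src/Makefile.in`, so the install step still creates the directories, under whatever `TMPDIR` expands to. If `TMPDIR` were unset that would presumably become `/run` and `/db`, so the dependency on the build environment deserves a word. I would reword the comment to `;; Redirect the install-time creation of $(localstatedir)/{run,db} to $(TMPDIR); the service activation creates the real directories.` The package definition starts and ends outside this hunk.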
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index b0c23aafc..82762738f 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
@@ -62,6 +62,11 @@
             ntp-service
             ntp-service-type
 
+            openntpd-configuration
+            openntpd-configuration?
+            openntpd-service
+            openntpd-service-type
+
             inetd-configuration
             inetd-entry
             inetd-service-type
@@ -447,6 +452,91 @@ make an initial adjustment of more than 1,000 seconds."
                               (allow-large-adjustment?
                                allow-large-adjustment?))))
 
+(define-record-type* <openntpd-configuration>
+  openntpd-configuration make-openntpd-configuration
+  openntpd-configuration?
+  (openntpd                openntpd-configuration-openntpd
+                           (default openntpd))
+  (servers                 openntpd-configuration-servers)
+  (allow-large-adjustment? openntpd-allow-large-adjustment?
+                           (default #f))) ; upstream default
+
+(define openntpd-shepherd-service
+  (match-lambda
+    (($ <openntpd-configuration> openntpd servers allow-large-adjustment?)
+     (let ()
+       (define config
+         (string-append (string-join (map (cut string-append "server " <>)
+                                          servers)
+                                     "\n")
+                        "
+# Only listen on localhost
+listen on 127.0.0.1
+listen on ::1
+
+# Query the 'Date' from trusted HTTPS servers via TLS.
+constraint from www.gnu.org\n"))
+
+       (define ntpd.conf
+         (plain-file "ntpd.conf" config))
+
+       (list (shepherd-service
+              (provision '(openntpd))
+              (documentation "Run the Network Time Protocol (NTP) daemon.")
+              (requirement '(user-processes networking))
+              (start #~(make-forkexec-constructor
+                        (list (string-append #$openntpd "/sbin/ntpd")
+                              "-f" #$ntpd.conf
+                              #$@(if allow-large-adjustment?
+                                     '("-s")
+                                     '()))))
+              (stop #~(make-kill-destructor))))))))
+
+(define (openntpd-service-activation config)
+  "Return the activation gexp for CONFIG."
+  (with-imported-modules '((guix build utils))
+    #~(begin
+        (use-modules (guix build utils))
+        (define %user
+          (getpw "ntpd"))
+
+        (let ((directory "/var/lib/openntpd"))
+          (mkdir-p directory)
+          ;; and for the socket
+          (mkdir-p (string-append directory "/db"))
+          (mkdir-p (string-append directory "/run"))
+          (chown directory (passwd:uid %user) (passwd:gid %user))
+          (chmod directory #o755)))))
+
+(define openntpd-service-type
+  (service-type (name 'openntpd)
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          openntpd-shepherd-service)
+                       (service-extension account-service-type
+                                          (const %ntp-accounts))
+                       (service-extension activation-service-type
+                                          openntpd-service-activation)))
+                (description
+                 "Run the @command{ntpd}, the Network Time Protocol (NTP)
+daemon of the @uref{http://www.ntp.org, Network Time Foundation}, as
+implemented by OpenNTPD.  The daemon will keep the system clock synchronized
+with that of the given servers.")))
+
+(define* (openntpd-service #:key (openntpd openntpd)
+                           (servers %ntp-servers)
+                           allow-large-adjustment?)
+  "Return a service that runs the daemon from @var{openntpd}, the
+@uref{http://www.openntpd.org, OpenNTPD package}.  The daemon will
+keep the system clock synchronized with that of @var{servers}.
+@var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to
+make an initial adjustment of more than 180 seconds."
+  (service openntpd-service-type
+           (openntpd-configuration (openntpd openntpd)
+                              (servers servers)
+                              (allow-large-adjustment?
+                               allow-large-adjustment?))))
+
 \f
 ;;;
 ;;; Inetd.
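Review bot: In `openntpd-service-activation`, `/var/lib/openntpd` (the path the package change passes as `--with-privsep-path`) is handed to the unprivileged `ntpd` user by `(chown directory (passwd:uid %user) (passwd:gid %user))`. A privilege-separation directory is normally root-owned and not writable by the user confined to it, and OpenNTPD may refuse to start when the ownership is otherwise (worth confirming against its startup checks). I would keep the directory root-owned, e.g. `(chown directory 0 0)` followed by the existing `(chmod directory #o755)`, and give `ntpd` ownership only of a subdirectory if one turns out to need it. Separately, the `start` command passes no `-d`, so `ntpd` presumably daemonizes and `make-forkexec-constructor` would track a process that exits at once; adding `"-d"` after the binary path would keep it in the foreground.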
-- 
2.15.0
