Efraim Flashner writes: > * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'configure-flags to > set openntpd daemon's user and protected path. Add a custom phase to not > try to create said directory at install time. > * gnu/services/networking.scm (): New record type. > (openntpd-shepherd-service, openntpd-service-activation): New procedures. > (openntpd-service-type): New variable. > * doc/guix.texi (Networking Services): Add openntpd documentation. > --- > doc/guix.texi | 11 ++++++ > gnu/packages/ntp.scm | 12 ++++++ > gnu/services/networking.scm | 92 ++++++++++++++++++++++++++++++++++++++++++++- > 3 files changed, 114 insertions(+), 1 deletion(-) > > diff --git a/doc/guix.texi b/doc/guix.texi > index 2a6825682..f0a7dd958 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi > @@ -10498,6 +10498,17 @@ make an initial adjustment of more than 1,000 seconds. > List of host names used as the default NTP servers. > @end defvr > > +@cindex Openntpd > +@deffn {Scheme Procedure} openntpd-service [#:openntpd @var{openntpd}] @ > + [#:servers @var{%ntp-servers}] @ > + [#:allow-large-adjustment? #f] > +Return a service that runs the daemon from @var{openntpd}, the > +@uref{http://www.openntpd.org, OpenNTPD package}. The daemon will > +keep the system clock synchronized with that of @var{servers}. > +@var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to > +make an initial adjustment of more than 180 seconds." > +@end deffn > + > @cindex inetd > @deffn {Scheme variable} inetd-service-type > This service runs the @command{inetd} (@pxref{inetd invocation,,, > diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm > index d270f513d..619b9f998 100644 > --- a/gnu/packages/ntp.scm > +++ b/gnu/packages/ntp.scm 
> @@ -107,6 +107,18 @@ computers over a network.") > (base32 > "0fn12i4kzsi0zkr4qp3dp9bycmirnfapajqvdfx02zhr4hanj0kv")))) > (build-system gnu-build-system) > + (arguments > + '(#:configure-flags '("--with-privsep-user=ntpd" > + "--with-privsep-path=/var/lib/openntpd" > + "--localstatedir=/var/lib/openntpd") Do we have to change localstatedir? Would it work to create /var/run/ntpd.sock and chown it? Or is this the common way of deployment? No strong opinion though. > + #:phases > + (modify-phases %standard-phases > + (add-after 'unpack 'modify-install-locations > + (lambda _ > + ;; Don't try to create /var/lib/openntpd/run or /var/lib/openntpd/db > + (substitute* "src/Makefile.in" > + (("DESTDIR\\)\\$\\(localstatedir") "TMPDIR")) > + #t))))) > (inputs > `(("libressl" ,libressl))) ; enable TLS time constraints. See ntpd.conf(5). > (home-page "http://www.openntpd.org/") > diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm > index b0c23aafc..82762738f 100644 > --- a/gnu/services/networking.scm > +++ b/gnu/services/networking.scm > @@ -1,7 +1,7 @@ > ;;; GNU Guix --- Functional package management for GNU > ;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès > ;;; Copyright © 2015 Mark H Weaver > -;;; Copyright © 2016 Efraim Flashner > +;;; Copyright © 2016, 2017 Efraim Flashner > ;;; Copyright © 2016 John Darrington > ;;; Copyright © 2017 Clément Lassieur > ;;; Copyright © 2017 Thomas Danckaert > @@ -62,6 +62,11 @@ > ntp-service > ntp-service-type > > + openntpd-configuration > + openntpd-configuration? > + openntpd-service > + openntpd-service-type > + > inetd-configuration > inetd-entry > inetd-service-type 
> @@ -447,6 +452,91 @@ make an initial adjustment of more than 1,000 seconds." > (allow-large-adjustment? > allow-large-adjustment?)))) > > +(define-record-type* > + openntpd-configuration make-openntpd-configuration > + openntpd-configuration? > + (openntpd openntpd-configuration-openntpd > + (default openntpd)) > + (servers openntpd-configuration-servers) > + (allow-large-adjustment? openntpd-allow-large-adjustment? > + (default #f))) ; upstream default > + > +(define openntpd-shepherd-service > + (match-lambda > + (($ openntpd servers allow-large-adjustment?) > + (let () > + (define config > + (string-append (string-join (map (cut string-append "server " <>) > + servers) > + "\n") > + " > +# Only listen on localhost > +listen on 127.0.0.1 > +listen on ::1 > + > +# Query the 'Date' from trusted HTTPS servers via TLS. > +constraint from www.gnu.org\n")) It would be good if these options are configurable. A user may want to use a different constraint server, or none at all, and maybe also expose this as an SNTP service. IIRC constraints can also be specified multiple times, so maybe add #:listen-on and #:constraints ? It would also be great to have a system test that at least verifies that the default configuration is okay. Testing NTP functionality may be trickier. > + > + (define ntpd.conf > + (plain-file "ntpd.conf" config)) > + > + (list (shepherd-service > + (provision '(openntpd)) > + (documentation "Run the Network Time Protocol (NTP) daemon.") > + (requirement '(user-processes networking)) > + (start #~(make-forkexec-constructor > + (list (string-append #$openntpd "/sbin/ntpd") > + "-f" #$ntpd.conf > + #$@(if allow-large-adjustment? > + '("-s") > + '())))) > + (stop #~(make-kill-destructor)))))))) > + > +(define (openntpd-service-activation config) > + "Return the activation gexp for CONFIG." 
> + (with-imported-modules '((guix build utils)) > + #~(begin > + (use-modules (guix build utils)) > + (define %user > + (getpw "ntpd")) > + > + (let ((directory "/var/lib/openntpd")) > + (mkdir-p directory) > + ;; and for the socket > + (mkdir-p (string-append directory "/db")) > + (mkdir-p (string-append directory "/run")) > + (chown directory (passwd:uid %user) (passwd:gid %user)) > + (chmod directory #o755))))) > + > +(define openntpd-service-type > + (service-type (name 'openntpd) > + (extensions > + (list (service-extension shepherd-root-service-type > + openntpd-shepherd-service) > + (service-extension account-service-type > + (const %ntp-accounts)) > + (service-extension activation-service-type > + openntpd-service-activation))) > + (description > + "Run the @command{ntpd}, the Network Time Protocol (NTP) > +daemon of the @uref{http://www.ntp.org, Network Time Foundation}, as > +implemented by OpenNTPD. The daemon will keep the system clock synchronized > +with that of the given servers."))) > + > +(define* (openntpd-service #:key (openntpd openntpd) > + (servers %ntp-servers) > + allow-large-adjustment?) > + "Return a service that runs the daemon from @var{openntpd}, the > +@uref{http://www.openntpd.org, OpenNTPD package}. The daemon will > +keep the system clock synchronized with that of @var{servers}. > +@var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to > +make an initial adjustment of more than 180 seconds." > + (service openntpd-service-type > + (openntpd-configuration (openntpd openntpd) > + (servers servers) > + (allow-large-adjustment? > + allow-large-adjustment?)))) > + > > ;;; > ;;; Inetd. > -- > 2.15.0
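Review bot: in the doc/guix.texi hunk, the @deffn body ends with a stray double quote (`make an initial adjustment of more than 180 seconds."`), carried over from the Scheme docstring; drop it. The same hunk documents only the `openntpd-service` procedure, while `openntpd-service-type` and `openntpd-configuration` are exported from gnu/services/networking.scm in this series but never described, and nothing in the manual tells the user that the generated ntpd.conf listens only on 127.0.0.1/::1 and adds `constraint from www.gnu.org`. Please document the record and its fields (as is done for the other service types in this node) and state the fixed listen/constraint behaviour until it becomes configurable.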
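Review bot: in the gnu/packages/ntp.scm hunk, the 'modify-install-locations phase does not do what its comment says. Replacing `DESTDIR)$(localstatedir` with `TMPDIR` turns `$(DESTDIR)$(localstatedir)/run` and `/db` into `$(TMPDIR)/run` and `$(TMPDIR)/db`, so the install rule still creates the directories, just under whatever `$(TMPDIR)` expands to (and under `/` if it is empty in make's environment). Either delete the offending rule lines from src/Makefile.in or reword the comment to say the directories are redirected. Also, `substitute*` is a silent no-op when the regexp no longer matches, so a future Makefile.in change would reintroduce the install-time mkdir without failing the build; consider checking that the pattern matched (or that no `localstatedir` reference survives) before returning `#t`.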
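Review bot: in the gnu/services/networking.scm hunk at @@ -447, the activation hands ownership of the privilege-separation directory itself to the unprivileged user: `--with-privsep-path=/var/lib/openntpd` makes /var/lib/openntpd the directory ntpd drops into, and `(chown directory (passwd:uid %user) (passwd:gid %user))` gives that directory to `ntpd`, while `run` and `db`, the two subdirectories the daemon actually needs to write (socket and drift data), are created by `mkdir-p` as root and left that way because `chown` is not recursive. That is the reverse of the least-privilege layout: keep /var/lib/openntpd root-owned, mode 0755, and chown only /var/lib/openntpd/run and /var/lib/openntpd/db to the ntpd user; the `;; and for the socket` comment also sits above the `db` mkdir rather than the `run` one. A few smaller points in the same hunk: the accessor `openntpd-allow-large-adjustment?` breaks the `openntpd-configuration-` naming used by the other two fields; the `servers` field has no default, so `(openntpd-configuration)` used directly with `openntpd-service-type` fails while `openntpd-service` quietly defaults to `%ntp-servers` (give the field the same default); the service description attributes the daemon to the Network Time Foundation at ntp.org, but OpenNTPD is an independent implementation from openntpd.org, so reuse the wording of the `openntpd-service` docstring instead; and the `start` command passes only `-f` and optionally `-s`, so please confirm ntpd stays in the foreground under `make-forkexec-constructor`, otherwise shepherd tracks a parent that exits and `make-kill-destructor` never reaches the daemon.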