net/chrony: add fallbackpeer and no cert check (#2774)

net/chrony/Makefile

@@ -1,5 +1,5 @@
 PLUGIN_NAME=		chrony
-PLUGIN_VERSION=		1.4
+PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

net/chrony/pkg-descr

@@ -4,6 +4,11 @@ better in virtual environments.
 Plugin Changelog
 ----------------
 
+1.5
+
+* Allow adding a fallback NTP when using NTS
+* Add option for nocerttimecheck if system starts with wrong time and only NTS allowed
+
 1.4
 
 * Adjust timeouts and retries for chronyc

net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml

@@ -17,6 +17,12 @@
         <type>checkbox</type>
         <help>Enable NTS in client mode. This will add another layer of security for peers when OPNsense is the client. Every server in Peers has to support NTS.</help>
     </field>
+    <field>
+        <id>general.ntsnocert</id>
+        <label>NTS Disable Certcheck</label>
+        <type>checkbox</type>
+        <help>If you run NTS mode you can enable this option in order to ignore wrong time in certificates for the first check. This helps if your system starts with wrong time.</help>
+    </field>
     <field>
         <id>general.peers</id>
         <label>NTP Peers</label>
@@ -25,6 +31,12 @@
         <allownew>true</allownew>
         <help>Set as many NTP peers you need.</help>
     </field>
+    <field>
+        <id>general.fallbackpeers</id>
+        <label>Fallback Peer</label>
+        <type>text</type>
+        <help>Set fallback peer if you use NTS and your system starts with wrong time. Best to only use this for internal trusted peers.</help>
+    </field>
     <field>
         <id>general.allowednetworks</id>
         <label>Allowed Networks</label>

net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml

@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/chrony/general</mount>
     <description>Chrony configuration</description>
-    <version>0.0.1</version>
+    <version>0.0.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -15,12 +15,19 @@
             <default>0</default>
             <Required>Y</Required>
         </ntsclient>
+        <ntsnocert type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </ntsnocert>
         <peers type="HostnameField">
             <default>0.opnsense.pool.ntp.org</default>
             <Required>Y</Required>
             <FieldSeparator>,</FieldSeparator>
             <asList>Y</asList>
         </peers>
+        <fallbackpeers type="HostnameField">
+            <Required>N</Required>
+        </fallbackpeers>
         <allowednetworks type="NetworkField">
             <Required>N</Required>
             <FieldSeparator>,</FieldSeparator>

net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf

@@ -11,6 +11,10 @@ ntstrustedcerts /etc/ssl/cert.pem
 nosystemcert
 {%   endif %}
 
+{%   if helpers.exists('OPNsense.chrony.general.ntsnocert') and OPNsense.chrony.general.ntsnocert == '1' %}
+nocerttimecheck 1
+{%   endif %}
+
 {%   if not helpers.empty('OPNsense.chrony.general.peers') %}
 {%     for peer in OPNsense.chrony.general.peers.split(',') %}
 server {{ peer }} iburst {% if helpers.exists('OPNsense.chrony.general.ntsclient') and OPNsense.chrony.general.ntsclient == '1' %}nts{% endif %}
@@ -18,6 +22,11 @@ server {{ peer }} iburst {% if helpers.exists('OPNsense.chrony.general.ntsclient
 {%     endfor %}
 {%   endif %}
 
+{%   if helpers.exists('OPNsense.chrony.general.fallbackpeers') and OPNsense.chrony.general.fallbackpeers != '' %}
+authselectmode mix
+server {{ OPNsense.chrony.general.fallbackpeers }} 
+{%   endif %}
+
 {%   if not helpers.empty('OPNsense.chrony.general.allowednetworks') %}
 {%     for network in OPNsense.chrony.general.allowednetworks.split(',') %}
 allow {{ network }}