From 4664a4c72f5cefce2b4efdf4b380b40f63a7d1d0 Mon Sep 17 00:00:00 2001
From: Michael
Date: Tue, 29 Mar 2022 09:24:56 +0200
Subject: [PATCH] net/chrony: add fallbackpeer and no cert check (#2774)

---
 net/chrony/Makefile | 2 +-
 net/chrony/pkg-descr | 5 +++++
 .../controllers/OPNsense/Chrony/forms/general.xml | 12 ++++++++++++
 .../mvc/app/models/OPNsense/Chrony/General.xml | 9 ++++++++-
 .../service/templates/OPNsense/Chrony/chrony.conf | 9 +++++++++
 5 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index d87cafe8e..05ef39bac 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME= chrony
-PLUGIN_VERSION= 1.4
+PLUGIN_VERSION= 1.5
 PLUGIN_COMMENT= Chrony time synchronisation
 PLUGIN_DEPENDS= chrony
 PLUGIN_MAINTAINER= m.muenz@gmail.com
diff --git a/net/chrony/pkg-descr b/net/chrony/pkg-descr
index eb87118f7..f38222784 100644
--- a/net/chrony/pkg-descr
+++ b/net/chrony/pkg-descr
@@ -4,6 +4,11 @@ better in virtual environments.
 Plugin Changelog
 ----------------
 
+1.5
+
+* Allow adding a fallback NTP when using NTS
+* Add option for nocerttimecheck if system starts with wrong time and only NTS allowed
+
 1.4
 
 * Adjust timeouts and retries for chronyc
diff --git a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
index 691a2b3b9..3b6b358ff 100644
--- a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
+++ b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
@@ -17,6 +17,12 @@ checkbox Enable NTS in client mode. This will add another layer of security for peers when OPNsense is the client. Every server in Peers has to support NTS. + + general.ntsnocert + + checkbox + If you run NTS mode you can enable this option in order to ignore wrong time in certificates for the first check. This helps if your system starts with wrong time. + general.peers @@ -25,6 +31,12 @@ true Set as many NTP peers you need. + + general.fallbackpeers + + text + Set fallback peer if you use NTS and your system starts with wrong time. Best to only use this for internal trusted peers. + general.allowednetworks diff --git a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml index 969b9fc17..c74a00cc4 100644 --- a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml +++ b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml @@ -1,7 +1,7 @@ //OPNsense/chrony/general Chrony configuration - 0.0.1 + 0.0.2 0 @@ -15,12 +15,19 @@ 0 Y + + 0 + Y + 0.opnsense.pool.ntp.org Y , Y + + N + N , diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf index 6910ea4a4..91cc28792 100644 --- a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf +++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf @@ -11,6 +11,10 @@ ntstrustedcerts /etc/ssl/cert.pem nosystemcert {% endif %} +{% if helpers.exists('OPNsense.chrony.general.ntsnocert') and OPNsense.chrony.general.ntsnocert == '1' %} +nocerttimecheck 1 +{% endif %} + {% if not helpers.empty('OPNsense.chrony.general.peers') %} {% for peer in OPNsense.chrony.general.peers.split(',') %} server {{ peer }} iburst {% if helpers.exists('OPNsense.chrony.general.ntsclient') and OPNsense.chrony.general.ntsclient == '1' %}nts{% endif %} 
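Review bot: The help text added for general.ntsnocert in the first hunk says only that wrong time in certificates is ignored for the first check, without naming what is traded away: the chrony directive it turns on (`nocerttimecheck 1` in chrony.conf) skips the certificate activation/expiration check for the first clock update, so an expired or not-yet-valid server certificate is accepted at that point. Suggest ending the help with `Only enable this if the clock is unreliable at boot; until the first update completes, expired or not-yet-valid NTS server certificates are accepted.` The fallbackpeers help in the second hunk says `peer` in the singular while the field name is plural, and the template emits the value as a single server line, so the help should state whether one host or a list is accepted.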
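Review bot: The new `nocerttimecheck 1` block is emitted whenever ntsnocert is '1', independent of whether NTS client mode is enabled, so a directive that relaxes certificate validation can end up in a rendered configuration that has no NTS sources at all, and nothing in the file ties it to the `nts` option on the server lines. Gate it on the same condition those lines use: `{% if helpers.exists('OPNsense.chrony.general.ntsclient') and OPNsense.chrony.general.ntsclient == '1' and helpers.exists('OPNsense.chrony.general.ntsnocert') and OPNsense.chrony.general.ntsnocert == '1' %}`. A template comment stating that the directive disables the certificate activation/expiration check for the first update would also help whoever reads the generated chrony.conf.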
@@ -18,6 +22,11 @@ server {{ peer }} iburst {% if helpers.exists('OPNsense.chrony.general.ntsclient
 {% endfor %}
 {% endif %}
 
+{% if helpers.exists('OPNsense.chrony.general.fallbackpeers') and OPNsense.chrony.general.fallbackpeers != '' %}
+authselectmode mix
+server {{ OPNsense.chrony.general.fallbackpeers }}
+{% endif %}
+
 {% if not helpers.empty('OPNsense.chrony.general.allowednetworks') %}
 {% for network in OPNsense.chrony.general.allowednetworks.split(',') %}
 allow {{ network }}
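Review bot: `authselectmode mix` lets the unauthenticated fallback server be selected together with the NTS-authenticated peers during normal operation, not only while the NTS sources are unusable, so a plain-NTP source that anyone on the path can spoof keeps a vote in source selection even after the clock is correct; chrony's `prefer` mode selects unauthenticated sources only when no authenticated source is selectable, which is what the stated fallback purpose needs. Change the line to `authselectmode prefer`. The fallback `server` line also lacks the `iburst` the regular peers get, and the plural fallbackpeers value is written as one server line without the `split(',')` loop used for peers, so a comma-separated entry would presumably be handed to chrony as a single hostname.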