upstream/opnsense-plugins
1
0
Fork 0
mirror of https://github.com/opnsense/plugins.git synced 2026-05-28 04:34:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

add proper NTS support

Browse source
This commit is contained in:
Matthew Otto 2026-01-06 11:08:36 -06:00
parent 32e8b9e9a5
commit 7043f2d644
4 changed files with 39 additions and 52 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/dialogPeer.xml
View file

@ -61,4 +61,15 @@
<type>text</type>
<help>The maximum interval between requests sent to the server as a power of 2 in seconds.</help>
</field>
<field>
<id>peer.nts</id>
<label>NTS</label>
<type>checkbox</type>
<help>Enable NTS authentication.</help>
<grid_view>
<width>6em</width>
<type>boolean</type>
<formatter>boolean</formatter>
</grid_view>
</field>
</form>

12
net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
View file

@ -31,22 +31,10 @@
<allownew>true</allownew>
<help>Set the networks allowed to synchronize time with this server. If this value is not set it will also not listen to the port and just synchronize the time for itself.</help>
</field>
<field>
<id>general.ntsclient</id>
<label>NTS Client Support</label>
<type>checkbox</type>
<help>Enable NTS in client mode. This will add another layer of security for peers when OPNsense is the client. Every server in Peers has to support NTS.</help>
</field>
<field>
<id>general.ntsnocert</id>
<label>NTS Disable Certcheck</label>
<type>checkbox</type>
<help>If you run NTS mode you can enable this option in order to ignore wrong time in certificates for the first check. This helps if your system starts with wrong time.</help>
</field>
<field>
<id>general.fallbackpeers</id>
<label>Fallback Peer</label>
<type>text</type>
<help>Set fallback peer if you use NTS and your system starts with wrong time. Best to only use this for internal trusted peers.</help>
</field>
</form>

57
net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
View file

@ -7,6 +7,29 @@
<Default>0</Default>
<Required>Y</Required>
</enabled>
<localstratum type="IntegerField">
<MinimumValue>1</MinimumValue>
<MaximumValue>15</MaximumValue>
<Required>N</Required>
<ValidationMessage>Local stratum must be within 1-15.</ValidationMessage>
</localstratum>
<orphanmode type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</orphanmode>
<port type="PortField">
<Default>123</Default>
<Required>Y</Required>
</port>
<allowednetworks type="NetworkField">
<Required>N</Required>
<FieldSeparator>,</FieldSeparator>
<AsList>Y</AsList>
</allowednetworks>
<ntsnocert type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</ntsnocert>
<peers>
<peer type="ArrayField">
<pool type="BooleanField">
@ -41,37 +64,11 @@
<Required>N</Required>
<ValidationMessage>maxpoll value must be between -6 and 24.</ValidationMessage>
</maxpoll>
<nts type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</nts>
</peer>
</peers>
<localstratum type="IntegerField">
<MinimumValue>1</MinimumValue>
<MaximumValue>15</MaximumValue>
<Required>N</Required>
<ValidationMessage>Local stratum must be within 1-15.</ValidationMessage>
</localstratum>
<orphanmode type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</orphanmode>
<port type="PortField">
<Default>123</Default>
<Required>Y</Required>
</port>
<allowednetworks type="NetworkField">
<Required>N</Required>
<FieldSeparator>,</FieldSeparator>
<AsList>Y</AsList>
</allowednetworks>
<ntsclient type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</ntsclient>
<ntsnocert type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</ntsnocert>
<fallbackpeers type="HostnameField">
<Required>N</Required>
</fallbackpeers>
</items>
</model>

11
net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
View file

@ -13,16 +13,11 @@ allow {{ network }}
{% set peers = [peers] %}
{% endif %}
{% for peer in peers %}
{% if peer.pool == '1' %}pool {% else %}server {% endif %}{{peer.address}}{% if peer.prefer == '1' %} prefer{% endif %}{% if peer.iburst == '1' %} iburst{% endif %}{% if peer.xleave == '1' %} xleave{% endif %}{% if peer.minpoll is defined and peer.minpoll != '' %} minpoll {{ peer.minpoll }}{% endif %}{% if peer.maxpoll is defined and peer.maxpoll != '' %} maxpoll {{ peer.maxpoll }}{% endif %}
{% if peer.pool == '1' %}pool {% else %}server {% endif %}{{peer.address}}{% if peer.prefer == '1' %} prefer{% endif %}{% if peer.iburst == '1' %} iburst{% endif %}{% if peer.xleave == '1' %} xleave{% endif %}{% if peer.minpoll is defined and peer.minpoll != '' %} minpoll {{ peer.minpoll }}{% endif %}{% if peer.maxpoll is defined and peer.maxpoll != '' %} maxpoll {{ peer.maxpoll }}{% endif %}{% if peer.nts == '1' %} nts{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.chrony.general.fallbackpeers') and OPNsense.chrony.general.fallbackpeers != '' %}
authselectmode mix
server {{ OPNsense.chrony.general.fallbackpeers }}
{% endif %}
{% if not helpers.empty('OPNsense.chrony.general.localstratum') %}
local stratum {{ OPNsense.chrony.general.localstratum }} {% if helpers.exists('OPNsense.chrony.general.orphanmode') and OPNsense.chrony.general.orphanmode == '1' %}orphan{% endif %}
@ -31,11 +26,7 @@ driftfile /var/db/chrony/drift
pidfile /var/run/chrony/chronyd.pid
makestep 1 3
{% if helpers.exists('OPNsense.chrony.general.ntsclient') and OPNsense.chrony.general.ntsclient == '1' %}
ntsdumpdir /var/lib/chrony
ntstrustedcerts /usr/local/etc/ssl/cert.pem
nosystemcert
{% endif %}
{% if helpers.exists('OPNsense.chrony.general.ntsnocert') and OPNsense.chrony.general.ntsnocert == '1' %}
nocerttimecheck 1