Merge 1ccfd774d5 into cb9a5d6d69

net/chrony/Makefile

@@ -1,6 +1,6 @@
 PLUGIN_NAME=		chrony
-PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.6
+PLUGIN_REVISION=	0
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

net/chrony/pkg-descr

@@ -4,6 +4,11 @@ better in virtual environments.
 Plugin Changelog
 ----------------
 
+1.6
+
+* Add NTS server support (ntsservercert, ntsserverkey, ntsport)
+* Add confdir include for custom directives (/usr/local/etc/chrony.opnsense.d/)
+
 1.5
 
 * Allow adding a fallback NTP when using NTS

net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml

@@ -45,4 +45,26 @@
         <allownew>true</allownew>
         <help>Set the networks allowed to synchronize time with this server. If this value is not set it will also not listen to the port and just synchronize the time for itself.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>NTS Server</label>
+    </field>
+    <field>
+        <id>general.ntsservercert</id>
+        <label>NTS Server Certificate</label>
+        <type>text</type>
+        <help>Absolute path to the TLS certificate chain in PEM format for NTS server mode. The file should include any intermediate certificates needed by clients. Leave empty to disable NTS server.</help>
+    </field>
+    <field>
+        <id>general.ntsserverkey</id>
+        <label>NTS Server Key</label>
+        <type>text</type>
+        <help>Absolute path to the TLS private key in PEM format for NTS server mode.</help>
+    </field>
+    <field>
+        <id>general.ntsport</id>
+        <label>NTS-KE Port</label>
+        <type>text</type>
+        <help>TCP port for the NTS Key Establishment service (default: 4460). Leave empty to use the default.</help>
+    </field>
 </form>

net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml

@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/chrony/general</mount>
     <description>Chrony configuration</description>
-    <version>0.0.2</version>
+    <version>0.0.3</version>
     <items>
         <enabled type="BooleanField">
             <Default>0</Default>
@@ -33,5 +33,18 @@
             <FieldSeparator>,</FieldSeparator>
             <AsList>Y</AsList>
         </allowednetworks>
+        <ntsservercert type="TextField">
+            <Required>N</Required>
+            <Mask>/^(\/[a-zA-Z0-9._\-]+)+$/</Mask>
+            <ValidationMessage>Must be an absolute file path.</ValidationMessage>
+        </ntsservercert>
+        <ntsserverkey type="TextField">
+            <Required>N</Required>
+            <Mask>/^(\/[a-zA-Z0-9._\-]+)+$/</Mask>
+            <ValidationMessage>Must be an absolute file path.</ValidationMessage>
+        </ntsserverkey>
+        <ntsport type="PortField">
+            <Required>N</Required>
+        </ntsport>
     </items>
 </model>

net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh

@@ -3,3 +3,7 @@
 mkdir -p /var/db/chrony /var/lib/chrony /var/run/chrony
 chown -R chronyd:chronyd /var/db/chrony /var/lib/chrony /var/run/chrony
 chmod 750 /var/db/chrony /var/lib/chrony /var/run/chrony
+
+mkdir -p /usr/local/etc/chrony.opnsense.d
+chown root:chronyd /usr/local/etc/chrony.opnsense.d
+chmod 750 /usr/local/etc/chrony.opnsense.d

net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf

@@ -33,4 +33,14 @@ allow {{ network }}
 {%     endfor %}
 {%   endif %}
 
+{%   if helpers.exists('OPNsense.chrony.general.ntsservercert') and not helpers.empty('OPNsense.chrony.general.ntsservercert') %}
+ntsservercert {{ OPNsense.chrony.general.ntsservercert }}
+ntsserverkey {{ OPNsense.chrony.general.ntsserverkey }}
+{%     if helpers.exists('OPNsense.chrony.general.ntsport') and not helpers.empty('OPNsense.chrony.general.ntsport') %}
+ntsport {{ OPNsense.chrony.general.ntsport }}
+{%     endif %}
+{%   endif %}
+
+include /usr/local/etc/chrony.opnsense.d/*.conf
+
 {% endif %}