nixos/ntpd: fix permissions error when creating drift file

This fixes "frequency file /var/lib/ntp/ntp.drift.TEMP: Permission denied".

Creating a directory via StateDirectory makes that directory /var/lib/ntp owned by root:root.
However, when running ntpd we change to user ntp (see ntpFlags), so the process cannot
actually use that directory.

Actually creating a home directory for the user at that location solves that problem.
Stefan Frijters 2024-12-21 11:17:28 +01:00 committed by Austin Seipp
parent 6055456974
commit 31942f20f4
2 changed files with 3 additions and 1 deletions


@ -142,6 +142,7 @@ in
group = "ntp";
description = "NTP daemon user";
home = "/var/lib/ntp";
createHome = true;
};
users.groups.ntp = { };
@ -155,7 +156,6 @@ in
serviceConfig = {
ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}";
Type = "forking";
StateDirectory = "ntp";
# Hardening options
PrivateDevices = true;
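Review bot: Nothing in the new code records why `StateDirectory = "ntp";` was dropped from `serviceConfig`, so a later hardening pass could re-add it. No `User=` is visible in this hunk and ntpd drops privileges itself, so systemd would probably hand /var/lib/ntp back to root:root and the drift-file error would return. A comment next to `createHome = true;` would guard against that, for example `# ntpd starts as root and drops to ntp (see ntpFlags); /var/lib/ntp must be owned by ntp, so do not manage it with StateDirectory`. The hardening options continue past the end of the hunk; if they include `ProtectSystem = "strict"`, the unit would also need `ReadWritePaths = [ "/var/lib/ntp" ];` now that the state directory is no longer declared.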


@ -20,6 +20,8 @@ import ./make-test-python.nix (
machine.wait_for_console_text('Listen normally on 10 eth*')
machine.succeed('systemctl is-active ntpd.service')
machine.succeed('ntpq -p')
# ntp user must be able to create drift files
machine.succeed('su -s /bin/sh -c "touch /var/lib/ntp/ntp.drift" ntp')
'';
}
)
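Review bot: The added `touch` check passes whenever the ntp user can write to /var/lib/ntp, so it would also pass if the directory were world-writable or owned by another user with loose permissions. Pinning the owner makes the test assert the intended state rather than just writability, for example `machine.succeed('test "$(stat -c %U /var/lib/ntp)" = ntp')`. The check also runs from a `su` shell, not inside the ntpd unit's sandbox, so it does not show that the hardened service itself can write the drift file. The test script begins outside this hunk.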