nixos/ntpd: fix permissions error when creating drift file

SFrijters · thoughtpolice · commit 31942f20f462 · 2024-12-22T16:20:31.000-06:00
This fixes "frequency file /var/lib/ntp/ntp.drift.TEMP: Permission denied".

Creating a directory via StateDirectory makes that directory /var/lib/ntp owned by root:root.
However, when running ntpd we change to user ntp (see ntpFlags), so the process cannot
actually use that directory.

Actually creating a home directory for the user at that location solves that problem.
diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix
@@ -142,6 +142,7 @@ in
       group = "ntp";
       description = "NTP daemon user";
       home = "/var/lib/ntp";
+      createHome = true;
     };
     users.groups.ntp = { };
 
@@ -155,7 +156,6 @@ in
       serviceConfig = {
         ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}";
         Type = "forking";
-        StateDirectory = "ntp";
 
         # Hardening options
         PrivateDevices = true;
diff --git a/nixos/tests/ntpd.nix b/nixos/tests/ntpd.nix
@@ -20,6 +20,8 @@ import ./make-test-python.nix (
       machine.wait_for_console_text('Listen normally on 10 eth*')
       machine.succeed('systemctl is-active ntpd.service')
       machine.succeed('ntpq -p')
+      # ntp user must be able to create drift files
+      machine.succeed('su -s /bin/sh -c "touch /var/lib/ntp/ntp.drift" ntp')
     '';
   }
 )

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@ import ./make-test-python.nix (`
`20`	`20`	`machine.wait_for_console_text('Listen normally on 10 eth*')`
`21`	`21`	`machine.succeed('systemctl is-active ntpd.service')`
`22`	`22`	`machine.succeed('ntpq -p')`
	`23`	`+ # ntp user must be able to create drift files`
	`24`	`+ machine.succeed('su -s /bin/sh -c "touch /var/lib/ntp/ntp.drift" ntp')`
`23`	`25`	`'';`
`24`	`26`	`}`
`25`	`27`	`)`