shinobu: Add NTP server

This also changes the firewall rules for the IoT network to no longer
accept connections to ntp.org pool hosts over 123/UDP. All clients
should use the local NTP server.

flake.lock

@@ -85,11 +85,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705659542,
-        "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=",
+        "lastModified": 1706981411,
+        "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9",
+        "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706080884,
-        "narHash": "sha256-qhxisCrSraN5YWVb0lNCFH8ovqnCw5W9ldac4Dzr0Nw=",
+        "lastModified": 1707919853,
+        "narHash": "sha256-qxmBGDzutuJ/tsX4gp+Mr7fjxOZBbeT9ixhS5o4iFOw=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6b28ab2d798c1c84e24053d95f4ee1dd9d81e2fb",
+        "rev": "043ba285c6dc20f36441d48525402bcb9743c498",
         "type": "github"
       },
       "original": {
@@ -215,11 +215,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1705757126,
-        "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=",
+        "lastModified": 1707297608,
+        "narHash": "sha256-ADjo/5VySGlvtCW3qR+vdFF4xM9kJFlRDqcC9ZGI8EA=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc",
+        "rev": "0db2e67ee49910adfa13010e7f012149660af7f0",
         "type": "github"
       },
       "original": {
@@ -231,11 +231,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1706085157,
-        "narHash": "sha256-0pTbYwn9qubaZLtuN0Ouj0neEfrir1wSNyH8gL1BzB0=",
+        "lastModified": 1707842204,
+        "narHash": "sha256-M+HAq1qWQBi/gywaMZwX0odU+Qb/XeqVeANGKRBDOwU=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "e756ff62c2e9db4f7c197bc1849a02024a7bfb2e",
+        "rev": "f1b2f71c86a5b1941d20608db0b1e88a07d31303",
         "type": "github"
       },
       "original": {
@@ -247,11 +247,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1705916986,
-        "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=",
+        "lastModified": 1707786466,
+        "narHash": "sha256-yLPfrmW87M2qt+8bAmwopJawa+MJLh3M9rUbXtpUc1o=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8",
+        "rev": "01885a071465e223f8f68971f864b15829988504",
         "type": "github"
       },
       "original": {
@@ -306,27 +306,27 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1705033721,
-        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
+        "lastModified": 1707603439,
+        "narHash": "sha256-LodBVZ3+ehJP2azM5oj+JrhfNAAzmTJ/OwAIOn0RfZ0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
+        "rev": "d8cd80616c8800feec0cab64331d7c3d5a1a6d98",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1705856552,
-        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "lastModified": 1707863367,
+        "narHash": "sha256-LdBbCSSP7VHaHA4KXcPGKqkvsowT2+7W4jlEHJj6rPg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "rev": "35ff7e87ee05199a8003f438ec11a174bcbd98ea",
         "type": "github"
       },
       "original": {
@@ -453,11 +453,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1705805983,
-        "narHash": "sha256-HluB9w7l75I4kK25uO4y6baY4fcDm2Rho0WI1DN2Hmc=",
+        "lastModified": 1707842202,
+        "narHash": "sha256-3dTBbCzHJBinwhsisGJHW1HLBsLbj91+a5ZDXt7ttW0=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "ae171b54e76ced88d506245249609f8c87305752",
+        "rev": "48afd3264ec52bee85231a7122612e2c5202fa74",
         "type": "github"
       },
       "original": {

machines/shinobu/configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -9,6 +9,7 @@
     ../../modules
 
     ./services/co2_exporter.nix
+    ./services/ntp.nix
     ./services/router
     ./services/snmp-exporter.nix
     ./services/wordclock-dimmer.nix

machines/shinobu/services/ntp.nix

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{
+  services.ntp = {
+    enable = true;
+  };
+
+  networking.firewall.allowedUDPPorts = [ 123 ];
+}

machines/shinobu/services/router/dnsmasq.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -41,16 +41,16 @@ in
         cfg.vlan);
       dhcp-option = lib.flatten (lib.mapAttrsToList
         (name: { subnet, ... }: [
+          # Gateway
           "tag:br-${name},option:router,${subnet.v4.gateway}"
           "tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
+
+          # NTP server (runs on gateway)
+          "tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
+          "tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
         ])
         cfg.vlan);
 
-      nftset = [
-        "/pool.ntp.org/4#inet#filter#iot_ntp4"
-        "/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
-      ];
-
       server = [
         "127.0.0.1#5053"
       ];

machines/shinobu/services/router/rules.nft

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -7,16 +7,6 @@ define PHYSICAL_WAN = "enp1s0"
 define NAT_WAN_IFACES = { $PHYSICAL_WAN }
 
 table inet filter {
-	# These two sets are dynamically managed by dnsmasq
-	set iot_ntp4 {
-		type ipv4_addr
-		comment "IPv4 addresses of resolved NTP servers"
-	}
-	set iot_ntp6 {
-		type ipv6_addr
-		comment "IPv6 addresses of resolved NTP servers"
-	}
-
 	chain forward {
 		type filter hook forward priority filter; policy drop
 
@@ -31,8 +21,6 @@ table inet filter {
 		iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
 		iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
 
-		iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
-		iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
 		iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
 	}
 }

modules/mailserver/postfix.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later