chrony: improve configuration

Extend configuration of NTP sources in UCI:
- Add nts option to enable NTS
- Add disabled option to allow inactive sources

Add nts section to UCI with:
- rtccheck option to disable certificate time checks on systems that
  don't have an RTC to avoid the chicken-and-egg problem (it is less
  secure, but still should be better than no NTS at all)
- systemcerts option to disable system certificates
- trustedcerts option to specify path to trusted certificates

Save NTS keys and cookies by default to avoid unnecessary NTS-KE
sessions when restarted or switching back to an already used NTS source.
Also, save the drift to stabilize the clock after chronyd restart.

Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>

net/chrony/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=chrony
 PKG_VERSION:=4.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.tuxfamily.org/chrony/

net/chrony/files/chrony.conf

@@ -10,5 +10,11 @@ logchange 0.5
 # Don't log client accesses
 noclientlog
 
-# set the system clock else the kernel will always stay in UNSYNC state
+# Mark the system clock as synchronized
 rtcsync
+
+# Record the clock's drift
+driftfile /var/run/chrony/drift
+
+# Save NTS keys and cookies
+ntsdumpdir /var/run/chrony

net/chrony/files/chrony.config

@@ -5,6 +5,7 @@ config pool
 
 config dhcp_ntp_server
 	option iburst 'yes'
+	option disabled 'no'
 
 config allow
 	option interface 'lan'
@@ -12,3 +13,7 @@ config allow
 config makestep
 	option threshold '1.0'
 	option limit '3'
+
+config nts
+	option rtccheck 'yes'
+	option systemcerts 'yes'

net/chrony/files/chronyd.init

@@ -6,21 +6,26 @@ USE_PROCD=1
 PROG=/usr/sbin/chronyd
 CONFIGFILE=/etc/chrony/chrony.conf
 INCLUDEFILE=/var/etc/chrony.d/10-uci.conf
+RTCDEVICE=/dev/rtc0
 
 handle_source() {
-	local cfg=$1 sourcetype=$2 hostname minpoll maxpoll iburst
+	local cfg=$1 sourcetype=$2 disabled hostname minpoll maxpoll iburst nts
 
+	config_get_bool disabled "$cfg" disabled 0
+	[ "$disabled" = "1" ] && return
 	hostname=$NTP_SOURCE_HOSTNAME
 	[ -z "$hostname" ] && config_get hostname "$cfg" hostname
 	[ -z "$hostname" ] && return
 	config_get minpoll "$cfg" minpoll
 	config_get maxpoll "$cfg" maxpoll
 	config_get_bool iburst "$cfg" iburst 0
+	config_get_bool nts "$cfg" nts 0
 	echo $(
 		echo $sourcetype $hostname
 		[ -n "$minpoll" ] && echo minpoll $minpoll
 		[ -n "$maxpoll" ] && echo maxpoll $maxpoll
 		[ "$iburst" = "1" ] && echo iburst
+		[ "$nts" = "1" ] && echo nts
 	)
 }
 
@@ -53,6 +58,18 @@ handle_makestep() {
 	echo makestep $threshold $limit
 }
 
+handle_nts() {
+	local cfg=$1 threshold limit
+
+	config_get_bool rtccheck "$cfg" rtccheck 0
+	config_get_bool systemcerts "$cfg" systemcerts 1
+	config_get trustedcerts "$cfg" trustedcerts
+	# Disable certificate time checks if no RTC is present
+	[ "$rtccheck" = "1" ] && ! [ -c $RTCDEVICE ] && echo nocerttimecheck 1
+	[ "$systemcerts" = "0" ] && echo nosystemcert
+	[ -n "$trustedcerts" ] && echo ntstrustedcerts "$trustedcerts"
+}
+
 start_service() {
 	. /lib/functions/network.sh
 
@@ -71,5 +88,6 @@ start_service() {
 		config_foreach handle_source peer peer
 		config_foreach handle_allow allow
 		config_foreach handle_makestep makestep
+		config_foreach handle_nts nts
 	) > $INCLUDEFILE
 }