ntpd-rs

Memory-safe implementation of IETF time standards including NTPv5 and NTS

Declared in: projects/ntpd-rs/default.nix

1. Install Nix
   Debian

   Bash

   $ apt install --yes curl git jq nix

   Ubuntu

   Bash

   $ apt install --yes curl git jq nix

   Arch

   Bash

   $ pacman --sync --refresh --noconfirm curl git jq nix

2. Download a configuration file

   # default.nix
   {
     ngipkgs ? import (fetchTarball "https://github.com/ngi-nix/ngipkgs/tarball/main") { },
   }:
   ngipkgs.demo-vm (
     { lib, ... }:
   
     {
       services.timesyncd.enable = lib.mkForce false;
   
       services.ntpd-rs = {
         enable = true;
         useNetworkingTimeServers = false;
   
         settings = {
           synchronization.minimum-agreeing-sources = 1;
           source = [
             {
               mode = "server";
               address = "time.cloudflare.com";
             }
           ];
         };
       };
     }
   )
   

   Download
3. Enable binary substituters

   Bash

   $ export NIX_CONFIG='substituters = https://cache.nixos.org/ https://ngi.cachix.org/
   trusted-public-keys = cache.nixos.org-1:6nchdd59x431o0gwypbmraurkbj16zpmqfgspcdshjy= ngi.cachix.org-1:n+cal72roc3qqulxihpv+tw5t42whxmmhpragkrsrow='

4. Build and run a virtual machine
   Debian Sid/Trixie

   Bash

   $ nix-build ./default.nix && ./result

   Ubuntu 25.04

   Bash

   $ nix-build ./default.nix && ./result

   Ubuntu 24.04

   Bash

   $ rev=$(nix-instantiate --eval --attr sources.nixpkgs.rev https://github.com/ngi-nix/ngipkgs/archive/master.tar.gz | jq --raw-output)

   $ nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz --packages nix --run "nix-build ./default.nix && ./result"

   Arch

   Bash

   $ nix-build ./default.nix && ./result

5. Usage Instructions

   1. To use ntpd-rs, you need to first disable systemd-timesyncd (the default NTP client on NixOS).

   2. Then pick your time sources and configure them as described in the documentation.

   3. The default synchronization.minimum-agreeing-sources is 3, override it to a lower value if have fewer sources. If you start ntpd-rs in client mode and having less sources than the configured value, the service will exit with an error. To check the synchronization status, use ntp-ctl status.

{ lib, ... }:

{
  services.timesyncd.enable = lib.mkForce false;

  services.ntpd-rs = {
    enable = true;
    useNetworkingTimeServers = false;

    settings = {
      synchronization.minimum-agreeing-sources = 1;
      source = [
        {
          mode = "server";
          address = "time.cloudflare.com";
        }
      ];
    };
  };
}

# example extracted from official NixOS test
# https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/ntpd-rs.nix
{
  networking.firewall = {
    allowedTCPPorts = [ 9975 ];
    allowedUDPPorts = [ 123 ];
  };

  services.ntpd-rs = {
    enable = true;
    metrics.enable = true;
    settings = {
      observability.metrics-exporter-listen = "[::]:9975";
      server = [ { listen = "[::]:123"; } ];
    };
  };
}

{ lib, ... }:

{
  services.timesyncd.enable = lib.mkForce false;

  services.ntpd-rs = {
    enable = true;
    useNetworkingTimeServers = false;

    settings.source = (
      map
        (s: {
          mode = "nts";
          address = s;
        })
        [
          "brazil.time.system76.com"
          "ohio.time.system76.com"
          "oregon.time.system76.com"
          "paris.time.system76.com"
          "virginia.time.system76.com"
        ]
    );
  };
}

This project is funded by NLnet through these subgrants:

Entrust

ntpd-rs

Related links:

• ntpd-rs documentation
• Project Pendulum