From a43478e430ba9a4ff6fb81bf6ce9b1e165800da2 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Sat, 7 Aug 2021 23:52:15 +0300
Subject: [PATCH] chrony: add broken NTS configuration

Ref: #94
---
 etc/chrony/conf.d/allow-yggdrasil.conf | 1 +
 etc/chrony/conf.d/nts-server.conf | 5 +++++
 2 files changed, 6 insertions(+)
 create mode 100644 etc/chrony/conf.d/nts-server.conf

diff --git a/etc/chrony/conf.d/allow-yggdrasil.conf b/etc/chrony/conf.d/allow-yggdrasil.conf
index b5b7ac24..d5d3a1ac 100644
--- a/etc/chrony/conf.d/allow-yggdrasil.conf
+++ b/etc/chrony/conf.d/allow-yggdrasil.conf
@@ -2,4 +2,5 @@
 # Yggdrasil should protect from spoofing so this should be OK
 # ufw allow from 0200::/7 to any port 123 proto udp
+# NTS: ufw allow from 0200::/7 to any port 4460 proto udp
 allow 0200::/7

diff --git a/etc/chrony/conf.d/nts-server.conf b/etc/chrony/conf.d/nts-server.conf
new file mode 100644
index 00000000..9705be87
--- /dev/null
+++ b/etc/chrony/conf.d/nts-server.conf
@@ -0,0 +1,5 @@
+# Functioning as NTS server, these are usual TLS certificates from acme.sh
+# Note the port 4460
+ntsserverkey /etc/chrony/tls/etro.mikaela.info.key
+ntsservercert /etc/chrony/tls/etro.mikaela.info.crt
+
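Review bot: The added firewall comment gives `proto udp` for port 4460, but NTS-KE (RFC 8915) is a TLS session carried over TCP, so a rule written from this comment would leave the key exchange blocked while NTP on 123/udp stays open; it should read `# NTS: ufw allow from 0200::/7 to any port 4460 proto tcp`. Whether chrony's `allow 0200::/7` on the next line also gates incoming NTS-KE connections is not visible from this hunk; if it does not, the host firewall is the only thing limiting who can open TLS sessions to 4460, so this is worth confirming against the chrony version in use before relying on the Yggdrasil range alone.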
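Review bot: The file named by `ntsserverkey` has to be readable by the unprivileged user chronyd runs as, and acme.sh installs its output as root, so a private key left at mode 0600 owned by root is the most likely reason this configuration is "broken" as the subject says; check the ownership and mode of `/etc/chrony/tls/etro.mikaela.info.key` and grant read access to chronyd's user only, rather than making the key world-readable. acme.sh also renews the certificate on a schedule, so the renewal hook needs to make chronyd pick up the new certificate and key (the reload mechanism depends on the chrony version; a restart always works), otherwise NTS-KE keeps presenting the expired certificate after the first renewal. If the main chrony.conf does not already set `ntsdumpdir`, the server's cookie keys are not persisted across restarts and every client has to redo the key exchange after each restart; adding `ntsdumpdir /var/lib/chrony` (or the distribution's equivalent directory) alongside these two directives is worth considering.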