From 6046ff399552cc3755709a44b7d44a0535af9e4d Mon Sep 17 00:00:00 2001
From: s0me1newithhand7s <git+me@hand7s.org>
Date: Sun, 3 May 2026 15:58:46 +0300
Subject: [PATCH] kyra(hardening): ntps-rs init

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
---
 kyra/services/ntpd-rs.nix | 42 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 kyra/services/ntpd-rs.nix

diff --git a/kyra/services/ntpd-rs.nix b/kyra/services/ntpd-rs.nix
new file mode 100644
index 0000000..a76b759
--- /dev/null
+++ b/kyra/services/ntpd-rs.nix
@@ -0,0 +1,42 @@
+_: {
+  services = {
+    ntpd-rs = {
+      enable = true;
+      metrics = {
+        enable = true;
+      };
+
+      settings = {
+        source = [
+          {
+            mode = "nts";
+            address = "time.cloudflare.com";
+          }
+
+          {
+            mode = "nts";
+            address = "nts.ntp.se";
+          }
+        ];
+
+        server = [
+          {
+            listen = "[::]:123";
+          }
+        ];
+
+        nts-ke-server = [
+          {
+            listen = "[::]:4460";
+            certificate-chain-path = "/var/lib/acme/ntp.hand7s.org/fullchain.pem";
+            private-key-path = "/var/lib/acme/ntp.hand7s.org/key.pem";
+          }
+        ];
+
+        synchronization = {
+          minimum-agreeing-sources = 2;
+        };
+      };
+    };
+  };
+}