{ lib, ... }:

{
  services.chrony = {
    enable = true;

    servers = [
      "ptbtime1.ptb.de"
      "ptbtime2.ptb.de"
      "time.cloudflare.com"
      "ntp1.hetzner.de"
    ];

    extraConfig = ''
      bindaddress 0.0.0.0
      port 123
      allow
    '';
  };

  systemd.services.chronyd = {
    after = lib.mkForce [ "network-online.target" "nss-lookup.target" ];
  };

  networking.firewall.interfaces."end0" = {
    allowedUDPPorts = [ 123 ];
    allowedTCPPorts = [ 123 ];
  };
}