diff --git a/chrony.yml b/chrony.yml new file mode 100644 index 0000000..3b8ceaa --- /dev/null +++ b/chrony.yml @@ -0,0 +1,4 @@ +- hosts: chrony + roles: + - role: chrony + tags: chrony diff --git a/group_vars/chrony.yml b/group_vars/chrony.yml new file mode 100644 index 0000000..090df8f --- /dev/null +++ b/group_vars/chrony.yml @@ -0,0 +1,2 @@ +chrony_servers: +- '{{ ansible_default_ipv4.gateway }}' diff --git a/host_vars/gw1.pyrocufflink.blue/main.yml b/host_vars/gw1.pyrocufflink.blue/main.yml index 7da82d3..4c68e0c 100644 --- a/host_vars/gw1.pyrocufflink.blue/main.yml +++ b/host_vars/gw1.pyrocufflink.blue/main.yml @@ -45,3 +45,15 @@ promtail_scrape_configs: source: message dnf_automatic_reboot: never + +chrony_pools: +- 1.fedora.pool.ntp.org iburst +- 2.fedora.pool.ntp.org iburst +- 3.fedora.pool.ntp.org iburst +- 4.fedora.pool.ntp.org iburst + +chrony_allow: +- 172.30.0.0/16 +- 172.31.1.0/24 +- 172.24.100.0/24 +- 192.168.1.0/24 diff --git a/hosts b/hosts index ee3dcf6..fd6b5fe 100644 --- a/hosts +++ b/hosts @@ -25,6 +25,10 @@ git0.pyrocufflink.blue [certbot] +[chrony:children] +kubelet +pyrocufflink + [collectd] [collectd:children] diff --git a/hosts.gw b/hosts.gw index b8d77be..a289f38 100644 --- a/hosts.gw +++ b/hosts.gw @@ -1,6 +1,9 @@ [burp-client] gw1.pyrocufflink.blue +[chrony] +gw1.pyrocufflink.blue + [collectd] gw1.pyrocufflink.blue diff --git a/roles/chrony/handlers/main.yml b/roles/chrony/handlers/main.yml new file mode 100644 index 0000000..44f2109 --- /dev/null +++ b/roles/chrony/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart chrony + service: + name: chronyd + state: restarted diff --git a/roles/chrony/tasks/main.yml b/roles/chrony/tasks/main.yml new file mode 100644 index 0000000..0399bde --- /dev/null +++ b/roles/chrony/tasks/main.yml 
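Review bot: The play in chrony.yml sets no `become`, yet the role it applies installs a package, writes /etc/chrony.conf owned by root and manages the chronyd unit, all of which need root; if privilege escalation is not configured globally (ansible.cfg or inventory, neither visible here), the play fails on its first task. Add `  become: true` under `- hosts: chrony` unless the repo already sets it elsewhere.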
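Review bot: The single `chrony_servers` entry in group_vars/chrony.yml renders as `server <gateway>` with no options, unlike the pool entries in gw1's host_vars that carry `iburst`, so client hosts wait through several regular polls before their first sync instead of taking a burst of initial measurements; `- '{{ ansible_default_ipv4.gateway }} iburst'` keeps the data model unchanged and fixes that. There is also no default for a missing gateway: a host whose facts lack `ansible_default_ipv4.gateway` (no default route, or `gather_facts` disabled) fails the template task rather than falling back to pools. Note too that gw1 is placed in `[chrony]` in hosts.gw, so as far as the inventory layout shows this group var applies to gw1 as well and its rendered config would list its own upstream gateway as a `server` next to the Fedora pools; if that is unintended, override with `chrony_servers: []` in gw1's host_vars.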
@@ -0,0 +1,35 @@
+- name: ensure chrony is installed
+ package:
+ name: chrony
+ state: present
+ tags:
+ - install
+
+- name: ensure chrony is configured
+ template:
+ src: chrony.conf.j2
+ dest: /etc/chrony.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - restart chrony
+ tags:
+ - config
+
+- name: ensure chrony is enabled
+ service:
+ name: chronyd
+ enabled: true
+ tags:
+ - service
+
+- name: flush_handlers
+ meta: flush_handlers
+
+- name: ensure chrony is running
+ service:
+ name: chronyd
+ state: started
+ tags:
+ - service
diff --git a/roles/chrony/templates/chrony.conf.j2 b/roles/chrony/templates/chrony.conf.j2
new file mode 100644
index 0000000..1cb3686
--- /dev/null
+++ b/roles/chrony/templates/chrony.conf.j2
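Review bot: The role hardcodes the Fedora/RHEL layout — `dest: /etc/chrony.conf` in the template task and the unit name `chronyd` in both service tasks and the handler — but nothing in the role states that; on Debian-family systems the file lives at /etc/chrony/chrony.conf and the unit is `chrony`, so there the role would write a file chronyd never reads and then fail on the service tasks. Add a comment at the top of tasks/main.yml such as `# Fedora/RHEL only: assumes /etc/chrony.conf and the chronyd unit`, or guard the role on `ansible_os_family`. The template task also has no `validate:`; if the installed chrony offers a configuration check, wiring it in there would stop a bad render from restarting chronyd into a failed state, since the restart handler is flushed before the "ensure chrony is running" task.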
@@ -0,0 +1,61 @@
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (https://www.pool.ntp.org/join.html).
+{% for pool in chrony_pools|d([]) %}
+pool {{ pool }}
+{% endfor %}
+{% for server in chrony_servers|d([]) %}
+server {{ server }}
+{% endfor %}
+
+# Use NTP servers from DHCP.
+sourcedir /run/chrony-dhcp
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+{% if chrony_allow|d %}
+{% for subnet in chrony_allow %}
+allow {{ subnet }}
+{% endfor %}
+{% else %}
+#allow 192.168.0.0/16
+{% endif %}
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Require authentication (nts or key option) for all NTP sources.
+#authselectmode require
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Insert/delete leap seconds by slewing instead of stepping.
+#leapsecmode slew
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+leapsectz right/UTC
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
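Review bot: For every host in the `chrony` group the rendered file has exactly one time source, the `server` line from group_vars, with no pools and `minsources` left commented, so a wrong or unreachable gateway leaves those hosts with no fallback and chrony cannot detect a falseticker; that may be the intended design, but it should be stated in the template header, e.g. `# Clients sync to the LAN gateway only; gw1 is the only host with public pools`. The `sourcedir /run/chrony-dhcp` directive is, as far as I know, only understood by chrony 4.x, and chronyd treats an unknown directive as a fatal parse error, so the role would break on an older package if it ever targets one. With `#local stratum 10` commented out, gw1 stops serving usable time to its `allow`ed subnets whenever its upstream pools are unreachable; confirm that is the behaviour wanted for a gateway that is the sole source for the LAN.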