From c300dc1b6cce53e0f206df670059e0d22f1d394b Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 9 Jan 2024 18:13:42 -0600
Subject: [PATCH] chrony: Add role/PB for chrony

I continually struggle with machines' (physical and virtual, even the Roku devices!) clocks getting out of sync. I have been putting off fixing this because I wanted to set up a Windows-compatible NTP server (i.e. on the domain controllers, with Kerberos signing), but there's really no reason to wait for that to fix the clocks on all the non-Windows machines, especially since there are exactly 0 Windows machines on the network right now. The *chrony* role and corresponding `chrony.yml` playbook are generic, configured via the `chrony_pools`, `chrony_servers`, and `chrony_allow` variables. The values for these variables will configure the firewall to act as an NTP server, synchronizing with the NTP pool on the Internet, while all other machines will synchronize with it. This allows machines on networks without Internet access to keep their clocks in sync.
---
 chrony.yml | 4 ++
 group_vars/chrony.yml | 2 +
 host_vars/gw1.pyrocufflink.blue/main.yml | 12 +++++
 hosts | 4 ++
 hosts.gw | 3 ++
 roles/chrony/handlers/main.yml | 4 ++
 roles/chrony/tasks/main.yml | 35 ++++++++++++++
 roles/chrony/templates/chrony.conf.j2 | 61 ++++++++++++++++++++++++
 8 files changed, 125 insertions(+)
 create mode 100644 chrony.yml
 create mode 100644 group_vars/chrony.yml
 create mode 100644 roles/chrony/handlers/main.yml
 create mode 100644 roles/chrony/tasks/main.yml
 create mode 100644 roles/chrony/templates/chrony.conf.j2
diff --git a/chrony.yml b/chrony.yml
new file mode 100644
index 0000000..3b8ceaa
--- /dev/null
+++ b/chrony.yml
@@ -0,0 +1,4 @@
+- hosts: chrony
+ roles:
+ - role: chrony
+ tags: chrony
diff --git a/group_vars/chrony.yml b/group_vars/chrony.yml
new file mode 100644
index 0000000..090df8f
--- /dev/null
+++ b/group_vars/chrony.yml
@@ -0,0 +1,2 @@
+chrony_servers:
+- '{{ ansible_default_ipv4.gateway }}'
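Review bot: The single `chrony_servers` entry in group_vars/chrony.yml carries no source options, so the role renders a bare `server` line without `iburst`, while the pool entries added to host_vars/gw1.pyrocufflink.blue/main.yml in the same commit do have it; clients will therefore need several polling intervals before their first sync. Suggested: `- '{{ ansible_default_ipv4.gateway }} iburst'`. Because this is a group variable and hosts.gw also places gw1.pyrocufflink.blue in `[chrony]`, the gateway itself appears to receive its own upstream default gateway as an extra `server` alongside the pools, which looks unintended; an override of `chrony_servers: []` in gw1's host_vars would prevent that. The variable also presumes every group member has an IPv4 default route, since `ansible_default_ipv4.gateway` would otherwise be undefined and the template task would fail.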
diff --git a/host_vars/gw1.pyrocufflink.blue/main.yml b/host_vars/gw1.pyrocufflink.blue/main.yml
index 7da82d3..4c68e0c 100644
--- a/host_vars/gw1.pyrocufflink.blue/main.yml
+++ b/host_vars/gw1.pyrocufflink.blue/main.yml
@@ -45,3 +45,15 @@ promtail_scrape_configs:
 source: message
 dnf_automatic_reboot: never
+
+chrony_pools:
+- 1.fedora.pool.ntp.org iburst
+- 2.fedora.pool.ntp.org iburst
+- 3.fedora.pool.ntp.org iburst
+- 4.fedora.pool.ntp.org iburst
+
+chrony_allow:
+- 172.30.0.0/16
+- 172.31.1.0/24
+- 172.24.100.0/24
+- 192.168.1.0/24
diff --git a/hosts b/hosts
index ee3dcf6..fd6b5fe 100644
--- a/hosts
+++ b/hosts
@@ -25,6 +25,10 @@ git0.pyrocufflink.blue
 [certbot]
+[chrony:children]
+kubelet
+pyrocufflink
+
 [collectd]
 [collectd:children]
diff --git a/hosts.gw b/hosts.gw
index b8d77be..a289f38 100644
--- a/hosts.gw
+++ b/hosts.gw
@@ -1,6 +1,9 @@
 [burp-client]
 gw1.pyrocufflink.blue
+[chrony]
+gw1.pyrocufflink.blue
+
 [collectd]
 gw1.pyrocufflink.blue
diff --git a/roles/chrony/handlers/main.yml b/roles/chrony/handlers/main.yml
new file mode 100644
index 0000000..44f2109
--- /dev/null
+++ b/roles/chrony/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart chrony
+ service:
+ name: chronyd
+ state: restarted
diff --git a/roles/chrony/tasks/main.yml b/roles/chrony/tasks/main.yml
new file mode 100644
index 0000000..0399bde
--- /dev/null
+++ b/roles/chrony/tasks/main.yml
@@ -0,0 +1,35 @@
+- name: ensure chrony is installed
+ package:
+ name: chrony
+ state: present
+ tags:
+ - install
+
+- name: ensure chrony is configured
+ template:
+ src: chrony.conf.j2
+ dest: /etc/chrony.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - restart chrony
+ tags:
+ - config
+
+- name: ensure chrony is enabled
+ service:
+ name: chronyd
+ enabled: true
+ tags:
+ - service
+
+- name: flush_handlers
+ meta: flush_handlers
+
+- name: ensure chrony is running
+ service:
+ name: chronyd
+ state: started
+ tags:
+ - service
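Review bot: The four `chrony_pools` entries in host_vars/gw1.pyrocufflink.blue/main.yml all point at the same pool project, and each `pool` directive resolves up to four sources by default (chrony's `maxsources`), so the gateway may end up polling up to sixteen upstream servers. Fedora's stock configuration uses a single `pool 2.fedora.pool.ntp.org iburst` for this reason; one or two entries would keep the selection set and outbound NTP traffic smaller without losing redundancy. This is a matter of configuration style rather than a defect.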
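Review bot: The tasks in roles/chrony/tasks/main.yml hardcode the Fedora/RHEL layout — `dest: /etc/chrony.conf` in the template task and `name: chronyd` in both service tasks (and in roles/chrony/handlers/main.yml) — although the commit message describes the role as generic; Debian-family hosts ship the unit as `chrony` with the config at `/etc/chrony/chrony.conf`. If the inventory stays Fedora-only this is fine; otherwise parameterizing them, e.g. `dest: "{{ chrony_conf_path | d('/etc/chrony.conf') }}"` and `name: "{{ chrony_service | d('chronyd') }}"`, keeps the role usable elsewhere. At minimum a comment above the template task stating the assumption, such as `# Fedora/RHEL layout: config at /etc/chrony.conf, unit named chronyd`, would make it explicit for the next reader.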
diff --git a/roles/chrony/templates/chrony.conf.j2 b/roles/chrony/templates/chrony.conf.j2
new file mode 100644
index 0000000..1cb3686
--- /dev/null
+++ b/roles/chrony/templates/chrony.conf.j2
@@ -0,0 +1,61 @@
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (https://www.pool.ntp.org/join.html).
+{% for pool in chrony_pools|d([]) %}
+pool {{ pool }}
+{% endfor %}
+{% for server in chrony_servers|d([]) %}
+server {{ server }}
+{% endfor %}
+
+# Use NTP servers from DHCP.
+sourcedir /run/chrony-dhcp
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+{% if chrony_allow|d %}
+{% for subnet in chrony_allow %}
+allow {{ subnet }}
+{% endfor %}
+{% else %}
+#allow 192.168.0.0/16
+{% endif %}
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Require authentication (nts or key option) for all NTP sources.
+#authselectmode require
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Insert/delete leap seconds by slewing instead of stepping.
+#leapsecmode slew
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+leapsectz right/UTC
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
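Review bot: `sourcedir /run/chrony-dhcp` is rendered unconditionally, so on hosts whose DHCP lease advertises NTP servers those are used as sources in addition to `chrony_servers`; that undercuts the commit's stated intent that non-gateway machines synchronize only with the firewall, and it means a host's clock also trusts whatever its DHCP server hands out. Wrapping the directive in `{% if chrony_dhcp_sources|d(true) %}` … `{% endif %}` keeps today's behavior by default while letting the group turn it off. The header comment `# Use public servers from the pool.ntp.org project.` now also sits above the `server` loop, which on most hosts renders the local gateway rather than pool servers; giving the `server` loop its own comment, e.g. `# Local/internal NTP servers (chrony_servers).`, avoids misleading the next reader. With `local` left commented, the gateway's responses are marked unsynchronized once it loses its own upstream sources, so clients on isolated networks stay in sync only while the gateway itself is synchronized — worth a note in the role if that is the intended trade-off.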