chrony: Add role/PB for chrony

I continually struggle with machines' (physical and virtual, even the Roku devices!) clocks getting out of sync. I have been putting off fixing this because I wanted to set up a Windows-compatible NTP server (i.e. on the domain controllers, with Kerberos signing), but there's really no reason to wait for that to fix the clocks on all the non-Windows machines, especially since there are exactly 0 Windows machines on the network right now. The *chrony* role and corresponding `chrony.yml` playbook are generic, configured via the `chrony_pools`, `chrony_servers`, and `chrony_allow` variables. The values for these variables will configure the firewall to act as an NTP server, synchronizing with the NTP pool on the Internet, while all other machines will synchronize with it. This allows machines on networks without Internet access to keep their clocks in sync.
2024-01-09 18:13:42 -06:00 · 2024-01-09 18:13:42 -06:00 · c300dc1b6c
parent 4ba5f2ced0
commit c300dc1b6c
8 changed files with 125 additions and 0 deletions
--- a/chrony.yml
+++ b/chrony.yml
@ -0,0 +1,4 @@
+- hosts: chrony
+  roles:
+  - role: chrony
+    tags: chrony
--- a/group_vars/chrony.yml
+++ b/group_vars/chrony.yml
@ -0,0 +1,2 @@
+chrony_servers:
+- '{{ ansible_default_ipv4.gateway }}'
--- a/host_vars/gw1.pyrocufflink.blue/main.yml
+++ b/host_vars/gw1.pyrocufflink.blue/main.yml
@ -45,3 +45,15 @@ promtail_scrape_configs:
      source: message

 dnf_automatic_reboot: never
+
+chrony_pools:
+- 1.fedora.pool.ntp.org iburst
+- 2.fedora.pool.ntp.org iburst
+- 3.fedora.pool.ntp.org iburst
+- 4.fedora.pool.ntp.org iburst
+
+chrony_allow:
+- 172.30.0.0/16
+- 172.31.1.0/24
+- 172.24.100.0/24
+- 192.168.1.0/24
--- a/4
+++ b/4
@ -25,6 +25,10 @@ git0.pyrocufflink.blue

 [certbot]

+[chrony:children]
+kubelet
+pyrocufflink
+
 [collectd]

 [collectd:children]
--- a/hosts.gw
+++ b/hosts.gw
@ -1,6 +1,9 @@
 [burp-client]
 gw1.pyrocufflink.blue

+[chrony]
+gw1.pyrocufflink.blue
+
 [collectd]
 gw1.pyrocufflink.blue

--- a/roles/chrony/handlers/main.yml
+++ b/roles/chrony/handlers/main.yml
@ -0,0 +1,4 @@
+- name: restart chrony
+  service:
+    name: chronyd
+    state: restarted
--- a/roles/chrony/tasks/main.yml
+++ b/roles/chrony/tasks/main.yml
@ -0,0 +1,35 @@
+- name: ensure chrony is installed
+  package:
+    name: chrony
+    state: present
+  tags:
+  - install
+
+- name: ensure chrony is configured
+  template:
+    src: chrony.conf.j2
+    dest: /etc/chrony.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - restart chrony
+  tags:
+  - config
+
+- name: ensure chrony is enabled
+  service:
+    name: chronyd
+    enabled: true
+  tags:
+  - service
+
+- name: flush_handlers
+  meta: flush_handlers
+
+- name: ensure chrony is running
+  service:
+    name: chronyd
+    state: started
+  tags:
+  - service
--- a/roles/chrony/templates/chrony.conf.j2
+++ b/roles/chrony/templates/chrony.conf.j2
@ -0,0 +1,61 @@
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (https://www.pool.ntp.org/join.html).
+{% for pool in chrony_pools|d([]) %}
+pool {{ pool }}
+{% endfor %}
+{% for server in chrony_servers|d([]) %}
+server {{ server }}
+{% endfor %}
+
+# Use NTP servers from DHCP.
+sourcedir /run/chrony-dhcp
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+{% if chrony_allow|d %}
+{% for subnet in chrony_allow %}
+allow {{ subnet }}
+{% endfor %}
+{% else %}
+#allow 192.168.0.0/16
+{% endif %}
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Require authentication (nts or key option) for all NTP sources.
+#authselectmode require
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Insert/delete leap seconds by slewing instead of stepping.
+#leapsecmode slew
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+leapsectz right/UTC
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking