From e37d354f2c1db1466cd9ab9fda4da1818859e1a0 Mon Sep 17 00:00:00 2001 
From: mg Date: Sat, 13 Mar 2021 12:32:54 +0100 Subject: [PATCH] ntp --> chrony (#28) ntp-rolle in archiv syntax when richtig typo on+off playbook Doku vars doku server doku firewall server an client aktualisiert playbook server playbook base mit ausnahme server in inventory ntp_server ohne server geht rollen angelegt Co-authored-by: Michael Grote Reviewed-on: https://git.mgrote.net/mg/ansible/pulls/28 Co-Authored-By: mg Co-Committed-By: mg --- {roles => Archiv}/mgrote.ntp/README.md | 0 .../mgrote.ntp/defaults/main.yml | 0 .../mgrote.ntp/handlers/main.yml | 0 {roles => Archiv}/mgrote.ntp/tasks/main.yml | 0 .../mgrote.ntp/templates/ntp.conf.j2 | 0 group_vars/all.yml | 6 ++++ group_vars/ntpserver.yml | 30 ++++++++++++++++ inventory | 6 ++++ playbooks/base/3_base.yml | 4 ++- playbooks/on-off/deinstall_ntp.yml | 18 ++++++++++ playbooks/service/ntp_server.yml | 4 +++ roles/mgrote.ntp_chrony_client/README.md | 12 +++++++ .../defaults/main.yml | 9 +++++ .../handlers/main.yml | 6 ++++ roles/mgrote.ntp_chrony_client/tasks/main.yml | 34 +++++++++++++++++++ .../templates/chrony.conf.j2 | 29 ++++++++++++++++ .../templates/logrotate_chrony | 15 ++++++++ roles/mgrote.ntp_chrony_server/README.md | 13 +++++++ .../defaults/main.yml | 18 ++++++++++ .../handlers/main.yml | 6 ++++ roles/mgrote.ntp_chrony_server/tasks/main.yml | 34 +++++++++++++++++++ .../templates/chrony.conf.j2 | 32 +++++++++++++++++ .../templates/logrotate_chrony | 15 ++++++++ 23 files changed, 290 insertions(+), 1 deletion(-) rename {roles => Archiv}/mgrote.ntp/README.md (100%) rename {roles => Archiv}/mgrote.ntp/defaults/main.yml (100%) rename {roles => Archiv}/mgrote.ntp/handlers/main.yml (100%) rename {roles => Archiv}/mgrote.ntp/tasks/main.yml (100%) rename {roles => Archiv}/mgrote.ntp/templates/ntp.conf.j2 (100%) create mode 100644 group_vars/ntpserver.yml create mode 100644 playbooks/on-off/deinstall_ntp.yml create mode 100644 playbooks/service/ntp_server.yml create mode 100644 
roles/mgrote.ntp_chrony_client/README.md create mode 100644 roles/mgrote.ntp_chrony_client/defaults/main.yml create mode 100644 roles/mgrote.ntp_chrony_client/handlers/main.yml create mode 100644 roles/mgrote.ntp_chrony_client/tasks/main.yml create mode 100644 roles/mgrote.ntp_chrony_client/templates/chrony.conf.j2 create mode 100644 roles/mgrote.ntp_chrony_client/templates/logrotate_chrony create mode 100644 roles/mgrote.ntp_chrony_server/README.md create mode 100644 roles/mgrote.ntp_chrony_server/defaults/main.yml create mode 100644 roles/mgrote.ntp_chrony_server/handlers/main.yml create mode 100644 roles/mgrote.ntp_chrony_server/tasks/main.yml create mode 100644 roles/mgrote.ntp_chrony_server/templates/chrony.conf.j2 create mode 100644 roles/mgrote.ntp_chrony_server/templates/logrotate_chrony diff --git a/roles/mgrote.ntp/README.md b/Archiv/mgrote.ntp/README.md similarity index 100% rename from roles/mgrote.ntp/README.md rename to Archiv/mgrote.ntp/README.md diff --git a/roles/mgrote.ntp/defaults/main.yml b/Archiv/mgrote.ntp/defaults/main.yml similarity index 100% rename from roles/mgrote.ntp/defaults/main.yml rename to Archiv/mgrote.ntp/defaults/main.yml diff --git a/roles/mgrote.ntp/handlers/main.yml b/Archiv/mgrote.ntp/handlers/main.yml similarity index 100% rename from roles/mgrote.ntp/handlers/main.yml rename to Archiv/mgrote.ntp/handlers/main.yml diff --git a/roles/mgrote.ntp/tasks/main.yml b/Archiv/mgrote.ntp/tasks/main.yml similarity index 100% rename from roles/mgrote.ntp/tasks/main.yml rename to Archiv/mgrote.ntp/tasks/main.yml diff --git a/roles/mgrote.ntp/templates/ntp.conf.j2 b/Archiv/mgrote.ntp/templates/ntp.conf.j2 similarity index 100% rename from roles/mgrote.ntp/templates/ntp.conf.j2 rename to Archiv/mgrote.ntp/templates/ntp.conf.j2 diff --git a/group_vars/all.yml b/group_vars/all.yml index 86f61cde..dd0f5b0b 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml 
@@ -5,6 +5,12 @@ #------------------------------------------------------------------ #- This file is managed with ansible! - #------------------------------------------------------------------ + ### mgrote.ntp_chrony_server + ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet + ntp_chrony_servers: # welche Server sollen befragt werden + - address: ntp-server.grote.lan + options: iburst #optionaler parameter + ntp_chrony_logging: false # logging an/aus ### mgrote.postfix postfix_absender_mailadresse: info@mgrote.net postfix_absender_passwort: "{{ lookup('keepass', 'postfix_absender_passwort', 'password') }}" diff --git a/group_vars/ntpserver.yml b/group_vars/ntpserver.yml new file mode 100644 index 00000000..407e2713 --- /dev/null +++ b/group_vars/ntpserver.yml @@ -0,0 +1,30 @@ +--- + ### oefenweb.ufw + ufw_rules: + - rule: allow + to_port: 22 + protocol: tcp + comment: 'ssh' + from_ip: 192.168.2.0/24 + - rule: allow + to_port: 123 + comment: 'ntp' + from_ip: 192.168.2.0/24 + ### mgrote.ntp_chrony_server + ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet + ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile + ntp_chrony_servers: # welche Server sollen befragt werden + - address: ptbtime1.ptb.de + options: iburst #optionaler parameter + - address: ptbtime2.ptb.de + options: iburst + - address: ptbtime3.ptb.de + options: iburst + - address: time3.google.com + options: iburst + - address: ntp0.fau.de + options: iburst + ntp_chrony_user: _chrony # Nutzer + Gruppe für den Dienst + ntp_chrony_group: _chrony # Nutzer + Gruppe für den Dienst + ntp_chrony_logging: false # logging an/aus + ntp_chrony_subnet_allow: 192.168.2.0/24 # welche Netze dürfen den Server befragen diff --git a/inventory b/inventory index 80959034..79ff1874 100644 --- a/inventory +++ b/inventory 
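Review bot: The client configuration added to group_vars/all.yml gives every host a single time source, `ntp-server.grote.lan`; with one source chrony has nothing to compare against, so it can neither detect a falseticker nor notice a compromised or drifting upstream, and an outage of that VM leaves all clients free-running. Consider listing a second source (the test server, or one of the PTB servers used by the server role) so clients can cross-check, or state in the comment why a single source is accepted. The section header `### mgrote.ntp_chrony_server` is also misleading here, because these variables are consumed by the client role that 3_base.yml applies to everything outside the ntpserver group; `### mgrote.ntp_chrony_client` names the role that actually reads them.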
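Review bot: The ufw rule for port 123 in group_vars/ntpserver.yml carries no `protocol:` key, while the ssh rule above it sets `protocol: tcp`; without it the rule presumably opens both TCP and UDP 123, but chrony only serves UDP, so `protocol: udp` keeps the exposed surface to what is actually listening. Defining `ufw_rules` at group level replaces, rather than merges with, any `ufw_rules` set in all.yml, which is presumably why ssh has to be repeated here — worth a one-line comment so nobody later drops the ssh entry as "duplicate". The `from_ip: 192.168.2.0/24` matches `ntp_chrony_subnet_allow` below; a comment such as `# keep in sync with ntp_chrony_subnet_allow` ties the firewall rule and the chrony ACL together.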
@@ -16,6 +16,10 @@ all: hosts: pihole2-test.grote.lan: pihole2.grote.lan: + ntpserver: + hosts: + ntp-server-test.grote.lan: + ntp-server.grote.lan: acng: hosts: acng.grote.lan: @@ -70,6 +74,7 @@ all: pve4.grote.lan: gitea.grote.lan: pihole2.grote.lan: + ntp-server.grote.lan: test: hosts: wireguard-test.grote.lan: @@ -84,3 +89,4 @@ all: pve4-test.grote.lan: gitea-test.grote.lan: pihole2-test.grote.lan: + ntp-server-test.grote.lan: diff --git a/playbooks/base/3_base.yml b/playbooks/base/3_base.yml index 08a3802d..a7abec1d 100644 --- a/playbooks/base/3_base.yml +++ b/playbooks/base/3_base.yml @@ -1,6 +1,8 @@ --- - hosts: all roles: - - { role: mgrote.ntp, tags: "ntp" } + - { role: mgrote.ntp_chrony_client, + tags: "ntp", + when: "not 'ntpserver' in group_names" } - { role: mgrote.restic, tags: "restic" } - { role: ryandaniels.create_users, tags: "user", become: yes } diff --git a/playbooks/on-off/deinstall_ntp.yml b/playbooks/on-off/deinstall_ntp.yml new file mode 100644 index 00000000..16b8312d --- /dev/null +++ b/playbooks/on-off/deinstall_ntp.yml @@ -0,0 +1,18 @@ +--- +- hosts: all + tasks: + - name: ntp deinstallieren + become: yes + ansible.builtin.package: + name: ntp + state: absent + - name: config file + become: yes + file: + path: /etc/ntp.conf + state: absent + - name: config folder + become: yes + file: + path: /var/lib/ntp + state: absent diff --git a/playbooks/service/ntp_server.yml b/playbooks/service/ntp_server.yml new file mode 100644 index 00000000..1b0c564a --- /dev/null +++ b/playbooks/service/ntp_server.yml @@ -0,0 +1,4 @@ +--- +- hosts: ntpserver + roles: + - { role: mgrote.ntp_chrony_server, tags: "ntp" } diff --git a/roles/mgrote.ntp_chrony_client/README.md b/roles/mgrote.ntp_chrony_client/README.md new file mode 100644 index 00000000..84d68646 --- /dev/null +++ b/roles/mgrote.ntp_chrony_client/README.md 
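Review bot: `when: "not 'ntpserver' in group_names"` in playbooks/base/3_base.yml is valid Jinja but reads backwards; the idiomatic form is `when: "'ntpserver' not in group_names"`. The condition matters more than it looks: both new roles template the same `/etc/chrony/chrony.conf`, so without it an ntpserver host would get the client config from this playbook and the server config from playbooks/service/ntp_server.yml, each run overwriting the other. A short comment on the role entry, e.g. `# ntpserver hosts get the server role via playbooks/service/ntp_server.yml`, would document that coupling for the next reader.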
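Review bot: playbooks/on-off/deinstall_ntp.yml mixes the bare `file:` module name with the FQCN `ansible.builtin.package:`; `ansible.builtin.file:` keeps it consistent with the new roles. Because it targets `hosts: all` and deletes `/var/lib/ntp` (and with it the old driftfile), a header comment stating that this is a one-off migration step to run before 3_base.yml would help an operator understand when it is safe to run. On Debian-based systems the chrony package presumably conflicts with ntp, so the package may already be gone when this runs; the `state: absent` tasks stay idempotent either way, so nothing needs to change for that.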
@@ -0,0 +1,12 @@ +## mgrote.ntp_chrony_client + +### Beschreibung +Installiert chrony als client. + +### Funktioniert auf +- [x] Ubuntu (>=18.04) +- [ ] Debian +- [x] ProxMox 6.1 + +### Variablen + Defaults +see [defaults](./defaults/main.yml) diff --git a/roles/mgrote.ntp_chrony_client/defaults/main.yml b/roles/mgrote.ntp_chrony_client/defaults/main.yml new file mode 100644 index 00000000..77b7c1c0 --- /dev/null +++ b/roles/mgrote.ntp_chrony_client/defaults/main.yml @@ -0,0 +1,9 @@ +--- + ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet + ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile + ntp_chrony_servers: # welche Server sollen befragt werden + - address: ptbtime1.ptb.de + options: iburst #optionaler parameter + ntp_chrony_user: _chrony # Nutzer + Gruppe für den Dienst + ntp_chrony_group: _chrony # Nutzer + Gruppe für den Dienst + ntp_chrony_logging: false diff --git a/roles/mgrote.ntp_chrony_client/handlers/main.yml b/roles/mgrote.ntp_chrony_client/handlers/main.yml new file mode 100644 index 00000000..f62bf2d0 --- /dev/null +++ b/roles/mgrote.ntp_chrony_client/handlers/main.yml @@ -0,0 +1,6 @@ + - name: restart_chrony + become: yes + systemd: + name: chrony + enabled: yes + state: restarted diff --git a/roles/mgrote.ntp_chrony_client/tasks/main.yml b/roles/mgrote.ntp_chrony_client/tasks/main.yml new file mode 100644 index 00000000..824c9471 --- /dev/null +++ b/roles/mgrote.ntp_chrony_client/tasks/main.yml 
@@ -0,0 +1,34 @@ +--- + - name: install chrony packages + become: yes + ansible.builtin.package: + name: + - chrony + state: present + + - name: copy chrony config + become: yes + ansible.builtin.template: + src: chrony.conf.j2 + dest: /etc/chrony/chrony.conf + notify: restart_chrony + + - name: copy logrotate config + become: yes + ansible.builtin.template: + src: logrotate_chrony + dest: /etc/logrotate.d/chrony + + - name: Create chrony driftfile folder + become: yes + file: + state: directory + path: "{{ ntp_chrony_driftfile_directory }}" + mode: 0644 + owner: "{{ ntp_chrony_user }}" + group: "{{ ntp_chrony_group }}" + + - name: set timezone to {{ ntp_chrony_timezone }} + become: yes + ansible.builtin.timezone: + name: "{{ ntp_chrony_timezone }}" diff --git a/roles/mgrote.ntp_chrony_client/templates/chrony.conf.j2 b/roles/mgrote.ntp_chrony_client/templates/chrony.conf.j2 new file mode 100644 index 00000000..86b2f23b --- /dev/null +++ b/roles/mgrote.ntp_chrony_client/templates/chrony.conf.j2 @@ -0,0 +1,29 @@ +{{ file_header | default () }} +# servers +{% for item in ntp_chrony_servers %} +server {{ item.address }} {{ item.options |default() }} +{% endfor %} + +# keys +keyfile /etc/chrony/chrony.keys + +# driftfile +driftfile {{ ntp_chrony_driftfile_directory }}/chrony.drift + + +{% if ntp_chrony_logging is sameas true %} +# Logging +log tracking measurements statistics +logdir /var/log/chrony +{% endif %} + +# Stop bad estimates upsetting machine clock. +maxupdateskew 100.0 + +# This directive enables kernel synchronisation (every 11 minutes) of the +# real-time clock. Note that it can’t be used along with the 'rtcfile' directive. +rtcsync + +# Step the system clock instead of slewing it if the adjustment is larger than +# one second, but only in the first three clock updates. +makestep 1 3 
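Review bot: `mode: 0644` in the "Create chrony driftfile folder" task is a file mode applied to a directory: without the execute bit `_chrony` cannot traverse `/var/lib/chrony` or write `chrony.drift` into it, and on Debian/Ubuntu the task presumably tightens a directory that the chrony package already created with working permissions. Use a directory mode and quote it so the leading-zero literal is not read as an integer by YAML: `mode: "0755"` (or `"0750"` if only the service user needs access). The two template tasks could likewise set `mode: "0644"` explicitly so the deployed chrony.conf and logrotate file do not depend on the remote umask. The timezone task is unrelated to chrony; a comment saying it is kept here because clients have no other place for it would explain why it lives in this role.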
diff --git a/roles/mgrote.ntp_chrony_client/templates/logrotate_chrony b/roles/mgrote.ntp_chrony_client/templates/logrotate_chrony new file mode 100644 index 00000000..6c413ffb --- /dev/null +++ b/roles/mgrote.ntp_chrony_client/templates/logrotate_chrony @@ -0,0 +1,15 @@ +/var/log/chrony/*.log { + missingok + nocreate + rotate 4 + weekly + compress + missingok + notifempty + dateext + dateyesterday + sharedscripts + postrotate + /usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true + endscript +} diff --git a/roles/mgrote.ntp_chrony_server/README.md b/roles/mgrote.ntp_chrony_server/README.md new file mode 100644 index 00000000..10060cbc --- /dev/null +++ b/roles/mgrote.ntp_chrony_server/README.md @@ -0,0 +1,13 @@ +## mgrote.ntp_chrony_server + +### Beschreibung +Installiert chrony als ntp-server. + + +### Funktioniert auf +- [x] Ubuntu (>=18.04) +- [ ] Debian +- [ ] ProxMox 6.1 + +### Variablen + Defaults +see [defaults](./defaults/main.yml) diff --git a/roles/mgrote.ntp_chrony_server/defaults/main.yml b/roles/mgrote.ntp_chrony_server/defaults/main.yml new file mode 100644 index 00000000..b443e1d9 --- /dev/null +++ b/roles/mgrote.ntp_chrony_server/defaults/main.yml @@ -0,0 +1,18 @@ +--- + ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet + ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile + ntp_chrony_servers: # welche Server sollen befragt werden + - address: ptbtime1.ptb.de + options: iburst #optionaler parameter + - address: ptbtime2.ptb.de + options: iburst + - address: ptbtime3.ptb.de + options: iburst + - address: time3.google.com + options: iburst + - address: ntp0.fau.de + options: iburst + ntp_chrony_user: _chrony # Nutzer + Gruppe für den Dienst + ntp_chrony_group: _chrony # Nutzer + Gruppe für den Dienst + ntp_chrony_logging: false # logging an/aus + ntp_chrony_subnet_allow: 192.168.2.0/24 # welche Netze dürfen den Server befragen 
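Review bot: `missingok` appears twice in the logrotate stanza (second and seventh directive); drop the duplicate. The config is deployed even when `ntp_chrony_logging` is false, so `missingok` is what keeps logrotate quiet on hosts without `/var/log/chrony` — a comment such as `# missingok: logdir only exists when ntp_chrony_logging is true` makes that intent explicit. `postrotate` runs `chronyc cyclelogs` as root against the local command socket, and `|| true` correctly keeps a chronyc failure from aborting the rotation.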
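Review bot: The default upstream list in roles/mgrote.ntp_chrony_server/defaults/main.yml mixes `time3.google.com` with the PTB and FAU servers. Google's public NTP servers smear leap seconds over a 24-hour window while PTB and FAU announce them normally, so around a leap second the two groups disagree by up to a second and chrony may discard one side as a falseticker; Google's own guidance is not to mix smeared and non-smeared servers. Either remove `time3.google.com` or add a comment that the mix is a deliberate trade-off. `ntp_chrony_subnet_allow` is rendered by the template as a single `allow` line, so a comment noting that it takes exactly one network (not a list) would prevent a surprise when someone adds a second subnet.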
diff --git a/roles/mgrote.ntp_chrony_server/handlers/main.yml b/roles/mgrote.ntp_chrony_server/handlers/main.yml new file mode 100644 index 00000000..f62bf2d0 --- /dev/null +++ b/roles/mgrote.ntp_chrony_server/handlers/main.yml @@ -0,0 +1,6 @@ + - name: restart_chrony + become: yes + systemd: + name: chrony + enabled: yes + state: restarted diff --git a/roles/mgrote.ntp_chrony_server/tasks/main.yml b/roles/mgrote.ntp_chrony_server/tasks/main.yml new file mode 100644 index 00000000..824c9471 --- /dev/null +++ b/roles/mgrote.ntp_chrony_server/tasks/main.yml @@ -0,0 +1,34 @@ +--- + - name: install chrony packages + become: yes + ansible.builtin.package: + name: + - chrony + state: present + + - name: copy chrony config + become: yes + ansible.builtin.template: + src: chrony.conf.j2 + dest: /etc/chrony/chrony.conf + notify: restart_chrony + + - name: copy logrotate config + become: yes + ansible.builtin.template: + src: logrotate_chrony + dest: /etc/logrotate.d/chrony + + - name: Create chrony driftfile folder + become: yes + file: + state: directory + path: "{{ ntp_chrony_driftfile_directory }}" + mode: 0644 + owner: "{{ ntp_chrony_user }}" + group: "{{ ntp_chrony_group }}" + + - name: set timezone to {{ ntp_chrony_timezone }} + become: yes + ansible.builtin.timezone: + name: "{{ ntp_chrony_timezone }}" diff --git a/roles/mgrote.ntp_chrony_server/templates/chrony.conf.j2 b/roles/mgrote.ntp_chrony_server/templates/chrony.conf.j2 new file mode 100644 index 00000000..edb61b8f --- /dev/null +++ b/roles/mgrote.ntp_chrony_server/templates/chrony.conf.j2 
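Review bot: The server role's tasks/main.yml is byte-identical to the client role's (same blob index 824c9471), so it carries the same defect: `mode: 0644` on the driftfile directory removes the execute bit, which stops `_chrony` from traversing `/var/lib/chrony` and writing `chrony.drift`; use `mode: "0755"` (quoted, directory mode). Duplicating the whole task file across the two roles also means every fix has to be made twice — consider letting the server role include the client role's tasks, or moving the shared tasks into a common role, and keeping only the template difference. If the duplication is intentional, a header comment pointing at the sibling file at least tells the next maintainer to update both.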
@@ -0,0 +1,32 @@
+{{ file_header | default () }}
+# servers
+{% for item in ntp_chrony_servers %}
+server {{ item.address }} {{ item.options |default() }}
+{% endfor %}
+
+# keys
+keyfile /etc/chrony/chrony.keys
+
+# driftfile
+driftfile {{ ntp_chrony_driftfile_directory }}/chrony.drift
+
+
+{% if ntp_chrony_logging is sameas true %}
+# Logging
+log tracking measurements statistics
+logdir /var/log/chrony
+{% endif %}
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# chrony as ntp server
+allow {{ ntp_chrony_subnet_allow }}
diff --git a/roles/mgrote.ntp_chrony_server/templates/logrotate_chrony b/roles/mgrote.ntp_chrony_server/templates/logrotate_chrony
new file mode 100644
index 00000000..6c413ffb
--- /dev/null
+++ b/roles/mgrote.ntp_chrony_server/templates/logrotate_chrony
@@ -0,0 +1,15 @@
+/var/log/chrony/*.log {
+ missingok
+ nocreate
+ rotate 4
+ weekly
+ compress
+ missingok
+ notifempty
+ dateext
+ dateyesterday
+ sharedscripts
+ postrotate
+ /usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true
+ endscript
+}
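Review bot: `allow {{ ntp_chrony_subnet_allow }}` is the only access control in the server template, so any host in the permitted LAN may query at an unbounded rate. Adding `ratelimit interval 3 burst 8` beneath the `allow` line caps per-client traffic, which keeps a misconfigured or hostile LAN host from using the server as a load source or reflector at little cost to legitimate clients. The directive also hard-codes a single network; if more than one subnet ever needs access the variable must become a list rendered in a `{% for %}` loop, which is worth noting in a comment next to `allow`. Apart from those last two lines the template duplicates the client template, so a header comment pointing at the sibling file would remind maintainers to change both.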