ntp --> chrony (#28)

ntp-rolle in archiv syntax when richtig typo on+off playbook Doku vars doku server doku firewall server an client aktualisiert playbook server playbook base mit ausnahme server in inventory ntp_server ohne server geht rollen angelegt Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: mg/ansible#28 Co-Authored-By: mg <mg@noreply.git.mgrote.net> Co-Committed-By: mg <mg@noreply.git.mgrote.net>
2021-03-13 12:32:54 +01:00 · 2021-03-13 12:32:54 +01:00 · e37d354f2c
commit e37d354f2c
parent c46310b77a
23 changed files with 290 additions and 1 deletions
--- a/Archiv/mgrote.ntp/README.md
+++ b/Archiv/mgrote.ntp/README.md
--- a/Archiv/mgrote.ntp/defaults/main.yml
+++ b/Archiv/mgrote.ntp/defaults/main.yml
--- a/Archiv/mgrote.ntp/handlers/main.yml
+++ b/Archiv/mgrote.ntp/handlers/main.yml
--- a/Archiv/mgrote.ntp/tasks/main.yml
+++ b/Archiv/mgrote.ntp/tasks/main.yml
--- a/Archiv/mgrote.ntp/templates/ntp.conf.j2
+++ b/Archiv/mgrote.ntp/templates/ntp.conf.j2
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -5,6 +5,12 @@
    #------------------------------------------------------------------
    #-              This file is managed with ansible!                -
    #------------------------------------------------------------------
+  ### mgrote.ntp_chrony_server
+  ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
+  ntp_chrony_servers: # welche Server sollen befragt werden
+    - address: ntp-server.grote.lan
+      options: iburst #optionaler parameter
+  ntp_chrony_logging: false # logging an/aus
  ### mgrote.postfix
  postfix_absender_mailadresse: info@mgrote.net
  postfix_absender_passwort: "{{ lookup('keepass', 'postfix_absender_passwort', 'password') }}"
--- a/group_vars/ntpserver.yml
+++ b/group_vars/ntpserver.yml
@ -0,0 +1,30 @@
+---
+  ### oefenweb.ufw
+  ufw_rules:
+    - rule: allow
+      to_port: 22
+      protocol: tcp
+      comment: 'ssh'
+      from_ip: 192.168.2.0/24
+    - rule: allow
+      to_port: 123
+      comment: 'ntp'
+      from_ip: 192.168.2.0/24
+  ### mgrote.ntp_chrony_server
+  ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
+  ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile
+  ntp_chrony_servers: # welche Server sollen befragt werden
+    - address: ptbtime1.ptb.de
+      options: iburst #optionaler parameter
+    - address: ptbtime2.ptb.de
+      options: iburst
+    - address: ptbtime3.ptb.de
+      options: iburst
+    - address: time3.google.com
+      options: iburst
+    - address: ntp0.fau.de
+      options: iburst
+  ntp_chrony_user: _chrony # Nutzer + Gruppe für den Dienst
+  ntp_chrony_group: _chrony # Nutzer + Gruppe für den Dienst
+  ntp_chrony_logging: false # logging an/aus
+  ntp_chrony_subnet_allow: 192.168.2.0/24 # welche Netze dürfen den Server befragen
--- a/6
+++ b/6
@ -16,6 +16,10 @@ all:
      hosts:
        pihole2-test.grote.lan:
        pihole2.grote.lan:
+    ntpserver:
+      hosts:
+        ntp-server-test.grote.lan:
+        ntp-server.grote.lan:
    acng:
      hosts:
        acng.grote.lan:
@ -70,6 +74,7 @@ all:
        pve4.grote.lan:
        gitea.grote.lan:
        pihole2.grote.lan:
+        ntp-server.grote.lan:
    test:
      hosts:
        wireguard-test.grote.lan:
@ -84,3 +89,4 @@ all:
        pve4-test.grote.lan:
        gitea-test.grote.lan:
        pihole2-test.grote.lan:
+        ntp-server-test.grote.lan:
--- a/playbooks/base/3_base.yml
+++ b/playbooks/base/3_base.yml
@ -1,6 +1,8 @@
 ---
  - hosts: all
    roles:
-      - { role: mgrote.ntp, tags: "ntp" }
+      - { role: mgrote.ntp_chrony_client,
+          tags: "ntp",
+          when: "not 'ntpserver' in group_names" }
      - { role: mgrote.restic, tags: "restic" }
      - { role: ryandaniels.create_users, tags: "user", become: yes }
--- a/playbooks/on-off/deinstall_ntp.yml
+++ b/playbooks/on-off/deinstall_ntp.yml
@ -0,0 +1,18 @@
+---
+- hosts: all
+  tasks:
+    - name: ntp deinstallieren
+      become: yes
+      ansible.builtin.package:
+        name: ntp
+        state: absent
+    - name: config file
+      become: yes
+      file:
+        path: /etc/ntp.conf
+        state: absent
+    - name: config folder
+      become: yes
+      file:
+        path: /var/lib/ntp
+        state: absent
--- a/playbooks/service/ntp_server.yml
+++ b/playbooks/service/ntp_server.yml
@ -0,0 +1,4 @@
+---
+- hosts: ntpserver
+  roles:
+      - { role: mgrote.ntp_chrony_server, tags: "ntp" }
--- a/roles/mgrote.ntp_chrony_client/README.md
+++ b/roles/mgrote.ntp_chrony_client/README.md
@ -0,0 +1,12 @@
+## mgrote.ntp_chrony_client
+
+### Beschreibung
+Installiert chrony als client.
+
+### Funktioniert auf
+- [x] Ubuntu (>=18.04)
+- [ ] Debian
+- [x] ProxMox 6.1
+
+### Variablen + Defaults
+see [defaults](./defaults/main.yml)
--- a/roles/mgrote.ntp_chrony_client/defaults/main.yml
+++ b/roles/mgrote.ntp_chrony_client/defaults/main.yml
@ -0,0 +1,9 @@
+---
+  ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
+  ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile
+  ntp_chrony_servers: # welche Server sollen befragt werden
+    - address: ptbtime1.ptb.de
+      options: iburst #optionaler parameter
+  ntp_chrony_user: _chrony # Nutzer + Gruppe für den Dienst
+  ntp_chrony_group: _chrony # Nutzer + Gruppe für den Dienst
+  ntp_chrony_logging: false
--- a/roles/mgrote.ntp_chrony_client/handlers/main.yml
+++ b/roles/mgrote.ntp_chrony_client/handlers/main.yml
@ -0,0 +1,6 @@
+  - name: restart_chrony
+    become: yes
+    systemd:
+      name: chrony
+      enabled: yes
+      state: restarted
--- a/roles/mgrote.ntp_chrony_client/tasks/main.yml
+++ b/roles/mgrote.ntp_chrony_client/tasks/main.yml
@ -0,0 +1,34 @@
+---
+  - name: install chrony packages
+    become: yes
+    ansible.builtin.package:
+      name:
+        - chrony
+      state: present
+
+  - name: copy chrony config
+    become: yes
+    ansible.builtin.template:
+      src: chrony.conf.j2
+      dest: /etc/chrony/chrony.conf
+    notify: restart_chrony
+
+  - name: copy logrotate config
+    become: yes
+    ansible.builtin.template:
+      src: logrotate_chrony
+      dest: /etc/logrotate.d/chrony
+
+  - name: Create chrony driftfile folder
+    become: yes
+    file:
+      state: directory
+      path: "{{ ntp_chrony_driftfile_directory }}"
+      mode: 0644
+      owner: "{{ ntp_chrony_user }}"
+      group: "{{ ntp_chrony_group }}"
+
+  - name: set timezone to {{ ntp_chrony_timezone }}
+    become: yes
+    ansible.builtin.timezone:
+      name: "{{ ntp_chrony_timezone }}"
--- a/roles/mgrote.ntp_chrony_client/templates/chrony.conf.j2
+++ b/roles/mgrote.ntp_chrony_client/templates/chrony.conf.j2
@ -0,0 +1,29 @@
+{{ file_header | default () }}
+# servers
+{% for item in ntp_chrony_servers %}
+server {{ item.address }} {{ item.options |default() }}
+{% endfor %}
+
+# keys
+keyfile /etc/chrony/chrony.keys
+
+# driftfile
+driftfile {{ ntp_chrony_driftfile_directory }}/chrony.drift
+
+
+{% if ntp_chrony_logging is sameas true %}
+# Logging
+log tracking measurements statistics
+logdir /var/log/chrony
+{% endif %}
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
--- a/roles/mgrote.ntp_chrony_client/templates/logrotate_chrony
+++ b/roles/mgrote.ntp_chrony_client/templates/logrotate_chrony
@ -0,0 +1,15 @@
+/var/log/chrony/*.log {
+    missingok
+    nocreate
+    rotate 4
+    weekly
+    compress
+    missingok
+    notifempty
+    dateext
+    dateyesterday
+    sharedscripts
+    postrotate
+        /usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true
+    endscript
+}
--- a/roles/mgrote.ntp_chrony_server/README.md
+++ b/roles/mgrote.ntp_chrony_server/README.md
@ -0,0 +1,13 @@
+## mgrote.ntp_chrony_server
+
+### Beschreibung
+Installiert chrony als ntp-server.
+
+
+### Funktioniert auf
+- [x] Ubuntu (>=18.04)
+- [ ] Debian
+- [ ] ProxMox 6.1
+
+### Variablen + Defaults
+see [defaults](./defaults/main.yml)
--- a/roles/mgrote.ntp_chrony_server/defaults/main.yml
+++ b/roles/mgrote.ntp_chrony_server/defaults/main.yml
@ -0,0 +1,18 @@
+---
+  ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
+  ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile
+  ntp_chrony_servers: # welche Server sollen befragt werden
+    - address: ptbtime1.ptb.de
+      options: iburst #optionaler parameter
+    - address: ptbtime2.ptb.de
+      options: iburst
+    - address: ptbtime3.ptb.de
+      options: iburst
+    - address: time3.google.com
+      options: iburst
+    - address: ntp0.fau.de
+      options: iburst
+  ntp_chrony_user: _chrony # Nutzer + Gruppe für den Dienst
+  ntp_chrony_group: _chrony # Nutzer + Gruppe für den Dienst
+  ntp_chrony_logging: false # logging an/aus
+  ntp_chrony_subnet_allow: 192.168.2.0/24 # welche Netze dürfen den Server befragen
--- a/roles/mgrote.ntp_chrony_server/handlers/main.yml
+++ b/roles/mgrote.ntp_chrony_server/handlers/main.yml
@ -0,0 +1,6 @@
+  - name: restart_chrony
+    become: yes
+    systemd:
+      name: chrony
+      enabled: yes
+      state: restarted
--- a/roles/mgrote.ntp_chrony_server/tasks/main.yml
+++ b/roles/mgrote.ntp_chrony_server/tasks/main.yml
@ -0,0 +1,34 @@
+---
+  - name: install chrony packages
+    become: yes
+    ansible.builtin.package:
+      name:
+        - chrony
+      state: present
+
+  - name: copy chrony config
+    become: yes
+    ansible.builtin.template:
+      src: chrony.conf.j2
+      dest: /etc/chrony/chrony.conf
+    notify: restart_chrony
+
+  - name: copy logrotate config
+    become: yes
+    ansible.builtin.template:
+      src: logrotate_chrony
+      dest: /etc/logrotate.d/chrony
+
+  - name: Create chrony driftfile folder
+    become: yes
+    file:
+      state: directory
+      path: "{{ ntp_chrony_driftfile_directory }}"
+      mode: 0644
+      owner: "{{ ntp_chrony_user }}"
+      group: "{{ ntp_chrony_group }}"
+
+  - name: set timezone to {{ ntp_chrony_timezone }}
+    become: yes
+    ansible.builtin.timezone:
+      name: "{{ ntp_chrony_timezone }}"
--- a/roles/mgrote.ntp_chrony_server/templates/chrony.conf.j2
+++ b/roles/mgrote.ntp_chrony_server/templates/chrony.conf.j2
@ -0,0 +1,32 @@
+{{ file_header | default () }}
+# servers
+{% for item in ntp_chrony_servers %}
+server {{ item.address }} {{ item.options |default() }}
+{% endfor %}
+
+# keys
+keyfile /etc/chrony/chrony.keys
+
+# driftfile
+driftfile {{ ntp_chrony_driftfile_directory }}/chrony.drift
+
+
+{% if ntp_chrony_logging is sameas true %}
+# Logging
+log tracking measurements statistics
+logdir /var/log/chrony
+{% endif %}
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# chrony as ntp server
+allow {{ ntp_chrony_subnet_allow }}
--- a/roles/mgrote.ntp_chrony_server/templates/logrotate_chrony
+++ b/roles/mgrote.ntp_chrony_server/templates/logrotate_chrony
@ -0,0 +1,15 @@
+/var/log/chrony/*.log {
+    missingok
+    nocreate
+    rotate 4
+    weekly
+    compress
+    missingok
+    notifempty
+    dateext
+    dateyesterday
+    sharedscripts
+    postrotate
+        /usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true
+    endscript
+}