From 39067778d72110c2d9f44c681d78c22c53d6c9da Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH] [roles/base/ntp] install ntpd. copy server config, if ntp_server is defined
---
 roles/base/ntp/defaults/main.yml | 10 +++
 .../base/ntp/files/default/chrony.client.conf | 55 +++++++++++++
 .../base/ntp/files/default/chrony.server.conf | 30 ++++++++
 roles/base/ntp/files/default/chrony.service | 77 +++++++++++++++++++
 roles/base/ntp/handlers/main.yml | 13 ++++
 roles/base/ntp/tasks/main.yml | 58 ++++++++++++++
 6 files changed, 243 insertions(+)
 create mode 100644 roles/base/ntp/defaults/main.yml
 create mode 100644 roles/base/ntp/files/default/chrony.client.conf
 create mode 100644 roles/base/ntp/files/default/chrony.server.conf
 create mode 100644 roles/base/ntp/files/default/chrony.service
 create mode 100644 roles/base/ntp/handlers/main.yml
 create mode 100644 roles/base/ntp/tasks/main.yml
diff --git a/roles/base/ntp/defaults/main.yml b/roles/base/ntp/defaults/main.yml
new file mode 100644
index 0000000..14ff45d
--- /dev/null
+++ b/roles/base/ntp/defaults/main.yml
@@ -0,0 +1,10 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# If not overridden in inventory or as a parameter, this is the value that will be used
+#
+---
+ntpd_type: "client"
diff --git a/roles/base/ntp/files/default/chrony.client.conf b/roles/base/ntp/files/default/chrony.client.conf
new file mode 100644
index 0000000..7366e00
--- /dev/null
+++ b/roles/base/ntp/files/default/chrony.client.conf
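Review bot: `ntpd_type` is consumed only as a path fragment in `default/chrony.{{ntpd_type}}.conf` (tasks/main.yml), so a mistyped inventory override fails with an opaque `with_first_found` lookup error and the accepted values are documented nowhere in the role. A comment above the default would make the contract explicit, e.g. `# ntpd_type: "client" (sync only, no NTP serving) or "server" (serves time to clients; see 'allow' in chrony.server.conf)`. The commit subject talks about an `ntp_server` variable, but nothing visible in the role reads a variable by that name — `ntpd_type` is the actual switch, and the subject or this comment should say so.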
@@ -0,0 +1,55 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
+# Use Debian vendor zone.
+pool 2.debian.pool.ntp.org iburst
+
+# Use time sources from DHCP.
+sourcedir /run/chrony-dhcp
+
+# Use NTP sources found in /etc/chrony/sources.d.
+sourcedir /etc/chrony/sources.d
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC
diff --git a/roles/base/ntp/files/default/chrony.server.conf b/roles/base/ntp/files/default/chrony.server.conf
new file mode 100644
index 0000000..0bc051e
--- /dev/null
+++ b/roles/base/ntp/files/default/chrony.server.conf
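Review bot: Every time source in this client config is unauthenticated — the `pool 2.debian.pool.ntp.org iburst` line and, more significantly, `sourcedir /run/chrony-dhcp`, which makes chronyd trust whatever NTP servers the local DHCP server hands out — so an on-path attacker or rogue DHCP server can steer the clock and with it TLS validity windows, Kerberos tickets and log timestamps. `ntsdumpdir /var/lib/chrony` is already set, so NTS is within reach: prefer explicit `server <host> iburst nts` entries for upstreams that offer NTS, and drop or comment out the DHCP sourcedir on hosts that may attach to untrusted networks. Whatever is decided, the trust decision should be written down on that line, e.g. `# NOTE: DHCP-supplied servers are unauthenticated; remove on hosts that roam onto untrusted networks`.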
@@ -0,0 +1,30 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+driftfile /var/lib/chrony/chrony.drift
+dumpdir /var/run/chrony
+
+leapsectz right/UTC
+maxupdateskew 200.0
+makestep 1.2 -1
+rtcsync
+
+cmdport 0
+
+server ptbtime1.ptb.de iburst
+server ptbtime2.ptb.de iburst
+server ntp11.metas.ch iburst
+server ntp12.metas.ch iburst
+server bevtime1.metrologie.at iburst
+server bevtime2.metrologie.at iburst
+local stratum 10
+
+allow
+
+#clientloglimit 1048576
+noclientlog
diff --git a/roles/base/ntp/files/default/chrony.service b/roles/base/ntp/files/default/chrony.service
new file mode 100644
index 0000000..ea5512e
--- /dev/null
+++ b/roles/base/ntp/files/default/chrony.service
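Review bot: The bare `allow` directive admits NTP clients from every IPv4/IPv6 address that can reach this host, and `noclientlog` removes the per-client accounting that chrony's `ratelimit` directive depends on, so the server answers an unbounded number of queries from anyone who can reach UDP/123 — any network-level restriction has to come from a firewall that this role does not manage. Restrict it to the networks it is meant to serve, one line per prefix, e.g. `allow 10.0.0.0/8`, and if rate limiting is wanted replace `noclientlog` with something like `ratelimit interval 3 burst 8` (which, as I read the chrony docs, needs the client log). `cmdport 0` is the right call; note the upstream `server` lines are unauthenticated as well, and the PTB/METAS/BEV servers may offer NTS — worth checking and appending `nts` where they do.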
@@ -0,0 +1,77 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+[Unit]
+Description=chrony, an NTP client/server
+Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
+Conflicts=openntpd.service ntp.service ntpsec.service
+Wants=time-sync.target
+Before=time-sync.target
+After=network.target
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chrony/chronyd.pid
+EnvironmentFile=-/etc/default/chrony
+User=_chrony
+# Daemon is started as root, but still sandboxed
+ExecStart=!/usr/sbin/chronyd $DAEMON_OPTS
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DeviceAllow=char-rtc rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+# Used for gps refclocks
+ReadWritePaths=/run
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
+
+ConfigurationDirectory=chrony
+RuntimeDirectory=chrony
+RuntimeDirectoryMode=0700
+# See dumpdir in chrony.conf(5)
+RuntimeDirectoryPreserve=restart
+StateDirectory=chrony
+StateDirectoryMode=0750
+LogsDirectory=chrony
+LogsDirectoryMode=0750
+
+# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
+NoNewPrivileges=no
+ReadWritePaths=-/var/spool
+RestrictAddressFamilies=AF_NETLINK
+
+Restart=always
+RestartSec=10
+Nice=-5
+
+[Install]
+Alias=chronyd.service
+WantedBy=multi-user.target
diff --git a/roles/base/ntp/handlers/main.yml b/roles/base/ntp/handlers/main.yml
new file mode 100644
index 0000000..565b0a8
--- /dev/null
+++ b/roles/base/ntp/handlers/main.yml
@@ -0,0 +1,13 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: restart chrony.service
+  systemd:
+    name: chrony.service
+    daemon_reload: yes
+    state: restarted
+  ignore_errors: yes
diff --git a/roles/base/ntp/tasks/main.yml b/roles/base/ntp/tasks/main.yml
new file mode 100644
index 0000000..10a73f8
--- /dev/null
+++ b/roles/base/ntp/tasks/main.yml
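Review bot: The trailing `NoNewPrivileges=no` overrides the `NoNewPrivileges=yes` set earlier in the same `[Service]` section (for a boolean setting the last assignment wins), while `ReadWritePaths=-/var/spool` and `RestrictAddressFamilies=AF_NETLINK` are merged into the earlier lists; the comment says this block exists for the `mailonchange` directive, which neither shipped chrony.conf in this commit uses, so the sandbox is loosened for nothing. This file also appears to be a verbatim copy of the distribution unit with only `Restart=always`, `RestartSec=10` and `Nice=-5` added — installed over /etc/systemd/system/chrony.service it will shadow any future hardening the package ships. A drop-in `/etc/systemd/system/chrony.service.d/override.conf` holding just a `[Service]` section with those three lines, plus `NoNewPrivileges=yes` and a comment like `# mailonchange is not used in our chrony.conf; keep the vendor sandbox intact`, gets the same behaviour without owning the whole unit.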
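Review bot: `ignore_errors: yes` on the `restart chrony.service` handler means a chrony.conf or unit file that fails to load leaves the host silently without time sync (or running the previous configuration) while the play reports success — exactly the failure a restart handler exists to surface. Drop the `ignore_errors: yes` line, or if the intent is to tolerate hosts where the unit does not exist, gate that case with a `when:` condition rather than swallowing every error. Style: this role writes booleans as `yes`/`no`; `true`/`false` is the form ansible-lint and YAML 1.2 agree on, e.g. `daemon_reload: true`.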
@@ -0,0 +1,58 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: install chrony
+  apt:
+    pkg:
+      - chrony
+    state: present
+    policy_rc_d: 101
+  tags: "online"
+  ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: copy config
+  copy:
+    src: "{{item}}"
+    dest: "/etc/chrony/chrony.conf"
+  with_first_found:
+    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/chrony.conf"
+    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/chrony.conf"
+    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/chrony.conf"
+    - "default/chrony.{{ntpd_type}}.conf"
+  notify: restart chrony.service
+
+
+- name: copy chrony.service to /etc/systemd/system/
+  copy:
+    src: "{{item}}"
+    dest: "/etc/systemd/system/chrony.service"
+    mode: 0644
+    owner: "root"
+    group: "root"
+  with_first_found:
+    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/chrony.service"
+    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/chrony.service"
+    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/chrony.service"
+    - "default/chrony.service"
+  notify: restart chrony.service
+
+
+- name: enable and start chrony.service
+  include_role: name="base/systemd/enable-and-start"
+  vars:
+    service_name: chrony.service
+
+
+- name: disable and mask systemd-timesyncd.service
+  systemd:
+    name: systemd-timesyncd.service
+    daemon_reload: yes
+    enabled: no
+    masked: yes
+  # may have been removed by ntp install. sometimes not.
+  ignore_errors: yes
--
2.43.0
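Review bot: The `copy config` task writes /etc/chrony/chrony.conf with no `owner`, `group` or `mode` (the unit-file task right below sets all three) and with no validation, so a broken host or group override is only noticed when the restart handler — which ignores errors — fails to bring chronyd back. Add `owner: "root"`, `group: "root"`, `mode: "0644"` to match the sibling task and, if the installed chrony version supports it, `validate: "chronyd -p -f %s"` so a malformed file is rejected before it reaches /etc. In the unit-file task `mode: 0644` should be quoted as `mode: "0644"`; unquoted it is an octal integer that works only through Ansible's leading-zero special case. The commit subject says the server config is copied "if ntp_server is defined", but the `with_first_found` fallback selects on `ntpd_type`, and nothing here reads `ntp_server` — the subject is misleading and a short comment on the `default/chrony.{{ntpd_type}}.conf` line naming the two accepted values would help.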