From 5c50c36a6996c896477e0db5507f802bca298a59 Mon Sep 17 00:00:00 2001
From: Derek Page
Date: Sun, 13 Dec 2020 22:49:57 -0500
Subject: [PATCH 1/3] issue-183 - add chrony server/client playbooks
---
.../group_vars/chronyclients/main.yml | 3 ++
.../group_vars/chronyservers/main.yml | 4 ++
ansible/inventories/production/hosts.ini | 6 +++
ansible/playbooks/handlers/main.yml | 6 +++
ansible/playbooks/init-rocky-chrony.yml | 11 ++++++
ansible/playbooks/tasks/chrony.yml | 26 +++++++++++++
.../playbooks/templates/etc/chrony.conf.j2 | 37 +++++++++++++++++++
ansible/playbooks/vars/chrony.yml | 34 +++++++++++++++++
8 files changed, 127 insertions(+)
create mode 100644 ansible/inventories/production/group_vars/chronyclients/main.yml
create mode 100644 ansible/inventories/production/group_vars/chronyservers/main.yml
create mode 100644 ansible/playbooks/init-rocky-chrony.yml
create mode 100644 ansible/playbooks/tasks/chrony.yml
create mode 100644 ansible/playbooks/templates/etc/chrony.conf.j2
create mode 100644 ansible/playbooks/vars/chrony.yml
diff --git a/ansible/inventories/production/group_vars/chronyclients/main.yml b/ansible/inventories/production/group_vars/chronyclients/main.yml
new file mode 100644
index 0000000..fbae2d9
--- /dev/null
+++ b/ansible/inventories/production/group_vars/chronyclients/main.yml
@@ -0,0 +1,3 @@
+---
+
+chrony_timeservers = ["chrony001.rockylinux.com", "chrony002.rockylinux.com"]
diff --git a/ansible/inventories/production/group_vars/chronyservers/main.yml b/ansible/inventories/production/group_vars/chronyservers/main.yml
new file mode 100644
index 0000000..d398e01
--- /dev/null
+++ b/ansible/inventories/production/group_vars/chronyservers/main.yml
@@ -0,0 +1,4 @@
+---
+
+chrony_server = true
+chrony_allow_cidr = "10.0.0.0/16"
diff --git a/ansible/inventories/production/hosts.ini b/ansible/inventories/production/hosts.ini
index b37625b..a2c65e2 100644
--- a/ansible/inventories/production/hosts.ini
+++ b/ansible/inventories/production/hosts.ini
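Review bot: Both new group_vars files use `key = value` instead of YAML `key: value`, so each file parses as a single plain string rather than a mapping and Ansible will reject it as group vars (or, at best, none of `chrony_timeservers`, `chrony_server` and `chrony_allow_cidr` is defined, leaving the template's server branch unreachable). The lines should read `chrony_timeservers: ["chrony001.rockylinux.com", "chrony002.rockylinux.com"]`, `chrony_server: true` and `chrony_allow_cidr: "10.0.0.0/16"`; the same defect is in the chronyservers/main.yml hunk that follows. Separately, `10.0.0.0/16` covers only 10.0.0.0–10.0.255.255, while every address in hosts.ini is in 10.100.x.x or 10.200.x.x, so the clients listed in the inventory would be refused by chronyd's `allow` unless the real client addresses differ; `10.100.0.0/16` (or `10.0.0.0/8`) looks like the intended range.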
@@ -22,3 +22,9 @@ build-a-box ansible_host=10.100.1.112 [ipsilon] idp001 ansible_host=10.100.x.x
+[chronyservers]
+chronyd001 ansiblehost=10.100.3.110
+chronyd002 ansiblehost=10.200.3.111
+
+[chronyclients]
+build-abox asnsiblehost=10.100.x.x
diff --git a/ansible/playbooks/handlers/main.yml b/ansible/playbooks/handlers/main.yml
index f4ea20b..7d297d3 100644
--- a/ansible/playbooks/handlers/main.yml
+++ b/ansible/playbooks/handlers/main.yml
@@ -16,3 +16,9 @@ - name: regenerate_auditd_rules command: /sbin/augenrules
+
+- name: reload_chrony
+ systemd:
+ name: "{{ chrony_service_name }}"
+ state: restarted
+ listen: "chrony service restart"
diff --git a/ansible/playbooks/init-rocky-chrony.yml b/ansible/playbooks/init-rocky-chrony.yml
new file mode 100644
index 0000000..c79c54f
--- /dev/null
+++ b/ansible/playbooks/init-rocky-chrony.yml
@@ -0,0 +1,11 @@
+---
+# Sets Up Chrony Server/Client
+# Created: @derekmpage
+# Kudos: @danielkubat @Darkbat91
+- name: Rocky Chrony Runbook
+ hosts: all
+ become: true
+
+ tasks:
+ - name: Configure Chrony
+ import_tasks: tasks/chrony.yml
diff --git a/ansible/playbooks/tasks/chrony.yml b/ansible/playbooks/tasks/chrony.yml
new file mode 100644
index 0000000..0fa28fd
--- /dev/null
+++ b/ansible/playbooks/tasks/chrony.yml
@@ -0,0 +1,26 @@
+---
+- name: Install chrony packages
+ yum:
+ name: "{{ chrony_packages }}"
+ state: present
+
+- name: Fix permissions for chrony home directory
+ file:
+ path: "{{ chrony_homedir }}"
+ mode: 0750
+ state: directory
+
+- name: Deploy configuration
+ template:
+ src: chrony.conf.j2
+ dest: "{{ chrony_config_file }}"
+ owner: "{{ chrony_owner }}"
+ group: "{{ chrony_group }}"
+ mode: "{{ chrony_mode }}"
+ notify: "chrony service restart"
+
+- name: Manage the state of service
+ systemd:
+ name: "{{ chrony_service_name }}"
+ state: "{{ chrony_service_state }}"
+ enabled: "{{ chrony_service_enabled }}"
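Review bot: The new inventory lines misspell the `ansible_host` variable (`ansiblehost` on the two chronyd entries, `asnsiblehost` on the client), so Ansible would set an unrelated host var and try to resolve `chronyd001`/`chronyd002` by name instead of using the given addresses. `build-abox` also does not match the existing `build-a-box` host visible in the context, so it would be registered as a separate host; the intended lines are presumably `chronyd001 ansible_host=10.100.3.110`, `chronyd002 ansible_host=10.200.3.111` and, since `build-a-box` already carries its address in the earlier section, simply `build-a-box`. The `10.200.3.111` address for chronyd002 differs from the 10.100.x.x range used everywhere else in the file and may be a typo as well.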
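Review bot: The new handler is named `reload_chrony` but performs `state: restarted`; the name should say what it does, e.g. `- name: restart_chrony`, and a restart is the right action here as far as I know, since chronyd does not re-read chrony.conf on a reload. The `listen: "chrony service restart"` topic already matches the `notify` in tasks/chrony.yml, so only the handler name needs changing. The indentation of the `systemd:` stanza cannot be verified from the collapsed hunk text; confirm it is nested under the handler like the `regenerate_auditd_rules` entry above it.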
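Review bot: Nothing in this play loads `vars/chrony.yml`, which defines every `chrony_*` variable the imported tasks and the handler reference (`chrony_packages`, `chrony_homedir`, `chrony_service_name`, …); Ansible does not auto-load a `playbooks/vars/` directory, so unless those variables arrive from somewhere not visible here the first task fails on an undefined variable. The play also has no `handlers:` section, so the `notify: "chrony service restart"` in tasks/chrony.yml has nothing to reach unless handlers/main.yml is pulled in elsewhere. Finally, `hosts: all` deploys chrony — with the `deny all` client configuration and the public pool servers — to every host in the inventory rather than to the two new groups; if that is not intended, target `chronyservers:chronyclients`.
```yaml
- name: Rocky Chrony Runbook
  hosts: chronyservers:chronyclients
  become: true
  vars_files:
    - vars/chrony.yml
  handlers:
    - import_tasks: handlers/main.yml
  # … unchanged: tasks …
```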
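Review bot: `mode: "{{ chrony_mode }}"` on the template task takes its value from `chrony_mode: 0644` in vars/chrony.yml, which YAML reads as the integer 420; after Jinja rendering Ansible receives the string `420` and, as far as I know, parses a digit string as octal, so chrony.conf ends up with mode 0420 instead of 0644. Quote the value in the vars/chrony.yml hunk as `chrony_mode: "0644"`, and for consistency write the literal here as `mode: "0750"` (the unquoted `0750` works only because it is never templated; quoting both keeps them strings and avoids the same trap later). This is the one place where the defect is raised; the vars/chrony.yml hunk carries the fix.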
diff --git a/ansible/playbooks/templates/etc/chrony.conf.j2 b/ansible/playbooks/templates/etc/chrony.conf.j2
new file mode 100644
index 0000000..b3384c3
--- /dev/null
+++ b/ansible/playbooks/templates/etc/chrony.conf.j2
@@ -0,0 +1,37 @@
+# Remote servers for client association.
+{% for s in chrony_timeservers %}
+server {{ s }} iburst {% if loop.first %}prefer{% endif %}
+{% endfor %}
+
+# Ignore stratum in source selection.
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile {{ chrony_homedir }}/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1.0 second.
+makestep 1.0 3
+
+# If chrony_server=true allow clients to connect
+{% if chrony_server is sameas true %}
+allow {{ chrony_allow_cidr }}
+bindaddress 0.0.0.0
+{% else %}
+# Else If Client Deny NTP client access.
+deny all
+{% endif %}
+
+# Allow cmdaccess for localhost only (monitoring sometimes requires this to be opened to mgmt interface)
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+cmdallow
+
+# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
+logchange 0.5
+
+# Specify directory for log files.
+logdir {{ chrony_logdir }}
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
diff --git a/ansible/playbooks/vars/chrony.yml b/ansible/playbooks/vars/chrony.yml
new file mode 100644
index 0000000..b80983d
--- /dev/null
+++ b/ansible/playbooks/vars/chrony.yml
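Review bot: `logdir {{ chrony_logdir }}` references a variable that vars/chrony.yml never defines — it defines `chrony_log_file: /var/log/chrony` instead — so rendering this template fails with an undefined variable; rename one side, e.g. `chrony_logdir: /var/log/chrony` in the vars/chrony.yml hunk, which also matches the directive name. A bare `cmdallow` allows command access from any address (the directive takes an optional subnet and means "all" without one, as far as I recall), so the "localhost only" restriction in the comment is actually provided by the two `bindcmdaddress` lines, not by this directive; if the comment describes the intent, write `cmdallow 127.0.0.1` and `cmdallow ::1`, or drop the line, since loopback access is the default. The server branch is gated on `chrony_server is sameas true`, which only a real boolean satisfies, so a string-valued group var silently falls through to the `deny all` client branch; a comment on that line, `{# sameas true: chrony_server must be a YAML boolean, not a string #}`, would save the next reader the same surprise.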
@@ -0,0 +1,34 @@ +--- +# default permissions +chrony_owner: root +chrony_group: root +chrony_mode: 0644 + +# packages to install +chrony_packages: + - chrony + +# configuration files +chrony_config_file: /etc/chrony.conf + +# chrony user homedir +chrony_homedir: /var/lib/chrony + +# service definition +chrony_service_name: chronyd + +# log file +chrony_log_file: /var/log/chrony + +# service state +chrony_service_state: started +chrony_service_enabled: yes + +# default internet timeservers to use +chrony_timeservers: [] + - 0.pool.ntp.org + - 1.pool.ntp.org + - 2.pool.ntp.org + +# is chrony ntp server - allows client connections +chrony_server: false From faf9e6fd48bbe1f7037959735322c74f0ff9ea7f Mon Sep 17 00:00:00 2001 From: Derek Page Date: Sun, 13 Dec 2020 23:04:42 -0500 Subject: [PATCH 2/3] issue-183 - make lint happy --- ansible/playbooks/handlers/main.yml | 2 +- ansible/playbooks/init-rocky-chrony.yml | 2 +- ansible/playbooks/vars/chrony.yml | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ansible/playbooks/handlers/main.yml b/ansible/playbooks/handlers/main.yml index 7d297d3..1193165 100644 --- a/ansible/playbooks/handlers/main.yml +++ b/ansible/playbooks/handlers/main.yml @@ -17,7 +17,7 @@ - name: regenerate_auditd_rules command: /sbin/augenrules -- name: reload_chrony +- name: reload_chrony systemd: name: "{{ chrony_service_name }}" state: restarted diff --git a/ansible/playbooks/init-rocky-chrony.yml b/ansible/playbooks/init-rocky-chrony.yml index c79c54f..c2870c8 100644 --- a/ansible/playbooks/init-rocky-chrony.yml +++ b/ansible/playbooks/init-rocky-chrony.yml @@ -2,7 +2,7 @@ # Sets Up Chrony Server/Client # Created: @derekmpage # Kudos: @danielkubat @Darkbat91 -- name: Rocky Chrony Runbook +- name: Rocky Chrony Runbook hosts: all become: true diff --git a/ansible/playbooks/vars/chrony.yml b/ansible/playbooks/vars/chrony.yml index b80983d..c3d6e77 100644 --- a/ansible/playbooks/vars/chrony.yml 
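Review bot: `chrony_service_enabled: yes` relies on YAML 1.1 truthy parsing; write `chrony_service_enabled: true` so the value is a real boolean under both YAML 1.1 and 1.2 parsers and passes yamllint's truthy rule. The `# log file` comment above `chrony_log_file: /var/log/chrony` describes a directory (the template feeds it to chrony's `logdir`), so the comment should read `# log directory`. The `chrony_timeservers: []` list syntax is already corrected by the two follow-up patches in this series.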
+++ b/ansible/playbooks/vars/chrony.yml @@ -25,9 +25,9 @@ chrony_service_state: started chrony_service_enabled: yes # default internet timeservers to use -chrony_timeservers: [] - - 0.pool.ntp.org - - 1.pool.ntp.org +chrony_timeservers: + - 0.pool.ntp.org + - 1.pool.ntp.org - 2.pool.ntp.org # is chrony ntp server - allows client connections From 9caf9ced6b2748b53b5a7ccd72a9e59ee4a91731 Mon Sep 17 00:00:00 2001 From: Derek Page Date: Sun, 13 Dec 2020 23:09:20 -0500 Subject: [PATCH 3/3] issue-183 - make lint happy --- ansible/playbooks/vars/chrony.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/playbooks/vars/chrony.yml b/ansible/playbooks/vars/chrony.yml index c3d6e77..781b1f3 100644 --- a/ansible/playbooks/vars/chrony.yml +++ b/ansible/playbooks/vars/chrony.yml @@ -26,9 +26,9 @@ chrony_service_enabled: yes # default internet timeservers to use chrony_timeservers: - - 0.pool.ntp.org - - 1.pool.ntp.org - - 2.pool.ntp.org + - 0.pool.ntp.org + - 1.pool.ntp.org + - 2.pool.ntp.org # is chrony ntp server - allows client connections chrony_server: false