init

ansible/roles/ntp/chrony/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart chrony
+  ansible.builtin.service:
+    name: chrony
+    state: restarted

ansible/roles/ntp/chrony/tasks/main.yml

@@ -0,0 +1,74 @@
+---
+- name: install chrony
+  ansible.builtin.apt:
+    name:
+      - chrony
+    state: present
+    update_cache: true
+
+# чтобы не было “двух клиентов времени” (минимально и без сложных проверок)
+- name: stop and disable systemd-timesyncd (if exists)
+  ansible.builtin.service:
+    name: systemd-timesyncd
+    state: stopped
+    enabled: false
+  ignore_errors: true
+
+- name: ensure /etc/chrony/sources.d exists
+  ansible.builtin.file:
+    path: /etc/chrony/sources.d
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: ensure /etc/chrony/conf.d exists
+  ansible.builtin.file:
+    path: /etc/chrony/conf.d
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: deploy /etc/chrony/chrony.conf
+  ansible.builtin.template:
+    src: chrony.conf.j2
+    dest: /etc/chrony/chrony.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart chrony
+
+- name: configure upstream sources
+  ansible.builtin.template:
+    src: 00-upstream.sources.j2
+    dest: /etc/chrony/sources.d/00-upstream.sources
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart chrony
+
+# server-mode: allow clients (опционально)
+- name: configure allowed client networks (optional)
+  ansible.builtin.template:
+    src: 00-allow.conf.j2
+    dest: /etc/chrony/conf.d/00-allow.conf
+    owner: root
+    group: root
+    mode: "0644"
+  when: chrony_allow_networks | length > 0
+  notify: restart chrony
+
+# если раньше был allow, а теперь роль как client — подчистим файл
+- name: remove allow config when not needed
+  ansible.builtin.file:
+    path: /etc/chrony/conf.d/00-allow.conf
+    state: absent
+  when: chrony_allow_networks | length == 0
+  notify: restart chrony
+
+- name: ensure chrony is enabled and started
+  ansible.builtin.service:
+    name: chrony
+    enabled: true
+    state: started

ansible/roles/ntp/chrony/templates/00-allow.conf.j2

@@ -0,0 +1,5 @@
+# Managed by Ansible: allow NTP clients (server)
+deny all
+{% for net in chrony_allow_networks %}
+allow {{ net }}
+{% endfor %}

ansible/roles/ntp/chrony/templates/00-upstream.sources.j2

@@ -0,0 +1,4 @@
+# Managed by Ansible: upstream NTP sources
+{% for s in chrony_upstream_sources %}
+server {{ s }} iburst
+{% endfor %}

ansible/roles/ntp/chrony/templates/chrony.conf.j2

@@ -0,0 +1,47 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# Use Debian vendor zone.
+# pool 2.debian.pool.ntp.org iburst
+
+# Use time sources from DHCP.
+# sourcedir /run/chrony-dhcp
+
+# Use NTP sources found in /etc/chrony/sources.d.
+sourcedir /etc/chrony/sources.d
+
+# This directive specifies the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specifies the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapseclist /usr/share/zoneinfo/leap-seconds.list
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d