init

ansible/roles/ntp/chrony/tasks/main.yml

@@ -0,0 +1,74 @@
+---
+- name: install chrony
+  ansible.builtin.apt:
+    name:
+      - chrony
+    state: present
+    update_cache: true
+
+# чтобы не было “двух клиентов времени” (минимально и без сложных проверок)
+- name: stop and disable systemd-timesyncd (if exists)
+  ansible.builtin.service:
+    name: systemd-timesyncd
+    state: stopped
+    enabled: false
+  ignore_errors: true
+
+- name: ensure /etc/chrony/sources.d exists
+  ansible.builtin.file:
+    path: /etc/chrony/sources.d
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: ensure /etc/chrony/conf.d exists
+  ansible.builtin.file:
+    path: /etc/chrony/conf.d
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: deploy /etc/chrony/chrony.conf
+  ansible.builtin.template:
+    src: chrony.conf.j2
+    dest: /etc/chrony/chrony.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart chrony
+
+- name: configure upstream sources
+  ansible.builtin.template:
+    src: 00-upstream.sources.j2
+    dest: /etc/chrony/sources.d/00-upstream.sources
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart chrony
+
+# server-mode: allow clients (опционально)
+- name: configure allowed client networks (optional)
+  ansible.builtin.template:
+    src: 00-allow.conf.j2
+    dest: /etc/chrony/conf.d/00-allow.conf
+    owner: root
+    group: root
+    mode: "0644"
+  when: chrony_allow_networks | length > 0
+  notify: restart chrony
+
+# если раньше был allow, а теперь роль как client — подчистим файл
+- name: remove allow config when not needed
+  ansible.builtin.file:
+    path: /etc/chrony/conf.d/00-allow.conf
+    state: absent
+  when: chrony_allow_networks | length == 0
+  notify: restart chrony
+
+- name: ensure chrony is enabled and started
+  ansible.builtin.service:
+    name: chrony
+    enabled: true
+    state: started