space_server: chrony: Enable NTS server

2 files changed, 17 insertions, 0 deletions

diff --git a/roles/space_server/files/certbot-chrony.sh b/roles/space_server/files/certbot-chrony.sh
new file mode 100755
index 0000000..ff48207
--- /dev/null
+++ b/roles/space_server/files/certbot-chrony.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+case "$RENEWED_LINEAGE" in
+*/space.labitat.dk)
+  install -m640 -o root -g chrony "$RENEWED_LINEAGE/fullchain.pem" /etc/chrony.cert
+  install -m640 -o root -g chrony "$RENEWED_LINEAGE/privkey.pem" /etc/chrony.key
+  systemctl restart chronyd.service
+  ;;
+esac
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/files/chrony.conf b/roles/space_server/files/chrony.conf
index cab1ce4..a26568d 100644
--- a/roles/space_server/files/chrony.conf
+++ b/roles/space_server/files/chrony.conf
@@ -33,6 +33,10 @@ allow 185.38.175.0/24
 allow 10.42.0.0/16
 allow 2a01:4262:1ab::/48
 
+# NTS server certificate and key
+ntsservercert /etc/chrony.cert
+ntsserverkey  /etc/chrony.key
+
 # Allow the system clock to be stepped in the first three updates
 # if its offset is larger than 1 second.
 makestep 1.0 3