authorEmil Renner Berthing <esmil@labitat.dk>2023-03-26 01:45:32 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2023-03-26 01:56:01 +0100
commit29d8c3184cbdf9104bd15757cfb73f6be356a44f (patch)
tree35f6a5b43ae053b2452c44debc70b12c02830a81 /roles
parent9b3563156ef6cb5cc6d3c4bed2fc9c23adf3a165 (diff)
space_server: chrony: Enable NTS server
Diffstat (limited to 'roles')
-rwxr-xr-xroles/space_server/files/certbot-chrony.sh13
-rw-r--r--roles/space_server/files/chrony.conf4
-rw-r--r--roles/space_server/tasks/chrony.yml8
-rw-r--r--roles/space_server/templates/nftables.conf.j22
4 files changed, 27 insertions, 0 deletions
diff --git a/roles/space_server/files/certbot-chrony.sh b/roles/space_server/files/certbot-chrony.sh
new file mode 100755
index 0000000..ff48207
--- /dev/null
+++ b/roles/space_server/files/certbot-chrony.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+case "$RENEWED_LINEAGE" in
+*/space.labitat.dk)
+ install -m640 -o root -g chrony "$RENEWED_LINEAGE/fullchain.pem" /etc/chrony.cert
+ install -m640 -o root -g chrony "$RENEWED_LINEAGE/privkey.pem" /etc/chrony.key
+ systemctl restart chronyd.service
+ ;;
+esac
+
+# vim: set ts=2 sw=2 et:
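Review bot: The `systemctl restart chronyd.service` on line 36 throws away chronyd's NTS cookie-encryption keys on every renewal unless an `ntsdumpdir` is configured, so every NTS client has to repeat NTS-KE afterwards, and plain NTP clients see a short outage as well. If the chrony deployed here is recent enough (reloading the server certificate and key on `chronyc reload sources` was added around 4.1, I believe), prefer `chronyc reload sources` over a restart; otherwise at least use `systemctl try-restart chronyd.service` so the hook does not start a service that was deliberately stopped. The script also has no comment on why the PEM files are copied instead of referenced in place; add `# copy the renewed pair out of /etc/letsencrypt so chronyd's unprivileged user can read them` above the `install` lines. Note that the hook will not fire on a fresh host until the first renewal, so initial placement of the two files needs to happen elsewhere.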
diff --git a/roles/space_server/files/chrony.conf b/roles/space_server/files/chrony.conf
index cab1ce4..a26568d 100644
--- a/roles/space_server/files/chrony.conf
+++ b/roles/space_server/files/chrony.conf
@@ -33,6 +33,10 @@ allow 185.38.175.0/24
allow 10.42.0.0/16
allow 2a01:4262:1ab::/48
+# NTS server certificate and key
+ntsservercert /etc/chrony.cert
+ntsserverkey /etc/chrony.key
+
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
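Review bot: The two new directives load the certificate and key, but no `ntsdumpdir` appears alongside them; without it chronyd generates fresh NTS cookie-encryption keys at every start, so the restart performed by the renewal hook invalidates every client's cookies and forces them all back through NTS-KE. If it is not set elsewhere in the file, add `ntsdumpdir /var/lib/chrony` next to these lines (the directory must be writable by the chrony user). A comment on where the files come from would also help the next maintainer, e.g. `# copies installed by the certbot deploy hook, readable by the chrony group`.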
diff --git a/roles/space_server/tasks/chrony.yml b/roles/space_server/tasks/chrony.yml
index 633e2f2..ba5191c 100644
--- a/roles/space_server/tasks/chrony.yml
+++ b/roles/space_server/tasks/chrony.yml
@@ -24,6 +24,14 @@
group: root
mode: 0644
+- name: Add certbot deploy hook
+ copy:
+ dest: '/etc/letsencrypt/renewal-hooks/deploy/chrony.sh'
+ src: 'certbot-chrony.sh'
+ owner: root
+ group: root
+ mode: 0755
+
- name: Enable chronyd service
systemd:
name: chronyd.service
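Review bot: The deploy hook installed here only runs when certbot renews the lineage, so on a freshly provisioned host nothing visible in this task file puts /etc/chrony.cert and /etc/chrony.key in place before the `Enable chronyd service` task starts chronyd with a chrony.conf that references them. Unless that initial copy is handled elsewhere in the role, consider invoking the hook once from this play, e.g. a `command: /etc/letsencrypt/renewal-hooks/deploy/chrony.sh` task with `environment: {RENEWED_LINEAGE: /etc/letsencrypt/live/space.labitat.dk}` and `creates: /etc/chrony.key` so it is idempotent. The task list continues beyond the hunk.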
diff --git a/roles/space_server/templates/nftables.conf.j2 b/roles/space_server/templates/nftables.conf.j2
index b01ba96..6567315 100644
--- a/roles/space_server/templates/nftables.conf.j2
+++ b/roles/space_server/templates/nftables.conf.j2
@@ -107,6 +107,7 @@ table ip filter {
# ntp
udp dport 123 ip saddr { $int_net4, $ext_net4 } accept
+ tcp dport 4460 ip saddr { $int_net4, $ext_net4 } accept
# avahi
ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
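Review bot: The new `tcp dport 4460` rule sits under the `# ntp` comment with nothing saying what it is; since NTS-KE is a separate TLS listener rather than NTP itself, label it, e.g. `# nts-ke (RFC 8915)` above the line or extend the existing comment to `# ntp + nts-ke`. The same applies to the matching IPv6 rule in the following hunk. The table body continues outside the hunk.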
@@ -205,6 +206,7 @@ table ip6 filter {
# ntp
udp dport 123 ip6 saddr $ext_net6 accept
+ tcp dport 4460 ip6 saddr $ext_net6 accept
# avahi
ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept