-rwxr-xr-x | roles/space_server/files/certbot-chrony.sh | 13 | ||||
-rw-r--r-- | roles/space_server/files/chrony.conf | 4 | ||||
-rw-r--r-- | roles/space_server/tasks/chrony.yml | 8 | ||||
-rw-r--r-- | roles/space_server/templates/nftables.conf.j2 | 2 |
4 files changed, 27 insertions, 0 deletions
diff --git a/roles/space_server/files/certbot-chrony.sh b/roles/space_server/files/certbot-chrony.sh
new file mode 100755
index 0000000..ff48207
--- /dev/null
+++ b/roles/space_server/files/certbot-chrony.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+case "$RENEWED_LINEAGE" in
+*/space.labitat.dk)
+ install -m640 -o root -g chrony "$RENEWED_LINEAGE/fullchain.pem" /etc/chrony.cert
+ install -m640 -o root -g chrony "$RENEWED_LINEAGE/privkey.pem" /etc/chrony.key
+ systemctl restart chronyd.service
+ ;;
+esac
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/files/chrony.conf b/roles/space_server/files/chrony.conf
index cab1ce4..a26568d 100644
--- a/roles/space_server/files/chrony.conf
+++ b/roles/space_server/files/chrony.conf
@@ -33,6 +33,10 @@ allow 185.38.175.0/24
 allow 10.42.0.0/16
 allow 2a01:4262:1ab::/48
 
+# NTS server certificate and key
+ntsservercert /etc/chrony.cert
+ntsserverkey /etc/chrony.key
+
 # Allow the system clock to be stepped in the first three updates
 # if its offset is larger than 1 second.
 makestep 1.0 3
diff --git a/roles/space_server/tasks/chrony.yml b/roles/space_server/tasks/chrony.yml
index 633e2f2..ba5191c 100644
--- a/roles/space_server/tasks/chrony.yml
+++ b/roles/space_server/tasks/chrony.yml
@@ -24,6 +24,14 @@
 group: root
 mode: 0644
 
+- name: Add certbot deploy hook
+ copy:
+ dest: '/etc/letsencrypt/renewal-hooks/deploy/chrony.sh'
+ src: 'certbot-chrony.sh'
+ owner: root
+ group: root
+ mode: 0755
+
 - name: Enable chronyd service
 systemd:
 name: chronyd.service
diff --git a/roles/space_server/templates/nftables.conf.j2 b/roles/space_server/templates/nftables.conf.j2
index b01ba96..6567315 100644
--- a/roles/space_server/templates/nftables.conf.j2
+++ b/roles/space_server/templates/nftables.conf.j2
@@ -107,6 +107,7 @@ table ip filter {
 # ntp
 udp dport 123 ip saddr { $int_net4, $ext_net4 } accept
+tcp dport 4460 ip saddr { $int_net4, $ext_net4 } accept
 # avahi
 ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
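Review bot: If the second `install` (privkey.pem) fails after the first one has already overwritten `/etc/chrony.cert`, `set -e` aborts the hook with a new certificate and an old key left on disk and no restart, and the mismatch only surfaces at the next chronyd start (for example a reboot); both files should be staged and only then moved into place, and the script should also use `set -eu` so a manual run without `RENEWED_LINEAGE` fails loudly instead of silently matching nothing. The `*/space.labitat.dk` pattern and the 640 root:chrony ownership of the key look right for a certbot deploy hook running as root. A restart is presumably needed because chronyd is not expected to re-read `ntsservercert`/`ntsserverkey` on reload; if the deployed chrony version does support that, `systemctl try-reload-or-restart` would avoid dropping the running clock state.
```shell
set -eu

case "$RENEWED_LINEAGE" in
*/space.labitat.dk)
  # Stage both files first so a failed copy never leaves a cert/key mismatch live
  install -m640 -o root -g chrony "$RENEWED_LINEAGE/fullchain.pem" /etc/chrony.cert.new
  install -m640 -o root -g chrony "$RENEWED_LINEAGE/privkey.pem" /etc/chrony.key.new
  mv -f /etc/chrony.cert.new /etc/chrony.cert
  mv -f /etc/chrony.key.new /etc/chrony.key
  systemctl restart chronyd.service
  ;;
esac
```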
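Review bot: The new `ntsservercert`/`ntsserverkey` lines point at files that nothing in this file explains and that do not exist until the certbot deploy hook added in this commit fires for the first time; I would extend the comment to `# NTS server certificate and key, installed by the certbot deploy hook (certbot-chrony.sh), which restarts chronyd on every renewal`. Because that hook restarts chronyd at each renewal, check that `ntsdumpdir` is set in the part of this file outside the hunk — as I read chrony's documentation, without it the server's NTS keys are regenerated on every restart and all NTS clients have to repeat NTS-KE. With NTS-KE now reachable from the `allow`ed networks, an `ntsratelimit` directive is also worth considering, since each NTS-KE connection costs a TLS handshake.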
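Review bot: The new task only installs the deploy hook, so on a host where the certificate already exists `/etc/chrony.cert` and `/etc/chrony.key` are not created until certbot's next renewal, while the chrony.conf in this same commit references them unconditionally; until then chronyd will presumably fail to load the NTS certificate and the NTS-KE port opened by this commit serves nothing. I would run the hook once from the playbook against the existing lineage, guarded by `creates` so it is idempotent, before the `Enable chronyd service` task; the lineage path below assumes certbot's default `/etc/letsencrypt/live/<name>` layout. The enclosing task list starts and ends outside the hunk.
```yaml
- name: Install NTS certificate and key from the existing certbot lineage
  command: /etc/letsencrypt/renewal-hooks/deploy/chrony.sh
  environment:
    RENEWED_LINEAGE: /etc/letsencrypt/live/space.labitat.dk
  args:
    creates: /etc/chrony.key
```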
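Review bot: The `# ntp` comment above the new rule no longer describes it: 4460/tcp is NTS-KE (a TLS service), not NTP, so someone grepping for the NTS-KE rule will not find it; I would change the comment to `# ntp (udp/123) and nts-ke (tcp/4460)`. The new rule accepts every TCP packet to 4460 rather than `ct state new`; if the chain already accepts established flows earlier (outside this hunk) that is only redundant, but if it does not, the rule is what allows the handshake to complete and should say so. The enclosing `table ip filter` chain starts and ends outside the hunk.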
@@ -205,6 +206,7 @@ table ip6 filter {
 # ntp
 udp dport 123 ip6 saddr $ext_net6 accept
+tcp dport 4460 ip6 saddr $ext_net6 accept
 # avahi
 ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept |
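Review bot: Unlike udp/123, every accepted connection to 4460/tcp makes chronyd perform a TLS handshake, so any host in `$ext_net6` can drive CPU with cheap connection floods; the rule should at least be restricted to new connections and rate limited, e.g. `tcp dport 4460 ip6 saddr $ext_net6 ct state new limit rate 50/second accept` (tune the rate to the expected client count), or chrony's `ntsratelimit` should be configured alongside it. The IPv6 rule accepts only `$ext_net6` while the IPv4 rule in this commit also accepts the internal range; that mirrors the existing udp/123 rules, so it is presumably intentional, but if the internal IPv6 prefix that chrony.conf `allow`s is not covered by `$ext_net6`, NTS clients there will be unable to reach NTS-KE. The `table ip6 filter` chain starts and ends outside the hunk.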