etc/chrony: break chrony.conf into README.md & chrony.d/

etc/chrony/README.md

@@ -0,0 +1,63 @@
+# Chrony config files
+
+For some reason Debian package for Chrony doesn't include other config files
+so that has to be done by hand like
+
+```
+confdir /etc/chrony/chrony.d
+```
+
+## Windows
+
+```
+choco install nettime
+```
+
+## Other random notes
+
+On pools, the default maxsources is 4 and pools would be resolved until
+there would be 4 names while the documentation for Telia and Snopyta says
+they have only 3. Cloudflare again resolves to two per IP version, so I
+assume that means 2.
+
+## Commands of interest:
+
+### Chrony itself
+
+Note: -N uses names specified in config instead of reverse name lookupping
+then.
+
+* `chrony -N activity` - what sources are doing
+* `chrony -N authdata` - can show that server uses NTS
+* `chrony -N ntpdata`  - a lot of data on the servers
+* `chronyc offline`    - offline mode
+* `chronyc online`     - reconnects servers
+* `chrony -N sources`  - used timeservers and their statuses
+* `chrony -N tracking` - local status (stratum and own clock etc.)
+
+
+### nmap
+
+
+Checking that something is an NTP server? Needs root:
+
+```
+nmap -sU -p 123 --script=ntp-info 192.168.0.1
+```
+Checking that something has NTS?
+
+```
+nmap -p 4460 -Pn ntp.example.net
+```
+
+### Firewall configuration
+
+In case local clients or peers are wanted,
+
+```
+ufw allow from 192.168.0.0/16 to any port 123 proto udp
+ufw allow from fe80::/10 to any port 123 proto udp
+```
+
+A bit wide `192.168.x.x`, but so is `conf.d/local-servers,conf` and
+`fe80://10` isn't ULA either.

etc/chrony/chrony.conf

@@ -1,61 +1,4 @@
-# Just a quick note on what I change on chrony, which is the servers.
+# For some reason Debian doesn't ship this line by default, so it needs to
-# DO NOT ACTUALLY PUT THIS FILE IN PRODUCTION, GREP COPY-PASTE INSTEAD?
+# be added by user and after that hopefully not conflict with package
-
+# manager
-# Checking that something is an NTP server? Needs root
+confdir /etc/chrony/chrony.d
-#  nmap -sU -p 123 --script=ntp-info 192.168.0.1
-# Checking that something has NTS?
-#  nmap -p 4460 -Pn ntp.example.net
-
-# Windows? choco install nettime
-
-## NTS servers
-# Cloudflare NTS, anycast, works probably anywhere. No leap second smearing.
-# Maybe `prefer` it due to anycast and NTS which seems very rare and also
-# working with VPNs unlike country-local servers?
-#pool time.cloudflare.com maxsources 2 iburst nts
-
-## NTP servers
-
-# Local NTP servers, see allow lines in the bottom
-#server LOCALMACHINE.local iburst auto_offline prefer
-# Or alternatively reciprocaully TODO: how do `key` options work? This
-#  apparently should only be done in trusted LAN.
-# xleave is probably best to be used with other local Chronys, I somehow
-#  doubt potential router NTP might have it.
-#peer LOCALMACHINE.local auto_offline xleave prefer
-
-# Public official Finnish time server, I am very surprised if there is leap
-# smearing
-#server time.mikes.fi iburst
-
-# Elisa NTP servers, no idea on smearing, I hope not
-#server ntp1.kolumbus.fi iburst
-#server ntp2.kolumbus.fi iburst
-#server ntp.saunalahti.fi iburst
-
-# DNA & Moi NTP server, no idea on smearing, I hope not
-#server ntp.dnainternet.fi iburst
-
-# Telia NTP servers, no idea on smearing, I hope not
-#pool ntp.inet.fi iburst maxsources 3
-
-# Snopyta NTP servers, no idea on smearing, I hope not
-#pool ntp.snopyta.org iburst maxsources 3
-
-# As more than one timeserver (that don't smear leap seconds) are good, keep
-# the provided vendor address intact/uncommented. Or maybe don't as per
-# their request on their website and I have enough timeservers. However
-# works well with always-on-VPN-use.
-#pool pool.ntp.org iburst
-
-# On pools, the default maxsources is 4 and pools would be resolved until
-# there would be 4 names while the documentation for Telia and Snopyta says
-# they have only 3.
-
-# Allowing access from LAN:
-#allow 192.168
-#allow fe80::/10
-
-# Commands of interest:
-#     chrony -N authdata
-#     chrony -N sources

etc/chrony/chrony.d/dna-moi.conf

@@ -0,0 +1,2 @@
+# DNA & Moi NTP server, no idea on smearing, I hope not
+server ntp.dnainternet.fi iburst

etc/chrony/chrony.d/elisa.conf

@@ -0,0 +1,4 @@
+# Elisa NTP servers, no idea on smearing, I hope not
+server ntp1.kolumbus.fi iburst
+server ntp2.kolumbus.fi iburst
+server ntp.saunalahti.fi iburst

etc/chrony/chrony.d/finland.conf

@@ -0,0 +1,7 @@
+# Public official Finnish time server, I am very surprised if there is leap
+# smearing
+server time.mikes.fi iburst
+
+# Snopyta NTP servers, no idea on smearing, I hope not. 2/3 are in Finland
+# even if they may not belong to this file.
+pool ntp.snopyta.org iburst maxsources 3

etc/chrony/chrony.d/local-servers.conf

@@ -0,0 +1,14 @@
+# Checking that something is an NTP server? Needs root
+#  nmap -sU -p 123 --script=ntp-info 192.168.0.1
+
+#server LOCALMACHINE.local iburst auto_offline prefer
+
+# Or alternatively reciprocally TODO: how do `key` options work? This
+#  apparently should only be done in trusted LAN.
+# xleave is probably best to be used with other local Chronys, I somehow
+#  doubt potential router NTP might have it.
+#peer LOCALMACHINE.local auto_offline xleave prefer
+
+# Allowing access from LAN:
+#allow 192.168
+#allow fe80::/10

etc/chrony/chrony.d/nts-servers.conf

@@ -0,0 +1,5 @@
+# This line should be added if it's not in main chrony.conf
+#ntsdumpdir /var/lib/chrony
+
+# Cloudflare NTS, anycast, works probably anywhere. No leap second smearing.
+pool time.cloudflare.com maxsources 2 iburst nts

etc/chrony/chrony.d/telia.conf

@@ -0,0 +1,2 @@
+# Telia NTP servers, no idea on smearing, I hope not
+pool ntp.inet.fi iburst maxsources 3