mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2024-11-29 06:29:36 +01:00
etc/chrony: break chrony.conf into README.md & chrony.d/
This commit is contained in:
parent
52458cc8aa
commit
dced82b820
63
etc/chrony/README.md
Normal file
63
etc/chrony/README.md
Normal file
@ -0,0 +1,63 @@
|
||||
# Chrony config files
|
||||
|
||||
For some reason Debian package for Chrony doesn't include other config files
|
||||
so that has to be done by hand like
|
||||
|
||||
```
|
||||
confdir /etc/chrony/chrony.d
|
||||
```
|
||||
|
||||
## Windows
|
||||
|
||||
```
|
||||
choco install nettime
|
||||
```
|
||||
|
||||
## Other random notes
|
||||
|
||||
On pools, the default maxsources is 4 and pools would be resolved until
|
||||
there would be 4 names while the documentation for Telia and Snopyta says
|
||||
they have only 3. Cloudflare again resolves to two per IP version, so I
|
||||
assume that means 2.
|
||||
|
||||
## Commands of interest:
|
||||
|
||||
### Chrony itself
|
||||
|
||||
Note: -N uses names specified in config instead of reverse name lookupping
|
||||
then.
|
||||
|
||||
* `chrony -N activity` - what sources are doing
|
||||
* `chrony -N authdata` - can show that server uses NTS
|
||||
* `chrony -N ntpdata` - a lot of data on the servers
|
||||
* `chronyc offline` - offline mode
|
||||
* `chronyc online` - reconnects servers
|
||||
* `chrony -N sources` - used timeservers and their statuses
|
||||
* `chrony -N tracking` - local status (stratum and own clock etc.)
|
||||
|
||||
|
||||
### nmap
|
||||
|
||||
|
||||
Checking that something is an NTP server? Needs root:
|
||||
|
||||
```
|
||||
nmap -sU -p 123 --script=ntp-info 192.168.0.1
|
||||
```
|
||||
Checking that something has NTS?
|
||||
|
||||
```
|
||||
nmap -p 4460 -Pn ntp.example.net
|
||||
```
|
||||
|
||||
### Firewall configuration
|
||||
|
||||
In case local clients or peers are wanted,
|
||||
|
||||
```
|
||||
ufw allow from 192.168.0.0/16 to any port 123 proto udp
|
||||
ufw allow from fe80::/10 to any port 123 proto udp
|
||||
```
|
||||
|
||||
A bit wide `192.168.x.x`, but so is `conf.d/local-servers,conf` and
|
||||
`fe80://10` isn't ULA either.
|
@ -1,61 +1,4 @@
|
||||
# Just a quick note on what I change on chrony, which is the servers.
|
||||
# DO NOT ACTUALLY PUT THIS FILE IN PRODUCTION, GREP COPY-PASTE INSTEAD?
|
||||
|
||||
# Checking that something is an NTP server? Needs root
|
||||
# nmap -sU -p 123 --script=ntp-info 192.168.0.1
|
||||
# Checking that something has NTS?
|
||||
# nmap -p 4460 -Pn ntp.example.net
|
||||
|
||||
# Windows? choco install nettime
|
||||
|
||||
## NTS servers
|
||||
# Cloudflare NTS, anycast, works probably anywhere. No leap second smearing.
|
||||
# Maybe `prefer` it due to anycast and NTS which seems very rare and also
|
||||
# working with VPNs unlike country-local servers?
|
||||
#pool time.cloudflare.com maxsources 2 iburst nts
|
||||
|
||||
## NTP servers
|
||||
|
||||
# Local NTP servers, see allow lines in the bottom
|
||||
#server LOCALMACHINE.local iburst auto_offline prefer
|
||||
# Or alternatively reciprocaully TODO: how do `key` options work? This
|
||||
# apparently should only be done in trusted LAN.
|
||||
# xleave is probably best to be used with other local Chronys, I somehow
|
||||
# doubt potential router NTP might have it.
|
||||
#peer LOCALMACHINE.local auto_offline xleave prefer
|
||||
|
||||
# Public official Finnish time server, I am very surprised if there is leap
|
||||
# smearing
|
||||
#server time.mikes.fi iburst
|
||||
|
||||
# Elisa NTP servers, no idea on smearing, I hope not
|
||||
#server ntp1.kolumbus.fi iburst
|
||||
#server ntp2.kolumbus.fi iburst
|
||||
#server ntp.saunalahti.fi iburst
|
||||
|
||||
# DNA & Moi NTP server, no idea on smearing, I hope not
|
||||
#server ntp.dnainternet.fi iburst
|
||||
|
||||
# Telia NTP servers, no idea on smearing, I hope not
|
||||
#pool ntp.inet.fi iburst maxsources 3
|
||||
|
||||
# Snopyta NTP servers, no idea on smearing, I hope not
|
||||
#pool ntp.snopyta.org iburst maxsources 3
|
||||
|
||||
# As more than one timeserver (that don't smear leap seconds) are good, keep
|
||||
# the provided vendor address intact/uncommented. Or maybe don't as per
|
||||
# their request on their website and I have enough timeservers. However
|
||||
# works well with always-on-VPN-use.
|
||||
#pool pool.ntp.org iburst
|
||||
|
||||
# On pools, the default maxsources is 4 and pools would be resolved until
|
||||
# there would be 4 names while the documentation for Telia and Snopyta says
|
||||
# they have only 3.
|
||||
|
||||
# Allowing access from LAN:
|
||||
#allow 192.168
|
||||
#allow fe80::/10
|
||||
|
||||
# Commands of interest:
|
||||
# chrony -N authdata
|
||||
# chrony -N sources
|
||||
# For some reason Debian doesn't ship this line by default, so it needs to
|
||||
# be added by user and after that hopefully not conflict with package
|
||||
# manager
|
||||
confdir /etc/chrony/chrony.d
|
||||
|
2
etc/chrony/chrony.d/dna-moi.conf
Normal file
2
etc/chrony/chrony.d/dna-moi.conf
Normal file
@ -0,0 +1,2 @@
|
||||
# DNA & Moi NTP server, no idea on smearing, I hope not
|
||||
server ntp.dnainternet.fi iburst
|
4
etc/chrony/chrony.d/elisa.conf
Normal file
4
etc/chrony/chrony.d/elisa.conf
Normal file
@ -0,0 +1,4 @@
|
||||
# Elisa NTP servers, no idea on smearing, I hope not
|
||||
server ntp1.kolumbus.fi iburst
|
||||
server ntp2.kolumbus.fi iburst
|
||||
server ntp.saunalahti.fi iburst
|
7
etc/chrony/chrony.d/finland.conf
Normal file
7
etc/chrony/chrony.d/finland.conf
Normal file
@ -0,0 +1,7 @@
|
||||
# Public official Finnish time server, I am very surprised if there is leap
|
||||
# smearing
|
||||
server time.mikes.fi iburst
|
||||
|
||||
# Snopyta NTP servers, no idea on smearing, I hope not. 2/3 are in Finland
|
||||
# even if they may not belong to this file.
|
||||
pool ntp.snopyta.org iburst maxsources 3
|
14
etc/chrony/chrony.d/local-servers.conf
Normal file
14
etc/chrony/chrony.d/local-servers.conf
Normal file
@ -0,0 +1,14 @@
|
||||
# Checking that something is an NTP server? Needs root
|
||||
# nmap -sU -p 123 --script=ntp-info 192.168.0.1
|
||||
|
||||
#server LOCALMACHINE.local iburst auto_offline prefer
|
||||
|
||||
# Or alternatively reciprocally TODO: how do `key` options work? This
|
||||
# apparently should only be done in trusted LAN.
|
||||
# xleave is probably best to be used with other local Chronys, I somehow
|
||||
# doubt potential router NTP might have it.
|
||||
#peer LOCALMACHINE.local auto_offline xleave prefer
|
||||
|
||||
# Allowing access from LAN:
|
||||
#allow 192.168
|
||||
#allow fe80::/10
|
5
etc/chrony/chrony.d/nts-servers.conf
Normal file
5
etc/chrony/chrony.d/nts-servers.conf
Normal file
@ -0,0 +1,5 @@
|
||||
# This line should be added if it's not in main chrony.conf
|
||||
#ntsdumpdir /var/lib/chrony
|
||||
|
||||
# Cloudflare NTS, anycast, works probably anywhere. No leap second smearing.
|
||||
pool time.cloudflare.com maxsources 2 iburst nts
|
2
etc/chrony/chrony.d/telia.conf
Normal file
2
etc/chrony/chrony.d/telia.conf
Normal file
@ -0,0 +1,2 @@
|
||||
# Telia NTP servers, no idea on smearing, I hope not
|
||||
pool ntp.inet.fi iburst maxsources 3
|
Loading…
Reference in New Issue
Block a user