puppet: Configure chrony to use AWS-local NTP sources.

This prevents hosts from spewing traffic to random hosts across the Internet.
2022-03-25 12:16:13 -07:00 · 2022-03-25 12:16:13 -07:00 · f6d27562fa
parent 5e128e7cad
commit f6d27562fa
3 changed files with 40 additions and 0 deletions
--- a/puppet/zulip/manifests/profile/base.pp
+++ b/puppet/zulip/manifests/profile/base.pp
@ -61,6 +61,7 @@ class zulip::profile::base {
    }
  }
  package { 'ntp': ensure => 'purged', before => Package['chrony'] }
+  service { 'chrony': ensure => 'running', require => Package['chrony'] }
  package { $base_packages: ensure => 'installed' }

  group { 'zulip':
--- a/puppet/zulip_ops/files/chrony.conf
+++ b/puppet/zulip_ops/files/chrony.conf
@ -0,0 +1,31 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# This will use the AWS local atomic clocks as a datasource; see
+# https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/
+server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
--- a/puppet/zulip_ops/manifests/profile/base.pp
+++ b/puppet/zulip_ops/manifests/profile/base.pp
@ -154,6 +154,14 @@ class zulip_ops::profile::base {
      mode   => '0755',
      source => 'puppet:///modules/zulip_ops/zulip-ec2-configure-interfaces_if-up.d.sh',
    }
+
+    file { '/etc/chrony/chrony.conf':
+      ensure  => file,
+      mode    => '0644',
+      source  => 'puppet:///modules/zulip_ops/chrony.conf',
+      require => Package['chrony'],
+      notify  => Service['chrony'],
+    }
  }

  group { 'nagios':