Chrony Timeserver with NTS support.
This repository is based on docker-ntp by Chris Turra but uses Hashicorp Nomad instead of Docker Compose to deploy the secure timeserver.
git clone https://github.com/mpolinowski/nomad-nts-chrony
Note: The
docker-compose
file expects the repository to be in/opt/chrony-nts
.
Run the build script (you need to have docker installed):
./build.sh
Run certbot
to create the TLS certificate for your domain:
apt install certbot python3-certbot-nginx
certbot certonly --standalone
Use Docker Compose to run the container and mount/bind the TLS certificate:
version: '3.9'
services:
chrony:
build: .
image: cturra/ntp:latest
container_name: chrony
restart: unless-stopped
volumes:
- type: bind
source: /etc/letsencrypt/live/my.server.domain/fullchain.pem
target: /opt/fullchain.pem
- type: bind
source: /etc/letsencrypt/live/my.server.domain/privkey.pem
target: /opt/privkey.pem
ports:
- 123:123/udp
- 4460:4460/tcp
environment:
- NTP_SERVERS=0.de.pool.ntp.org,time.cloudflare.com,time1.google.com
- LOG_LEVEL=1
- NTP_SERVERS: Upstream NTP server to use.
- LOG_LEVEL: Levels can to specified: 0 (informational), 1 (warning), 2 (non-fatal error), and 3 (fatal error).
Test if the server is working:
docker compose up -d chrony
docker compose logs chrony
apt install sntp
sntp time.instar.com
docker exec chrony chronyc tracking
docker exec chrony chronyc sources
docker exec chrony chronyc sourcestats
docker exec -ti chrony chronyd -Q -t 3 'server my.server.com iburst nts maxsamples 1'
docker exec -ti chrony chronyc serverstats
Check NTS-KE connections accepted
and Authenticated NTP packets
:
NTP packets received : 3
NTP packets dropped : 0
Command packets received : 27
Command packets dropped : 0
Client log records dropped : 0
NTS-KE connections accepted: 1
NTS-KE connections dropped : 0
Authenticated NTP packets : 1
Interleaved NTP packets : 0
NTP timestamps held : 0
NTP timestamp span : 0