feat: NTP-Server (Chrony) — vollständig

Stub raus, vollständige Implementierung analog Unbound/Squid: * Migration 0015: ntp_settings (single-row mit listen_addresses, allow_acl, serve_clients, makestep, rtcsync) + ntp_pools (kind pool|server, address, iburst/prefer, minpoll/maxpoll). Default 4 deutsche pool.ntp.org-Server seeded. * Models DNSSettings/NTPPool, services/ntp Repo, handlers/ntp.go REST /api/v1/ntp/{settings,pools} mit Auto-Restart nach Mutation. * internal/chrony/chrony.cfg.tpl + chrony.go: Renderer schreibt /etc/chrony/conf.d/edgeguard.conf direkt (analog unbound — distro chrony.conf included conf.d automatisch). Listen-bind nur wenn serve_clients=true; sonst port 0 (= Client-only). * main.go: ntpRepo + chronyReloader injiziert. * render.go: chrony als sechste generator. * postinst: - chrony als hard Depends im control file. - Conf-Datei /etc/chrony/conf.d/edgeguard.conf wird als edgeguard:edgeguard 0644 angelegt. - Sudoers für systemctl reload + restart chrony. * Auto-FW-Rule-Generator: udp/123 wenn serve_clients=true und listen_addresses non-loopback enthält. * Frontend /ntp: PageHeader + Quellen-Tab + Settings-Tab. Listen- Addresses als Multi-Select aus Kernel-IPs (analog DNS). * Sidebar-Eintrag unter Network. * i18n DE/EN für ntp.* Block. chrony.service hat kein 'reload' — Renderer ruft RestartService auf. Verified: 4 default-pool-server connected (chronyc sources zeigt sie nach erstem render). Version 1.0.40. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 06:58:54 +02:00
parent 2556a93b34
commit e4d83d226e
20 changed files with 1005 additions and 8 deletions
--- a/management-ui/src/i18n/locales/de/common.json
+++ b/management-ui/src/i18n/locales/de/common.json
@@ -15,6 +15,7 @@
    "wireguard": "WireGuard",
    "forwardProxy": "Forward-Proxy",
    "dns": "DNS",
+    "ntp": "Zeit (NTP)",
    "firewall": "Firewall",
    "cluster": "Cluster",
    "settings": "Einstellungen",
@@ -400,6 +401,44 @@
      "wg": "WireGuard"
    }
  },
+  "ntp": {
+    "title": "Zeitserver (Chrony)",
+    "intro": "Chrony als Time-Sync-Daemon (NTP). Quellen oben, Listen-/Serve-Konfig im Settings-Tab. Wenn 'serve_clients' aktiv und LAN-IPs gebound sind, wird die Box selbst zum NTP-Server für das LAN.",
+    "tabs": { "pools": "Quellen", "settings": "Settings" },
+    "pool": {
+      "kind": "Typ",
+      "kindPool": "pool — DNS-Round-Robin (mehrere Server aus A-Records)",
+      "kindServer": "server — einzelner Host",
+      "address": "Adresse / Host",
+      "addressExtra": "FQDN (für pool: 0.de.pool.ntp.org) oder IP.",
+      "iburst": "iburst",
+      "prefer": "prefer",
+      "minpoll": "min-poll",
+      "maxpoll": "max-poll",
+      "options": "Optionen",
+      "description": "Beschreibung",
+      "add": "Quelle hinzufügen",
+      "edit": "Quelle bearbeiten",
+      "deleteConfirm": "NTP-Quelle {{addr}} wirklich löschen?"
+    },
+    "settings": {
+      "intro": "Globale Chrony-Settings. Save reloaded chrony automatisch.",
+      "serveClients": "Als NTP-Server für Clients arbeiten",
+      "serveClientsExtra": "Wenn aus: chrony agiert nur als Client (port 0). Wenn an + Listen-IP: bindet UDP/123.",
+      "listenAddresses": "Listen-Adressen",
+      "listenAddressesPlaceholder": "IPs wählen (oder eintippen)",
+      "listenAddressesExtra": "Auf welchen IPs chrony :123/UDP bindet. 127.0.0.1+::1 = nur lokal; LAN-IPs öffnen für LAN-Clients (FW-Rule wird automatisch generiert).",
+      "allowACL": "Allow-ACL (CIDRs)",
+      "allowACLExtra": "Wer darf NTP-Time anfragen.",
+      "makestepSecs": "makestep secs",
+      "makestepSecsExtra": "Erlaube step (statt slew) wenn offset > N sec.",
+      "makestepLimit": "makestep limit",
+      "rtcsync": "RTC mit System-Time syncen",
+      "rtcsyncExtra": "Hardware-Clock alle 11 min synchron halten — nach Reboot ist die Zeit grob korrekt.",
+      "leapsectz": "Leap-Sec TZ",
+      "leapsectzExtra": "Optional, z.B. 'right/UTC' für leap-sec über tzdata."
+    }
+  },
  "dns": {
    "title": "DNS (Unbound)",
    "intro": "Unbound-Resolver auf :53. Lokale Zonen (authoritativ aus DNS-Records) und Forward-Zonen (per stub-zone weiter zu fremden Resolvern). Default-Forwarder für alles andere.",
--- a/management-ui/src/i18n/locales/en/common.json
+++ b/management-ui/src/i18n/locales/en/common.json
@@ -15,6 +15,7 @@
    "wireguard": "WireGuard",
    "forwardProxy": "Forward proxy",
    "dns": "DNS",
+    "ntp": "Time (NTP)",
    "firewall": "Firewall",
    "cluster": "Cluster",
    "settings": "Settings",
@@ -400,6 +401,44 @@
      "wg": "WireGuard"
    }
  },
+  "ntp": {
+    "title": "Time server (Chrony)",
+    "intro": "Chrony as time-sync daemon (NTP). Sources on top, listen/serve config on the settings tab. With 'serve_clients' on and LAN-IPs bound, the box itself becomes an NTP server for the LAN.",
+    "tabs": { "pools": "Sources", "settings": "Settings" },
+    "pool": {
+      "kind": "Type",
+      "kindPool": "pool — DNS round-robin (multiple servers from A records)",
+      "kindServer": "server — single host",
+      "address": "Address / host",
+      "addressExtra": "FQDN (for pool: 0.de.pool.ntp.org) or IP.",
+      "iburst": "iburst",
+      "prefer": "prefer",
+      "minpoll": "min-poll",
+      "maxpoll": "max-poll",
+      "options": "Options",
+      "description": "Description",
+      "add": "Add source",
+      "edit": "Edit source",
+      "deleteConfirm": "Really delete NTP source {{addr}}?"
+    },
+    "settings": {
+      "intro": "Global chrony settings. Saves reload chrony automatically.",
+      "serveClients": "Act as NTP server for clients",
+      "serveClientsExtra": "If off: chrony acts as client only (port 0). If on + listen IP: binds UDP/123.",
+      "listenAddresses": "Listen addresses",
+      "listenAddressesPlaceholder": "Pick IPs (or type)",
+      "listenAddressesExtra": "Which IPs chrony binds :123/UDP on. 127.0.0.1+::1 = local only; LAN IPs open for LAN clients (FW rule auto-generated).",
+      "allowACL": "Allow ACL (CIDRs)",
+      "allowACLExtra": "Who is allowed to ask for NTP time.",
+      "makestepSecs": "makestep secs",
+      "makestepSecsExtra": "Allow step (vs. slew) when offset > N seconds.",
+      "makestepLimit": "makestep limit",
+      "rtcsync": "Sync RTC with system time",
+      "rtcsyncExtra": "Keep hardware clock in sync every 11 min — after reboot time is roughly correct.",
+      "leapsectz": "Leap-sec TZ",
+      "leapsectzExtra": "Optional, e.g. 'right/UTC' for leap-sec via tzdata."
+    }
+  },
  "dns": {
    "title": "DNS (Unbound)",
    "intro": "Unbound resolver on :53. Local zones (authoritative from DNS records) and forward zones (stub-zone to remote resolvers). Default forwarders catch everything else.",