Add ntp-client role

base.yml

@@ -10,10 +10,18 @@
 
     # Backup password
     backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
+
+    # NTP servers
+    # TODO get this list with re2o
+    ntp_servers:
+      - fy.adm.crans.org
+      - charybde.adm.crans.org
+      - silice.adm.crans.org
   roles:
     - debian-apt-sources
     - common-tools
     - rsync-client
+    - ntp-client
 
 # Plug LDAP on all servers
 - hosts: all

roles/ntp-client/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Install NTP
+  apt:
+    update_cache: true
+    name: ntp
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure NTP daemon
+  lineinfile:
+    path: /etc/default/ntp
+    regexp: '^NTPD_OPTS'
+    line: NTPD_OPTS='-g -x'
+
+- name: Configure NTP
+  template:
+    src: ntp.conf.j2
+    dest: /etc/ntp.conf
+    mode: 0644
+
+- name: Start ntp service
+  systemd:
+    name: ntp
+    enabled: true
+    state: started

roles/ntp-client/templates/ntp.conf.j2

@@ -0,0 +1,65 @@
+# {{ ansible_managed }}
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Leap seconds definition provided by tzdata
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+{% if inventory_hostname in ntp_servers %}
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+pool 0.debian.pool.ntp.org iburst
+pool 1.debian.pool.ntp.org iburst
+pool 2.debian.pool.ntp.org iburst
+pool 3.debian.pool.ntp.org iburst
+{% else %}
+# You do need to talk to an NTP server or two (or three).
+{% for server in ntp_servers %}
+server {{ server }} iburst
+{% endfor %}
+{% endif %}
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient