crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[ntp-server] WIP: Replace ntp by ntpsec 

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
ntpsec
Yohann D'ANELLO 2022-08-09 17:26:59 +02:00
parent b242c22732
commit f51c59f328
Signed by: _ynerant
GPG Key ID: 3A75C55819C8CF85
2 changed files with 36 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
roles/ntp-server/tasks/main.yml
View File

@ -1,27 +1,27 @@
--- ---
- name: Install NTP - name: Install NTPsec
apt: apt:
update_cache: true update_cache: true
name: ntp name: ntpsec
register: apt_result register: apt_result
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
- name: Configure NTP daemon - name: Configure NTP daemon
lineinfile: lineinfile:
path: /etc/default/ntp path: /etc/default/ntpsec
regexp: ^NTPD_OPTS regexp: ^NTPD_OPTS
line: NTPD_OPTS='-g -x' line: NTPD_OPTS='-g -N'
check_mode: false check_mode: false
- name: Configure NTP - name: Configure NTPsec
template: template:
src: ntp.conf.j2 src: ntp.conf.j2
dest: /etc/ntp.conf dest: /etc/ntpsec/ntp.conf
mode: 0644 mode: 0644
- name: Start ntp service - name: Start ntpsec service
systemd: systemd:
name: ntp name: ntpsec
enabled: true enabled: true
state: started state: started

67
roles/ntp-server/templates/ntp.conf.j2
View File

@ -1,63 +1,52 @@
{{ ansible_header | comment }} {{ ansible_header | comment }}
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help # /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift driftfile /var/lib/ntpsec/ntp.drift
# Leap seconds definition provided by tzdata
leapfile /usr/share/zoneinfo/leap-seconds.list leapfile /usr/share/zoneinfo/leap-seconds.list
# Enable this if you want statistics to be logged. # To enable Network Time Security support as a server, obtain a certificate
#statsdir /var/log/ntpstats/ # (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
statistics loopstats peerstats clockstats # You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
filegen loopstats file loopstats type day enable #statsdir /var/log/ntpsec/
filegen peerstats file peerstats type day enable #statistics loopstats peerstats clockstats
filegen clockstats file clockstats type day enable #filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
# This should be maxclock 7, but the pool entries count towards maxclock.
tos maxclock 11
# Comment this out if you have a refclock and want it to be able to discipline
# the clock by itself (e.g. if the system is not connected to the network).
tos minclock 4 minsane 3
# Specify one or more NTP servers.
# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the # pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html> # pool: <https://www.pool.ntp.org/join.html>
pool 0.debian.pool.ntp.org iburst pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst pool 3.debian.pool.ntp.org iburst
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for # for details.
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
# #
# Note that "restrict" applies to both servers and clients, so a configuration # Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end # that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers. # up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration. # By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited restrict default kod nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely. # Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 restrict 127.0.0.1
restrict ::1 restrict ::1
# Needed for adding pool entries
restrict source notrap nomodify noquery
# Server on adm can sync
{% for cidr in ntp_server.open %}
restrict {{ cidr | ansible.utils.ipaddr('network') }} mask {{ cidr | ansible.utils.ipaddr('netmask') }} notrap nomodify
{% endfor %}
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient