[ntp-server] WIP: Replace ntp by ntpsec

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2022-08-09 17:26:59 +02:00 · 2022-08-09 17:26:59 +02:00 · f51c59f328
parent b242c22732
commit f51c59f328
2 changed files with 36 additions and 47 deletions
--- a/roles/ntp-server/tasks/main.yml
+++ b/roles/ntp-server/tasks/main.yml
@ -1,27 +1,27 @@
 ---
- name: Install NTP
+- name: Install NTPsec
  apt:
    update_cache: true
-    name: ntp
+    name: ntpsec
  register: apt_result
  retries: 3
  until: apt_result is succeeded

 - name: Configure NTP daemon
  lineinfile:
-    path: /etc/default/ntp
+    path: /etc/default/ntpsec
    regexp: ^NTPD_OPTS
-    line: NTPD_OPTS='-g -x'
+    line: NTPD_OPTS='-g -N'
  check_mode: false

- name: Configure NTP
+- name: Configure NTPsec
  template:
    src: ntp.conf.j2
-    dest: /etc/ntp.conf
+    dest: /etc/ntpsec/ntp.conf
    mode: 0644

- name: Start ntp service
+- name: Start ntpsec service
  systemd:
-    name: ntp
+    name: ntpsec
    enabled: true
    state: started
--- a/roles/ntp-server/templates/ntp.conf.j2
+++ b/roles/ntp-server/templates/ntp.conf.j2
@ -1,63 +1,52 @@
 {{ ansible_header | comment }}
-# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

-driftfile /var/lib/ntp/ntp.drift
-
-# Leap seconds definition provided by tzdata
+driftfile /var/lib/ntpsec/ntp.drift
 leapfile /usr/share/zoneinfo/leap-seconds.list

-# Enable this if you want statistics to be logged.
-#statsdir /var/log/ntpstats/
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable

-statistics loopstats peerstats clockstats
-filegen loopstats file loopstats type day enable
-filegen peerstats file peerstats type day enable
-filegen clockstats file clockstats type day enable
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable

+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts

 # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
 # pick a different set every time it starts up.  Please consider joining the
-# pool: <http://www.pool.ntp.org/join.html>
+# pool: <https://www.pool.ntp.org/join.html>
 pool 0.debian.pool.ntp.org iburst
 pool 1.debian.pool.ntp.org iburst
 pool 2.debian.pool.ntp.org iburst
 pool 3.debian.pool.ntp.org iburst

-
-# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
-# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
-# might also be helpful.
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
 #
 # Note that "restrict" applies to both servers and clients, so a configuration
 # that might be intended to block requests from certain clients could also end
 # up blocking replies from your own upstream servers.

 # By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery limited
-restrict -6 default kod notrap nomodify nopeer noquery limited
+restrict default kod nomodify nopeer noquery limited

 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
 restrict ::1
-
-# Needed for adding pool entries
-restrict source notrap nomodify noquery
-
-# Server on adm can sync
-{% for cidr in ntp_server.open %}
-restrict {{ cidr | ansible.utils.ipaddr('network') }} mask {{ cidr | ansible.utils.ipaddr('netmask') }} notrap nomodify
-{% endfor %}
-
-# Clients from this (example!) subnet have unlimited access, but only if
-# cryptographically authenticated.
-#restrict 192.168.123.0 mask 255.255.255.0 notrust
-
-
-# If you want to provide time to your local subnet, change the next line.
-# (Again, the address is an example only.)
-#broadcast 192.168.123.255
-
-# If you want to listen to time broadcasts on your local subnet, de-comment the
-# next lines.  Please do this only if you trust everybody on the network!
-#disable auth
-#broadcastclient