Merge branch 'master' of adellam/ansible-roles into master

library/centos/roles/basic-setup/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: '../../library/roles/ntp'

library/centos/roles/basic-setup/tasks/main.yml

@@ -71,16 +71,6 @@
   when: configure_domain_name_in_interface
   tags: [ 'centos', 'bootstrap' ]
 
-- name: Ensure that the ntpd service is enabled and running
-  service: name=ntpd state=started enabled=yes
-  when: centos_ntpd_enabled
-  tags: [ 'centos', 'bootstrap', 'ntp' ]
-
-- name: Ensure that the ntpd service is stopped and disabled
-  service: name=ntpd state=stopped enabled=no
-  when: not centos_ntpd_enabled
-  tags: [ 'centos', 'bootstrap', 'ntp' ]
-
 - name: Stop avahi before removing it when it is not needed
   service: name=avahi-daemon state=stopped enabled=no
   when: centos_remove_avahi or centos_disable_avahi

library/roles/ntp/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+ntp_service_enabled: True
+ntp_statistics_enabled: False
+
+#ntp_allowed_clients:
+#  - { ip: '', netmask: '', options: '' }
+
+#ntp_servers_pool:
+# - x.y.z.w
+# - w.y.z.x
+

library/roles/ntp/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Restart the ntp server
+  service: name=ntp state=restarted enabled=yes
+  when: ntp_service_enabled | bool
+
+- name: Restart the ntpd server
+  service: name=ntpd state=restarted enabled=yes
+  when: ntp_service_enabled | bool

library/roles/ntp/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+- block:
+  - name: Install the ntp server
+    apt: pkg=ntp state=present valid_cache_time=3600
+
+  - name: Install the ntp configuration.
+    template: src=ntp.conf.j2 dest=/etc/ntp.conf owner=root group=root mode=0644
+    notify: Restart the ntp server
+  
+  - name: Ensure that the ntp server is running
+    service: name=ntp state=started enabled=yes
+    when: ntp_service_enabled | bool
+
+  - name: Ensure that the ntp server is stopped and disabled
+    service: name=ntp state=stopped enabled=no
+    when: not ntp_service_enabled | bool
+
+  when: ansible_distribution_file_variety == "Debian"
+  tags: [ 'packages', 'ntp' ]
+
+- block:
+  - name: Install the ntpd server
+    yum: pkg=ntp state=present
+
+  - name: Install the ntp configuration.
+    template: src=ntp-centos.conf.j2 dest=/etc/ntp.conf owner=root group=root mode=0644
+    notify: Restart the ntpd server
+  
+  - name: Ensure that the ntpd server is running
+    service: name=ntpd state=started enabled=yes
+    when: ntp_service_enabled | bool
+
+  - name: Ensure that the ntpd server is stopped and disabled
+    service: name=ntpd state=stopped enabled=no
+    when: not ntp_service_enabled | bool
+
+  when: ansible_distribution_file_variety == "RedHat"
+  tags: [ 'packages', 'ntp' ]

library/roles/ntp/templates/ntp-centos.conf.j2

@@ -0,0 +1,85 @@
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface.  This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+{% if ntp_servers_pool is defined %}
+{% for pool_ip in ntp_servers_pool %}
+{{ pool_ip }} prefer iburst
+{% else %}
+server 0.centos.pool.ntp.org iburst
+server 1.centos.pool.ntp.org iburst
+server 2.centos.pool.ntp.org iburst
+server 3.centos.pool.ntp.org iburst
+{% endif %}
+
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+{% if nagios_monitoring_server_ip is defined %}
+{% for ip in nagios_monitoring_server_ip %}
+restrict {{ ip }} mask 255.255.255.255 notrap nomodify
+{% endfor %}
+{% endif %}
+{% if ntp_allowed_clients is defined %}
+{% for host in ntp_allowed_clients %}
+restrict {{ host.ip }} mask {{ host.netmask }} {% if host.options is defined %}{{ host.options }}{% else %}notrap nomodify{% endif %}
+{% endfor %}
+{% endif %}
+
+#broadcast 192.168.1.255 autokey        # broadcast server
+#broadcastclient                        # broadcast client
+#broadcast 224.0.1.1 autokey            # multicast server
+#multicastclient 224.0.1.1              # multicast client
+#manycastserver 239.255.254.254         # manycast server
+#manycastclient 239.255.254.254 autokey # manycast client
+
+# Enable public key cryptography.
+#crypto
+
+includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+
+# Enable writing of statistics records.
+{% if ntp_statistics_enabled %}
+statsdir /var/log/ntpstats/
+
+statistics clockstats cryptostats loopstats peerstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+{% endif %}
+
+# Disable the monitoring facility to prevent amplification attacks using ntpdc
+# monlist command when default restrict does not include the noquery flag. See
+# CVE-2013-5211 for more details.
+# Note: Monitoring will not be disabled with the limited restriction flag.
+disable monitor

library/roles/ntp/templates/ntp.conf.j2

@@ -3,22 +3,28 @@
 driftfile /var/lib/ntp/ntp.drift
 
 # Enable this if you want statistics to be logged.
-#statsdir /var/log/ntpstats/
+{% if ntp_statistics_enabled %}
+statsdir /var/log/ntpstats/
 
 statistics loopstats peerstats clockstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
-
+{% endif %}
 # Specify one or more NTP servers.
 
 # Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
 # on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
 # more information.
+{% if ntp_servers_pool is defined %}
+{% for pool_ip in ntp_servers_pool %}
+{{ pool_ip }} prefer iburst
+{% else %}
 pool 0.ubuntu.pool.ntp.org iburst
 pool 1.ubuntu.pool.ntp.org iburst
 pool 2.ubuntu.pool.ntp.org iburst
 pool 3.ubuntu.pool.ntp.org iburst
+{% endif %}
 
 # Use Ubuntu's ntp server as a fallback.
 pool ntp.ubuntu.com
@@ -46,9 +52,15 @@ restrict source notrap nomodify noquery
 # cryptographically authenticated.
 {% if nagios_monitoring_server_ip is defined %}
 {% for ip in nagios_monitoring_server_ip %}
-restrict {{ ip }} mask 255.255.255.255
+restrict {{ ip }} mask 255.255.255.255 notrap nomodify
 {% endfor %}
 {% endif %}
+{% if ntp_allowed_clients is defined %}
+{% for host in ntp_allowed_clients %}
+restrict {{ host.ip }} mask {{ host.netmask }} {% if host.options is defined %}{{ host.options }}{% else %}notrap nomodify{% endif %}
+{% endfor %}
+{% endif %}
+
 
 # If you want to provide time to your local subnet, change the next line.
 # (Again, the address is an example only.)
@@ -67,3 +79,4 @@ restrict {{ ip }} mask 255.255.255.255
 
 #server 127.127.22.1                   # ATOM(PPS)
 #fudge 127.127.22.1 flag3 1            # enable PPS API
+

library/roles/ubuntu-deb-general/handlers/main.yml

@@ -22,7 +22,3 @@
   shell: update-ca-certificates
   tags: ca
 
-- name: Restart ntp server
-  service: name=ntp state=restarted
-
-

library/roles/ubuntu-deb-general/meta/main.yml

@@ -6,6 +6,7 @@ dependencies:
   - role: '../../library/roles/deb-set-locale'
   - role: '../../library/roles/timezone'
   - role: '../../library/roles/motd'
+  - role: '../../library/roles/ntp'
   - role: '../../library/roles/linux-kernel-sysctl'
   - role: '../../library/roles/sshd_config'
   - role: '../../library/roles/fail2ban'

library/roles/ubuntu-deb-general/tasks/main.yml

@@ -7,7 +7,6 @@
 - import_tasks: packages.yml
 - import_tasks: install_nscd.yml
   when: install_nscd
-- import_tasks: ntp.yml
 - import_tasks: remove-unneeded-pkgs.yml
 - import_tasks: denyhost.yml
   when: is_debian_7_or_older

library/roles/ubuntu-deb-general/tasks/ntp.yml

@@ -1,14 +0,0 @@
----
-- name: Install the ntp server
-  apt: pkg=ntp state={{ pkg_state }}
-  tags: [ 'packages', 'ntp' ]
-
-- name: Install the ntp configuration. Needed on Ubuntu Xenial to allow the nagios check
-  template: src=ntp.conf.j2 dest=/etc/ntp.conf owner=root group=root mode=0644
-  notify: Restart ntp server
-  tags: [ 'packages', 'ntp' ]
-  
-- name: Ensure that the ntp server is running
-  service: name=ntp state=started enabled=yes
-  tags: [ 'packages', 'ntp' ]
-