forked from ISTI-ansible-roles/ansible-roles
Role that manages the ntp service.
This commit is contained in:
parent
d812967a1e
commit
974f7d893a
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
ntp_service_enabled: True
|
||||||
|
ntp_statistics_enabled: False
|
||||||
|
|
||||||
|
#ntp_allowed_clients:
|
||||||
|
# - { ip: '', netmask: '', options: '' }
|
||||||
|
|
||||||
|
#ntp_servers_pool:
|
||||||
|
# - x.y.z.w
|
||||||
|
# - w.y.z.x
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
- name: Restart the ntp server
|
||||||
|
service: name=ntp state=restarted enabled=yes
|
||||||
|
when: ntp_service_enabled | bool
|
||||||
|
|
||||||
|
- name: Restart the ntpd server
|
||||||
|
service: name=ntpd state=restarted enabled=yes
|
||||||
|
when: ntp_service_enabled | bool
|
|
@ -0,0 +1,38 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Install the ntp server
|
||||||
|
apt: pkg=ntp state=present valid_cache_time=3600
|
||||||
|
|
||||||
|
- name: Install the ntp configuration.
|
||||||
|
template: src=ntp.conf.j2 dest=/etc/ntp.conf owner=root group=root mode=0644
|
||||||
|
notify: Restart the ntp server
|
||||||
|
|
||||||
|
- name: Ensure that the ntp server is running
|
||||||
|
service: name=ntp state=started enabled=yes
|
||||||
|
when: ntp_service_enabled | bool
|
||||||
|
|
||||||
|
- name: Ensure that the ntp server is stopped and disabled
|
||||||
|
service: name=ntp state=stopped enabled=no
|
||||||
|
when: not ntp_service_enabled | bool
|
||||||
|
|
||||||
|
when: ansible_distribution_file_variety == "Debian"
|
||||||
|
tags: [ 'packages', 'ntp' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Install the ntpd server
|
||||||
|
yum: pkg=ntp state=present
|
||||||
|
|
||||||
|
- name: Install the ntp configuration.
|
||||||
|
template: src=ntp-centos.conf.j2 dest=/etc/ntp.conf owner=root group=root mode=0644
|
||||||
|
notify: Restart the ntpd server
|
||||||
|
|
||||||
|
- name: Ensure that the ntpd server is running
|
||||||
|
service: name=ntpd state=started enabled=yes
|
||||||
|
when: ntp_service_enabled | bool
|
||||||
|
|
||||||
|
- name: Ensure that the ntpd server is stopped and disabled
|
||||||
|
service: name=ntpd state=stopped enabled=no
|
||||||
|
when: not ntp_service_enabled | bool
|
||||||
|
|
||||||
|
when: ansible_distribution_file_variety == "RedHat"
|
||||||
|
tags: [ 'packages', 'ntp' ]
|
|
@ -0,0 +1,85 @@
|
||||||
|
# For more information about this file, see the man pages
|
||||||
|
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
|
||||||
|
|
||||||
|
driftfile /var/lib/ntp/drift
|
||||||
|
|
||||||
|
# Permit time synchronization with our time source, but do not
|
||||||
|
# permit the source to query or modify the service on this system.
|
||||||
|
restrict default nomodify notrap nopeer noquery
|
||||||
|
|
||||||
|
# Permit all access over the loopback interface. This could
|
||||||
|
# be tightened as well, but to do so would effect some of
|
||||||
|
# the administrative functions.
|
||||||
|
restrict 127.0.0.1
|
||||||
|
restrict ::1
|
||||||
|
|
||||||
|
# Hosts on local network are less restricted.
|
||||||
|
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
|
||||||
|
|
||||||
|
# Use public servers from the pool.ntp.org project.
|
||||||
|
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
|
||||||
|
{% if ntp_servers_pool is defined %}
|
||||||
|
{% for pool_ip in ntp_servers_pool %}
|
||||||
|
{{ pool_ip }} prefer iburst
|
||||||
|
{% else %}
|
||||||
|
server 0.centos.pool.ntp.org iburst
|
||||||
|
server 1.centos.pool.ntp.org iburst
|
||||||
|
server 2.centos.pool.ntp.org iburst
|
||||||
|
server 3.centos.pool.ntp.org iburst
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
restrict source notrap nomodify noquery
|
||||||
|
|
||||||
|
# Clients from this (example!) subnet have unlimited access, but only if
|
||||||
|
# cryptographically authenticated.
|
||||||
|
{% if nagios_monitoring_server_ip is defined %}
|
||||||
|
{% for ip in nagios_monitoring_server_ip %}
|
||||||
|
restrict {{ ip }} mask 255.255.255.255 notrap nomodify
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% if ntp_allowed_clients is defined %}
|
||||||
|
{% for host in ntp_allowed_clients %}
|
||||||
|
restrict {{ host.ip }} mask {{ host.netmask }} {% if host.options is defined %}{{ host.options }}{% else %}notrap nomodify{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
#broadcast 192.168.1.255 autokey # broadcast server
|
||||||
|
#broadcastclient # broadcast client
|
||||||
|
#broadcast 224.0.1.1 autokey # multicast server
|
||||||
|
#multicastclient 224.0.1.1 # multicast client
|
||||||
|
#manycastserver 239.255.254.254 # manycast server
|
||||||
|
#manycastclient 239.255.254.254 autokey # manycast client
|
||||||
|
|
||||||
|
# Enable public key cryptography.
|
||||||
|
#crypto
|
||||||
|
|
||||||
|
includefile /etc/ntp/crypto/pw
|
||||||
|
|
||||||
|
# Key file containing the keys and key identifiers used when operating
|
||||||
|
# with symmetric key cryptography.
|
||||||
|
keys /etc/ntp/keys
|
||||||
|
|
||||||
|
# Specify the key identifiers which are trusted.
|
||||||
|
#trustedkey 4 8 42
|
||||||
|
|
||||||
|
# Specify the key identifier to use with the ntpdc utility.
|
||||||
|
#requestkey 8
|
||||||
|
|
||||||
|
# Specify the key identifier to use with the ntpq utility.
|
||||||
|
#controlkey 8
|
||||||
|
|
||||||
|
# Enable writing of statistics records.
|
||||||
|
{% if ntp_statistics_enabled %}
|
||||||
|
statsdir /var/log/ntpstats/
|
||||||
|
|
||||||
|
statistics clockstats cryptostats loopstats peerstats
|
||||||
|
filegen loopstats file loopstats type day enable
|
||||||
|
filegen peerstats file peerstats type day enable
|
||||||
|
filegen clockstats file clockstats type day enable
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# Disable the monitoring facility to prevent amplification attacks using ntpdc
|
||||||
|
# monlist command when default restrict does not include the noquery flag. See
|
||||||
|
# CVE-2013-5211 for more details.
|
||||||
|
# Note: Monitoring will not be disabled with the limited restriction flag.
|
||||||
|
disable monitor
|
|
@ -0,0 +1,82 @@
|
||||||
|
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
|
||||||
|
|
||||||
|
driftfile /var/lib/ntp/ntp.drift
|
||||||
|
|
||||||
|
# Enable this if you want statistics to be logged.
|
||||||
|
{% if ntp_statistics_enabled %}
|
||||||
|
statsdir /var/log/ntpstats/
|
||||||
|
|
||||||
|
statistics loopstats peerstats clockstats
|
||||||
|
filegen loopstats file loopstats type day enable
|
||||||
|
filegen peerstats file peerstats type day enable
|
||||||
|
filegen clockstats file clockstats type day enable
|
||||||
|
{% endif %}
|
||||||
|
# Specify one or more NTP servers.
|
||||||
|
|
||||||
|
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
|
||||||
|
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
|
||||||
|
# more information.
|
||||||
|
{% if ntp_servers_pool is defined %}
|
||||||
|
{% for pool_ip in ntp_servers_pool %}
|
||||||
|
{{ pool_ip }} prefer iburst
|
||||||
|
{% else %}
|
||||||
|
pool 0.ubuntu.pool.ntp.org iburst
|
||||||
|
pool 1.ubuntu.pool.ntp.org iburst
|
||||||
|
pool 2.ubuntu.pool.ntp.org iburst
|
||||||
|
pool 3.ubuntu.pool.ntp.org iburst
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# Use Ubuntu's ntp server as a fallback.
|
||||||
|
pool ntp.ubuntu.com
|
||||||
|
|
||||||
|
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
|
||||||
|
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
|
||||||
|
# might also be helpful.
|
||||||
|
#
|
||||||
|
# Note that "restrict" applies to both servers and clients, so a configuration
|
||||||
|
# that might be intended to block requests from certain clients could also end
|
||||||
|
# up blocking replies from your own upstream servers.
|
||||||
|
|
||||||
|
# By default, exchange time with everybody, but don't allow configuration.
|
||||||
|
restrict -4 default kod notrap nomodify nopeer noquery limited
|
||||||
|
restrict -6 default kod notrap nomodify nopeer noquery limited
|
||||||
|
|
||||||
|
# Local users may interrogate the ntp server more closely.
|
||||||
|
restrict 127.0.0.1
|
||||||
|
restrict ::1
|
||||||
|
|
||||||
|
# Needed for adding pool entries
|
||||||
|
restrict source notrap nomodify noquery
|
||||||
|
|
||||||
|
# Clients from this (example!) subnet have unlimited access, but only if
|
||||||
|
# cryptographically authenticated.
|
||||||
|
{% if nagios_monitoring_server_ip is defined %}
|
||||||
|
{% for ip in nagios_monitoring_server_ip %}
|
||||||
|
restrict {{ ip }} mask 255.255.255.255 notrap nomodify
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% if ntp_allowed_clients is defined %}
|
||||||
|
{% for host in ntp_allowed_clients %}
|
||||||
|
restrict {{ host.ip }} mask {{ host.netmask }} {% if host.options is defined %}{{ host.options }}{% else %}notrap nomodify{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
|
||||||
|
# If you want to provide time to your local subnet, change the next line.
|
||||||
|
# (Again, the address is an example only.)
|
||||||
|
#broadcast 192.168.123.255
|
||||||
|
|
||||||
|
# If you want to listen to time broadcasts on your local subnet, de-comment the
|
||||||
|
# next lines. Please do this only if you trust everybody on the network!
|
||||||
|
#disable auth
|
||||||
|
#broadcastclient
|
||||||
|
|
||||||
|
#Changes recquired to use pps synchonisation as explained in documentation:
|
||||||
|
#http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918
|
||||||
|
|
||||||
|
#server 127.127.8.1 mode 135 prefer # Meinberg GPS167 with PPS
|
||||||
|
#fudge 127.127.8.1 time1 0.0042 # relative to PPS for my hardware
|
||||||
|
|
||||||
|
#server 127.127.22.1 # ATOM(PPS)
|
||||||
|
#fudge 127.127.22.1 flag3 1 # enable PPS API
|
||||||
|
|
Loading…
Reference in New Issue