From 7a43606e052b6c95dc0f03c405fa70ee2ce27b28 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Fri, 25 Apr 2025 22:04:42 +0200
Subject: [PATCH] Make NTP servers configurable

Introduces the 'ntp_servers' configuration variable, which will
set upstream NTP servers for all hosts. The default uses the
Debian NTP pool.
---
 roles/float-base/defaults/main.yml     | 10 ++++++
 roles/float-base/handlers/main.yml     |  5 +++
 roles/float-base/tasks/main.yml        |  2 ++
 roles/float-base/tasks/ntp.yml         |  8 +++++
 roles/float-base/templates/ntp.conf.j2 | 48 ++++++++++++++++++++++++++
 5 files changed, 73 insertions(+)
 create mode 100644 roles/float-base/tasks/ntp.yml
 create mode 100644 roles/float-base/templates/ntp.conf.j2

diff --git a/roles/float-base/defaults/main.yml b/roles/float-base/defaults/main.yml
index eb35e9a4..24cef1f5 100644
--- a/roles/float-base/defaults/main.yml
+++ b/roles/float-base/defaults/main.yml
@@ -1,3 +1,5 @@
+---
+
 admins: []
 enable_ssh: true
 enable_osquery: false
@@ -52,3 +54,11 @@ kernel_lockdown_enabled: false
 enable_serial_port: false
 serial_port_unit: 0
 serial_port_speed: 115200
+
+# NOTE: we specify the `pool` part, because some user will override it and use
+# `server` instead
+ntp_servers:
+  - "pool 0.debian.pool.ntp.org iburst"
+  - "pool 1.debian.pool.ntp.org iburst"
+  - "pool 2.debian.pool.ntp.org iburst"
+  - "pool 3.debian.pool.ntp.org iburst"
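Review bot: The comment above `ntp_servers` should state explicitly that each entry is a complete ntp.conf directive line (keyword, host and options) that the template inserts verbatim, since nothing else in the patch adds the `pool`/`server` keyword or the `iburst` option. As written, a reader could take the variable for a list of hostnames and silently produce an unparseable config. Suggested wording: `# Each entry is a full ntp.conf line (e.g. "pool HOST iburst" or "server HOST nts"); the template inserts them verbatim, so include the keyword and any options yourself.` It would also help to note that the default pool entries are unauthenticated, and that NTS-capable upstreams are selected by overriding this list with `server ... nts` entries.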
diff --git a/roles/float-base/handlers/main.yml b/roles/float-base/handlers/main.yml
index 07b630b1..6b91a579 100644
--- a/roles/float-base/handlers/main.yml
+++ b/roles/float-base/handlers/main.yml
@@ -77,3 +77,8 @@
 
 - name: update-grub
   command: /usr/sbin/update-grub
+
+- name: restart ntp
+  systemd:
+    name: ntpsec.service
+    state: restarted
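Review bot: The new handler restarts `ntpsec.service`, but nothing in this patch installs the ntpsec package or ensures the unit is enabled, so the handler assumes the role does that elsewhere (outside this diff); if it does not, the first run renders the config and then fails in the handler. The handler name `restart ntp` also does not match the unit it manages, which makes it easy to confuse with a classic `ntp.service`; consider `- name: restart ntpsec` with the matching `notify` in tasks/ntp.yml, or a comment such as `# ntpsec provides the ntpd on Debian; the unit name differs from the classic ntp package`.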
diff --git a/roles/float-base/tasks/main.yml b/roles/float-base/tasks/main.yml
index f090b873..7fa545d4 100644
--- a/roles/float-base/tasks/main.yml
+++ b/roles/float-base/tasks/main.yml
@@ -62,6 +62,8 @@
 
 - import_tasks: debian_misc.yml
 
+- import_tasks: ntp.yml
+
 - import_tasks: syslog.yml
 
 - import_tasks: harden.yml
diff --git a/roles/float-base/tasks/ntp.yml b/roles/float-base/tasks/ntp.yml
new file mode 100644
index 00000000..7fedd0fb
--- /dev/null
+++ b/roles/float-base/tasks/ntp.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Configure ntp
+  template:
+    src: "ntp.conf.j2"
+    dest: "/etc/ntpsec/ntp.conf"
+    mode: 0400
+  notify: restart ntp
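Review bot: `mode: 0400` is an unquoted octal literal; it happens to work because of the leading zero, but Ansible's own guidance is to quote file modes so YAML cannot retype them, and the task sets no owner or group, so the file inherits whatever account the play connects as. Making ownership explicit alongside the quoted mode: `owner: root`, `group: root`, `mode: "0400"`. 0400 on a root-owned file presumes ntpd reads its configuration before dropping privileges to the ntpsec user, which I believe the Debian packaging does, but it is worth confirming on a target host since a permission error here only surfaces at the restart handler.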
diff --git a/roles/float-base/templates/ntp.conf.j2 b/roles/float-base/templates/ntp.conf.j2
new file mode 100644
index 00000000..2035e6fd
--- /dev/null
+++ b/roles/float-base/templates/ntp.conf.j2
@@ -0,0 +1,48 @@
+# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
+
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <https://www.pool.ntp.org/join.html>
+{{ ntp_servers | join('\n') }}
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that restrict applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
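Review bot: The `tos maxclock 11` and `tos minclock 4 minsane 3` lines, and the comment explaining them, are carried over from the stock Debian config and assume exactly the four default pool entries; now that `ntp_servers` is user-configurable these values are no longer tied to the actual list, and an override with fewer than three `server` entries may leave ntpd unable to reach the `minsane` threshold, so synchronisation may never happen (hedged: confirm against ntp.conf(5) on the target release). At minimum the assumption should be documented next to those lines, e.g. `# maxclock/minclock/minsane are sized for the default four pool entries; revisit them if ntp_servers is overridden`. The stock comments around the templated line ("Specify one or more NTP servers.", the pool.ntp.org paragraph) now describe the default rather than what the template does; a short `# Upstream servers come from the ntp_servers variable (roles/float-base/defaults/main.yml)` above `{{ ntp_servers | join('\n') }}` would point readers to the right place.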
-- 
GitLab