Commit f6ddd1dc authored by ale

Merge branch 'configure-ntp' into 'master'

Make NTP servers configurable

See merge request !316
parents 07bb2549 7a43606e
Pipeline #94020 failed
---
admins: []
enable_ssh: true
enable_osquery: false
......@@ -52,3 +54,11 @@ kernel_lockdown_enabled: false
enable_serial_port: false
serial_port_unit: 0
serial_port_speed: 115200
# NOTE: we specify the `pool` part, because some user will override it and use
# `server` instead
ntp_servers:
- "pool 0.debian.pool.ntp.org iburst"
- "pool 1.debian.pool.ntp.org iburst"
- "pool 2.debian.pool.ntp.org iburst"
- "pool 3.debian.pool.ntp.org iburst"
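Review bot: each `ntp_servers` item is emitted verbatim into ntp.conf by the template, so the contract of this variable is "one complete ntpd directive per item", not a list of hostnames; the comment about users substituting `server` hints at this but never states it. Spell it out here (including that options such as `iburst` or `nts` must be carried by the override), and consider rejecting items that do not start with `pool`, `server` or `peer`, since anything else (a `restrict` line, for instance) would silently reconfigure the daemon. Also note that these four defaults are tied to the fixed `tos maxclock 11` / `tos minclock 4 minsane 3` values in the template, so an override with a different number of entries has to adjust those too.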
......@@ -77,3 +77,8 @@
- name: update-grub
command: /usr/sbin/update-grub
- name: restart ntp
systemd:
name: ntpsec.service
state: restarted
......@@ -62,6 +62,8 @@
- import_tasks: debian_misc.yml
- import_tasks: ntp.yml
- import_tasks: syslog.yml
- import_tasks: harden.yml
......
---
- name: Configure ntp
template:
src: "ntp.conf.j2"
dest: "/etc/ntpsec/ntp.conf"
mode: 0400
notify: restart ntp
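Review bot: nothing in this task, nor in the `restart ntp` handler it notifies, ensures the `ntpsec` package is installed and `ntpsec.service` is enabled; on a host without it, the template is written into a directory that may not exist and the handler fails. Unless ntpsec is installed elsewhere in the role, add an `apt` task before this one. Minor: quote the mode as `'0400'`, as Ansible's documentation recommends for octal modes, so a later edit to a value like `400` is not misread.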
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
# This should be maxclock 7, but the pool entries count towards maxclock.
tos maxclock 11
# Comment this out if you have a refclock and want it to be able to discipline
# the clock by itself (e.g. if the system is not connected to the network).
tos minclock 4 minsane 3
# Specify one or more NTP servers.
# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
{{ ntp_servers | join('\n') }}
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that restrict applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict default kod nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
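Review bot: the `tos maxclock 11` and `tos minclock 4 minsane 3` lines, and their comments, were written for exactly four `pool` entries; now that `ntp_servers` is operator-supplied they can disagree with the list (an override with two `server` entries can never satisfy `minsane 3`, so ntpd will not set the clock). Derive these values from `ntp_servers | length` or document the constraint beside the variable. Also add a short comment above `{{ ntp_servers | join('\n') }}` stating that the lines come from the Ansible variable, since the surrounding text still reads like the stock Debian file.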