From 0a3483d03c11ed24062322150ef18ca083a1b35b Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Sat, 8 Mar 2025 23:04:32 +0100
Subject: [PATCH] Set up ntpd on domotica machines

Listen on 172.30.2.0/24.

---
 ansible/roles/domotica/tasks/main.yaml | 2 +
 ansible/roles/domotica/tasks/ntp.yaml | 21 ++++
 ansible/roles/domotica/templates/ntp.conf | 115 ++++++++++++++++++++++
 3 files changed, 138 insertions(+)
 create mode 100644 ansible/roles/domotica/tasks/ntp.yaml
 create mode 100644 ansible/roles/domotica/templates/ntp.conf

diff --git a/ansible/roles/domotica/tasks/main.yaml b/ansible/roles/domotica/tasks/main.yaml
index fa9b923..7826038 100644
--- a/ansible/roles/domotica/tasks/main.yaml
+++ b/ansible/roles/domotica/tasks/main.yaml
@@ -43,3 +43,5 @@
 - meta: flush_handlers
 - name: iot_net
   import_tasks: iot_net.yaml
+- name: ntp
+  import_tasks: ntp.yaml
diff --git a/ansible/roles/domotica/tasks/ntp.yaml b/ansible/roles/domotica/tasks/ntp.yaml
new file mode 100644
index 0000000..597c8e7
--- /dev/null
+++ b/ansible/roles/domotica/tasks/ntp.yaml
@@ -0,0 +1,21 @@
+- name: install ntp.conf
+  template:
+    src: ntp.conf
+    dest: /etc/ntp.conf
+    owner: root
+    group: wheel
+    mode: 0644
+  become: true
+- name: ntp enable
+  community.general.sysrc:
+    name: ntpd_enable
+    value: "YES"
+  become: true
+- name: ntpdate enable
+  community.general.sysrc:
+    name: ntpdate_enable
+    value: "YES"
+- name: sync on start
+  community.general.sysrc:
+    name: ntpd_sync_on_start
+    value: "YES"
diff --git a/ansible/roles/domotica/templates/ntp.conf b/ansible/roles/domotica/templates/ntp.conf
new file mode 100644
index 0000000..bcae066
--- /dev/null
+++ b/ansible/roles/domotica/templates/ntp.conf
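Review bot: The `ntpdate enable` and `sync on start` tasks in ntp.yaml carry no `become: true`, although the two tasks above them do; `community.general.sysrc` writes /etc/rc.conf, so unless the play is already running as root these two tasks will fail on permissions and `ntpdate_enable`/`ntpd_sync_on_start` will never be set. Add `become: true` to both so all four tasks run with the same privilege, or move `become` up to the importing play if that is the role's convention. The `install ntp.conf` task has no `notify`, so a later change to the template will be written to disk but not picked up by an already-running ntpd; if the role has an ntpd restart handler (none is visible in this patch), `notify: <ntpd handler name>` on that task would close the gap. `mode: 0644` works because Ansible special-cases leading-zero integers, but the module documentation recommends the unambiguous string form `mode: "0644"`, matching the quoted `value: "YES"` entries in the same file.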
@@ -0,0 +1,115 @@
+#
+#
+# Default NTP servers for the FreeBSD operating system.
+#
+# Don't forget to enable ntpd in /etc/rc.conf with:
+# ntpd_enable="YES"
+#
+# The driftfile is by default /var/db/ntpd.drift, check
+# /etc/defaults/rc.conf on how to change the location.
+#
+
+#
+# Set the target and limit for adding servers configured via pool statements
+# or discovered dynamically via mechanisms such as broadcast and manycast.
+# Ntpd automatically adds maxclock-1 servers from configured pools, and may
+# add as many as maxclock*2 if necessary to ensure that at least minclock
+# servers are providing good consistent time.
+#
+tos minclock 3 maxclock 6
+
+#
+# The following pool statements will give you a random set of IPv4 and IPv6
+# NTP servers geographically close to you. A single pool statement adds
+# multiple servers from the pool, according to the tos minclock/maxclock
+# targets.
+# See http://www.pool.ntp.org/ for details. Note, pool.ntp.org encourages
+# users with a static IP and good upstream NTP servers to add a server
+# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
+#
+# The option `iburst' is used for faster initial synchronization.
+#
+pool 0.freebsd.pool.ntp.org iburst
+pool 2.freebsd.pool.ntp.org iburst
+
+#
+# If you want to pick yourself which country's public NTP server
+# you want to sync against, comment out the above pool statements,
+# uncomment the next ones, and replace CC with the country's abbreviation.
+# Make sure that the hostnames resolves to a proper IP address!
+#
+# pool 0.CC.pool.ntp.org iburst
+# pool 2.CC.pool.ntp.org iburst
+
+#
+# To configure a specific server, such as an organization-wide local
+# server, add lines similar to the following. One or more specific
+# servers can be configured in addition to, or instead of, any server
+# pools specified above. When both are configured, ntpd first adds all
+# the specific servers, then adds servers from the pool until the tos
+# minclock/maxclock targets are met.
+#
+#server time.my-internal.org iburst
+
+#
+# Security:
+#
+# By default, only allow time queries and block all other requests
+# from unauthenticated clients.
+#
+# The "restrict source" line allows peers to be mobilized when added by
+# ntpd from a pool, but does not enable mobilizing a new peer association
+# by other dynamic means (broadcast, manycast, ntpq commands, etc).
+#
+# See http://support.ntp.org/bin/view/Support/AccessRestrictions
+# for more information.
+#
+restrict default limited kod nomodify notrap noquery nopeer
+restrict source limited kod nomodify notrap noquery
+
+#
+# Alternatively, the following rules would block all unauthorized access.
+#
+#restrict default ignore
+#
+# In this case, all remote NTP time servers also need to be explicitly
+# allowed or they would not be able to exchange time information with
+# this server.
+#
+# Please note that this example doesn't work for the servers in
+# the pool.ntp.org domain since they return multiple A records.
+#
+#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
+#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
+#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
+#
+# The following settings allow unrestricted access from the localhost
+restrict 127.0.0.1
+restrict ::1
+restrict 172.30.2.0 mask 255.255.255.0
+
+#
+# If a server loses sync with all upstream servers, NTP clients
+# no longer follow that server. The local clock can be configured
+# to provide a time source when this happens, but it should usually
+# be configured on just one server on a network. For more details see
+# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
+# The use of Orphan Mode may be preferable.
+#
+#server 127.127.1.0
+#fudge 127.127.1.0 stratum 10
+
+# See http://support.ntp.org/bin/view/Support/ConfiguringNTP#Section_6.14.
+# for documentation regarding leapfile. Updates to the file can be obtained
+# from ftp://time.nist.gov/pub/ or ftp://tycho.usno.navy.mil/pub/ntp/.
+# Use either leapfile in /etc/ntp or periodically updated leapfile in /var/db.
+#leapfile "/etc/ntp/leap-seconds"
+leapfile "/var/db/ntpd.leap-seconds.list"
+
+# Specify the number of megabytes of memory that should be allocated and
+# locked. -1 (default) means "do not lock the process into memory".
+# 0 means "lock whatever memory the process wants into memory". Any other
+# number means to lock up to that number of megabytes into memory.
+# 0 may result in a segfault when ASLR with stack gap randomization
+# is enabled.
+#rlimit memlock 32
-- 
2.51.0
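Review bot: `restrict 172.30.2.0 mask 255.255.255.0` with no flags lifts every restriction the `restrict default limited kod nomodify notrap noquery nopeer` line deliberately imposes, so hosts on that subnet get mode 6/7 control queries, peer mobilisation and unthrottled rate, while the comment directly above still describes the block as localhost-only access. Plain time service to 172.30.2.0/24 is already permitted by the default line, so for the stated goal the new line is unnecessary; if the intent is to allow `ntpq` monitoring from the LAN, keep the protective flags and drop only `noquery`: `restrict 172.30.2.0 mask 255.255.255.0 limited kod nomodify notrap nopeer`. Note that `restrict` does not control which addresses ntpd binds; if "listen on" was meant literally, that is the `interface listen`/`interface ignore` directive. The file is installed via the template module but contains no Jinja expression, so the subnet is hard-coded; a role variable (e.g. a constructed name such as `{{ ntp_client_net }}`) would let the same template serve other hosts, given that main.yaml also imports an `iot_net` task file that presumably defines this network.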