diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2020-11-05 17:13:03 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2020-11-15 18:33:37 +0100 |
| commit | e8e01842f4e578ec427dd8d6f5a5e40b498458af (patch) | |
| tree | b4fcd836afa59a11570d54ab2e55dceb99e98bfc | |
| parent | 6a7bf972fa2c054f1aef5465237343247959e313 (diff) | |
Change NTP client to systemd-timesyncd.
(Excluding our NTP master.) It's simpler, arguably more secure, and
provides enough functionality when only simple client use-cases are
desired.
We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd
can connect to the fallbacks NTP servers.
| -rw-r--r-- | roles/common/handlers/main.yml | 3 | ||||
| -rw-r--r-- | roles/common/tasks/ntp.yml | 29 | ||||
| -rwxr-xr-x | roles/common/templates/etc/nftables.conf.j2 | 8 | ||||
| -rw-r--r-- | roles/common/templates/etc/ntp.conf.j2 | 12 | ||||
| -rw-r--r-- | roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 | 9 |
5 files changed, 40 insertions, 21 deletions
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 9cc94bf..bbaaef5 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -29,6 +29,9 @@ - name: Restart rsyslog service: name=rsyslog state=restarted +- name: Restart systemd-timesyncd + service: name=systemd-timesyncd state=restarted + - name: Restart ntp service: name=ntp state=restarted diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml index f9a01c8..60ffef9 100644 --- a/roles/common/tasks/ntp.yml +++ b/roles/common/tasks/ntp.yml @@ -1,15 +1,30 @@ -- name: Install ntp - apt: pkg=ntp +- name: Install/Remove ntp + # TODO bullseye: install new package 'systemd-timesyncd' + apt: pkg=ntp state={{ state }} purge=yes + vars: + state: "{{ ('NTP_master' in group_names) | ternary('present', 'absent') }}" + +- name: Create /etc/systemd/timesyncd.conf.d + file: path=/etc/systemd/timesyncd.conf.d + state=directory + owner=root group=root + mode=0755 + when: "'NTP_master' not in group_names" - name: Configure ntp - template: src=etc/ntp.conf.j2 - dest=/etc/ntp.conf + template: src=etc/{{ conf }}.j2 + dest=/etc/{{ conf }} owner=root group=root mode=0644 + vars: + conf: "{{ ('NTP_master' in group_names) | ternary('ntp.conf', 'systemd/timesyncd.conf.d/fripost.conf') }}" + service: "{{ ('NTP_master' in group_names) | ternary('ntp', 'systemd-timesyncd') }}" notify: - - Restart ntp + - Restart {{ service }} - meta: flush_handlers -- name: Start ntp - service: name=ntp state=started +- name: Start and enable ntp + service: name={{ service }}.service state=started enabled=true + vars: + service: "{{ ('NTP_master' in group_names) | ternary('ntp', 'systemd-timesyncd') }}" diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 index c89a136..808383c 100755 --- a/roles/common/templates/etc/nftables.conf.j2 +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -168,7 +168,9 @@ table inet filter { # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already meta l4proto { icmp, icmpv6 } counter accept - udp sport 123 udp dport 123 ct state related,established accept + # NTP (ntpd uses sport 123 but systemd-timesyncd does not) + udp sport 123 ct state related,established accept + {% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept {% if groups.NATed | length > 0 %} @@ -206,7 +208,9 @@ table inet filter { meta l4proto { icmp, icmpv6 } counter accept - udp sport 123 udp dport 123 ct state new,related,established accept + # NTP (ntpd uses sport 123 but systemd-timesyncd does not) + udp dport 123 ct state new,related,established accept + {% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept {% if groups.NATed | length > 0 %} diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2 index 1016d55..b76f0dd 100644 --- a/roles/common/templates/etc/ntp.conf.j2 +++ b/roles/common/templates/etc/ntp.conf.j2 @@ -15,7 +15,6 @@ filegen clockstats file clockstats type day enable # You do need to talk to an NTP server or two (or three). -{% if 'NTP_master' in group_names %} # Use Stratum One Time Servers: # http://support.ntp.org/bin/view/Servers/StratumOneTimeServers server sth1.ntp.se iburst @@ -24,17 +23,6 @@ server gbg1.ntp.se iburst server gbg2.ntp.se iburst server ntp1.sp.se iburst server ntp2.sp.se iburst -{% else %} -# Sychronize to our (stratum 2) NTP server, to ensure our network has a -# consistent time. -{% for host in groups['NTP_master'] | sort %} -server {{ ipsec[ hostvars[host].inventory_hostname_short ] }} prefer iburst -{% endfor %} -pool 0.{{ geoip | default('debian') }}.pool.ntp.org iburst -pool 1.{{ geoip | default('debian') }}.pool.ntp.org iburst -pool 2.{{ geoip | default('debian') }}.pool.ntp.org iburst -pool 3.{{ geoip | default('debian') }}.pool.ntp.org iburst -{% endif %} # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for diff --git a/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 b/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 new file mode 100644 index 0000000..f578cd9 --- /dev/null +++ b/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 @@ -0,0 +1,9 @@ +[Time] +# Sychronize to our (stratum 2) NTP server, to ensure our network has a +# consistent time. +{%- set ntp = [] -%} +{%- for host in groups['NTP_master'] -%} +{%- set _ = ntp.append(ipsec[ hostvars[host].inventory_hostname_short ]) -%} +{%- endfor %} + +NTP={{ ntp | join(' ') }} |