diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2013-12-08 00:12:01 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:12 +0200 |
| commit | 5b209a8e337f03683c45d0eb6029e2321cc3e82b (patch) | |
| tree | 0f127d63468ae68927429313596ad3b470ccb205 /roles/common/templates/etc/ntp.conf.j2 | |
| parent | c79f18ff9a04a7534dba3c288bc9606f17786b16 (diff) | |
Configure NTP.
We use a "master" NTP server, which synchronizes against stratum 1
servers (hence is a stratum 2 itself); all other clients synchronize to
this master server through IPSec.
Diffstat (limited to 'roles/common/templates/etc/ntp.conf.j2')
| -rw-r--r-- | roles/common/templates/etc/ntp.conf.j2 | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2 new file mode 100644 index 0000000..2f70cef --- /dev/null +++ b/roles/common/templates/etc/ntp.conf.j2 @@ -0,0 +1,59 @@ +# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help + +driftfile /var/lib/ntp/ntp.drift + + +# Enable this if you want statistics to be logged. +#statsdir /var/log/ntpstats/ + +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + + +# You do need to talk to an NTP server or two (or three). +{% if 'NTP-master' in group_names %} +# Use Stratum One Time Servers: +# http://support.ntp.org/bin/view/Servers/StratumOneTimeServers +server ntp1.sp.se iburst +server ntp2.sp.se iburst +server ntp2.gbg.netnod.se iburst +server ntp1.sth.netnod.se iburst +server ntp2.sth.netnod.se iburst +{% else %} +# Sychronize to our (stratum 2) NTP server through IPSec, to ensure our +# network has a consistent time. +server {{ NTP_master }} iburst +{% endif %} + + +# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for +# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> +# might also be helpful. +# +# Note that "restrict" applies to both servers and clients, so a configuration +# that might be intended to block requests from certain clients could also end +# up blocking replies from your own upstream servers. + +# By default, exchange time with everybody, but don't allow configuration. +restrict -4 default kod notrap nomodify nopeer noquery +restrict -6 default kod notrap nomodify nopeer noquery + +# Local users may interrogate the ntp server more closely. +restrict 127.0.0.1 +restrict ::1 + +# Clients from this (example!) subnet have unlimited access, but only if +# cryptographically authenticated. +#restrict 192.168.123.0 mask 255.255.255.0 notrust + + +# If you want to provide time to your local subnet, change the next line. +# (Again, the address is an example only.) +#broadcast 192.168.123.255 + +# If you want to listen to time broadcasts on your local subnet, de-comment the +# next lines. Please do this only if you trust everybody on the network! +#disable auth +#broadcastclient |