diff options
| -rw-r--r-- | production | 1 | ||||
| -rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 5 | ||||
| -rw-r--r-- | roles/common/templates/etc/ntp.conf.j2 | 6 |
3 files changed, 3 insertions, 9 deletions
@@ -3,41 +3,40 @@ mistral.fripost.org [elefant] elefant.fripost.org mxno=1 [giraff] giraff.fripost.org [antilop] antilop.fripost.org [civett] civett.friprogramvarusyndikatet.se mxno=2 [benjamin] benjamin.skangas.se # ldap.fripost.org [LDAP-provider:children] mistral -# ntp.fripost.org [NTP-master:children] mistral # imap.fripost.org [IMAP:children] mistral # mda.fripost.org [MDA:children] IMAP # mx{1,2,3}.fripost.org [MX:children] elefant civett # smtp.fripost.org [MSA:children] IMAP diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 6bd2533..8450f00 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -1,44 +1,39 @@ # {{ ansible_managed }} # Do NOT edit this file directly! # # direction protocol destination port source port # (in|out|inout)[46]? (tcp|udp|..) (port|port:port|port,port) (port|port:port|port,port) {% if groups.all | length > 1 %} inout4 udp 500 500 # ISAKMP {% if groups.NATed | length > 0 %} inout4 udp 4500 4500 # IPSec NAT Traversal {% endif %} {% endif %} out tcp 80,443 # HTTP/HTTPS out tcp 9418 # GIT out udp 53 # DNS out udp 67 # DHCP out tcp 22 # SSH -{% if 'NTP-master' in group_names %} -in udp 123 # NTP -out udp 123 # NTP -{% else %} out udp 123 123 # NTP -{% endif %} in tcp {{ ansible_port|default('22') }} # SSH {% if 'LDAP-provider' in group_names %} in tcp 636 # LDAPS {% elif 'MX' in group_names or 'lists' in group_names %} out tcp 636 # LDAPS {% endif %} {% if 'MX' in group_names %} in tcp 25 # SMTP {% if 'MDA' not in group_names %} out tcp {{ postfix_instance.IMAP.port }} {% endif %} {% if 'lists' not in group_names %} out tcp {{ postfix_instance.lists.port }} {% endif %} {% endif %} {% if 'out' in group_names %} {% if groups.all | difference([inventory_hostname]) %} in tcp {{ postfix_instance.out.port }} {% endif %} diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2 index d46ba18..5957276 100644 --- a/roles/common/templates/etc/ntp.conf.j2 +++ b/roles/common/templates/etc/ntp.conf.j2 @@ -7,43 +7,43 @@ driftfile /var/lib/ntp/ntp.drift #statsdir /var/log/ntpstats/ statistics loopstats peerstats clockstats filegen loopstats file loopstats type day enable filegen peerstats file peerstats type day enable filegen clockstats file clockstats type day enable # You do need to talk to an NTP server or two (or three). {% if 'NTP-master' in group_names %} # Use Stratum One Time Servers: # http://support.ntp.org/bin/view/Servers/StratumOneTimeServers server ntp1.sp.se iburst server ntp2.sp.se iburst server ntp2.gbg.netnod.se iburst server ntp1.sth.netnod.se iburst server ntp2.sth.netnod.se iburst {% else %} # Sychronize to our (stratum 2) NTP server, to ensure our network has a # consistent time. -# TODO: use to pubkey authentication to unsure an attacker doesn't -# impersonate our NTP server and gives us incorrect time. -server ntp.fripost.org iburst +{% for host in groups['NTP-master'] | sort %} +server {{ ipsec[ hostvars[host].inventory_hostname_short ] }} prefer iburst +{% endfor %} server 0.se.pool.ntp.org iburst server 1.se.pool.ntp.org iburst {% endif %} # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> # might also be helpful. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. restrict -4 default limited kod nomodify notrap nopeer noquery restrict -6 default limited kod nomodify notrap nopeer noquery # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1 |