summaryrefslogtreecommitdiffstats
path: root/roles/common/templates/etc/ntp.conf.j2
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/templates/etc/ntp.conf.j2')
-rw-r--r--roles/common/templates/etc/ntp.conf.j26
1 files changed, 3 insertions, 3 deletions
diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2
index d46ba18..5957276 100644
--- a/roles/common/templates/etc/ntp.conf.j2
+++ b/roles/common/templates/etc/ntp.conf.j2
@@ -7,43 +7,43 @@ driftfile /var/lib/ntp/ntp.drift
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
{% if 'NTP-master' in group_names %}
# Use Stratum One Time Servers:
# http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
server ntp1.sp.se iburst
server ntp2.sp.se iburst
server ntp2.gbg.netnod.se iburst
server ntp1.sth.netnod.se iburst
server ntp2.sth.netnod.se iburst
{% else %}
# Sychronize to our (stratum 2) NTP server, to ensure our network has a
# consistent time.
-# TODO: use to pubkey authentication to unsure an attacker doesn't
-# impersonate our NTP server and gives us incorrect time.
-server ntp.fripost.org iburst
+{% for host in groups['NTP-master'] | sort %}
+server {{ ipsec[ hostvars[host].inventory_hostname_short ] }} prefer iburst
+{% endfor %}
server 0.se.pool.ntp.org iburst
server 1.se.pool.ntp.org iburst
{% endif %}
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-26 01:48:59 +0000