3 files changed, 15 insertions, 14 deletions

diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index c89a136..808383c 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -151,79 +151,83 @@ table inet filter {
     chain input {
         type filter hook input priority 0
         policy drop
 
         iif lo accept
 
         # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions
         # to match match inbound resp. outbound policies and source resp. destination tunnel addresses.
         # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables
         # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html
         # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP
         # encapsulation.)  We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way
         # peers can't impersonate each other.
         meta l4proto esp accept
         # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept
         ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept
 
         # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already
         meta l4proto { icmp, icmpv6 } counter accept
 
-        udp sport  123 udp dport  123 ct state     related,established accept
+        # NTP (ntpd uses sport 123 but systemd-timesyncd does not)
+        udp sport 123 ct state related,established accept
+
 {% if groups.all | length > 1 %}
         udp sport  500 udp dport  500 ct state new,related,established accept
 {% if groups.NATed | length > 0 %}
         udp sport 4500 udp dport 4500 ct state new,related,established accept
 {% endif %}
 {% endif %}
 
         udp sport 53 ct state related,established accept
         tcp sport 53 ct state related,established accept
 {% if 'dhclient' in group_names %}
         ip  version 4 udp sport  67 udp dport  68 ct state related,established accept
         ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept
 {% endif %}
 
         meta l4proto tcp ip  saddr @fail2ban  counter drop
         meta l4proto tcp ip6 saddr @fail2ban6 counter drop
 
         tcp dport $in-tcp-ports  ct state related,established accept
         tcp dport $in-tcp-ports  ct state new counter accept
         tcp sport $out-tcp-ports ct state related,established accept
     }
 
     chain output {
         type filter hook output priority 0
         policy drop
 
         oif lo accept
 
         # XXX Bullseye: unlike for input we can't use marks or test for
         # secpath existence here, because by the time we see a packet to
         # 172.16.0.0/24 we don't know if it'll be encapsulated
         meta l4proto esp accept
         # ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} ipsec out reqid $i accept
         ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept
 
         meta l4proto { icmp, icmpv6 } counter accept
 
-        udp sport  123 udp dport  123 ct state new,related,established accept
+        # NTP (ntpd uses sport 123 but systemd-timesyncd does not)
+        udp dport 123 ct state new,related,established accept
+
 {% if groups.all | length > 1 %}
         udp sport  500 udp dport  500 ct state new,related,established accept
 {% if groups.NATed | length > 0 %}
         udp sport 4500 udp dport 4500 ct state new,related,established accept
 {% endif %}
 {% endif %}
 
         udp dport 53 ct state new,related,established accept
         tcp dport 53 ct state new,related,established accept
 {% if 'dhclient' in group_names %}
         ip  version 4 udp sport  68 udp dport  67 ct state new,related,established accept
         ip6 version 6 udp sport 546 udp dport 547 ct state new,related,established accept
 {% endif %}
 
         tcp sport $in-tcp-ports  ct state related,established accept
         tcp dport $out-tcp-ports ct state related,established accept
         tcp dport $out-tcp-ports ct state new counter accept
 
         meta l4proto tcp counter reject with tcp reset
         meta l4proto udp counter reject
diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2
index 1016d55..b76f0dd 100644
--- a/roles/common/templates/etc/ntp.conf.j2
+++ b/roles/common/templates/etc/ntp.conf.j2
@@ -1,57 +1,45 @@
 # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
 driftfile /var/lib/ntp/ntp.drift
 
 # Leap seconds definition provided by tzdata
 leapfile /usr/share/zoneinfo/leap-seconds.list
 
 # Enable this if you want statistics to be logged.
 #statsdir /var/log/ntpstats/
 
 statistics loopstats peerstats clockstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
 
 
 # You do need to talk to an NTP server or two (or three).
-{% if 'NTP_master' in group_names %}
 # Use Stratum One Time Servers:
 # http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
 server sth1.ntp.se iburst
 server sth2.ntp.se iburst
 server gbg1.ntp.se iburst
 server gbg2.ntp.se iburst
 server ntp1.sp.se  iburst
 server ntp2.sp.se  iburst
-{% else %}
-# Sychronize to our (stratum 2) NTP server, to ensure our network has a
-# consistent time.
-{% for host in groups['NTP_master'] | sort %}
-server {{ ipsec[ hostvars[host].inventory_hostname_short ] }} prefer iburst
-{% endfor %}
-pool 0.{{ geoip | default('debian') }}.pool.ntp.org iburst
-pool 1.{{ geoip | default('debian') }}.pool.ntp.org iburst
-pool 2.{{ geoip | default('debian') }}.pool.ntp.org iburst
-pool 3.{{ geoip | default('debian') }}.pool.ntp.org iburst
-{% endif %}
 
 
 # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
 # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
 # might also be helpful.
 #
 # Note that "restrict" applies to both servers and clients, so a configuration
 # that might be intended to block requests from certain clients could also end
 # up blocking replies from your own upstream servers.
 
 # By default, exchange time with everybody, but don't allow configuration.
 restrict -4 default kod notrap nomodify nopeer noquery limited
 restrict -6 default kod notrap nomodify nopeer noquery limited
 
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
 restrict ::1
 
 # Needed for adding pool entries
 restrict source notrap nomodify noquery
diff --git a/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 b/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2
new file mode 100644
index 0000000..f578cd9
--- /dev/null
+++ b/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2
@@ -0,0 +1,9 @@
+[Time]
+# Sychronize to our (stratum 2) NTP server, to ensure our network has a
+# consistent time.
+{%- set ntp = [] -%}
+{%- for host in groups['NTP_master'] -%}
+{%- set _ = ntp.append(ipsec[ hostvars[host].inventory_hostname_short ]) -%}
+{%- endfor %}
+
+NTP={{ ntp | join(' ') }}