From e8e01842f4e578ec427dd8d6f5a5e40b498458af Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 5 Nov 2020 17:13:03 +0100 Subject: Change NTP client to systemd-timesyncd. (Excluding our NTP master.) It's simpler, arguably more secure, and provides enough functionality when only simple client use-cases are desired. We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd can connect to the fallbacks NTP servers. --- roles/common/templates/etc/nftables.conf.j2 | 8 ++++++-- roles/common/templates/etc/ntp.conf.j2 | 12 ------------ .../templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 | 9 +++++++++ 3 files changed, 15 insertions(+), 14 deletions(-) create mode 100644 roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 (limited to 'roles/common/templates') diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 index c89a136..808383c 100755 --- a/roles/common/templates/etc/nftables.conf.j2 +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -168,7 +168,9 @@ table inet filter { # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already meta l4proto { icmp, icmpv6 } counter accept - udp sport 123 udp dport 123 ct state related,established accept + # NTP (ntpd uses sport 123 but systemd-timesyncd does not) + udp sport 123 ct state related,established accept + {% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept {% if groups.NATed | length > 0 %} @@ -206,7 +208,9 @@ table inet filter { meta l4proto { icmp, icmpv6 } counter accept - udp sport 123 udp dport 123 ct state new,related,established accept + # NTP (ntpd uses sport 123 but systemd-timesyncd does not) + udp dport 123 ct state new,related,established accept + {% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept {% if groups.NATed | length > 0 %} diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2 index 1016d55..b76f0dd 100644 --- a/roles/common/templates/etc/ntp.conf.j2 +++ b/roles/common/templates/etc/ntp.conf.j2 @@ -15,7 +15,6 @@ filegen clockstats file clockstats type day enable # You do need to talk to an NTP server or two (or three). -{% if 'NTP_master' in group_names %} # Use Stratum One Time Servers: # http://support.ntp.org/bin/view/Servers/StratumOneTimeServers server sth1.ntp.se iburst @@ -24,17 +23,6 @@ server gbg1.ntp.se iburst server gbg2.ntp.se iburst server ntp1.sp.se iburst server ntp2.sp.se iburst -{% else %} -# Sychronize to our (stratum 2) NTP server, to ensure our network has a -# consistent time. -{% for host in groups['NTP_master'] | sort %} -server {{ ipsec[ hostvars[host].inventory_hostname_short ] }} prefer iburst -{% endfor %} -pool 0.{{ geoip | default('debian') }}.pool.ntp.org iburst -pool 1.{{ geoip | default('debian') }}.pool.ntp.org iburst -pool 2.{{ geoip | default('debian') }}.pool.ntp.org iburst -pool 3.{{ geoip | default('debian') }}.pool.ntp.org iburst -{% endif %} # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for diff --git a/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 b/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 new file mode 100644 index 0000000..f578cd9 --- /dev/null +++ b/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 @@ -0,0 +1,9 @@ +[Time] +# Sychronize to our (stratum 2) NTP server, to ensure our network has a +# consistent time. +{%- set ntp = [] -%} +{%- for host in groups['NTP_master'] -%} +{%- set _ = ntp.append(ipsec[ hostvars[host].inventory_hostname_short ]) -%} +{%- endfor %} + +NTP={{ ntp | join(' ') }} -- cgit v1.2.3