Changeset - 49af212543b0
Branko Majic (branko) - 2 months ago 2024-02-26 21:47:49
branko@majic.rs
MAR-192: Switch to using NTP pools instead of servers:

- This is the recommended configuration by NTPsec, and also default on
Debian. Previously suggested values for servers have been pool
addresses in any case.
10 files changed with 28 insertions and 25 deletions:
0 comments (0 inline, 0 general)
docs/releasenotes.rst
 
@@ -39,12 +39,16 @@ Dropped support for Debian 10 (Buster).
 

	
 
  * Parameter ``maintenance_allowed_hosts`` has been dropped and
 
    replaced with parameter ``maintenance_allowed_sources``. The new
 
    parameter expects a list of IPv4 and IPv6 addresses (or
 
    subnets). Resolvable names can no longer be specified.
 

	
 
  * NTP server configuration is now based on use of pools instead of
 
    servers. Parameter ``ntp_servers`` has been deprecated and
 
    replaced with parameter ``ntp_pools``.
 

	
 
* ``mail_server`` role
 

	
 
  * Parameter ``mail_server_tls_protocols`` has been dropped and
 
    replaced with parameter ``mail_server_minimum_tls_protocol``. Full
 
    list of TLS protocols can no longer be specified, only the minimum
 
    one.
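Review bot: the ``ntp_servers`` bullet says the parameter has been "deprecated and replaced", but nothing else in this changeset keeps ``ntp_servers`` alive: the default is removed, the ``when:`` conditions in tasks and handlers and the template loop all switch to ``ntp_pools``, so a host that still sets ``ntp_servers`` simply gets no NTP set up, with no warning. Either change the wording to "has been dropped and replaced", matching the ``maintenance_allowed_hosts`` and ``mail_server_tls_protocols`` entries in the same section, or add a real deprecation path (a failing assertion when ``ntp_servers`` is set) so the release note is accurate.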
docs/rolereference.rst
 
@@ -287,13 +287,13 @@ The role implements the following:
 
  ``~=`` operator (for example ``django~=1.8.0``. Checks are
 
  implemented via `pip-tools <https://github.com/jazzband/pip-tools>`_
 
  and a custom script that outputs diffs if upgrades are
 
  available. Script is run via cronjob on daily basis, and any output
 
  will be delivered to local ``root`` user.
 
* Optionally configures time synchronisation using NTP (if
 
  ``ntp_servers`` parameter is set).
 
  ``ntp_pools`` parameter is set).
 

	
 

	
 
Role dependencies
 
~~~~~~~~~~~~~~~~~
 

	
 
Depends on the following roles:
 
@@ -401,19 +401,19 @@ Parameters
 

	
 
**maintenance_allowed_sources** (list, optional,  ``[]``)
 
  List of source addreses (IPv4 or IPv6) that should be allowed to
 
  connect to the server when in maintenance mode. Subnets can be
 
  specified as well.
 

	
 
**ntp_servers** (list, optional, ``[]``)
 
  List of NTP servers to use for synchronising the time on managed
 
**ntp_pools** (list, optional, ``[]``)
 
  List of NTP pools to use for synchronising the time on managed
 
  machine using NTP. If no time synchronisation should be set-up, set
 
  to empty list. Default is not to configure time synchronisation.
 

	
 
  If setting this parameter, it is recommended to set the list of
 
  servers to list shipped by default Debian configuration::
 
  pools to list shipped by default Debian configuration::
 

	
 
    - "0.debian.pool.ntp.org"
 
    - "1.debian.pool.ntp.org"
 
    - "2.debian.pool.ntp.org"
 
    - "3.debian.pool.ntp.org"
 

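Review bot: the parameter description should say what the move from ``server`` to ``pool`` changes for the operator. Each pool entry is resolved to several servers, so the four names recommended here yield more than four associations, and the role's template (see the ``tos minclock 4 minsane 3`` context in the ``ntp.conf.j2`` hunk) needs at least three reachable sources before ntpd trusts the time; with ``server`` directives a short list could fail that threshold, with ``pool`` directives a single entry can satisfy it. One sentence to that effect would make the recommendation understandable. The unchanged line "List of source addreses" just above also has a typo (addresses).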
	
docs/usage.rst
 
@@ -600,13 +600,13 @@ Let's take care of this common configuration right away:
 
      ca_certificates:
 
        truststore: "{{ lookup('file', '~/mysite/tls/truststore.pem') }}"
 

	
 
   .. note::
 
      The ``common`` role comes with ability to set-up time
 
      synchronisation using NTP. This is not done by default. For
 
      details see the role parameter ``ntp_servers``.
 
      details see the role parameter ``ntp_pools``.
 

	
 
   .. note::
 
      The ``ca_certificates`` parameter lets us deploy custom CA
 
      certificates on servers. The name we pick (in this case
 
      ``truststore``) can be set to anything. In this particular case,
 
      we want to deploy our own CA certificate for use as truststore,
roles/common/defaults/main.yml
 
@@ -27,13 +27,13 @@ pip_check_requirements:
 
  - pyproject-hooks==1.0.0
 
  - setuptools==68.0.0
 
  - tomli==2.0.1
 
  - typing-extensions==4.7.1
 
  - wheel==0.41.3
 
  - zipp==3.15.0
 
ntp_servers: []
 
ntp_pools: []
 
maintenance: false
 
maintenance_allowed_sources: []
 

	
 
# Internal use only.
 
prompt_colour_mapping:
 
  black: "0;30"
roles/common/handlers/main.yml
 
@@ -29,7 +29,7 @@
 
    daemon_reload: true
 

	
 
- name: Restart NTP server
 
  service:
 
    name: ntpsec
 
    state: restarted
 
  when: ntp_servers | length > 0
 
  when: ntp_pools | length > 0
roles/common/molecule/default/group_vars/parameters-optional.yml
 
@@ -43,13 +43,13 @@ incoming_connection_limit_burst: 5
 
pipreqcheck_uid: 2500
 
pipreqcheck_gid: 2500
 
prompt_colour: cyan
 
prompt_id: test
 
# Purposefully set this to 3 servers to make sure we are
 
# overriding the default configuration.
 
ntp_servers:
 
ntp_pools:
 
  - "0.debian.pool.ntp.org"
 
  - "1.debian.pool.ntp.org"
 
  - "2.debian.pool.ntp.org"
 
maintenance: true
 
maintenance_allowed_sources:
 
  - 192.168.56.3  # client1
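Review bot: the comment above ``ntp_pools`` still says "set this to 3 servers"; now that the entries are pools, say "3 pools" so the comment matches the variable it explains and the ``test_ntp_runtime_pool_count`` test that asserts on three ``.POOL.`` entries.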
roles/common/molecule/default/tests/test_parameters_optional.py
 
@@ -290,39 +290,38 @@ def test_ntp_server_configuration(host):
 

	
 
        # Extract relevant sections of configuration (exclude empty
 
        # lines and comments).
 
        configuration = configuration_file.content_string.split("\n")
 
        configuration = [c.strip() for c in configuration if re.match(r'^\s*(|#.*)$', c) is None]
 

	
 
        # Ensure correct servers have been configured in the pool.
 
        servers = [c for c in configuration if c.startswith('server')]
 
        # Ensure correct pools have been configured.
 
        pools = [c for c in configuration if c.startswith('pool')]
 

	
 
        expected_servers = ["server 0.debian.pool.ntp.org iburst",
 
                            "server 1.debian.pool.ntp.org iburst",
 
                            "server 2.debian.pool.ntp.org iburst"]
 
        expected_pools = ["pool 0.debian.pool.ntp.org iburst",
 
                          "pool 1.debian.pool.ntp.org iburst",
 
                          "pool 2.debian.pool.ntp.org iburst"]
 

	
 
        assert sorted(servers) == sorted(expected_servers)
 
        assert sorted(pools) == sorted(expected_pools)
 

	
 
        # Ensure querying of server is disabled for untrusted clients.
 
        restrictions = [c for c in configuration if c.startswith('restrict')]
 
        expected_restrictions = ["restrict default kod nomodify nopeer noquery limited",
 
                                 "restrict 127.0.0.1",
 
                                 "restrict ::1"]
 

	
 
        assert sorted(restrictions) == sorted(expected_restrictions)
 

	
 

	
 
def test_ntp_query_server_count(host):
 

	
 
    # Two lines for headers, and one line per configured server.
 
    expected_stdout_line_count = 5
 
def test_ntp_runtime_pool_count(host):
 

	
 
    ntpq = host.command("ntpq -p -n")
 

	
 
    assert ntpq.rc == 0
 
    assert len(ntpq.stdout.strip().split("\n")) == expected_stdout_line_count
 

	
 
    # We expect 3 pools, as requested via role parameter.
 
    ntpq_pool_info = [line for line in ntpq.stdout.split("\n") if ".POOL." in line]
 
    assert len(ntpq_pool_info) == 3
 

	
 

	
 
def test_ntp_listening_interfaces(host):
 
    """
 
    Tests if NTP server is listening on correct ports.
 
    """
roles/common/tasks/main.yml
 
@@ -478,22 +478,22 @@
 
- name: Install NTP packages
 
  apt:
 
    name:
 
      - ntpsec
 
      - ntpsec-ntpdate
 
    state: present
 
  when: ntp_servers | length > 0
 
  when: ntp_pools | length > 0
 

	
 
- name: Deploy NTP configuration
 
  template:
 
    src: "ntp.conf.j2"
 
    dest: "/etc/ntpsec/ntp.conf"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  when: ntp_servers | length > 0
 
  when: ntp_pools | length > 0
 
  notify:
 
    - Restart NTP server
 

	
 
- name: Explicitly run all handlers
 
  include: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
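Review bot: both tasks switch their guard to ``ntp_pools | length > 0``, but nothing catches an inventory that still sets the old ``ntp_servers`` parameter; on such a host the package is not installed, the configuration is not deployed and the play still succeeds, leaving a fresh host without time synchronisation and a previously managed host with its existing ntpsec install and stale ``/etc/ntpsec/ntp.conf`` untouched. Add a ``fail`` or ``assert`` task at the top of this block guarded by ``when: ntp_servers is defined``, with a message pointing at ``ntp_pools``, so the rename fails loudly instead of silently skipping.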
roles/common/templates/ntp.conf.j2
 
@@ -28,14 +28,14 @@ tos minclock 4 minsane 3
 
# Public NTP servers supporting Network Time Security:
 
# server time.cloudflare.com nts
 

	
 
# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
 
# pick a different set every time it starts up.  Please consider joining the
 
# pool: <https://www.pool.ntp.org/join.html>
 
{% for server in ntp_servers %}
 
server {{ server }} iburst
 
{% for server in ntp_pools %}
 
pool {{ server }} iburst
 
{% endfor %}
 

	
 
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
 
# for details.
 
#
 
# Note that "restrict" applies to both servers and clients, so a configuration
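Review bot: the loop still binds each item to ``server`` while iterating ``ntp_pools`` and emitting ``pool`` directives; rename it (``{% for pool in ntp_pools %}`` / ``pool {{ pool }} iburst``) so the template reads the way the generated configuration does. A short comment that the ``tos minclock 4 minsane 3`` line in the hunk context is what each ``pool`` entry now helps satisfy (one ``pool`` directive resolves to several servers, where a ``server`` directive gave exactly one) would also explain to the next reader why the switch was made.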
testsite/group_vars/all.yml
 
@@ -81,11 +81,11 @@ backup_ssh_key: "{{ lookup('file', inventory_dir + '/ssh/' + ansible_fqdn) }}"
 

	
 
# Set-up prompt.
 
prompt_colour: light_purple
 
prompt_id: MAR
 

	
 
# Set-up NTP time synchronisation.
 
ntp_servers:
 
ntp_pools:
 
  - "0.debian.pool.ntp.org"
 
  - "1.debian.pool.ntp.org"
 
  - "2.debian.pool.ntp.org"
 
  - "3.debian.pool.ntp.org"