diff --git a/roles/common/templates/ntp.conf.j2 b/roles/common/templates/ntp.conf.j2 index 441ac250409be6e846fafd1dd8f981ca0db70934..3eded9122bd39d1b52a312e1cc6d61ca559cb211 100644 --- a/roles/common/templates/ntp.conf.j2 +++ b/roles/common/templates/ntp.conf.j2 @@ -1,53 +1,50 @@ -# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help +# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help -driftfile /var/lib/ntp/ntp.drift +driftfile /var/lib/ntpsec/ntp.drift +leapfile /usr/share/zoneinfo/leap-seconds.list +# To enable Network Time Security support as a server, obtain a certificate +# (e.g. with Let's Encrypt), configure the paths below, and uncomment: +# nts cert CERT_FILE +# nts key KEY_FILE +# nts enable -# Enable this if you want statistics to be logged. -#statsdir /var/log/ntpstats/ +# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. +#statsdir /var/log/ntpsec/ +#statistics loopstats peerstats clockstats +#filegen loopstats file loopstats type day enable +#filegen peerstats file peerstats type day enable +#filegen clockstats file clockstats type day enable -statistics loopstats peerstats clockstats -filegen loopstats file loopstats type day enable -filegen peerstats file peerstats type day enable -filegen clockstats file clockstats type day enable +# This should be maxclock 7, but the pool entries count towards maxclock. +tos maxclock 11 +# Comment this out if you have a refclock and want it to be able to discipline +# the clock by itself (e.g. if the system is not connected to the network). +tos minclock 4 minsane 3 -# You do need to talk to an NTP server or two (or three). -#server ntp.your-provider.example +# Specify one or more NTP servers. + +# Public NTP servers supporting Network Time Security: +# server time.cloudflare.com nts # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pick a different set every time it starts up. Please consider joining the -# pool: +# pool: {% for server in ntp_servers %} server {{ server }} iburst {% endfor %} -# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for -# details. The web page -# might also be helpful. +# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html +# for details. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. -restrict -4 default kod notrap nomodify nopeer noquery -restrict -6 default kod notrap nomodify nopeer noquery +restrict default kod nomodify nopeer noquery limited # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1 - -# Clients from this (example!) subnet have unlimited access, but only if -# cryptographically authenticated. -#restrict 192.168.123.0 mask 255.255.255.0 notrust - - -# If you want to provide time to your local subnet, change the next line. -# (Again, the address is an example only.) -#broadcast 192.168.123.255 - -# If you want to listen to time broadcasts on your local subnet, de-comment the -# next lines. Please do this only if you trust everybody on the network! -#disable auth -#broadcastclient