2017-01-29 13:33:33 -06:00
|
|
|
###############################################################################
|
|
|
|
|
# Managed by Ansible
|
|
|
|
|
# file: ansible/roles/acs/templates/ntp.conf.j2
|
|
|
|
|
###############################################################################
|
|
|
|
|
|
2023-10-23 10:44:13 -05:00
|
|
|
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
|
2017-01-29 13:33:33 -06:00
|
|
|
|
2020-03-21 20:50:12 -05:00
|
|
|
# To avoid ntpd from panic and exit if the drift between new time and
|
|
|
|
|
# current system time is large.
|
|
|
|
|
tinker panic 0
|
|
|
|
|
|
2023-10-23 10:44:13 -05:00
|
|
|
driftfile /var/lib/ntpsec/ntp.drift
|
|
|
|
|
leapfile /usr/share/zoneinfo/leap-seconds.list
|
2017-01-29 13:33:33 -06:00
|
|
|
|
2023-10-23 10:44:13 -05:00
|
|
|
# To enable Network Time Security support as a server, obtain a certificate
|
|
|
|
|
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
|
|
|
|
|
# nts cert CERT_FILE
|
|
|
|
|
# nts key KEY_FILE
|
|
|
|
|
# nts enable
|
2017-01-29 13:33:33 -06:00
|
|
|
|
2023-10-23 10:44:13 -05:00
|
|
|
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
|
|
|
|
|
#statsdir /var/log/ntpsec/
|
|
|
|
|
#statistics loopstats peerstats clockstats
|
|
|
|
|
#filegen loopstats file loopstats type day enable
|
|
|
|
|
#filegen peerstats file peerstats type day enable
|
|
|
|
|
#filegen clockstats file clockstats type day enable
|
2017-01-29 13:33:33 -06:00
|
|
|
|
2023-10-23 10:44:13 -05:00
|
|
|
# Specify one or more NTP servers.
|
2017-01-29 13:33:33 -06:00
|
|
|
|
2023-10-23 10:44:13 -05:00
|
|
|
# Public NTP servers supporting Network Time Security:
|
|
|
|
|
# server time.cloudflare.com nts
|
2017-09-12 16:13:27 -05:00
|
|
|
{% for ntp_server in NTP_SERVER %}
|
2017-01-29 13:33:33 -06:00
|
|
|
server {{ ntp_server }} iburst
|
|
|
|
|
{% endfor %}
|
|
|
|
|
|
2023-10-23 10:44:13 -05:00
|
|
|
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
|
|
|
|
|
# pick a different set every time it starts up. Please consider joining the
|
|
|
|
|
# pool: <https://www.pool.ntp.org/join.html>
|
|
|
|
|
|
2020-12-21 07:34:13 -06:00
|
|
|
#listen on source interface if configured, else
|
2019-10-07 09:49:25 -05:00
|
|
|
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0
|
|
|
|
|
# if we don't have both of them (default is to listen on all ip addresses)
|
2017-01-29 13:33:33 -06:00
|
|
|
interface ignore wildcard
|
2020-12-21 07:34:13 -06:00
|
|
|
{%- macro check_ip_on_interface(interface_name, table_name) %}
|
2021-05-23 15:40:43 -05:00
|
|
|
{%- set ns = namespace(valid_intf = 'false') %}
|
2020-12-21 07:34:13 -06:00
|
|
|
{%- if table_name %}
|
|
|
|
|
{%- for (name, source_prefix) in table_name|pfx_filter %}
|
|
|
|
|
{%- if source_prefix and name == interface_name %}
|
2021-05-23 15:40:43 -05:00
|
|
|
{%- set ns.valid_intf = 'true' %}
|
2020-12-21 07:34:13 -06:00
|
|
|
{%- endif %}
|
|
|
|
|
{%- endfor %}
|
|
|
|
|
{%- endif %}
|
2021-05-23 15:40:43 -05:00
|
|
|
{{ ns.valid_intf }}
|
2020-12-21 07:34:13 -06:00
|
|
|
{%- endmacro %}
|
|
|
|
|
|
|
|
|
|
{% set ns = namespace(source_intf = "") %}
|
2023-10-23 10:44:13 -05:00
|
|
|
{%- set ns = namespace(source_intf_ip = 'false') %}
|
|
|
|
|
{%- if (NTP) and (NTP['global']['src_intf']) %}
|
|
|
|
|
{%- set ns.source_intf = (NTP['global']['src_intf']) %}
|
|
|
|
|
{%- if ns.source_intf != "" %}
|
|
|
|
|
{%- if ns.source_intf == "eth0" %}
|
|
|
|
|
{%- set ns.source_intf_ip = 'true' %}
|
|
|
|
|
{%- elif ns.source_intf.startswith('Vlan') %}
|
|
|
|
|
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %}
|
|
|
|
|
{%- elif ns.source_intf.startswith('Ethernet') %}
|
|
|
|
|
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %}
|
|
|
|
|
{%- elif ns.source_intf.startswith('PortChannel') %}
|
|
|
|
|
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %}
|
|
|
|
|
{%- elif ns.source_intf.startswith('Loopback') %}
|
|
|
|
|
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %}
|
|
|
|
|
{%- endif %}
|
|
|
|
|
{%- endif %}
|
2020-12-21 07:34:13 -06:00
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
{% if ns.source_intf_ip == 'true' %}
|
|
|
|
|
interface listen {{ns.source_intf}}
|
|
|
|
|
{% elif (NTP) and NTP['global']['vrf'] == 'mgmt' %}
|
|
|
|
|
interface listen eth0
|
|
|
|
|
{% elif MGMT_INTERFACE %}
|
2019-06-10 16:02:55 -05:00
|
|
|
{% for (mgmt_intf, mgmt_prefix) in MGMT_INTERFACE|pfx_filter %}
|
2017-09-12 16:13:27 -05:00
|
|
|
interface listen {{ mgmt_prefix | ip }}
|
|
|
|
|
{% endfor %}
|
2019-10-07 09:49:25 -05:00
|
|
|
{% elif LOOPBACK_INTERFACE %}
|
|
|
|
|
{% for (name, prefix) in LOOPBACK_INTERFACE|pfx_filter %}
|
|
|
|
|
{% if prefix | ipv4 and name == 'Loopback0' %}
|
|
|
|
|
interface listen {{ prefix | ip }}
|
|
|
|
|
{% endif %}
|
|
|
|
|
{% endfor %}
|
2017-10-13 19:08:35 -05:00
|
|
|
{% else %}
|
|
|
|
|
interface listen eth0
|
|
|
|
|
{% endif %}
|
2017-01-29 13:33:33 -06:00
|
|
|
interface listen 127.0.0.1
|
|
|
|
|
|
2023-10-23 10:44:13 -05:00
|
|
|
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
|
|
|
|
|
# for details.
|
2017-01-29 13:33:33 -06:00
|
|
|
#
|
|
|
|
|
# Note that "restrict" applies to both servers and clients, so a configuration
|
|
|
|
|
# that might be intended to block requests from certain clients could also end
|
|
|
|
|
# up blocking replies from your own upstream servers.
|
|
|
|
|
|
|
|
|
|
# By default, exchange time with everybody, but don't allow configuration.
|
2023-10-23 10:44:13 -05:00
|
|
|
# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
|
|
|
|
|
restrict default kod nomodify noquery limited
|
2017-01-29 13:33:33 -06:00
|
|
|
|
|
|
|
|
# Local users may interrogate the ntp server more closely.
|
|
|
|
|
restrict 127.0.0.1
|
|
|
|
|
restrict ::1
|
