############################################################################### # Managed by Ansible # file: ansible/roles/acs/templates/ntp.conf.j2 ############################################################################### # /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help # To avoid ntpd from panic and exit if the drift between new time and # current system time is large. tinker panic 0 driftfile /var/lib/ntpsec/ntp.drift leapfile /usr/share/zoneinfo/leap-seconds.list # To enable Network Time Security support as a server, obtain a certificate # (e.g. with Let's Encrypt), configure the paths below, and uncomment: # nts cert CERT_FILE # nts key KEY_FILE # nts enable # You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. #statsdir /var/log/ntpsec/ #statistics loopstats peerstats clockstats #filegen loopstats file loopstats type day enable #filegen peerstats file peerstats type day enable #filegen clockstats file clockstats type day enable # Specify one or more NTP servers. # Public NTP servers supporting Network Time Security: # server time.cloudflare.com nts {% for ntp_server in NTP_SERVER %} server {{ ntp_server }} iburst {% endfor %} # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pick a different set every time it starts up. Please consider joining the # pool: #listen on source interface if configured, else #only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 # if we don't have both of them (default is to listen on all ip addresses) interface ignore wildcard {%- macro check_ip_on_interface(interface_name, table_name) %} {%- set ns = namespace(valid_intf = 'false') %} {%- if table_name %} {%- for (name, source_prefix) in table_name|pfx_filter %} {%- if source_prefix and name == interface_name %} {%- set ns.valid_intf = 'true' %} {%- endif %} {%- endfor %} {%- endif %} {{ ns.valid_intf }} {%- endmacro %} {% set ns = namespace(source_intf = "") %} {%- set ns = namespace(source_intf_ip = 'false') %} {%- if (NTP) and (NTP['global']['src_intf']) %} {%- set ns.source_intf = (NTP['global']['src_intf']) %} {%- if ns.source_intf != "" %} {%- if ns.source_intf == "eth0" %} {%- set ns.source_intf_ip = 'true' %} {%- elif ns.source_intf.startswith('Vlan') %} {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %} {%- elif ns.source_intf.startswith('Ethernet') %} {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %} {%- elif ns.source_intf.startswith('PortChannel') %} {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %} {%- elif ns.source_intf.startswith('Loopback') %} {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %} {%- endif %} {%- endif %} {% endif %} {% if ns.source_intf_ip == 'true' %} interface listen {{ns.source_intf}} {% elif (NTP) and NTP['global']['vrf'] == 'mgmt' %} interface listen eth0 {% elif MGMT_INTERFACE %} {% for (mgmt_intf, mgmt_prefix) in MGMT_INTERFACE|pfx_filter %} interface listen {{ mgmt_prefix | ip }} {% endfor %} {% elif LOOPBACK_INTERFACE %} {% for (name, prefix) in LOOPBACK_INTERFACE|pfx_filter %} {% if prefix | ipv4 and name == 'Loopback0' %} interface listen {{ prefix | ip }} {% endif %} {% endfor %} {% else %} interface listen eth0 {% endif %} interface listen 127.0.0.1 # Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html # for details. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. # NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here restrict default kod nomodify noquery limited # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1