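#################################################################
# File: ntp.conf
# Generated by: Ansible
#################################################################

# NOTE(review): "makestep" and "rtcsync" are chrony.conf directives, not
# ntp.conf keywords. Every other directive in this file (restrict, fudge,
# disable monitor) is ntpd syntax, so the two chrony lines are commented
# out here; restore them only if this template is moved to chrony.
#
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
#makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
#rtcsync

# Where to log
logfile {{ logfile }}

# Default policy for every address not matched by a more specific
# restrict line below: time service only, with no run-time
# reconfiguration, no traps, no unauthenticated peering and no
# ntpq/ntpdc queries.
# NOTE(review): ntpd only sends KoD replies when "limited" is also set,
# so "kod" on its own is inert here. Adding "limited" keeps the
# monitoring facility active despite "disable monitor" at the end of
# this file.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.
restrict 127.0.0.1
restrict -6 ::1

# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# The mask falls back to 255.255.255.0 when a subnet entry has no mask
# or an empty one.
# NOTE(review): these lines carry neither "nopeer" nor "noquery", so the
# peering statement above is not enforced by a flag, and hosts on these
# networks can still send ntpq/ntpdc queries. Add the flags if clients
# only need time service. The dotted-quad default mask presumably means
# only IPv4 subnets are expected - confirm against the inventory.
{% for subnet in allowed_subnets %}
restrict {{ subnet.net }} mask {{ subnet.mask | default("255.255.255.0", true) }} nomodify notrap
{% endfor %}

# --- NTP SERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# NOTE(review): the host mask 255.255.255.255 assumes each entry is a
# single IPv4 address. If entries are DNS names, the restrict line
# presumably covers only the address resolved when ntpd starts -
# confirm before relying on it for pool names that rotate.
{% for server in pools %}
restrict {{ server }} mask 255.255.255.255 nomodify notrap noquery
server {{ server }} iburst
{% endfor %}

# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 10 (see the fudge line below). Since the server line does not have the
# prefer keyword, this driver is never used for synchronization, unless
# no other synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
# NOTE(review): with this driver configured the service keeps answering
# clients from the free-running local clock after all upstream sources
# are lost. Monitor for that condition, since clients may not notice.
#
server 127.127.1.0
fudge 127.127.1.0 stratum 10

#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()ing
# it to the file.
# Record the rate at which the system clock gains/loses time.
#
driftfile {{ driftfile }}

#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
#
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
#
# NOTE(review): the part of the template shown here only loads the key
# file. No trustedkey, requestkey or controlkey line is emitted, so the
# keys are not trusted for anything until such a line is added.
#
{% if keyfile is defined %}
keys {{ keyfile }}
{% endif %}

#
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
#
# The default restrict lines above do include noquery, but the client
# network lines do not, so this setting is what protects those networks
# from monlist.
#
disable monitor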