|
- #################################################################
- # File: ntp.conf
- # Generated by: Ansible
- # This is a Jinja2 template: the {{ ... }} and {% ... %} markers are
- # filled in when the file is rendered.
- # NOTE(review): the restrict, fudge and "disable monitor" lines further
- # down are ntpd syntax, while makestep and rtcsync below are chrony.conf
- # directives. Confirm which daemon reads this file and drop the lines it
- # does not understand.
- #################################################################
- # Allow the system clock to be stepped in the first three updates
- # if its offset is larger than 1 second.
- makestep 1.0 3
-
- # Enable kernel synchronization of the real-time clock (RTC).
- rtcsync
-
- # Where to log. The path comes from the template variable logfile.
- logfile {{ logfile }}
-
- # Default policy for every IPv4 and IPv6 source that no more specific
- # restrict line matches: no configuration changes (nomodify), no traps
- # (notrap), no peering (nopeer), no status queries (noquery).
- # NOTE(review): in ntpd, kod only takes effect together with the limited
- # flag, which is not set here -- confirm whether rate limiting was intended.
- restrict default kod nomodify notrap nopeer noquery
- restrict -6 default kod nomodify notrap nopeer noquery
- # Permit all access over the loopback interface (IPv4 and IPv6).
- restrict 127.0.0.1
- restrict -6 ::1
-
- # -- CLIENT NETWORK -------
- # Permit systems on this network to synchronize with this
- # time service. Do not permit those systems to modify the
- # configuration of this service. Also, do not use those
- # systems as peers for synchronization.
- # One restrict line is rendered per entry of allowed_subnets; an entry
- # whose mask is missing or empty gets 255.255.255.0.
- # NOTE(review): these lines carry only nomodify and notrap, so the nopeer
- # and noquery flags of the default policy do not apply to these subnets.
- # Confirm that status queries from client networks are intended.
- {% for subnet in allowed_subnets %}
- restrict {{ subnet.net }} mask {{ subnet.mask | default("255.255.255.0", true) }} nomodify notrap
- {% endfor %}
-
- # --- NTP SERVERS -----
-
- # Permit time synchronization with our time source, but do not
- # permit the source to query or modify the service on this system.
- # (The alternative is to remove the default restrict line, which would
- # leave every other source unrestricted as well.)
- # For each entry of pools, a host-specific restrict line (mask
- # 255.255.255.255) and a server line with iburst are rendered.
- # NOTE(review): the variable is called pools, but each entry is configured
- # with "server" and a single-host restrict. If an entry is a DNS name that
- # resolves to several or changing addresses, the restrict line may not
- # match the address actually used -- confirm the entries are fixed hosts.
- {% for server in pools %}
- restrict {{ server }} mask 255.255.255.255 nomodify notrap noquery
- server {{ server }} iburst
- {% endfor %}
-
- # --- GENERAL CONFIGURATION ---
-
- #
- # Undisciplined Local Clock. This is a fake driver intended for backup
- # and when no outside source of synchronized time is available. The
- # default stratum is usually 3, but in this case the fudge line below
- # sets stratum 10. Since the server line does not have the prefer
- # keyword, this driver is never used for synchronization, unless no other
- # synchronization source is available. In case the local host is
- # controlled by some external source, such as an external oscillator or
- # another protocol, the prefer keyword would cause the local host to
- # disregard all other synchronization sources, unless the kernel
- # modifications are in use and declare an unsynchronized condition.
- #
- server 127.127.1.0
- fudge 127.127.1.0 stratum 10
-
- #
- # Drift file. Put this in a directory which the daemon can write to.
- # No symbolic links allowed, either, since the daemon updates the file
- # by creating a temporary in the same directory and then rename()ing
- # it to the file.
- # Records the rate at which the system clock gains/loses time.
- # The path comes from the template variable driftfile.
- #
- driftfile {{ driftfile }}
-
- #
- # Keys file. If you want to diddle your server at run time, make a
- # keys file (mode 600 for sure) and define the key number to be
- # used for making requests.
- #
-
- #
- # Key file containing the keys and key identifiers used when operating
- # with symmetric key cryptography.
- # The keys line is only rendered when the template variable keyfile is
- # defined; otherwise no key file is configured.
- # NOTE(review): no trustedkey, requestkey or controlkey line is visible in
- # this template, so as far as this file shows the keys are loaded but none
- # is marked as trusted -- confirm whether that is set elsewhere.
- #
- {% if keyfile is defined %}
- keys {{ keyfile }}
- {% endif %}
-
- #
- # Disable the monitoring facility to prevent amplification attacks using ntpdc
- # monlist command when default restrict does not include the noquery flag. See
- # CVE-2013-5211 for more details.
- # Note: Monitoring will not be disabled with the limited restriction flag.
- # In this file the default restrict lines do set noquery, but the
- # client-network restrict lines do not, so this setting is what covers
- # those subnets. Keep it if the restrict lines are ever relaxed.
- #
- disable monitor
|