From 974f7d893ad7b16d4a70b6fa9a0761a8258ebc72 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <andrea.dellamico@isti.cnr.it>
Date: Fri, 25 Oct 2019 12:32:10 +0200
Subject: [PATCH] Role that manages the ntp service.

---
 library/roles/ntp/defaults/main.yml           | 11 +++
 library/roles/ntp/handlers/main.yml           |  8 ++
 library/roles/ntp/tasks/main.yml              | 38 +++++++++
 .../roles/ntp/templates/ntp-centos.conf.j2    | 85 +++++++++++++++++++
 library/roles/ntp/templates/ntp.conf.j2       | 82 ++++++++++++++++++
 5 files changed, 224 insertions(+)
 create mode 100644 library/roles/ntp/defaults/main.yml
 create mode 100644 library/roles/ntp/handlers/main.yml
 create mode 100644 library/roles/ntp/tasks/main.yml
 create mode 100644 library/roles/ntp/templates/ntp-centos.conf.j2
 create mode 100644 library/roles/ntp/templates/ntp.conf.j2

diff --git a/library/roles/ntp/defaults/main.yml b/library/roles/ntp/defaults/main.yml
new file mode 100644
index 00000000..c3f5b344
--- /dev/null
+++ b/library/roles/ntp/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+ntp_service_enabled: True
+ntp_statistics_enabled: False
+
+#ntp_allowed_clients:
+#  - { ip: '', netmask: '', options: '' }
+
+#ntp_servers_pool:
+# - x.y.z.w
+# - w.y.z.x
+
diff --git a/library/roles/ntp/handlers/main.yml b/library/roles/ntp/handlers/main.yml
new file mode 100644
index 00000000..a98f2b76
--- /dev/null
+++ b/library/roles/ntp/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Restart the ntp server
+  service: name=ntp state=restarted enabled=yes
+  when: ntp_service_enabled | bool
+
+- name: Restart the ntpd server
+  service: name=ntpd state=restarted enabled=yes
+  when: ntp_service_enabled | bool
diff --git a/library/roles/ntp/tasks/main.yml b/library/roles/ntp/tasks/main.yml
new file mode 100644
index 00000000..c7f74c54
--- /dev/null
+++ b/library/roles/ntp/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- block:
+  - name: Install the ntp server
+    apt: pkg=ntp state=present valid_cache_time=3600
+
+  - name: Install the ntp configuration.
+    template: src=ntp.conf.j2 dest=/etc/ntp.conf owner=root group=root mode=0644
+    notify: Restart the ntp server
+  
+  - name: Ensure that the ntp server is running
+    service: name=ntp state=started enabled=yes
+    when: ntp_service_enabled | bool
+
+  - name: Ensure that the ntp server is stopped and disabled
+    service: name=ntp state=stopped enabled=no
+    when: not ntp_service_enabled | bool
+
+  when: ansible_distribution_file_variety == "Debian"
+  tags: [ 'packages', 'ntp' ]
+
+- block:
+  - name: Install the ntpd server
+    yum: pkg=ntp state=present
+
+  - name: Install the ntp configuration.
+    template: src=ntp-centos.conf.j2 dest=/etc/ntp.conf owner=root group=root mode=0644
+    notify: Restart the ntpd server
+  
+  - name: Ensure that the ntpd server is running
+    service: name=ntpd state=started enabled=yes
+    when: ntp_service_enabled | bool
+
+  - name: Ensure that the ntpd server is stopped and disabled
+    service: name=ntpd state=stopped enabled=no
+    when: not ntp_service_enabled | bool
+
+  when: ansible_distribution_file_variety == "RedHat"
+  tags: [ 'packages', 'ntp' ]
diff --git a/library/roles/ntp/templates/ntp-centos.conf.j2 b/library/roles/ntp/templates/ntp-centos.conf.j2
new file mode 100644
index 00000000..9a779b42
--- /dev/null
+++ b/library/roles/ntp/templates/ntp-centos.conf.j2
@@ -0,0 +1,85 @@
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface.  This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+{% if ntp_servers_pool is defined %}
+{% for pool_ip in ntp_servers_pool %}
+{{ pool_ip }} prefer iburst
+{% else %}
+server 0.centos.pool.ntp.org iburst
+server 1.centos.pool.ntp.org iburst
+server 2.centos.pool.ntp.org iburst
+server 3.centos.pool.ntp.org iburst
+{% endif %}
+
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+{% if nagios_monitoring_server_ip is defined %}
+{% for ip in nagios_monitoring_server_ip %}
+restrict {{ ip }} mask 255.255.255.255 notrap nomodify
+{% endfor %}
+{% endif %}
+{% if ntp_allowed_clients is defined %}
+{% for host in ntp_allowed_clients %}
+restrict {{ host.ip }} mask {{ host.netmask }} {% if host.options is defined %}{{ host.options }}{% else %}notrap nomodify{% endif %}
+{% endfor %}
+{% endif %}
+
+#broadcast 192.168.1.255 autokey        # broadcast server
+#broadcastclient                        # broadcast client
+#broadcast 224.0.1.1 autokey            # multicast server
+#multicastclient 224.0.1.1              # multicast client
+#manycastserver 239.255.254.254         # manycast server
+#manycastclient 239.255.254.254 autokey # manycast client
+
+# Enable public key cryptography.
+#crypto
+
+includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+
+# Enable writing of statistics records.
+{% if ntp_statistics_enabled %}
+statsdir /var/log/ntpstats/
+
+statistics clockstats cryptostats loopstats peerstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+{% endif %}
+
+# Disable the monitoring facility to prevent amplification attacks using ntpdc
+# monlist command when default restrict does not include the noquery flag. See
+# CVE-2013-5211 for more details.
+# Note: Monitoring will not be disabled with the limited restriction flag.
+disable monitor
diff --git a/library/roles/ntp/templates/ntp.conf.j2 b/library/roles/ntp/templates/ntp.conf.j2
new file mode 100644
index 00000000..20d6a48e
--- /dev/null
+++ b/library/roles/ntp/templates/ntp.conf.j2
@@ -0,0 +1,82 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+{% if ntp_statistics_enabled %}
+statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+{% endif %}
+# Specify one or more NTP servers.
+
+# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
+# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
+# more information.
+{% if ntp_servers_pool is defined %}
+{% for pool_ip in ntp_servers_pool %}
+{{ pool_ip }} prefer iburst
+{% else %}
+pool 0.ubuntu.pool.ntp.org iburst
+pool 1.ubuntu.pool.ntp.org iburst
+pool 2.ubuntu.pool.ntp.org iburst
+pool 3.ubuntu.pool.ntp.org iburst
+{% endif %}
+
+# Use Ubuntu's ntp server as a fallback.
+pool ntp.ubuntu.com
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+{% if nagios_monitoring_server_ip is defined %}
+{% for ip in nagios_monitoring_server_ip %}
+restrict {{ ip }} mask 255.255.255.255 notrap nomodify
+{% endfor %}
+{% endif %}
+{% if ntp_allowed_clients is defined %}
+{% for host in ntp_allowed_clients %}
+restrict {{ host.ip }} mask {{ host.netmask }} {% if host.options is defined %}{{ host.options }}{% else %}notrap nomodify{% endif %}
+{% endfor %}
+{% endif %}
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
+
+#Changes recquired to use pps synchonisation as explained in documentation:
+#http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918
+
+#server 127.127.8.1 mode 135 prefer    # Meinberg GPS167 with PPS
+#fudge 127.127.8.1 time1 0.0042        # relative to PPS for my hardware
+
+#server 127.127.22.1                   # ATOM(PPS)
+#fudge 127.127.22.1 flag3 1            # enable PPS API
+