
@jsumners
Created July 26, 2017 16:12
RHEL7 Ansible task list to fix NTP
# {{ansible_managed}}
# ntpd configuration, rendered from a Jinja2 template. The VMware-specific
# sections are emitted only when ansible_product_name contains "vmware".
{% if 'vmware' in ansible_product_name|lower %}
# Disable panic quit if system is >1000s out of sync because VMware.
# With the threshold at 0, ntpd accepts a clock offset of any size instead
# of exiting. NOTE(review): this also removes the sanity limit on how far a
# wrong or spoofed time source can move the clock, so it is only reasonable
# with trusted time sources. Keep the directive at the top of the file.
tinker panic 0
{% endif %}
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#   nomodify - refuse ntpq/ntpdc requests that change the configuration
#   notrap   - refuse to provide the trap (remote event logging) service
#   nopeer   - refuse unauthenticated attempts to set up a new association
#   noquery  - refuse ntpq/ntpdc status queries
# Ordinary time requests are still answered under these flags.
# NOTE(review): kod normally only takes effect together with `limited`,
# which is not set here - confirm against the installed ntpd version.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
{% if 'vmware' in ansible_product_name|lower %}
# VMware guests poll more often: minpoll 4 / maxpoll 6 are powers of two,
# i.e. every 16 to 64 seconds.
server time.example.com prefer minpoll 4 maxpoll 6
server time2.example.com prefer minpoll 4 maxpoll 6
{% else %}
# All other hosts use ntpd's default poll intervals.
server time.example.com prefer
server time2.example.com prefer
{% endif %}
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
# NOTE(review): with this fallback ntpd can keep reporting itself as
# synchronized (at stratum 10) while both servers above are unreachable,
# so monitor the reachability of the real sources rather than sync state.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
# NOTE(review): this template has no `trustedkey` line and no `key` option
# on the server lines, so the time sources above are not authenticated
# with these keys.
keys /etc/ntp/keys
# {{ansible_managed}}
# Hosts used by the ntpdate service to force a clock sync at boot; the task
# list installs this file as /etc/ntp/step-tickers. One host name per line.
# NOTE(review): these match the `server` lines in ntp.conf - presumably the
# two lists should be kept identical so boot-time stepping uses the same
# trusted sources as ntpd.
time.example.com
time2.example.com
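# Remove chrony so it cannot compete with ntpd for control of the clock.
# `systemctl status` exits 0 only while the unit is active, so the registered
# result is used solely to decide whether there is a running service to stop.
- name: check for chronyd running
  command: systemctl status chronyd
  register: chronyd_status
  # A non-zero rc (inactive or not installed) is an expected answer here,
  # not a failure, and a status query never changes the host.
  failed_when: false
  changed_when: false

- name: disable chronyd
  service:
    name: chronyd
    state: stopped
    enabled: false
  when: chronyd_status.rc == 0

# Not gated on the status check: an installed-but-stopped chronyd would
# otherwise stay on the host, possibly still enabled and configured with its
# own time sources. `state: absent` is a no-op when the package is missing.
- name: remove chrony
  yum:
    name: chrony
    state: absent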
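# Install ntpd. The registered result lets a later task tell a fresh install
# (ntpd not yet running) from an existing one.
- name: install ntp
  yum:
    name: ntp
    state: present
  register: ntp_install_status

# Render the ntpd configuration. Ownership and mode are set explicitly so the
# file that selects this host's time sources is writable by root only,
# whatever umask or pre-existing permissions are in effect.
# ntp_status.changed drives the conditional ntpd restart.
- name: upload ntp.conf
  template:
    src: "{{ playbook_dir }}/templates/ntp.conf"
    dest: /etc/ntp.conf
    owner: root
    group: root
    mode: "0644"
  register: ntp_status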
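# We need the ntpdate stuff because the VM hosts aren't always synchronized.
# Thus, we have to force the system to sync on boot. And because systemd is
# stupid, we have to disable ntpd while we apply the ntpdate stuff.

# The step-tickers list decides which hosts may step the clock at boot, so
# it gets the same explicit root ownership and mode as ntp.conf.
- name: upload step-tickers
  template:
    src: "{{ playbook_dir }}/templates/ntp.step-tickers"
    dest: /etc/ntp/step-tickers
    owner: root
    group: root
    mode: "0644"
  register: tickers_status

# Skipped right after a fresh install of the ntp package.
- name: stop ntp to install ntpdate service
  service:
    name: ntpd
    state: stopped
  when: not ntp_install_status.changed

- name: enable ntpdate
  service:
    name: ntpdate
    state: started
    enabled: true

# Re-run ntpdate only when the list of step-tickers actually changed.
- name: restart ntpdate
  service:
    name: ntpdate
    state: restarted
  when: tickers_status.changed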
# Start ntpd and have it come up at boot.
- name: enable ntp
  service:
    enabled: true
    state: started
    name: ntpd

# Pick up a changed /etc/ntp.conf; ntp_status is registered by the
# "upload ntp.conf" task.
- name: restart ntp
  when: ntp_status.changed
  service:
    state: restarted
    name: ntpd