Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Set up NTP with Ansible, dedicating one as a timelord
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Specify one or more NTP servers.
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
{% if timelord is not defined or ansible_hostname == timelord %}
{% for timeserver in toplevel_timeservers %}
server {{ timeserver }} iburst
{% endfor %}
# Use US time servers otherwise
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst
# Use Ubuntu's ntp server as a fallback.
server ntp.ubuntu.com iburst
# And use the current local time as a fallback of that
server 127.127.1.0
fudge 127.127.1.0 stratum 10
{% else %}
# Only use the time lord for time
server {{ hostvars[groups[timelord][0]]['ansible_' ~ ntp_netdevice]['ipv4']['address'] }} iburst
{% endif %}
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
{% if timelord is defined and ansible_hostname == timelord %}
# Allow this server to act as TIMELORD: KEEPER OF ALL TIME
restrict {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['network'] }} mask {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['netmask'] }} nomodify notrap
{% endif %}
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
##broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
---
- hosts: *
vars:
# Obviously change this if you are not in this Rackspace datacenter (or at Rackspace at all)
- toplevel_timeservers: ['time.ord1.rackspace.com', 'time.ord2.rackspace.com']
# TIMELORD IS THE KEEPER OF ALL OF THE TIME
# This variable currently assumes that each server can be referenced by its own group. If this is
# not the case, edit ntp.conf to instead look for a defined inventory_hostname if you would rather reference it that way.
# You can easily find where this is used in ntp.conf by searching for 'timelord' or 'groups[timelord][0]'
# This is also used a bit later on in the handlers for this playbook
- timelord: 'apache-1'
# The ethernet device that the servers will communicate over. If applicable, change this to the one connected to your VPN
- ntp_netdevice: 'eth0'
tasks:
- name: Install NTP
apt: package=ntp,ntpdate state=present update_cache=yes
tags: ntp
- name: Copy over the NTP configuration
template: src=ntp.conf dest=/etc/ntp.conf
notify:
- restart ntp
- force ntp update
tags: ntp
- name: Make sure NTP is started up
service: name=ntp state=started enabled=yes
tags: ntp
- name: Open inbound NTP connections for the timelord, time giver to all
shell: ufw allow from {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['network'] }}/{{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['netmask'] }} to any port 123
when: timelord is defined and ansible_hostname == timelord
tags: ntp
handlers:
- name: restart ntp
service: name=ntp state=restarted
- name: force ntp update
shell: "service ntp stop && ntpdate -s {{ hostvars[groups[timelord][0]]['ansible_' ~ ntp_netdevice]['ipv4']['address'] }} && service ntp start"
when: ansible_hostname != timelord
@stefan-enway

This comment has been minimized.

Copy link

stefan-enway commented Sep 9, 2019

ntpdate needs to exist

@phillipuniverse

This comment has been minimized.

Copy link
Owner Author

phillipuniverse commented Sep 9, 2019

Good catch. Updated to include it in the apt step!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.