phillipuniverse/ntp.conf

## ntp.conf
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Specify one or more NTP servers.

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.

{% if timelord is not defined or ansible_hostname == timelord %}
  {% for timeserver in toplevel_timeservers %}
    server {{ timeserver }} iburst
  {% endfor %}

  # Use US time servers otherwise
  server 0.us.pool.ntp.org iburst
  server 1.us.pool.ntp.org iburst
  server 2.us.pool.ntp.org iburst
  server 3.us.pool.ntp.org iburst

  # Use Ubuntu's ntp server as a fallback.
  server ntp.ubuntu.com iburst

  # And use the current local time as a fallback of that
  server 127.127.1.0
  fudge 127.127.1.0 stratum 10

{% else %}
   # Only use the time lord for time
   server {{ hostvars[groups[timelord][0]]['ansible_' ~ ntp_netdevice]['ipv4']['address'] }} iburst
{% endif %}

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

{% if timelord is defined and ansible_hostname == timelord %}
  # Allow this server to act as TIMELORD: KEEPER OF ALL TIME
  restrict {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['network'] }} mask {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['netmask'] }} nomodify notrap
{% endif %}


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
##broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

## ntp_playbook.yml
---

- hosts: *
  vars:
    # Obviously change this if you are not in this Rackspace datacenter (or at Rackspace at all)
    - toplevel_timeservers: ['time.ord1.rackspace.com', 'time.ord2.rackspace.com']

    # TIMELORD IS THE KEEPER OF ALL OF THE TIME
    # This variable currently assumes that each server can be referenced by its own group. If this is
    # not the case, edit ntp.conf to instead look for a defined inventory_hostname if you would rather reference it that way.
    # You can easily find where this is used in ntp.conf by searching for 'timelord' or 'groups[timelord][0]'
    # This is also used a bit later on in the handlers for this playbook
    - timelord: 'apache-1'

    # The ethernet device that the servers will communicate over. If applicable, change this to the one connected to your VPN
    - ntp_netdevice: 'eth0'

  tasks:
    - name: Install NTP
      apt: package=ntp,ntpdate state=present update_cache=yes
      tags: ntp

    - name: Copy over the NTP configuration
      template: src=ntp.conf dest=/etc/ntp.conf
      notify:
        - restart ntp
        - force ntp update
      tags: ntp

    - name: Make sure NTP is started up
      service: name=ntp state=started enabled=yes
      tags: ntp

    - name: Open inbound NTP connections for the timelord, time giver to all
      shell: ufw allow from {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['network'] }}/{{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['netmask'] }} to any port 123
      when: timelord is defined and ansible_hostname == timelord
      tags: ntp

  handlers:
    - name: restart ntp
      service: name=ntp state=restarted

    - name: force ntp update
      shell: "service ntp stop && ntpdate -s {{ hostvars[groups[timelord][0]]['ansible_' ~ ntp_netdevice]['ipv4']['address'] }} && service ntp start"
      when: ansible_hostname != timelord
	# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

	driftfile /var/lib/ntp/ntp.drift


	# Enable this if you want statistics to be logged.
	#statsdir /var/log/ntpstats/

	statistics loopstats peerstats clockstats
	filegen loopstats file loopstats type day enable
	filegen peerstats file peerstats type day enable
	filegen clockstats file clockstats type day enable

	# Specify one or more NTP servers.

	# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
	# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
	# more information.

	{% if timelord is not defined or ansible_hostname == timelord %}
	{% for timeserver in toplevel_timeservers %}
	server {{ timeserver }} iburst
	{% endfor %}

	# Use US time servers otherwise
	server 0.us.pool.ntp.org iburst
	server 1.us.pool.ntp.org iburst
	server 2.us.pool.ntp.org iburst
	server 3.us.pool.ntp.org iburst

	# Use Ubuntu's ntp server as a fallback.
	server ntp.ubuntu.com iburst

	# And use the current local time as a fallback of that
	server 127.127.1.0
	fudge 127.127.1.0 stratum 10

	{% else %}
	# Only use the time lord for time
	server {{ hostvars[groups[timelord][0]]['ansible_' ~ ntp_netdevice]['ipv4']['address'] }} iburst
	{% endif %}

	# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
	# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
	# might also be helpful.
	#
	# Note that "restrict" applies to both servers and clients, so a configuration
	# that might be intended to block requests from certain clients could also end
	# up blocking replies from your own upstream servers.

	# By default, exchange time with everybody, but don't allow configuration.
	restrict -4 default kod notrap nomodify nopeer noquery
	restrict -6 default kod notrap nomodify nopeer noquery

	# Local users may interrogate the ntp server more closely.
	restrict 127.0.0.1
	restrict ::1

	# Clients from this (example!) subnet have unlimited access, but only if
	# cryptographically authenticated.
	#restrict 192.168.123.0 mask 255.255.255.0 notrust

	{% if timelord is defined and ansible_hostname == timelord %}
	# Allow this server to act as TIMELORD: KEEPER OF ALL TIME
	restrict {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['network'] }} mask {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['netmask'] }} nomodify notrap
	{% endif %}


	# If you want to provide time to your local subnet, change the next line.
	# (Again, the address is an example only.)
	##broadcast 192.168.123.255

	# If you want to listen to time broadcasts on your local subnet, de-comment the
	# next lines. Please do this only if you trust everybody on the network!
	#disable auth
	#broadcastclient
	---

	- hosts: *
	vars:
	# Obviously change this if you are not in this Rackspace datacenter (or at Rackspace at all)
	- toplevel_timeservers: ['time.ord1.rackspace.com', 'time.ord2.rackspace.com']

	# TIMELORD IS THE KEEPER OF ALL OF THE TIME
	# This variable currently assumes that each server can be referenced by its own group. If this is
	# not the case, edit ntp.conf to instead look for a defined inventory_hostname if you would rather reference it that way.
	# You can easily find where this is used in ntp.conf by searching for 'timelord' or 'groups[timelord][0]'
	# This is also used a bit later on in the handlers for this playbook
	- timelord: 'apache-1'

	# The ethernet device that the servers will communicate over. If applicable, change this to the one connected to your VPN
	- ntp_netdevice: 'eth0'

	tasks:
	- name: Install NTP
	apt: package=ntp,ntpdate state=present update_cache=yes
	tags: ntp

	- name: Copy over the NTP configuration
	template: src=ntp.conf dest=/etc/ntp.conf
	notify:
	- restart ntp
	- force ntp update
	tags: ntp

	- name: Make sure NTP is started up
	service: name=ntp state=started enabled=yes
	tags: ntp

	- name: Open inbound NTP connections for the timelord, time giver to all
	shell: ufw allow from {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['network'] }}/{{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['netmask'] }} to any port 123
	when: timelord is defined and ansible_hostname == timelord
	tags: ntp

	handlers:
	- name: restart ntp
	service: name=ntp state=restarted

	- name: force ntp update
	shell: "service ntp stop && ntpdate -s {{ hostvars[groups[timelord][0]]['ansible_' ~ ntp_netdevice]['ipv4']['address'] }} && service ntp start"
	when: ansible_hostname != timelord