Forked from phillipuniverse/ntp.conf
Created March 29, 2018 08:38
Set up NTP with Ansible, dedicating one as a timelord
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Specify one or more NTP servers.
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See for
# more information.
{% if timelord is not defined or ansible_hostname == timelord %}
{% for timeserver in toplevel_timeservers %}
server {{ timeserver }} iburst
{% endfor %}
# Use US time servers otherwise
server iburst
server iburst
server iburst
server iburst
# Use Ubuntu's ntp server as a fallback.
server iburst
# And use the current local time as a fallback of that
fudge stratum 10
{% else %}
# Only use the time lord for time
server {{ hostvars[groups[timelord][0]]['ansible_' ~ ntp_netdevice]['ipv4']['address'] }} iburst
{% endif %}
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <>
# might also be helpful.
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict mask notrust
{% if timelord is defined and ansible_hostname == timelord %}
# Allow this server to act as TIMELORD: KEEPER OF ALL TIME
restrict {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['network'] }} mask {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['netmask'] }} nomodify notrap
{% endif %}
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
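The `restrict` semantics the comments above describe (the default policy denies modification, peering and queries; the timelord's own subnet gets a looser rule) can be checked on the rendered /etc/ntp.conf. The following is an added Python example, not code from this gist: it parses `restrict` lines and reports where a rendered config drifts from the policy the template intends. The two sample configs and their addresses are constructed.

```python
# Added example, not part of the gist: audit a rendered ntp.conf against the
# access policy the template intends. Sample configs below are constructed.
REQUIRED_DEFAULT_FLAGS = {"kod", "notrap", "nomodify", "nopeer", "noquery"}
LOCALHOST = {"127.0.0.1", "::1"}

def parse_restrict_lines(conf_text):
    """Yield (address, mask_or_None, flags) for each `restrict` directive."""
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()        # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens[0] in ("-4", "-6"):                  # address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        address, rest, mask = tokens[0], tokens[1:], None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        yield address, mask, set(rest)

def audit_restrict(conf_text):
    """Return findings; an empty list means the policy matches the template."""
    findings, saw_default = [], False
    for address, mask, flags in parse_restrict_lines(conf_text):
        if address == "default":
            saw_default = True
            missing = REQUIRED_DEFAULT_FLAGS - flags
            if missing:
                findings.append(f"default rule missing {sorted(missing)}")
        elif address in LOCALHOST:
            continue                                   # local users may query freely
        elif "nomodify" not in flags:
            scope = address + (f" mask {mask}" if mask else "")
            findings.append(f"rule for {scope} allows runtime modification")
    if not saw_default:
        findings.append("no `restrict default` line: everyone gets full access")
    return findings
# Constructed: roughly what the template renders on the timelord (addresses made up).
TIMELORD_CONF = """\
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict ::1
restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap
"""
# Constructed: a hand-edited config that lost noquery and nomodify.
WEAK_CONF = """\
restrict -4 default kod notrap nomodify nopeer
restrict 10.0.0.0 mask 255.255.255.0 notrap
"""
```

Run `audit_restrict` over the file the template task writes to /etc/ntp.conf on each host; the timelord sample yields no findings, the weakened sample reports both dropped flags.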
- hosts: '*'
  vars:
    # Obviously change this if you are not in this Rackspace datacenter (or at Rackspace at all)
    - toplevel_timeservers: ['', '']
    # This variable currently assumes that each server can be referenced by its own group. If this is
    # not the case, edit ntp.conf to instead look for a defined inventory_hostname if you would rather reference it that way.
    # You can easily find where this is used in ntp.conf by searching for 'timelord' or 'groups[timelord][0]'
    # This is also used a bit later on in the handlers for this playbook
    - timelord: 'apache-1'
    # The ethernet device that the servers will communicate over. If applicable, change this to the one connected to your VPN
    - ntp_netdevice: 'eth0'
  tasks:
    - name: Install NTP
      apt: package=ntp state=present update_cache=yes
      tags: ntp
    - name: Copy over the NTP configuration
      template: src=ntp.conf dest=/etc/ntp.conf
      notify:
        - restart ntp
        - force ntp update
      tags: ntp
    - name: Make sure NTP is started up
      service: name=ntp state=started enabled=yes
      tags: ntp
    - name: Open inbound NTP connections for the timelord, time giver to all
      shell: ufw allow from {{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['network'] }}/{{ hostvars[inventory_hostname]['ansible_' ~ ntp_netdevice]['ipv4']['netmask'] }} to any port 123
      when: timelord is defined and ansible_hostname == timelord
      tags: ntp
  handlers:
    - name: restart ntp
      service: name=ntp state=restarted
    - name: force ntp update
      shell: "service ntp stop && ntpdate -s {{ hostvars[groups[timelord][0]]['ansible_' ~ ntp_netdevice]['ipv4']['address'] }} && service ntp start"
      when: ansible_hostname != timelord