debops.ntp default variables

Global options

ntp__daemon_enabled

If True, role will install and configure an NTP daemon. The daemon is not required in containerized environments, where the host takes care for setting time accurately.

ntp__daemon_enabled: '{{ "True"
                         if (ntp__daemon | d(False) and
                             not (ansible_virtualization_role | d("") == "guest" and
                                  ansible_virtualization_type | d("")
                                    in ["container", "lxc"]) and
                             not (ansible_system_capabilities_enforced | d(True) | bool and
                                  "cap_sys_time" not in ansible_system_capabilities))
                         else "False" }}'
ntp__daemon

Which clock management daemon/program should be setup?

Choices (string):

  • chrony

  • ntpdate

  • ntpd

  • openntpd

  • systemd-timesyncd

Set to False to disable clock management.

ntp__daemon: '{{ (ansible_local.ntp.daemon
                  if (ansible_local.ntp.daemon | d())
                  else ("systemd-timesyncd"
                        if (ansible_service_mgr == "systemd")
                        else "openntpd")) }}'
ntp__ignore_ntpdate

Don't uninstall ntpdate package if it's installed. Be aware that ntpdate-debian script is executed each time a network interface is brought up. This might result in unexpected time jumps forward or backward.

ntp__ignore_ntpdate: False
ntp__servers

List of NTP servers to synchronize with If you use ntpd, you can add server options in server strings, for example:

ntp__servers:
  - '0.debian.pool.ntp.org iburst minpoll 6 maxpoll 10'

If you're syncing against local servers, recommended options are: 'burst iburst minpoll 4 maxpoll 4', where:

burst and iburst:

Get a time sync as fast as possible by sending 8 sync queries with 2 second interval. (Beware though, this is considered as an abuse on public servers!)

minpoll, maxpoll:

Min/max interval for sync queries to be sent in normal operation mode. It's defined in seconds as a power of two:

  • 4 -- 16 seconds (minimal allowed)

  • 5 -- 32 seconds

  • 6 -- 64 seconds

and so on.

ntp__servers: '{{ (ntp__servers_map[ansible_distribution][1]
                   | d(ntp__servers_map["default"][1]))
                   if (ntp__daemon in ["chrony"])
                   else ntp__servers_map[ansible_distribution]
                        | d(ntp__servers_map["default"]) }}'
ntp__servers_map

YAML dictionary with different NTP server lists depending on OS distribution.

ntp__servers_map:
  'Debian':  [ '0.debian.pool.ntp.org', '1.debian.pool.ntp.org',
               '2.debian.pool.ntp.org', '3.debian.pool.ntp.org' ]
  'Ubuntu':  [ '0.ubuntu.pool.ntp.org', '1.ubuntu.pool.ntp.org',
               '2.ubuntu.pool.ntp.org', '3.ubuntu.pool.ntp.org' ]
  'default': [ '0.pool.ntp.org', '1.pool.ntp.org',
               '2.pool.ntp.org', '3.pool.ntp.org' ]
ntp__fudge

ntpd specific. Fudge local clock if time servers is not available.

ntp__fudge: True
ntp__servers_as_pool

Treat NTP server addresses as pool addresses. The server name is expected to resolve to multiple IP addresses which might change over time. This is currently only supported by chrony. Other NTP servers will ignore this setting.

ntp__servers_as_pool: True

APT packages

ntp__base_packages

List of APT packages to install for NTP support.

ntp__base_packages:
  - '{{ "chrony" if (ntp__daemon == "chrony") else [] }}'
  - '{{ "ntp" if (ntp__daemon == "ntpd") else [] }}'
  - '{{ "openntpd" if (ntp__daemon == "openntpd") else [] }}'
  - '{{ "systemd-timesyncd" if (ntp__daemon == "systemd-timesyncd" and
                                ansible_distribution_release
                                not in ["stretch", "buster"]) else [] }}'
  - '{{ "ntpdate" if (ntp__daemon == "ntpdate") else [] }}'
ntp__packages

List of additional APT packages to install with NTP support.

ntp__packages: []
ntp__purge_packages

List of APT packages to purge during NTP configuration to avoid issues with conflicting services.

ntp__purge_packages:
  - '{{ "chrony" if (ntp__daemon != "chrony") else [] }}'
  - '{{ "ntp" if (ntp__daemon not in ["ntpd", "openntpd"]) else [] }}'
  - '{{ "openntpd" if (ntp__daemon != "openntpd") else [] }}'
  - '{{ "systemd-timesyncd" if (ntp__daemon != "systemd-timesyncd") else [] }}'
  - '{{ "ntpdate" if (ntp__daemon != "ntpdate" and
                      not ntp__ignore_ntpdate | bool) else [] }}'

OpenNTPd configuration

ntp__openntpd_options

Set the openntpd daemon options.

ntp__openntpd_options: '-f /etc/openntpd/ntpd.conf -s'

Chrony configuration

ntp__chrony_cmdport

Set the chrony cmdport option. 323 is the chrony default, but debops recommends you default to 0 to disable UDP connections which requires chronyc be run as root to connect over unix socket.

ntp__chrony_cmdport: 0

Network accessibility

ntp__listen

List of interfaces ntpd should listen on. Specify ntp__listen: '*' to listen on all interfaces.

The chrony service only supports one listen interface for each of the IPv4 and IPv6 protocols. It must be specified as an IP address.

ntp__listen: []
ntp__firewall_access

Enable or disable access to NTP through the firewall.

ntp__firewall_access: False
ntp__allow

List of hosts/networks in CIDR format to allow access to the NTP port by the firewall. If this list is set to False, access will be allowed from anywhere. You should probably define a list of networks allowed access to mitigate NTP amplification attacks.

ntp__allow: []
ntp__ferm_chain

Name of the iptables chain to use for filtering NTP connections.

ntp__ferm_chain: 'filter-ntp'
ntp__ferm_weight

Weight of the debops.ntp firewall rules, determines the order of the configuration files.

ntp__ferm_weight: '40'
ntp__ferm_recent_seconds

Time window which firewall checks to filter too many connections, specified in seconds.

ntp__ferm_recent_seconds: '{{ (60 * 60) }}'
ntp__ferm_recent_hitcount

Maximum number of new connections from a host in the specified time window.

ntp__ferm_recent_hitcount: 5
ntp__ferm_recent_target

Specify what the firewall should do with packets that exceed the allowed limits. You can use DROP (recommended), REJECT (high risk of reflection attacks) or specify name of an iptables chain to further process the packet(s).

ntp__ferm_recent_target: 'DROP'

Configuration for other Ansible roles

ntp__ferm__dependent_rules

Configuration of the Linux firewall using debops.ferm.

ntp__ferm__dependent_rules:

  - type: 'accept'
    dport: [ 'ntp' ]
    protocol: 'udp'
    weight: '{{ ntp__ferm_weight }}'
    role: 'ntp'
    role_weight: '10'
    name: 'jump-filter-ntp'
    target: '{{ ntp__ferm_chain }}'
    rule_state: '{{ "present"
                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
                        ntp__firewall_access | bool)
                    else "absent" }}'

  - chain: '{{ ntp__ferm_chain }}'
    type: 'recent'
    dport: [ 'ntp' ]
    protocol: 'udp'
    saddr: '{{ ntp__allow }}'
    weight: '{{ ntp__ferm_weight }}'
    role: 'ntp'
    role_weight: '20'
    name: 'mark'
    subchain: False
    recent_set_name: 'ntp-new'
    recent_log: False
    rule_state: '{{ "present"
                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
                        ntp__firewall_access | bool)
                    else "absent" }}'

  - chain: '{{ ntp__ferm_chain }}'
    type: 'recent'
    dport: [ 'ntp' ]
    protocol: [ 'udp' ]
    weight: '{{ ntp__ferm_weight }}'
    role: 'ntp'
    role_weight: '30'
    name: 'filter'
    subchain: False
    recent_name: 'ntp-new'
    recent_update: True
    recent_seconds: '{{ ntp__ferm_recent_seconds }}'
    recent_hitcount: '{{ ntp__ferm_recent_hitcount }}'
    recent_target: '{{ ntp__ferm_recent_target }}'
    recent_log_prefix: 'ipt-recent-ntp: '
    rule_state: '{{ "present"
                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
                        ntp__firewall_access | bool)
                    else "absent" }}'

  - chain: '{{ ntp__ferm_chain }}'
    type: 'accept'
    dport: [ 'ntp' ]
    protocol: 'udp'
    state: 'NEW'
    saddr: '{{ ntp__allow }}'
    weight: '{{ ntp__ferm_weight }}'
    role: 'ntp'
    role_weight: '40'
    rule_state: '{{ "present"
                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
                        ntp__firewall_access | bool)
                    else "absent" }}'