debops.ntp default variables

Global options


If True, role will install and configure an NTP daemon. The daemon is not required in containerized environments, where the host takes care for setting time accurately.

ntp__daemon_enabled: '{{ "True"
                         if (ntp__daemon | d(False) and
                             not (ansible_virtualization_role | d("") == "guest" and
                                  ansible_virtualization_type | d("")
                                    in ["container", "lxc"]) and
                             not (ansible_system_capabilities_enforced | d(True) and
                                  "cap_sys_time" not in ansible_system_capabilities))
                         else "False" }}'

Which clock management daemon/program should be setup?

Choices (string):

  • chrony

  • ntpdate

  • ntpd

  • openntpd

  • systemd-timesyncd

Set to False to disable clock management.

ntp__daemon: '{{ (ansible_local.ntp.daemon
                  if (ansible_local.ntp.daemon | d())
                  else ("systemd-timesyncd"
                        if (ansible_service_mgr == "systemd")
                        else "openntpd")) }}'

Don't uninstall ntpdate package if it's installed. Be aware that ntpdate-debian script is executed each time a network interface is brought up. This might result in unexpected time jumps forward or backward.

ntp__ignore_ntpdate: False

List of NTP servers to synchronize with If you use ntpd, you can add server options in server strings, for example:

  - ' iburst minpoll 6 maxpoll 10'

If you're syncing against local servers, recommended options are: 'burst iburst minpoll 4 maxpoll 4', where:

burst and iburst:

Get a time sync as fast as possible by sending 8 sync queries with 2 second interval. (Beware though, this is considered as an abuse on public servers!)

minpoll, maxpoll:

Min/max interval for sync queries to be sent in normal operation mode. It's defined in seconds as a power of two:

  • 4 -- 16 seconds (minimal allowed)

  • 5 -- 32 seconds

  • 6 -- 64 seconds

and so on.

ntp__servers: '{{ (ntp__servers_map[ansible_distribution][1]
                   | d(ntp__servers_map["default"][1]))
                   if (ntp__daemon in ["chrony"])
                   else ntp__servers_map[ansible_distribution]
                        | d(ntp__servers_map["default"]) }}'

YAML dictionary with different NTP server lists depending on OS distribution.

  'Debian':  [ '', '',
               '', '' ]
  'Ubuntu':  [ '', '',
               '', '' ]
  'default': [ '', '',
               '', '' ]

ntpd specific. Fudge local clock if time servers is not available.

ntp__fudge: True

Treat NTP server addresses as pool addresses. The server name is expected to resolve to multiple IP addresses which might change over time. This is currently only supported by chrony. Other NTP servers will ignore this setting.

ntp__servers_as_pool: True

APT packages


List of APT packages to install for NTP support.

  - '{{ "chrony" if (ntp__daemon == "chrony") else [] }}'
  - '{{ "ntp" if (ntp__daemon == "ntpd") else [] }}'
  - '{{ "openntpd" if (ntp__daemon == "openntpd") else [] }}'
  - '{{ "systemd-timesyncd" if (ntp__daemon == "systemd-timesyncd" and
                                not in ["stretch", "buster"]) else [] }}'
  - '{{ "ntpdate" if (ntp__daemon == "ntpdate") else [] }}'

List of additional APT packages to install with NTP support.

ntp__packages: []

List of APT packages to purge during NTP configuration to avoid issues with conflicting services.

  - '{{ "chrony" if (ntp__daemon != "chrony") else [] }}'
  - '{{ "ntp" if (ntp__daemon not in ["ntpd", "openntpd"]) else [] }}'
  - '{{ "openntpd" if (ntp__daemon != "openntpd") else [] }}'
  - '{{ "systemd-timesyncd" if (ntp__daemon != "systemd-timesyncd") else [] }}'
  - '{{ "ntpdate" if (ntp__daemon != "ntpdate" and
                      not ntp__ignore_ntpdate | bool) else [] }}'

OpenNTPd configuration


Set the openntpd daemon options.

ntp__openntpd_options: '-f /etc/openntpd/ntpd.conf -s'

Chrony configuration


Set the chrony cmdport option. 323 is the chrony default, but debops recommends you default to 0 to disable UDP connections which requires chronyc be run as root to connect over unix socket.

ntp__chrony_cmdport: 0

Network accessibility


List of interfaces ntpd should listen on. Specify ntp__listen: '*' to listen on all interfaces.

The chrony service only supports one listen interface for each of the IPv4 and IPv6 protocols. It must be specified as an IP address.

ntp__listen: []

Enable or disable access to NTP through the firewall.

ntp__firewall_access: False

List of hosts/networks in CIDR format to allow access to the NTP port by the firewall. If this list is set to False, access will be allowed from anywhere. You should probably define a list of networks allowed access to mitigate NTP amplification attacks.

ntp__allow: []

Name of the iptables chain to use for filtering NTP connections.

ntp__ferm_chain: 'filter-ntp'

Weight of the debops.ntp firewall rules, determines the order of the configuration files.

ntp__ferm_weight: '40'

Time window which firewall checks to filter too many connections, specified in seconds.

ntp__ferm_recent_seconds: '{{ (60 * 60) }}'

Maximum number of new connections from a host in the specified time window.

ntp__ferm_recent_hitcount: 5

Specify what the firewall should do with packets that exceed the allowed limits. You can use DROP (recommended), REJECT (high risk of reflection attacks) or specify name of an iptables chain to further process the packet(s).

ntp__ferm_recent_target: 'DROP'

Configuration for other Ansible roles


Configuration of the Linux firewall using debops.ferm.


  - type: 'accept'
    dport: [ 'ntp' ]
    protocol: 'udp'
    weight: '{{ ntp__ferm_weight }}'
    role: 'ntp'
    role_weight: '10'
    name: 'jump-filter-ntp'
    target: '{{ ntp__ferm_chain }}'
    rule_state: '{{ "present"
                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
                        ntp__firewall_access | bool)
                    else "absent" }}'

  - chain: '{{ ntp__ferm_chain }}'
    type: 'recent'
    dport: [ 'ntp' ]
    protocol: 'udp'
    saddr: '{{ ntp__allow }}'
    weight: '{{ ntp__ferm_weight }}'
    role: 'ntp'
    role_weight: '20'
    name: 'mark'
    subchain: False
    recent_set_name: 'ntp-new'
    recent_log: False
    rule_state: '{{ "present"
                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
                        ntp__firewall_access | bool)
                    else "absent" }}'

  - chain: '{{ ntp__ferm_chain }}'
    type: 'recent'
    dport: [ 'ntp' ]
    protocol: [ 'udp' ]
    weight: '{{ ntp__ferm_weight }}'
    role: 'ntp'
    role_weight: '30'
    name: 'filter'
    subchain: False
    recent_name: 'ntp-new'
    recent_update: True
    recent_seconds: '{{ ntp__ferm_recent_seconds }}'
    recent_hitcount: '{{ ntp__ferm_recent_hitcount }}'
    recent_target: '{{ ntp__ferm_recent_target }}'
    recent_log_prefix: 'ipt-recent-ntp: '
    rule_state: '{{ "present"
                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
                        ntp__firewall_access | bool)
                    else "absent" }}'

  - chain: '{{ ntp__ferm_chain }}'
    type: 'accept'
    dport: [ 'ntp' ]
    protocol: 'udp'
    state: 'NEW'
    saddr: '{{ ntp__allow }}'
    weight: '{{ ntp__ferm_weight }}'
    role: 'ntp'
    role_weight: '40'
    rule_state: '{{ "present"
                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
                        ntp__firewall_access | bool)
                    else "absent" }}'