debops.ntp default variables
Sections
Global options
- ntp__daemon_enabled
If True
, role will install and configure an NTP daemon. The daemon is not
required in containerized environments, where the host takes care for setting
time accurately.
ntp__daemon_enabled: '{{ "True" if (ntp__daemon|d() and
((ansible_system_capabilities_enforced|d())|bool and
"cap_sys_time" in ansible_system_capabilities) or
not (ansible_system_capabilities_enforced|d(True))|bool)
else "False" }}'
- ntp__daemon
Which clock management daemon/program should be setup?
Choices (string):
chrony
ntpdate
ntpd
openntpd
systemd-timesyncd
Set to False
to disable clock management.
ntp__daemon: '{{ (ansible_local.ntp.daemon
if (ansible_local.ntp.daemon|d())
else ("systemd-timesyncd"
if (ansible_distribution == "Ubuntu" and
ansible_service_mgr == "systemd")
else "openntpd")) }}'
- ntp__ignore_ntpdate
Don't uninstall ntpdate
package if it's installed. Be aware that
ntpdate-debian
script is executed each time a network interface is
brought up. This might result in unexpected time jumps forward or backward.
ntp__ignore_ntpdate: False
- ntp__servers
List of NTP servers to synchronize with If you use ntpd, you can add server options in server strings, for example:
ntp__servers:
- '0.debian.pool.ntp.org iburst minpoll 6 maxpoll 10'
If you're syncing against local servers, recommended options are: 'burst iburst minpoll 4 maxpoll 4', where:
burst
andiburst
:Get a time sync as fast as possible by sending 8 sync queries with 2 second interval. (Beware though, this is considered as an abuse on public servers!)
minpoll
,maxpoll
:Min/max interval for sync queries to be sent in normal operation mode. It's defined in seconds as a power of two:
4 -- 16 seconds (minimal allowed)
5 -- 32 seconds
6 -- 64 seconds
and so on.
ntp__servers: '{{ (ntp__servers_map[ansible_distribution][1]
| d(ntp__servers_map["default"][1]))
if (ntp__daemon in ["chrony"])
else ntp__servers_map[ansible_distribution]
| d(ntp__servers_map["default"]) }}'
- ntp__servers_map
YAML dictionary with different NTP server lists depending on OS distribution.
ntp__servers_map:
'Debian': [ '0.debian.pool.ntp.org', '1.debian.pool.ntp.org',
'2.debian.pool.ntp.org', '3.debian.pool.ntp.org' ]
'Ubuntu': [ '0.ubuntu.pool.ntp.org', '1.ubuntu.pool.ntp.org',
'2.ubuntu.pool.ntp.org', '3.ubuntu.pool.ntp.org' ]
'default': [ '0.pool.ntp.org', '1.pool.ntp.org',
'2.pool.ntp.org', '3.pool.ntp.org' ]
- ntp__fudge
ntpd specific. Fudge local clock if time servers is not available.
ntp__fudge: True
- ntp__servers_as_pool
Treat NTP server addresses as pool addresses. The server name is expected to resolve to multiple IP addresses which might change over time. This is currently only supported by chrony. Other NTP servers will ignore this setting.
ntp__servers_as_pool: '{{ False if ansible_distribution == "Debian"
and ansible_distribution_release == "jessie"
else True }}'
APT packages
- ntp__base_packages
List of APT packages to install for NTP support.
ntp__base_packages:
- '{{ "chrony" if (ntp__daemon == "chrony") else [] }}'
- '{{ "ntp" if (ntp__daemon == "ntpd") else [] }}'
- '{{ "openntpd" if (ntp__daemon == "openntpd") else [] }}'
- '{{ "ntpdate" if (ntp__daemon == "ntpdate") else [] }}'
- ntp__packages
List of additional APT packages to install with NTP support.
ntp__packages: []
- ntp__purge_packages
List of APT packages to purge during NTP configuration to avoid issues with conflicting services.
ntp__purge_packages:
- '{{ "chrony" if (ntp__daemon != "chrony") else [] }}'
- '{{ "ntp" if (ntp__daemon not in [ "ntpd", "openntpd"]) else [] }}'
- '{{ "openntpd" if (ntp__daemon != "openntpd") else [] }}'
- '{{ "ntpdate" if (ntp__daemon != "ntpdate" and
not ntp__ignore_ntpdate|bool) else [] }}'
OpenNTPd configuration
- ntp__openntpd_options
Set the openntpd
daemon options.
ntp__openntpd_options: '-f /etc/openntpd/ntpd.conf -s'
Chrony configuration
- ntp__chrony_cmdport
Set the chrony
cmdport option. 323 is the chrony default, but
debops recommends you default to 0 to disable UDP connections which
requires chronyc
be run as root to connect over unix socket.
ntp__chrony_cmdport: 0
Network accessibility
- ntp__listen
List of interfaces ntpd should listen on.
Specify ntp__listen: '*'
to listen on all interfaces.
The chrony service only supports one listen interface for each of the IPv4 and IPv6 protocols. It must be specified as an IP address.
ntp__listen: []
- ntp__firewall_access
Enable or disable access to NTP through the firewall.
ntp__firewall_access: False
- ntp__allow
List of hosts/networks in CIDR format to allow access to the NTP port by the
firewall. If this list is set to False
, access will be allowed from
anywhere. You should probably define a list of networks allowed access to
mitigate NTP amplification attacks.
ntp__allow: []
- ntp__ferm_chain
Name of the iptables chain to use for filtering NTP connections.
ntp__ferm_chain: 'filter-ntp'
- ntp__ferm_weight
Weight of the debops.ntp
firewall rules, determines the order of the
configuration files.
ntp__ferm_weight: '40'
- ntp__ferm_recent_seconds
Time window which firewall checks to filter too many connections, specified in seconds.
ntp__ferm_recent_seconds: '{{ (60 * 60) }}'
- ntp__ferm_recent_hitcount
Maximum number of new connections from a host in the specified time window.
ntp__ferm_recent_hitcount: 5
- ntp__ferm_recent_target
Specify what the firewall should do with packets that exceed the allowed
limits. You can use DROP
(recommended), REJECT
(high risk of
reflection attacks) or specify name of an iptables chain to
further process the packet(s).
ntp__ferm_recent_target: 'DROP'
Configuration for other Ansible roles
- ntp__ferm__dependent_rules
Configuration of the Linux firewall using debops.ferm.
ntp__ferm__dependent_rules:
- type: 'accept'
dport: [ 'ntp' ]
protocol: 'udp'
weight: '{{ ntp__ferm_weight }}'
role: 'ntp'
role_weight: '10'
name: 'jump-filter-ntp'
target: '{{ ntp__ferm_chain }}'
rule_state: '{{ "present" if (
ntp__daemon in [ "openntpd", "ntpd", "chrony" ] and
ntp__firewall_access|bool)
else "absent" }}'
- chain: '{{ ntp__ferm_chain }}'
type: 'recent'
dport: [ 'ntp' ]
protocol: 'udp'
saddr: '{{ ntp__allow }}'
weight: '{{ ntp__ferm_weight }}'
role: 'ntp'
role_weight: '20'
name: 'mark'
subchain: False
recent_set_name: 'ntp-new'
recent_log: False
rule_state: '{{ "present" if (
ntp__daemon in [ "openntpd", "ntpd", "chrony" ] and
ntp__firewall_access|bool)
else "absent" }}'
- chain: '{{ ntp__ferm_chain }}'
type: 'recent'
dport: [ 'ntp' ]
protocol: [ 'udp' ]
weight: '{{ ntp__ferm_weight }}'
role: 'ntp'
role_weight: '30'
name: 'filter'
subchain: False
recent_name: 'ntp-new'
recent_update: True
recent_seconds: '{{ ntp__ferm_recent_seconds }}'
recent_hitcount: '{{ ntp__ferm_recent_hitcount }}'
recent_target: '{{ ntp__ferm_recent_target }}'
recent_log_prefix: 'ipt-recent-ntp: '
rule_state: '{{ "present" if (
ntp__daemon in [ "openntpd", "ntpd", "chrony" ] and
ntp__firewall_access|bool)
else "absent" }}'
- chain: '{{ ntp__ferm_chain }}'
type: 'accept'
dport: [ 'ntp' ]
protocol: 'udp'
state: 'NEW'
saddr: '{{ ntp__allow }}'
weight: '{{ ntp__ferm_weight }}'
role: 'ntp'
role_weight: '40'
rule_state: '{{ "present" if (
ntp__daemon in [ "openntpd", "ntpd", "chrony" ] and
ntp__firewall_access|bool)
else "absent" }}'