authorJeff Geerling <geerlingguy@mac.com>2016-03-03 22:45:52 -0600
committerJeff Geerling <geerlingguy@mac.com>2016-03-03 22:45:52 -0600
commit9c0a3ce4ff0c8bc00dbb8497193c2fc5f015c5aa (patch)
tree103fd05671d52dfab54cb7c38d08a747bff057c6 /templates
parent567078d7c3ac7190d6748f0cfcd535e82912a12b (diff)
NTP configuration cleanup and add documentation for new vars.
Diffstat (limited to 'templates')
-rw-r--r--templates/ntp.conf.j278
1 files changed, 63 insertions, 15 deletions
diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2
index b0ddb0c..cc1e0f0 100644
--- a/templates/ntp.conf.j2
+++ b/templates/ntp.conf.j2
@@ -1,22 +1,70 @@
# {{ ansible_managed }}
-# Default NTP servers for the operating system.
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
{% for item in ntp_servers %}
server {{ item }}
{% endfor %}
-# Security:
-#
-# By default, only allow time queries and block all other requests
-# from unauthenticated clients.
-#
-# See http://support.ntp.org/bin/view/Support/AccessRestrictions
-# for more information.
-#
-restrict default kod limited nomodify notrap nopeer noquery
-restrict -6 default kod limited nomodify notrap nopeer noquery
-
-# The following settings allow unrestricted access from the localhost
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
restrict 127.0.0.1
-restrict -6 ::1
-restrict 127.127.1.0
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+# Enable public key cryptography.
+#crypto
+
+#includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+#keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+
+# Enable writing of statistics records.
+#statistics clockstats cryptostats loopstats peerstats
+
+# Disable the monitoring facility to prevent amplification attacks using ntpdc
+# monlist command when default restrict does not include the noquery flag. See
+# CVE-2013-5211 for more details.
+# Note: Monitoring will not be disabled with the limited restriction flag.
+disable monitor
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
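Review bot: The new `restrict default nomodify notrap nopeer noquery` line drops the `kod limited` flags that the previous default line carried, so clients that exceed the rate limit are no longer throttled or sent kiss-o'-death responses, and the old `restrict -6 default` line has no replacement — on ntpd builds where an unflagged `restrict default` covers only IPv4 (older 4.2.4-era releases, if the role still targets them), IPv6 peers would be left without the default restriction. Restoring `restrict default kod limited nomodify notrap nopeer noquery` keeps the earlier hardening while the rest of the cleanup stands; if `limited` is left out on purpose, the comment `# Note: Monitoring will not be disabled with the limited restriction flag.` should say why. Separately, the `statistics loopstats peerstats clockstats` and three `filegen ... enable` lines are active while `#statsdir /var/log/ntpstats/` stays commented out, so the stats files are presumably written to ntpd's compiled-in or working directory rather than /var/log/ntpstats/ — either uncomment `statsdir /var/log/ntpstats/` or drop the filegen block, which also duplicates the commented `#statistics clockstats cryptostats loopstats peerstats` line further down. `driftfile /var/lib/ntp/drift` is also hard-coded to the Red Hat location; Debian-family hosts keep the drift file under a different name in /var/lib/ntp, so a role variable would be safer than a literal path.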