From 2cff6b4cfe8b35c47797cb04fcd852ea73988a67 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 29 Nov 2020 16:52:17 +0100
Subject: [PATCH] NTP client with timesyncd

---
 plays/ntp.yml                                 |  7 +++++
 roles/ntp-client/handlers/main.yml            |  5 ++++
 roles/ntp-client/tasks/main.yml               | 29 +++++++------------
 roles/ntp-server/tasks/main.yml               | 27 +++++++++++++++++
 .../templates/ntp.conf.j2                     | 10 ++-----
 5 files changed, 52 insertions(+), 26 deletions(-)
 create mode 100755 plays/ntp.yml
 create mode 100644 roles/ntp-client/handlers/main.yml
 create mode 100644 roles/ntp-server/tasks/main.yml
 rename roles/{ntp-client => ntp-server}/templates/ntp.conf.j2 (91%)

diff --git a/plays/ntp.yml b/plays/ntp.yml
new file mode 100755
index 00000000..0ba9a409
--- /dev/null
+++ b/plays/ntp.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# NTP client is in root.yml
+
+- hosts: charybde.adm.crans.org
+  roles:
+    - ntp-server
diff --git a/roles/ntp-client/handlers/main.yml b/roles/ntp-client/handlers/main.yml
new file mode 100644
index 00000000..ffd2754d
--- /dev/null
+++ b/roles/ntp-client/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart systemd-timesyncd
+  service:
+    name: systemd-timesyncd
+    state: restarted
diff --git a/roles/ntp-client/tasks/main.yml b/roles/ntp-client/tasks/main.yml
index 0bc25d21..2dac6728 100644
--- a/roles/ntp-client/tasks/main.yml
+++ b/roles/ntp-client/tasks/main.yml
@@ -1,27 +1,18 @@
 ---
-- name: Install NTP
+- name: Clean up ntp
   apt:
-    update_cache: true
+    state: absent
     name: ntp
+    purge: true
   register: apt_result
   retries: 3
   until: apt_result is succeeded
-
-- name: Configure NTP daemon
-  lineinfile:
-    path: /etc/default/ntp
-    regexp: '^NTPD_OPTS'
-    line: NTPD_OPTS='-g -x'
-  check_mode: no
+  when: inventory_hostname in ntp_servers
 
 - name: Configure NTP
-  template:
-    src: ntp.conf.j2
-    dest: /etc/ntp.conf
-    mode: 0644
-
-- name: Start ntp service
-  systemd:
-    name: ntp
-    enabled: true
-    state: started
+  lineinfile:
+    path: /etc/systemd/timesyncd.conf
+    regexp: '^NTP='
+    line: "NTP={{ ntp_servers | join(' ') }}"
+  notify: Restart systemd-timesyncd
+  when: inventory_hostname in ntp_servers
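Review bot: The `when: inventory_hostname in ntp_servers` guard on both tasks looks inverted: it purges ntp and writes `timesyncd.conf` only on the hosts listed as NTP servers, i.e. exactly the hosts the new ntp-server role installs ntp on, while ordinary clients get neither the clean-up nor the `NTP=` line. The template this commit moves used the same membership test to select the *server* branch, so the client role should run on the complement, `when: inventory_hostname not in ntp_servers`, on both tasks. Separately, nothing ensures systemd-timesyncd is enabled and running once ntp is removed; the handler only fires when the `NTP=` line changes, so a `systemd` task with `name: systemd-timesyncd`, `enabled: true`, `state: started` after the lineinfile would make the role converge on first run. Since the stock file only has `#NTP=` commented out, `lineinfile` will append the line at end of file, which presumably lands in the `[Time]` section — worth a short comment above the task so nobody "fixes" the regexp later.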
diff --git a/roles/ntp-server/tasks/main.yml b/roles/ntp-server/tasks/main.yml
new file mode 100644
index 00000000..0bc25d21
--- /dev/null
+++ b/roles/ntp-server/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Install NTP
+  apt:
+    update_cache: true
+    name: ntp
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure NTP daemon
+  lineinfile:
+    path: /etc/default/ntp
+    regexp: '^NTPD_OPTS'
+    line: NTPD_OPTS='-g -x'
+  check_mode: no
+
+- name: Configure NTP
+  template:
+    src: ntp.conf.j2
+    dest: /etc/ntp.conf
+    mode: 0644
+
+- name: Start ntp service
+  systemd:
+    name: ntp
+    enabled: true
+    state: started
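Review bot: Neither the `/etc/default/ntp` edit nor the `ntp.conf` template notifies a restart, and the last task only asserts `state: started`, so a change to `NTPD_OPTS` or to the restrict/pool lines is written to disk but not applied until something else restarts ntpd. Add `notify: Restart ntp` to both configuration tasks and create `roles/ntp-server/handlers/main.yml` with a `Restart ntp` handler mirroring the timesyncd one in this commit. Two small lint points while the file is new: `check_mode: no` should be `check_mode: false` (yamllint `truthy`), and `mode: 0644` is a YAML 1.1 octal literal that Ansible convention says to quote as `mode: '0644'`. These tasks were moved verbatim from the client role, so none of this is a regression, but the move is the natural moment to fix it.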
diff --git a/roles/ntp-client/templates/ntp.conf.j2 b/roles/ntp-server/templates/ntp.conf.j2
similarity index 91%
rename from roles/ntp-client/templates/ntp.conf.j2
rename to roles/ntp-server/templates/ntp.conf.j2
index 050f51c8..5d480582 100644
--- a/roles/ntp-client/templates/ntp.conf.j2
+++ b/roles/ntp-server/templates/ntp.conf.j2
@@ -15,7 +15,6 @@ filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
 
 
-{% if inventory_hostname in ntp_servers %}
 # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
 # pick a different set every time it starts up.  Please consider joining the
 # pool: <http://www.pool.ntp.org/join.html>
@@ -23,12 +22,6 @@ pool 0.debian.pool.ntp.org iburst
 pool 1.debian.pool.ntp.org iburst
 pool 2.debian.pool.ntp.org iburst
 pool 3.debian.pool.ntp.org iburst
-{% else %}
-# You do need to talk to an NTP server or two (or three).
-{% for server in ntp_servers %}
-server {{ server }} iburst
-{% endfor %}
-{% endif %}
 
 
 # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
@@ -50,6 +43,9 @@ restrict ::1
 # Needed for adding pool entries
 restrict source notrap nomodify noquery
 
+# Server on adm can sync
+restrict 172.16.10.0 mask 255.255.255.0 notrap nomodify
+
 # Clients from this (example!) subnet have unlimited access, but only if
 # cryptographically authenticated.
 #restrict 192.168.123.0 mask 255.255.255.0 notrust
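Review bot: The added `restrict 172.16.10.0 mask 255.255.255.0 notrap nomodify` omits `noquery` (and `nopeer`), so every host on the adm subnet may send mode 6/7 control queries to this server — the classic ntpd information-leak and amplification vector — whereas clients only need time service. If the default `restrict` lines kept from the Debian template (above this hunk, not visible here) still carry `nomodify nopeer noquery limited`, time requests from that subnet are already answered and this line only relaxes the control-query and rate-limit protections; in that case it can be dropped, or tightened to `restrict 172.16.10.0 mask 255.255.255.0 notrap nomodify nopeer noquery`. It is also IPv4-only, so adm hosts reaching the server over IPv6 would need a matching IPv6 `restrict` entry. The comment `# Server on adm can sync` reads as if the server itself syncs from adm; `# Clients on the adm subnet may request time` states the intent.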
-- 
GitLab