initial upload

roles/ntp/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+
+ntp_servers:
+  - time1.google.com
+  - time2.google.com
+  - time3.google.com
+  - time4.google.com
+
+ntp_firewall: no

roles/ntp/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Restart NTP
+  service: name=ntp state=restarted

roles/ntp/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+  - role: firewall
+    when: ntp_firewall

roles/ntp/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Install NTP
+  apt: pkg=ntp state=present
+
+- name: Configure NTP
+  template: src=ntp.conf.j2 dest=/etc/ntp.conf
+  notify: Restart NTP
+
+- name: Configure NTP keys
+  template: src=ntp.keys.j2 dest=/etc/ntp.keys owner=ntp group=ntp mode=0400
+  notify: Restart NTP
+
+- name: Ensure NTP is running
+  service: name=ntp state=started enabled=yes
+
+- name: Configure firewall rules for NTP
+  template:
+    dest: /etc/firewall/rules-v4.d/21_ntp.sh
+    src: etc_firewall_rules-v4.d_21_ntp.sh.j2
+    owner: root
+    group: root
+    mode: 0600
+  when: ntp_firewall
+  notify: Restart firewall

roles/ntp/templates/etc_firewall_rules-v4.d_21_ntp.sh.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+{% for ip in ntp_servers | default([]) %}
+iptables -A INPUT -s {{ ip }} -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
+iptables -A OUTPUT -d {{ ip }} -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
+{% endfor %}

roles/ntp/templates/ntp.conf.j2

@@ -0,0 +1,34 @@
+# {{ ansible_managed }}
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+keys /etc/ntp.keys
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+{% if ntp_broadcast_key is defined %}
+broadcastclient
+trustedkey 22
+{% else %}
+# You do need to talk to an NTP server or two (or three).
+{% for server in ntp_servers %}
+server {{ server }} iburst
+{% endfor %}
+{% endif %}
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery

roles/ntp/templates/ntp.keys.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% if ntp_broadcast_key is defined %}
+22 M {{ ntp_broadcast_key }}
+{% endif %}