First push.

master
Andrea Dell'Amico 3 years ago
parent 0cbad4224e
commit ebd4f42452
Signed by: andrea.dellamico
GPG Key ID: 147ABE6CEB9E20FF

@ -1,31 +1,31 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
A role that installs and configure a NTP server.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
The most important variables are listed below:
Dependencies
------------
``` yaml
ntp_service_enabled: True
ntp_statistics_enabled: False
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
ntp_allow_external_clients: False
ntp_allowed_clients: []
# - { ip: '', netmask: '', options: '' }
Example Playbook
----------------
ntp_define_servers_pool: False
ntp_servers_pool: []
# - x.y.z.w
# - w.y.z.x
```
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
Dependencies
------------
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
None
License
-------
@ -35,4 +35,4 @@ EUPL-1.2
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>

@ -1,2 +1,12 @@
---
# defaults file for ansible-role-template
ntp_service_enabled: True
ntp_statistics_enabled: False
ntp_allow_external_clients: False
ntp_allowed_clients: []
# - { ip: '', netmask: '', options: '' }
ntp_define_servers_pool: False
ntp_servers_pool: []
# - x.y.z.w
# - w.y.z.x

@ -1,2 +1,8 @@
---
# handlers file for ansible-role-template
- name: Restart the ntp server
service: name=ntp state=restarted enabled=yes
when: ntp_service_enabled | bool
- name: Restart the ntpd server
service: name=ntpd state=restarted enabled=yes
when: ntp_service_enabled | bool

@ -1,46 +1,26 @@
galaxy_info:
author: your name
description: your description
company: your company (optional)
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://support.d4science.org/projects/automatic-provisioning/issues
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
platforms:
- name: Ubuntu
versions:
- bionic
- name: Ubuntu
versions:
- bionic
- name: EL
versions:
- 7
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
galaxy_tags:
- ntp
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

@ -1,2 +1,42 @@
---
# tasks file for ansible-role-template
- block:
- name: Install the ntp server
apt: pkg=ntp state=present cache_valid_time=3600
- name: Install the ntp configuration.
template: src=ntp.conf.j2 dest=/etc/ntp.conf owner=root group=root mode=0644
notify: Restart the ntp server
- name: Ensure that the ntp server is running
service: name=ntp state=started enabled=yes
when: ntp_service_enabled | bool
- name: Ensure that the ntp server is stopped and disabled
service: name=ntp state=stopped enabled=no
when: not ntp_service_enabled | bool
when: ansible_distribution_file_variety == "Debian"
tags: [ 'packages', 'ntp' ]
- block:
- name: Install the ntpd server
yum: pkg=ntp state=present
- name: Install the ntp configuration.
template: src=ntp-centos.conf.j2 dest=/etc/ntp.conf owner=root group=root mode=0644
notify: Restart the ntpd server
- name: Ensure that the ntpd server is running
service: name=ntpd state=started enabled=yes
when: ntp_service_enabled | bool
- name: Ensure that the ntpd server is stopped and disabled
service: name=ntpd state=stopped enabled=no
when: not ntp_service_enabled | bool
- name: Manage the ntp firewalld rules in zone {{ firewalld_default_zone }}
firewalld: service=ntp zone={{ firewalld_default_zone }} permanent=True state=enabled immediate=True
when: firewalld_enabled | bool
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'packages', 'ntp' ]

@ -0,0 +1,85 @@
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
{% if ntp_define_servers_pool %}
{% for pool_ip in ntp_servers_pool %}
server {{ pool_ip }} prefer iburst
{% endfor %}
{% else %}
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
{% endif %}
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
{% if nagios_monitoring_server_ip is defined %}
{% for ip in nagios_monitoring_server_ip %}
restrict {{ ip }} mask 255.255.255.255 notrap nomodify
{% endfor %}
{% endif %}
{% if ntp_allow_external_clients %}
{% for host in ntp_allowed_clients %}
restrict {{ host.ip }} mask {{ host.netmask }} {% if host.options is defined %}{{ host.options }}{% else %}notrap nomodify{% endif %}
{% endfor %}
{% endif %}
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
{% if ntp_statistics_enabled %}
statsdir /var/log/ntpstats/
statistics clockstats cryptostats loopstats peerstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
{% endif %}
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

@ -0,0 +1,81 @@
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
{% if ntp_statistics_enabled %}
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
{% endif %}
# Specify one or more NTP servers.
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
{% if ntp_define_servers_pool %}
{% for pool_ip in ntp_servers_pool %}
server {{ pool_ip }} prefer iburst
{% endfor %}
{% else %}
pool 0.ubuntu.pool.ntp.org iburst
pool 1.ubuntu.pool.ntp.org iburst
pool 2.ubuntu.pool.ntp.org iburst
pool 3.ubuntu.pool.ntp.org iburst
{% endif %}
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Needed for adding pool entries
restrict source notrap nomodify noquery
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
{% if nagios_monitoring_server_ip is defined %}
{% for ip in nagios_monitoring_server_ip %}
restrict {{ ip }} mask 255.255.255.255 notrap nomodify
{% endfor %}
{% endif %}
{% if ntp_allow_external_clients %}
{% for host in ntp_allowed_clients %}
restrict {{ host.ip }} mask {{ host.netmask }} {% if host.options is defined %}{{ host.options }}{% else %}notrap nomodify{% endif %}
{% endfor %}
{% endif %}
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
#Changes recquired to use pps synchonisation as explained in documentation:
#http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918
#server 127.127.8.1 mode 135 prefer # Meinberg GPS167 with PPS
#fudge 127.127.8.1 time1 0.0042 # relative to PPS for my hardware
#server 127.127.22.1 # ATOM(PPS)
#fudge 127.127.22.1 flag3 1 # enable PPS API
Loading…
Cancel
Save