|``ddns_keys: {}`` |A dictionary defining each Dynamic DNS zone's authorized key. See **Dynamic DNS** below. Defined in an encrypted file in |
| |the secrets repo |
+--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
+|``nameserver_as_ntp_server: false`` |Set to ``true`` in Ansible inventory host or group variables if you want the nameserver to act as an NTP server as well. |
+| | |
+| |**NOTE:** You must also define ``ntp_permitted_lans``. See below. |
++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
+|:: |A list of LANs that are permitted to query the NTP server running on the host. |
+| | |
+| ntp_permitted_lans: | |
+| - 192.168.0.0/24 |Must be in CIDR format as shown. |
+| - 172.20.20.0/20 | |
+| | |
++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
**named_domains: []**
tags:
- packages
+# Configure firewalld
+- import_tasks: firewall.yml
+ tags:
+ - firewall
+
+# Configure host as NTP server if desired
+- import_tasks: ntp_server.yml
+ when: nameserver_as_ntp_server == true
+ tags:
+ - ntp-server
+
- name: Enable and start ntpd
service:
name: ntpd
tags:
- always
-# Configure firewalld
-- import_tasks: firewall.yml
- tags:
- - firewall
-
# Configure BIND
- import_tasks: config.yml
tags:
--- /dev/null
+---
+- name: Install NTP package
+ yum:
+ name: ntp
+ state: latest
+
+- name: Make sure chrony is not installed
+ yum:
+ name: chrony
+ state: absent
+
+- name: Write NTP config file
+ template:
+ src: ntp.conf.j2
+ dest: /etc/ntp.conf
+
+- name: Start and enable NTP service
+ service:
+ name: ntpd
+ state: started
+ enabled: yes
+
+- name: Allow NTP traffic through firewalld
+ firewalld:
+ service: ntp
+ permanent: true
+ immediate: true
+ state: enabled
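Review bot: A changed /etc/ntp.conf written by the "Write NTP config file" task never reaches an already-running ntpd, because the following service task only asserts `state: started` and leaves a running service alone on re-runs; add `notify: restart ntpd` to the template task and define a matching `restart ntpd` handler (service ntpd, state restarted) in the role's handlers. This matters here because the templated file carries the `restrict` ACLs, so after the firewalld task opens the port a stale config means the host serves under whatever ACL was loaded last. `state: latest` on the ntp package also upgrades it on every run; `state: present` is the usual choice unless unattended upgrades are intended. Setting `owner: root`, `group: root`, `mode: '0644'` on the template task would pin the config file's permissions rather than inheriting the controller's umask.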
--- /dev/null
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict -6 ::1
+
+# Allow these networks to query this NTP server
+{% for lan in ntp_permitted_lans %}
+restrict {{ lan | ipaddr('network') }} mask {{ ntp_lan | ipaddr('netmask') }} nomodify notrap
+{% endfor %}
+
+# Get time from these public hosts
+server 0.centos.pool.ntp.org iburst
+server 1.centos.pool.ntp.org iburst
+server 2.centos.pool.ntp.org iburst
+server 3.centos.pool.ntp.org iburst
+
+includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Enable writing of statistics records.
+statistics clockstats cryptostats loopstats peerstats sysstats rawstats
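Review bot: The `mask` expression on the `restrict` line inside the `ntp_permitted_lans` loop references `ntp_lan`, which is not defined anywhere in the template (the loop variable is `lan`), so with Ansible's default strict undefined-variable handling the template fails to render as soon as the list is non-empty. The line should read `restrict {{ lan | ipaddr('network') }} mask {{ lan | ipaddr('netmask') }} nomodify notrap`. Consider appending `nopeer noquery` to that line as well: the permitted LANs only need to be served time, and `noquery` keeps ntpq/ntpdc control queries (the classic NTP amplification vector) limited to loopback, matching what the `default` lines already do. The `ipaddr` filter depends on the `netaddr` Python package on the control node, which is worth recording in the role's requirements.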