From 5d345eecad6086b941258bfcd90dbc1301bfcd1c Mon Sep 17 00:00:00 2001 From: Zachary Seguin Date: Sun, 11 Dec 2016 12:05:48 -0500 Subject: [PATCH] Configure NTP --- hosts | 4 +++- install-general-use-container.yml | 1 + install-syscom-container.yml | 1 + loadbalancer.yml | 13 ++++++----- roles/auth/tasks/main.yml | 1 + roles/container/tasks/main.yml | 7 ++++++ roles/core/files/ntp.conf | 37 +++++++++++++++++++++++++++++++ roles/core/tasks/main.yml | 11 +++++++++ run-container.yml | 7 ++++++ run-core.yml | 7 ++++++ webnode.yml | 17 +++++++------- 11 files changed, 91 insertions(+), 15 deletions(-) create mode 100644 roles/container/tasks/main.yml create mode 100644 roles/core/files/ntp.conf create mode 100644 run-container.yml create mode 100644 run-core.yml diff --git a/hosts b/hosts index 5a797d3..ec1307c 100644 --- a/hosts +++ b/hosts @@ -40,7 +40,6 @@ strombola.csclub.uwaterloo.ca [syscom:children] syscom-bare-metal syscom-containers -load-balancers [syscom-bare-metal] aspartame.csclub.uwaterloo.ca @@ -62,6 +61,9 @@ rt.csclub.uwaterloo.ca netbox.csclub.uwaterloo.ca logstash.csclub.uwaterloo.ca +[syscom-containers:children] +load-balancers + [audio-sink] nullsleep.csclub.uwaterloo.ca diff --git a/install-general-use-container.yml b/install-general-use-container.yml index 104fc5c..c1be0e3 100644 --- a/install-general-use-container.yml +++ b/install-general-use-container.yml @@ -5,6 +5,7 @@ roles: - common - core + - container - devel - generate-hosts - auth diff --git a/install-syscom-container.yml b/install-syscom-container.yml index 67fef97..f7b0494 100644 --- a/install-syscom-container.yml +++ b/install-syscom-container.yml @@ -5,6 +5,7 @@ roles: - common - core + - container - static-ipv6 - generate-hosts - auth diff --git a/loadbalancer.yml b/loadbalancer.yml index 8948819..75c5e5f 100644 --- a/loadbalancer.yml +++ b/loadbalancer.yml 
@@ -3,11 +3,12 @@ become: yes become_method: sudo roles: - # - common - #- core - #- static-ipv6 - #- generate-hosts - #- auth - #- csc-packages + - common + - core + - container + - static-ipv6 + - generate-hosts + - auth + - csc-packages - load-balancer - cleanup diff --git a/roles/auth/tasks/main.yml b/roles/auth/tasks/main.yml index a434ada..ea4ae23 100644 --- a/roles/auth/tasks/main.yml +++ b/roles/auth/tasks/main.yml @@ -11,6 +11,7 @@ - sssd - sssd-tools - kstart + - sudo - name: install ubuntu sss pam and nss apt: name={{ item }} state=latest diff --git a/roles/container/tasks/main.yml b/roles/container/tasks/main.yml new file mode 100644 index 0000000..2999df9 --- /dev/null +++ b/roles/container/tasks/main.yml @@ -0,0 +1,7 @@ +--- + +- name: Disable NTP + service: + name: ntp + state: stopped + enabled: no diff --git a/roles/core/files/ntp.conf b/roles/core/files/ntp.conf new file mode 100644 index 0000000..6deea04 --- /dev/null +++ b/roles/core/files/ntp.conf 
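Review bot: The `sudo` package is added to the auth role's package list, but loadbalancer.yml and webnode.yml in this same commit run every role with `become_method: sudo`, including the roles listed before `auth`. On a host where sudo is not yet installed, those earlier roles would presumably fail before this task is reached. The install likely belongs in the first role applied, or in a bootstrap step run as root. The task header is outside the hunk, so the module arguments it uses cannot be confirmed from here.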
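Review bot: The new `Disable NTP` task in roles/container/tasks/main.yml assumes an `ntp` service already exists on the target. run-container.yml applies this role on its own, and the `service` module fails when the service cannot be found, so a container that never had the core role applied would presumably abort here. The task also gives no reason why containers must not run ntpd; a one-line comment such as `# containers take their clock from the host, so ntpd stays off` (if that is the reason) would record the intent. `enabled: false` is the unambiguous spelling of `enabled: no`.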
@@ -0,0 +1,37 @@ +# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help + +driftfile /var/lib/ntp/ntp.drift + +# Enable this if you want statistics to be logged. +#statsdir /var/log/ntpstats/ +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + +# NTP Server +server ntp.csclub.uwaterloo.ca +server ntp.student.cs.uwaterloo.ca +server ntp.cs.uwaterloo.ca +server ntp.cscf.uwaterloo.ca + +# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for +# details. The web page +# +# might also be helpful. +# +# Note that "restrict" applies to both servers and clients, so a configuration +# that might be intended to block requests from certain clients could also end +# up blocking replies from your own upstream servers. + +# Disable the monitoring facility. +# see https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300 +disable monitor + +# By default, exchange time with everybody, but don't allow configuration +restrict -4 default kod notrap nomodify nopeer noquery +restrict -6 default kod notrap nomodify nopeer noquery + +# Local users may interrogate the ntp server more closely. +restrict 127.0.0.1 +restrict ::1 diff --git a/roles/core/tasks/main.yml b/roles/core/tasks/main.yml index 2692b1b..4b7333b 100644 --- a/roles/core/tasks/main.yml +++ b/roles/core/tasks/main.yml @@ -95,6 +95,17 @@ - name: Install ntp apt: name=ntp state=latest +- name: Copy NTP configuration + copy: + src: ntp.conf + dest: /etc/ntp.conf + backup: no + +- name: Restart NTP + service: + name: ntp + state: restarted + - name: Install debian package management apt: name={{ item }} state=latest with_items: diff --git a/run-container.yml b/run-container.yml new file mode 100644 index 0000000..9e0cec5 --- /dev/null +++ b/run-container.yml 
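Review bot: In the two `restrict ... default` lines, `kod` is given without `limited`. Per ntpd's access-control documentation a KoD packet is only sent on a rate-limit violation, so as written no rate limiting takes place and `kod` has no effect. If rate limiting is wanted, the lines would read `restrict -4 default kod limited notrap nomodify nopeer noquery` and the same for `-6`. Because `limited` depends on ntpd's internal monitoring list, its interaction with `disable monitor` should be checked on the deployed ntpd version; `noquery` is what keeps mode 6/7 queries closed in either case. The comment `exchange time with everybody` also means every host that gets this file answers time requests from any source, which is worth limiting at the firewall if these hosts are meant to be clients only.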
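Review bot: The `Restart NTP` task in roles/core/tasks/main.yml runs unconditionally, so every play that includes the core role restarts ntpd even when /etc/ntp.conf is unchanged. On containers it also starts the daemon that the container role then has to stop again. Turning it into a handler and adding `notify: Restart NTP` to the copy task would restart only on a real change. The copy task sets no ownership or mode either; `owner: root`, `group: root`, `mode: "0644"` would pin them. `backup: no` is better written as `backup: false`.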
@@ -0,0 +1,7 @@ +--- + - hosts: containers + become: yes + become_method: sudo + roles: + - container + - cleanup diff --git a/run-core.yml b/run-core.yml new file mode 100644 index 0000000..1fc5bb4 --- /dev/null +++ b/run-core.yml @@ -0,0 +1,7 @@ +--- + - hosts: all + become: yes + become_method: sudo + roles: + - core + - cleanup diff --git a/webnode.yml b/webnode.yml index 609d5df..7d4e7cd 100644 --- a/webnode.yml +++ b/webnode.yml @@ -3,13 +3,14 @@ become: yes become_method: sudo roles: - #- common - #- core - #- static-ipv6 - #- generate-hosts - #- auth - #- csc-packages - #- devel - #- general-use + - common + - core + - container + - static-ipv6 + - generate-hosts + - auth + - csc-packages + - devel + - general-use - webnode - cleanup
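Review bot: run-core.yml targets `hosts: all` with only the `core` and `cleanup` roles, so on containers the core role's `Restart NTP` task starts ntpd and nothing in this play stops it again, because the `container` role is not listed. The daemon would then keep running until run-container.yml or one of the full install playbooks is applied. Either add a second play that applies `container` to the container hosts, or guard the restart inside the core role. A comment at the top of the file stating that run-container.yml must follow would at least document the dependency. Both new playbooks also use `become: yes`, where `become: true` is the canonical boolean.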