Configure NTP

hosts

@@ -40,7 +40,6 @@ strombola.csclub.uwaterloo.ca
 [syscom:children]
 syscom-bare-metal
 syscom-containers
-load-balancers
 
 [syscom-bare-metal]
 aspartame.csclub.uwaterloo.ca
@@ -62,6 +61,9 @@ rt.csclub.uwaterloo.ca
 netbox.csclub.uwaterloo.ca
 logstash.csclub.uwaterloo.ca
 
+[syscom-containers:children]
+load-balancers
+
 [audio-sink]
 nullsleep.csclub.uwaterloo.ca
 

install-general-use-container.yml

@@ -5,6 +5,7 @@
     roles:
       - common
       - core
+      - container
       - devel
       - generate-hosts
       - auth

install-syscom-container.yml

@@ -5,6 +5,7 @@
     roles:
       - common
       - core
+      - container
       - static-ipv6
       - generate-hosts
       - auth

loadbalancer.yml

@@ -3,11 +3,12 @@
     become: yes
     become_method: sudo
     roles:
-       #      - common
-       #- core
-       #- static-ipv6
-       #- generate-hosts
-       #- auth
-       #- csc-packages
+      - common
+      - core
+      - container
+      - static-ipv6
+      - generate-hosts
+      - auth
+      - csc-packages
       - load-balancer
       - cleanup

roles/auth/tasks/main.yml

@@ -11,6 +11,7 @@
       - sssd
       - sssd-tools
       - kstart
+      - sudo
 
 - name: install ubuntu sss pam and nss
   apt: name={{ item }} state=latest

roles/container/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Disable NTP
+  service:
+     name: ntp
+     state: stopped
+     enabled: no

roles/core/files/ntp.conf

@@ -0,0 +1,37 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+statistics loopstats peerstats clockstats
+filegen loopstats  file loopstats  type day enable
+filegen peerstats  file peerstats  type day enable
+filegen clockstats file clockstats type day enable
+
+# NTP Server
+server   ntp.csclub.uwaterloo.ca
+server   ntp.student.cs.uwaterloo.ca
+server   ntp.cs.uwaterloo.ca
+server   ntp.cscf.uwaterloo.ca
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page
+# <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# Disable the monitoring facility.
+# see https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
+disable monitor
+
+# By default, exchange time with everybody, but don't allow configuration
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1

roles/core/tasks/main.yml

@@ -95,6 +95,17 @@
 -   name: Install ntp
     apt: name=ntp state=latest
 
+-   name: Copy NTP configuration
+    copy:
+       src: ntp.conf
+       dest: /etc/ntp.conf
+       backup: no
+
+-   name: Restart NTP
+    service:
+       name: ntp
+       state: restarted
+
 -   name: Install debian package management
     apt: name={{ item }} state=latest
     with_items:

run-container.yml

@@ -0,0 +1,7 @@
+---
+  - hosts: containers
+    become: yes
+    become_method: sudo
+    roles:
+      - container
+      - cleanup

run-core.yml

@@ -0,0 +1,7 @@
+---
+  - hosts: all
+    become: yes
+    become_method: sudo
+    roles:
+      - core
+      - cleanup

webnode.yml

@@ -3,13 +3,14 @@
     become: yes
     become_method: sudo
     roles:
-       #- common
-       #- core
-       #- static-ipv6
-       #- generate-hosts
-       #- auth
-       #- csc-packages
-       #- devel
-       #- general-use
+      - common
+      - core
+      - container
+      - static-ipv6
+      - generate-hosts
+      - auth
+      - csc-packages
+      - devel
+      - general-use
       - webnode
       - cleanup