auditd: filter out ntp time adjust event

ntpsec daemon didn't run, since minsane was greater than the default
minclock (4 > 3).

Also calculate maxclock option of ntpsec more effectively, and rename
terminus-font package.

roles/auditd/tasks/main.yml

@@ -1,14 +1,19 @@
 ---
-- name: auditd | Copy configuration and rules
+- name: auditd | Copy auditd configuration
   copy:
-    src: '{{ item }}'
-    dest: /etc/audit/{{ item }}
+    src: auditd.conf
+    dest: /etc/audit/auditd.conf
+    mode: '644'
+    owner: root
+    group: root
+
+- name: auditd | Copy audit rules
+  template:
+    src: audit.rules.j2
+    dest: /etc/audit/audit.rules
     mode: '644'
     owner: root
     group: root
-  loop:
-    - auditd.conf
-    - audit.rules
 
 - name: auditd | Copy daily cron job to rotate audit log
   copy:

roles/auditd/templates/audit.rules.j2

@@ -52,6 +52,12 @@
 ## This is not very interesting and wastes a lot of space if the server is public facing
 -a always,exclude -F msgtype=CRYPTO_KEY_USER
 
+# This prevents ntpd daemons from overwhelming the logs
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=ntp
+{% if ntp_client == 'chrony' %}
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony
+{% endif %}
+
 ## High Volume Event Filter (especially on Linux Workstations)
 -a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
 -a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm

roles/essential/tasks/main.yml

@@ -15,7 +15,7 @@
 
 - name: essential | Install common dependencies
   community.general.apk:
-    name: zstd, dbus, terminus-font, shadow-login
+    name: zstd, dbus, font-terminus, shadow-login
     state: present
 
 - name: essential | Enable logging and unicode support for openrc

roles/ntpd/templates/ntp.conf.j2

@@ -9,13 +9,29 @@ pool {{ pool }} iburst
 {% endfor %}
 
 {% for server in ntp_opts.servers %}
-server {{ server }} iburst {%- if ntp_opts.nts_enabled | bool %} nts{% endif %}
+server {{ server }} iburst {%- if ntp_opts.nts_enabled | bool %} nts
+{% endif %}
 {% endfor %}
 
-# Verify time with more sources than 1
-tos maxclock 7
+# From ntpd/ntpd.c
+# /*
+#  * ...
+#  *
+#  * With 2 working servers:
+#  *   if they don't agree, you can't tell which one is correct
+#  * With 3 working servers, 2 can outvote a falseticker
+#  * With 4 servers, you still have 3 if one is down.
+#  */
 tos minsane 4
 
+# minclock should be greater than minsane
+tos minclock 5
+
+# minclock + 2 (or 3) + number of pools
+# Also should be an odd number
+{% set maxclock = 8 + (ntp_opts.pools | length) %}
+tos maxclock {{ (maxclock | int %2 == 0) | ternary(maxclock + 1, maxclock) | int }}
+
 # Exchange time with everybody, but don't allow configuration.
 # This is the right security setup for 99% of deployments.
 restrict default kod limited nomodify noquery