ntpd: fix ntpsec config
The ntpsec daemon did not run because minsane was greater than the default minclock (4 > 3). Also calculate the ntpsec maxclock option more effectively, and rename the terminus-font package.
parent
ec72f75587
commit
9e12ff1ffb
|
@ -15,7 +15,7 @@
|
|||
|
||||
- name: essential | Install common dependencies
|
||||
community.general.apk:
|
||||
name: zstd, dbus, terminus-font, shadow-login
|
||||
name: zstd, dbus, font-terminus, shadow-login
|
||||
state: present
|
||||
|
||||
- name: essential | Enable logging and unicode support for openrc
|
||||
|
|
|
@ -9,13 +9,29 @@ pool {{ pool }} iburst
|
|||
{% endfor %}
|
||||
|
||||
{% for server in ntp_opts.servers %}
|
||||
server {{ server }} iburst {%- if ntp_opts.nts_enabled | bool %} nts{% endif %}
|
||||
server {{ server }} iburst {%- if ntp_opts.nts_enabled | bool %} nts
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
# Verify time with more sources than 1
|
||||
tos maxclock 7
|
||||
# From ntpd/ntpd.c
|
||||
# /*
|
||||
# * ...
|
||||
# *
|
||||
# * With 2 working servers:
|
||||
# * if they don't agree, you can't tell which one is correct
|
||||
# * With 3 working servers, 2 can outvote a falseticker
|
||||
# * With 4 servers, you still have 3 if one is down.
|
||||
# */
|
||||
tos minsane 4
|
||||
|
||||
# minclock should be greater than minsane
|
||||
tos minclock 5
|
||||
|
||||
# minclock + 2 (or 3) + number of pools
|
||||
# Also should be an odd number
|
||||
{% set maxclock = 8 + (ntp_opts.pools | length) %}
|
||||
tos maxclock {{ (maxclock | int %2 == 0) | ternary(maxclock + 1, maxclock) | int }}
|
||||
|
||||
# Exchange time with everybody, but don't allow configuration.
|
||||
# This is the right security setup for 99% of deployments.
|
||||
restrict default kod limited nomodify noquery
|
||||
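Review bot: When `ntp_opts.nts_enabled` is false, the split `server` line in the `{% for server in ntp_opts.servers %}` loop (which looks like the new form; the page does not mark old and new sides) appears to lose its line break. The only newline now sits inside the `{% if %}` body, and with Ansible's default `trim_blocks` the newline after `{% endif %}` is dropped, so consecutive entries would render as `server A iburstserver B iburst`. ntpd would then likely have no usable `server` sources, and with `tos minsane 4` the clock may never be disciplined, which undermines certificate validity checks and log timestamps on the host. Keeping the newline outside the conditional avoids this, for example `server {{ server }} iburst{{ ' nts' if ntp_opts.nts_enabled | bool else '' }}`. Separately, the literal `8` in the `{% set maxclock = ... %}` line is tied to `tos minclock 5` only by the comment; a short note such as `# 8 = minclock (5) + 3; update if minclock changes` would keep the two from drifting apart.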
|
|