ntpd: fix ntpsec config

ntpsec daemon didn't run, since minsane was greater than the default minclock (4 > 3). Also calculate maxclock option of ntpsec more effectively, and rename terminus-font package.
2023-04-06 00:00:00 +07:00 · 2023-04-06 00:00:00 +07:00 · 9e12ff1ffb
parent ec72f75587
commit 9e12ff1ffb
2 changed files with 20 additions and 4 deletions
--- a/roles/essential/tasks/main.yml
+++ b/roles/essential/tasks/main.yml
@ -15,7 +15,7 @@

 - name: essential | Install common dependencies
  community.general.apk:
-    name: zstd, dbus, terminus-font, shadow-login
+    name: zstd, dbus, font-terminus, shadow-login
    state: present

 - name: essential | Enable logging and unicode support for openrc
--- a/roles/ntpd/templates/ntp.conf.j2
+++ b/roles/ntpd/templates/ntp.conf.j2
@ -9,13 +9,29 @@ pool {{ pool }} iburst
 {% endfor %}

 {% for server in ntp_opts.servers %}
-server {{ server }} iburst {%- if ntp_opts.nts_enabled | bool %} nts{% endif %}
+server {{ server }} iburst {%- if ntp_opts.nts_enabled | bool %} nts
+{% endif %}
 {% endfor %}

-# Verify time with more sources than 1
-tos maxclock 7
+# From ntpd/ntpd.c
+# /*
+#  * ...
+#  *
+#  * With 2 working servers:
+#  *   if they don't agree, you can't tell which one is correct
+#  * With 3 working servers, 2 can outvote a falseticker
+#  * With 4 servers, you still have 3 if one is down.
+#  */
 tos minsane 4

+# minclock should be greater than minsane
+tos minclock 5
+
+# minclock + 2 (or 3) + number of pools
+# Also should be an odd number
+{% set maxclock = 8 + (ntp_opts.pools | length) %}
+tos maxclock {{ (maxclock | int %2 == 0) | ternary(maxclock + 1, maxclock) | int }}
+
 # Exchange time with everybody, but don't allow configuration.
 # This is the right security setup for 99% of deployments.
 restrict default kod limited nomodify noquery