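# /etc/ntp.conf
# Ref:
# - ntp.conf(5)
# - https://gitlab.com/NTPsec/ntpsec/-/tree/master/etc/ntp.d

# There is no peer in ntpsec, just pool and server
# NOTE: pool lines are never given the "nts" option by this template, so
# sources learned from a pool are not NTS-authenticated even when
# ntp_opts.nts_enabled is true. They still take part in the source selection
# configured by the "tos" lines below.
{% for pool in ntp_opts.pools %}
pool {{ pool }} iburst
{% endfor %}

{# The optional " nts" suffix comes from an inline expression, not an
   if/endif block, so every server line ends with its own newline whether or
   not NTS is enabled and whether or not trim_blocks is on (Ansible's
   default). With the block form and trim_blocks on, the newline after endif
   is dropped and consecutive server lines run together when NTS is off. #}
{% for server in ntp_opts.servers %}
server {{ server }} iburst{{ ' nts' if ntp_opts.nts_enabled | bool else '' }}
{% endfor %}

# From ntpd/ntpd.c
# /*
# * ...
# *
# * With 2 working servers:
# * if they don't agree, you can't tell which one is correct
# * With 3 working servers, 2 can outvote a falseticker
# * With 4 servers, you still have 3 if one is down.
# */
# minsane is the minimum number of usable sources required before the clock
# is set: the servers and pools above must together yield at least 4 reachable
# sources, otherwise the host will not synchronise.
tos minsane 4

# minclock should be greater than minsane
tos minclock 5

# minclock + 2 (or 3) + number of pools  (here: 5 + 3 = 8, plus one per pool)
# Also should be an odd number
{% set maxclock = 8 + (ntp_opts.pools | length) %}
tos maxclock {{ (maxclock | int % 2 == 0) | ternary(maxclock + 1, maxclock) | int }}

# Exchange time with everybody, but don't allow configuration.
# This is the right security setup for 99% of deployments.
# - nomodify: remote hosts cannot change the running configuration
# - noquery:  remote hosts cannot send ntpq (mode 6) status queries
# - kod limited: rate-limit clients and answer offenders with kiss-o'-death
# Time service itself stays open to any host that can reach UDP/123; filter
# that port at the firewall if this host is meant to be a client only.
restrict default kod limited nomodify noquery
restrict -6 default kod limited nomodify noquery

# Local users may interrogate the NTP server more closely.
# (No flags: loopback is exempt from the restrictions above.)
restrict 127.0.0.1
restrict -6 ::1

driftfile /var/lib/ntp/ntp.drift

# Where to store keys to encrypt NTS cookies
# Keep this file readable only by the account ntpd runs as.
nts cookie /var/lib/ntp/nts-keys

# Where to log NTP statistics
# NOTE: /var/lib/ntp and /var/log/ntpstats are already created by ntpsec package with correct permissions
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

logconfig =syncall +clockall +peerall +sysall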