update..

2024-02-26 00:43:13 +01:00 · 2024-02-26 00:43:13 +01:00 · 1e5274e6e4
commit 1e5274e6e4
parent bf2de2e0f6
17 changed files with 389 additions and 23 deletions
--- a/files/akb.netz/homedirs/root/_bashrc
+++ b/files/akb.netz/homedirs/root/_bashrc
@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS'
 alias ll='ls $LS_OPTIONS -l'
 alias la='ls $LS_OPTIONS -al'
 alias l='ls $LS_OPTIONS -lA'
-#
+
+alias running_services='systemctl list-units  --type=service  --state=running'
+
 # Some more alias to avoid making mistakes:
 #alias rm='rm -i'
 #alias cp='cp -i'
--- a/files/flr.netz/homedirs/root/_bashrc
+++ b/files/flr.netz/homedirs/root/_bashrc
@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS'
 alias ll='ls $LS_OPTIONS -l'
 alias la='ls $LS_OPTIONS -al'
 alias l='ls $LS_OPTIONS -lA'
-#
+
+alias running_services='systemctl list-units  --type=service  --state=running'
+
 # Some more alias to avoid making mistakes:
 #alias rm='rm -i'
 #alias cp='cp -i'
--- a/files/mbr-bln.netz/homedirs/root/_bashrc
+++ b/files/mbr-bln.netz/homedirs/root/_bashrc
@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS'
 alias ll='ls $LS_OPTIONS -l'
 alias la='ls $LS_OPTIONS -al'
 alias l='ls $LS_OPTIONS -lA'
-#
+
+alias running_services='systemctl list-units  --type=service  --state=running'
+
 # Some more alias to avoid making mistakes:
 #alias rm='rm -i'
 #alias cp='cp -i'
--- a/files/sprachenatelier.netz/homedirs/root/_bashrc
+++ b/files/sprachenatelier.netz/homedirs/root/_bashrc
@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS'
 alias ll='ls $LS_OPTIONS -l'
 alias la='ls $LS_OPTIONS -al'
 alias l='ls $LS_OPTIONS -lA'
-#
+
+alias running_services='systemctl list-units  --type=service  --state=running'
+
 # Some more alias to avoid making mistakes:
 #alias rm='rm -i'
 #alias cp='cp -i'
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -996,7 +996,7 @@ resolved_nameserver:
 resolved_domains:
  - oopen.de

-resolved_dnssec: true
+resolved_dnssec: false

 # dns.as250.net: 194.150.168.168
 #
--- a/group_vars/mbr.yml
+++ b/group_vars/mbr.yml
@ -257,6 +257,12 @@ nis_user:
    is_samba_user: true
    password: '20_axis_16'

+  - name: scan
+    groups:
+      - buero-scan
+    is_samba_user: true
+    password: '20scan13'
+
 # ---
 # Technik
 # ---
--- a/group_vars/sprachenatelier.yml
+++ b/group_vars/sprachenatelier.yml
@ -190,6 +190,13 @@ nis_user:
    is_samba_user: true
    password: '270988'

+  - name: janet
+    groups:
+      - intern
+      - buero
+    is_samba_user: true
+    password: '211085 '
+
  - name: jessica
    groups:
      - intern
--- a/host_vars/file-akb.akb.netz.yml
+++ b/host_vars/file-akb.akb.netz.yml
@ -57,7 +57,6 @@ network_interfaces:
 set_default_limit_nofile: true


-
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
@ -117,12 +116,13 @@ resolved_nameserver:
 resolved_domains:
  - akb.netz

-resolved_dnssec: true
+resolved_dnssec: false

 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
-   - 194.150.168.168
+   - 172.16.82.254
+

 # ---
 # vars used by roles/common/tasks/sshd.yml
--- a/host_vars/file-flr.flr.netz.yml
+++ b/host_vars/file-flr.flr.netz.yml
@ -56,6 +56,74 @@ network_interfaces:

 set_default_limit_nofile: true

+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+resolved_nameserver:
+  - 192.168.102.1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - flr.netz
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 172.16.102.254
+
+
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
--- a/host_vars/file-mbr.mbr-bln.netz.yml
+++ b/host_vars/file-mbr.mbr-bln.netz.yml
@ -81,6 +81,75 @@ network_interfaces:

 set_default_limit_nofile: true

+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+resolved_nameserver:
+  - 192.168.112.1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 172.16.112.254
+
+
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
--- a/host_vars/file-spr.sprachenatelier.netz.yml
+++ b/host_vars/file-spr.sprachenatelier.netz.yml
@ -56,6 +56,74 @@ network_interfaces:

 set_default_limit_nofile: true

+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+resolved_nameserver:
+  - 192.168.92.1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 172.16.92.254
+
+
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -76,7 +76,13 @@

 - name: Restart ntp
  service:
-    name: ntp
+    name: ntpsec
+    daemon_reload: yes
+    state: restarted
+
+- name: Restart ntpsec
+  service:
+    name: ntpsec
    daemon_reload: yes
    state: restarted

--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@ -4,10 +4,10 @@
 # NTP Server
 # ---

- name: (ntp.yml) Ensure ntp package is installed.
+- name: (ntp.yml) Ensure ntpsec package is installed.
  apt:
    name:
-      - ntp
+      - ntpsec
    state: present
  when:
    - ansible_os_family == "Debian"
@ -15,27 +15,39 @@
  tags:
    - ntp-server

- name: (ntp.yml) Check file '/etc/ntp.conf.ORIG' exists
+- name: (ntp.yml) Check file '/etc/ntpsec/ntp.conf.ORIG' exists
  stat:
-    path: /etc/ntp.conf.ORIG
-  register: etc_ntp_conf_ORIG
+    path: /etc/ntpsec/ntp.conf.ORIG
+  register: etc_ntpsec_conf_ORIG
  when:
    - groups['file_server']|string is search(inventory_hostname)
  tags:
    - ntp-server

- name: (ntp.yml) Backup installation version of file '/etc/ntp.conf'
-  command: cp -a /etc/ntp.conf /etc/ntp.conf.ORIG
+
+- name: (ntp.yml) Ensure directory '/var/log/ntpsec' is present
+  file:
+    path: /var/log/ntpsec
+    state: directory
+    owner: ntpsec
+    group: ntpsec
+    mode: '0755'
+  when:
+    - ansible_distribution == "Debian"
+
+
+- name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf'
+  command: cp -a /etc/ntpsec/ntp.conf /etc/ntpsec/ntp.conf.ORIG
  when:
    - groups['file_server']|string is search(inventory_hostname)
-    - etc_ntp_conf_ORIG.stat.exists == False
+    - etc_ntpsec_conf_ORIG.stat.exists == False
  tags:
    - ntp-server

- name: (ntp.yml) Update '/etc/ntp.conf'
+- name: (ntp.yml) Update '/etc/ntpsec/ntp.conf'
  template:
-    src: "etc/ntp.conf.j2"
-    dest: /etc/ntp.conf
+    src: "etc/ntpsec/ntp.conf.j2"
+    dest: /etc/ntpsec/ntp.conf
    owner: root
    group: root
    mode: 0644
--- a/roles/common/templates/etc/apt/sources.list.Debian.j2
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2
@ -3,19 +3,25 @@
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main

-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% if not apt_src_enable %}
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 #deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 #deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% else %}
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
@ -30,15 +36,35 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
 # but have dependencies not in main (possibly packaged for Debian in non-free).
 # Non-free contains software that does not comply with the DFSG.
 {% if apt_debian_contrib_nonfree_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware
+{% else %}
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 {% endif %}
+{% endif %}
+
+{% if apt_debian_contrib_nonfree_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware
+{% else %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
+{% endif %}
+{% endif %}

 # # N.B. software from this repository may not have been tested as
 # # extensively as that contained in the main release, although it includes
 # # newer versions of some applications which may provide useful features.
 {% if apt_backports_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
+{% else %}
 deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {% endif %}
+{% endif %}

--- a/roles/common/templates/etc/apt/sources.list.Debian.j2.BAK
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2.BAK
@ -0,0 +1,44 @@
+# {{ ansible_managed }}
+
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
+
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% if not apt_src_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+#deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% else %}
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% endif %}
+
+# {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
+
+# Contrib packages contain DFSG-compliant software,
+# but have dependencies not in main (possibly packaged for Debian in non-free).
+# Non-free contains software that does not comply with the DFSG.
+{% if apt_debian_contrib_nonfree_enable %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
+{% endif %}
+
+# # N.B. software from this repository may not have been tested as
+# # extensively as that contained in the main release, although it includes
+# # newer versions of some applications which may provide useful features.
+{% if apt_backports_enable %}
+deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
+{% endif %}
+
--- a/roles/common/templates/etc/ntp.conf.j2.BAK
+++ b/roles/common/templates/etc/ntp.conf.j2.BAK
--- a/roles/common/templates/etc/ntpsec/ntp.conf.j2
+++ b/roles/common/templates/etc/ntpsec/ntp.conf.j2
@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
+
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <https://www.pool.ntp.org/join.html>
+#pool 0.debian.pool.ntp.org iburst
+#pool 1.debian.pool.ntp.org iburst
+#pool 2.debian.pool.ntp.org iburst
+#pool 3.debian.pool.ntp.org iburst
+server {{ ntp_server }}
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1