From 1e5274e6e49b6b5b5d8998a0fa2072b9a6b452a7 Mon Sep 17 00:00:00 2001 From: Christoph Date: Mon, 26 Feb 2024 00:43:13 +0100 Subject: [PATCH] update.. --- files/akb.netz/homedirs/root/_bashrc | 4 +- files/flr.netz/homedirs/root/_bashrc | 4 +- files/mbr-bln.netz/homedirs/root/_bashrc | 4 +- .../homedirs/root/_bashrc | 4 +- group_vars/all/main.yml | 2 +- group_vars/mbr.yml | 6 ++ group_vars/sprachenatelier.yml | 7 ++ host_vars/file-akb.akb.netz.yml | 6 +- host_vars/file-flr.flr.netz.yml | 68 ++++++++++++++++++ host_vars/file-mbr.mbr-bln.netz.yml | 69 +++++++++++++++++++ host_vars/file-spr.sprachenatelier.netz.yml | 68 ++++++++++++++++++ roles/common/handlers/main.yml | 8 ++- roles/common/tasks/ntp.yml | 34 ++++++--- .../templates/etc/apt/sources.list.Debian.j2 | 32 ++++++++- .../etc/apt/sources.list.Debian.j2.BAK | 44 ++++++++++++ .../etc/{ntp.conf.j2 => ntp.conf.j2.BAK} | 0 roles/common/templates/etc/ntpsec/ntp.conf.j2 | 52 ++++++++++++++ 17 files changed, 389 insertions(+), 23 deletions(-) create mode 100644 roles/common/templates/etc/apt/sources.list.Debian.j2.BAK rename roles/common/templates/etc/{ntp.conf.j2 => ntp.conf.j2.BAK} (100%) create mode 100644 roles/common/templates/etc/ntpsec/ntp.conf.j2 diff --git a/files/akb.netz/homedirs/root/_bashrc b/files/akb.netz/homedirs/root/_bashrc index 3bb4709..dca6a2a 100644 --- a/files/akb.netz/homedirs/root/_bashrc +++ b/files/akb.netz/homedirs/root/_bashrc @@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS' alias ll='ls $LS_OPTIONS -l' alias la='ls $LS_OPTIONS -al' alias l='ls $LS_OPTIONS -lA' -# + +alias running_services='systemctl list-units --type=service --state=running' + # Some more alias to avoid making mistakes: #alias rm='rm -i' #alias cp='cp -i' diff --git a/files/flr.netz/homedirs/root/_bashrc b/files/flr.netz/homedirs/root/_bashrc index 3bb4709..dca6a2a 100644 --- a/files/flr.netz/homedirs/root/_bashrc +++ b/files/flr.netz/homedirs/root/_bashrc 
@@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS' alias ll='ls $LS_OPTIONS -l' alias la='ls $LS_OPTIONS -al' alias l='ls $LS_OPTIONS -lA' -# + +alias running_services='systemctl list-units --type=service --state=running' + # Some more alias to avoid making mistakes: #alias rm='rm -i' #alias cp='cp -i' diff --git a/files/mbr-bln.netz/homedirs/root/_bashrc b/files/mbr-bln.netz/homedirs/root/_bashrc index 3bb4709..dca6a2a 100644 --- a/files/mbr-bln.netz/homedirs/root/_bashrc +++ b/files/mbr-bln.netz/homedirs/root/_bashrc @@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS' alias ll='ls $LS_OPTIONS -l' alias la='ls $LS_OPTIONS -al' alias l='ls $LS_OPTIONS -lA' -# + +alias running_services='systemctl list-units --type=service --state=running' + # Some more alias to avoid making mistakes: #alias rm='rm -i' #alias cp='cp -i' diff --git a/files/sprachenatelier.netz/homedirs/root/_bashrc b/files/sprachenatelier.netz/homedirs/root/_bashrc index 3bb4709..dca6a2a 100644 --- a/files/sprachenatelier.netz/homedirs/root/_bashrc +++ b/files/sprachenatelier.netz/homedirs/root/_bashrc @@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS' alias ll='ls $LS_OPTIONS -l' alias la='ls $LS_OPTIONS -al' alias l='ls $LS_OPTIONS -lA' -# + +alias running_services='systemctl list-units --type=service --state=running' + # Some more alias to avoid making mistakes: #alias rm='rm -i' #alias cp='cp -i' diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 4e9100b..12952af 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -996,7 +996,7 @@ resolved_nameserver: resolved_domains: - oopen.de -resolved_dnssec: true +resolved_dnssec: false # dns.as250.net: 194.150.168.168 # diff --git a/group_vars/mbr.yml b/group_vars/mbr.yml index 4780a5c..8c691ff 100644 --- a/group_vars/mbr.yml +++ b/group_vars/mbr.yml @@ -257,6 +257,12 @@ nis_user: is_samba_user: true password: '20_axis_16' + - name: scan + groups: + - buero-scan + is_samba_user: true + password: '20scan13' + # --- # Technik # --- 
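Review bot: `resolved_dnssec: false` in group_vars/all/main.yml switches DNSSEC validation off for every host that inherits the group defaults, and neither the hunk nor the commit message ("update..") records why; a one-line comment above it, e.g. `# DNSSEC validation disabled on <date> because <reason>` (fill in the real reason), would stop the next maintainer from re-enabling it blindly or leaving it off for good. If the trigger is an upstream resolver that strips DNSSEC records, systemd-resolved's `allow-downgrade` mode keeps validation wherever the upstream does support it — worth checking whether the role's resolved template can pass that value through instead of a bare false. The same flip is made in host_vars/file-akb.akb.netz.yml, where the fallback nameserver also moves from 194.150.168.168 to 172.16.82.254 while the `# dns.as250.net: 194.150.168.168` comment above it is left standing and is now stale.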
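Review bot: The new `scan` entry in group_vars/mbr.yml commits a cleartext `password:` value to version control, as does the new `janet` entry in group_vars/sprachenatelier.yml; both should live in an ansible-vault-encrypted vars file (or an inline `!vault` value) that this list references. The pattern is pre-existing in both files, but every added entry widens what a repository clone exposes, and the samba/NIS account here is a service-style account whose password is unlikely to be rotated by its owner. If vaulting the whole list is too large a change for this commit, a `# TODO: move passwords to vault` marker on the new entries at least records the debt.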
diff --git a/group_vars/sprachenatelier.yml b/group_vars/sprachenatelier.yml index ce3ceae..6fb8c47 100644 --- a/group_vars/sprachenatelier.yml +++ b/group_vars/sprachenatelier.yml @@ -190,6 +190,13 @@ nis_user: is_samba_user: true password: '270988' + - name: janet + groups: + - intern + - buero + is_samba_user: true + password: '211085 ' + - name: jessica groups: - intern diff --git a/host_vars/file-akb.akb.netz.yml b/host_vars/file-akb.akb.netz.yml index fd3b920..979df14 100644 --- a/host_vars/file-akb.akb.netz.yml +++ b/host_vars/file-akb.akb.netz.yml @@ -57,7 +57,6 @@ network_interfaces: set_default_limit_nofile: true - # --- # vars used by roles/common/tasks/systemd-resolved.yml # --- @@ -117,12 +116,13 @@ resolved_nameserver: resolved_domains: - akb.netz -resolved_dnssec: true +resolved_dnssec: false # dns.as250.net: 194.150.168.168 # resolved_fallback_nameserver: - - 194.150.168.168 + - 172.16.82.254 + # --- # vars used by roles/common/tasks/sshd.yml diff --git a/host_vars/file-flr.flr.netz.yml b/host_vars/file-flr.flr.netz.yml index e8368cd..4066468 100644 --- a/host_vars/file-flr.flr.netz.yml +++ b/host_vars/file-flr.flr.netz.yml 
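Review bot: The `password:` value of the new `janet` entry in group_vars/sprachenatelier.yml ends with a space inside the single quotes, and that trailing space becomes part of the password handed to whatever creates the samba/NIS account. If it is a typo the quote should close directly after the last digit; if it is intentional it needs an inline comment, because the space is invisible in most editors and will look like a login bug later.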
@@ -56,6 +56,74 @@ network_interfaces: set_default_limit_nofile: true + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +resolved_nameserver: + - 192.168.102.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - flr.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 172.16.102.254 + + # --- # vars used by roles/common/tasks/sshd.yml # --- diff --git a/host_vars/file-mbr.mbr-bln.netz.yml b/host_vars/file-mbr.mbr-bln.netz.yml index 76031e3..53171fc 100644 --- a/host_vars/file-mbr.mbr-bln.netz.yml 
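Review bot: The roughly forty commented lines listing third-party resolvers (CyberGhost, Cloudflare, Google, Quad9, OpenNIC, Freifunk) are pasted verbatim into this host file and again into host_vars/file-mbr.mbr-bln.netz.yml and host_vars/file-spr.sprachenatelier.netz.yml, while none of them is used — `resolved_nameserver` is the local gateway in all three. A single copy in group_vars/all (or a README) plus a one-line `# see group_vars/all for public resolver alternatives` pointer would leave the host files with only the values that actually differ per host. Note also that `resolved_domains` is `flr.netz` here but `oopen.de` in the mbr and spr files (file-akb uses `akb.netz`); that may be intentional, but since the search domain decides how unqualified names resolve it is worth confirming rather than inheriting from copy-paste.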
+++ b/host_vars/file-mbr.mbr-bln.netz.yml @@ -81,6 +81,75 @@ network_interfaces: set_default_limit_nofile: true + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +resolved_nameserver: + - 192.168.112.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 172.16.112.254 + + # --- # vars used by roles/common/tasks/sshd.yml # --- 
diff --git a/host_vars/file-spr.sprachenatelier.netz.yml b/host_vars/file-spr.sprachenatelier.netz.yml
index 4bbe867..57dec48 100644
--- a/host_vars/file-spr.sprachenatelier.netz.yml
+++ b/host_vars/file-spr.sprachenatelier.netz.yml
@@ -56,6 +56,74 @@ network_interfaces: set_default_limit_nofile: true + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +resolved_nameserver: + - 192.168.92.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 172.16.92.254 + + # --- # vars used by roles/common/tasks/sshd.yml # --- diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 79957c0..a9d1768 100644 --- a/roles/common/handlers/main.yml 
+++ b/roles/common/handlers/main.yml @@ -76,7 +76,13 @@ - name: Restart ntp service: - name: ntp + name: ntpsec + daemon_reload: yes + state: restarted + +- name: Restart ntpsec + service: + name: ntpsec daemon_reload: yes state: restarted diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml index fe4e977..853022c 100644 --- a/roles/common/tasks/ntp.yml +++ b/roles/common/tasks/ntp.yml @@ -4,10 +4,10 @@ # NTP Server # --- -- name: (ntp.yml) Ensure ntp package is installed. +- name: (ntp.yml) Ensure ntpsec package is installed. apt: name: - - ntp + - ntpsec state: present when: - ansible_os_family == "Debian" @@ -15,27 +15,39 @@ tags: - ntp-server -- name: (ntp.yml) Check file '/etc/ntp.conf.ORIG' exists +- name: (ntp.yml) Check file '/etc/ntpsec/ntp.conf.ORIG' exists stat: - path: /etc/ntp.conf.ORIG - register: etc_ntp_conf_ORIG + path: /etc/ntpsec/ntp.conf.ORIG + register: etc_ntpsec_conf_ORIG when: - groups['file_server']|string is search(inventory_hostname) tags: - ntp-server -- name: (ntp.yml) Backup installation version of file '/etc/ntp.conf' - command: cp -a /etc/ntp.conf /etc/ntp.conf.ORIG + +- name: (ntp.yml) Ensure directory '/var/log/ntpsec' is present + file: + path: /var/log/ntpsec + state: directory + owner: ntpsec + group: ntpsec + mode: '0755' + when: + - ansible_distribution == "Debian" + + +- name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf' + command: cp -a /etc/ntpsec/ntp.conf /etc/ntpsec/ntp.conf.ORIG when: - groups['file_server']|string is search(inventory_hostname) - - etc_ntp_conf_ORIG.stat.exists == False + - etc_ntpsec_conf_ORIG.stat.exists == False tags: - ntp-server -- name: (ntp.yml) Update '/etc/ntp.conf' +- name: (ntp.yml) Update '/etc/ntpsec/ntp.conf' template: - src: "etc/ntp.conf.j2" - dest: /etc/ntp.conf + src: "etc/ntpsec/ntp.conf.j2" + dest: /etc/ntpsec/ntp.conf owner: root group: root mode: 0644 
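Review bot: After this hunk `Restart ntp` and `Restart ntpsec` are two handlers with identical bodies — both restart the `ntpsec` unit. Keeping the old name so that existing `notify: Restart ntp` tasks still fire is reasonable, but a single `Restart ntpsec` handler carrying `listen: Restart ntp` expresses that without a duplicated service block that the two copies will drift apart in. In the new handler `daemon_reload: yes` should be `daemon_reload: true`; `yes` is a YAML 1.1 boolean spelling that yamllint's truthy rule rejects and the file otherwise uses bare booleans.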
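Review bot: The new `Ensure directory '/var/log/ntpsec' is present` task in roles/common/tasks/ntp.yml carries no `tags: - ntp-server` and no `groups['file_server']` condition, unlike every task around it, so a `--tags ntp-server` run skips it and a full run creates the directory on every Debian host, not just the NTP servers; adding the same `tags:` block and `when:` as its neighbours keeps the task list consistent. Its `when` also tests `ansible_distribution == "Debian"` while the install task tests `ansible_os_family == "Debian"` — pick one. As shipped, the directory is unused anyway, because `statsdir` and the `filegen` lines stay commented in the new ntp.conf.j2, so either enable statistics there or drop the task until logging is wanted.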
diff --git a/roles/common/templates/etc/apt/sources.list.Debian.j2 b/roles/common/templates/etc/apt/sources.list.Debian.j2
index 5284dbb..5cb85e6 100644
--- a/roles/common/templates/etc/apt/sources.list.Debian.j2
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2
@@ -3,19 +3,25 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% if not apt_src_enable %}
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 #deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 #deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% else %}
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
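Review bot: Each new `>= 12` branch repeats the `== 11` line with `non-free-firmware` appended, and the pattern is copied three times in this hunk and three more times in the `@@ -30,15 +36,35 @@` hunk below, so six near-identical `elif` blocks now have to be kept in step. Computing the component suffix once near the top of the template, `{% set nonfree_components = 'contrib non-free' ~ (' non-free-firmware' if ansible_facts['distribution_major_version'] | int >= 12 else '') %}`, and writing `main {{ nonfree_components }}` in the existing `>= 11` branches removes every new `elif` and leaves one place to touch when the next release changes the component set. The `-updates contrib non-free` block added in the second hunk is correct for apt (several `deb` lines per suite are merged), but it duplicates its sibling `{% if apt_debian_contrib_nonfree_enable %}` guard one line above and could sit inside it.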
@@ -30,15 +36,35 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main # but have dependencies not in main (possibly packaged for Debian in non-free). # Non-free contains software that does not comply with the DFSG. {% if apt_debian_contrib_nonfree_enable %} +{% if ansible_facts['distribution_major_version'] | int >= 12 %} +deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware +{% else %} deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free {% endif %} +{% endif %} + +{% if apt_debian_contrib_nonfree_enable %} +{% if ansible_facts['distribution_major_version'] | int >= 12 %} +deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware +{% else %} +deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free +{% endif %} +{% endif %} # # N.B. software from this repository may not have been tested as # # extensively as that contained in the main release, although it includes # # newer versions of some applications which may provide useful features. 
{% if apt_backports_enable %} +{% if ansible_facts['distribution_major_version'] | int >= 12 %} +deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware +{% else %} deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free {% endif %} +{% endif %} diff --git a/roles/common/templates/etc/apt/sources.list.Debian.j2.BAK b/roles/common/templates/etc/apt/sources.list.Debian.j2.BAK new file mode 100644 index 0000000..5284dbb --- /dev/null +++ b/roles/common/templates/etc/apt/sources.list.Debian.j2.BAK 
@@ -0,0 +1,44 @@ +# {{ ansible_managed }} + +deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main + +{% if ansible_facts['distribution_major_version'] | int >= 11 %} +deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free +{% else %} +deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free +{% endif %} +{% if not apt_src_enable %} +{% if ansible_facts['distribution_major_version'] | int >= 11 %} +#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free +{% else %} +#deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free +{% endif %} +{% else %} +{% if ansible_facts['distribution_major_version'] | int >= 11 %} +deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free +{% else %} +deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free +{% endif %} +{% endif %} + +# {{ ansible_lsb.codename }}-updates, previously known as 'volatile' +deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main + +# Contrib packages contain DFSG-compliant software, +# but have dependencies not in main (possibly packaged for Debian in non-free). +# Non-free contains software that does not comply with the DFSG. +{% if apt_debian_contrib_nonfree_enable %} +deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free +{% endif %} + +# # N.B. 
software from this repository may not have been tested as +# # extensively as that contained in the main release, although it includes +# # newer versions of some applications which may provide useful features. +{% if apt_backports_enable %} +deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free +{% endif %} + diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2.BAK similarity index 100% rename from roles/common/templates/etc/ntp.conf.j2 rename to roles/common/templates/etc/ntp.conf.j2.BAK diff --git a/roles/common/templates/etc/ntpsec/ntp.conf.j2 b/roles/common/templates/etc/ntpsec/ntp.conf.j2 new file mode 100644 index 0000000..e9ebe72 --- /dev/null +++ b/roles/common/templates/etc/ntpsec/ntp.conf.j2 
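Review bot: roles/common/templates/etc/apt/sources.list.Debian.j2.BAK is a byte-for-byte copy of the template's previous revision (its blob id 5284dbb is the pre-change side of `index 5284dbb..5cb85e6`), and etc/ntp.conf.j2 is renamed to `.BAK` rather than deleted; git already preserves both revisions. The copies add forty-odd lines to the role and invite someone editing the `.BAK` by mistake instead of the live template. If they are kept deliberately while the ntpsec migration settles, a `# superseded by etc/ntpsec/ntp.conf.j2 — not deployed` header line on each, or a sentence in the commit message, would make that intent visible.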
@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
+
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool:
+#pool 0.debian.pool.ntp.org iburst
+#pool 1.debian.pool.ntp.org iburst
+#pool 2.debian.pool.ntp.org iburst
+#pool 3.debian.pool.ntp.org iburst
+server {{ ntp_server }}
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
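Review bot: `tos minclock 4 minsane 3` is carried over from the Debian default, but the four pool lines it was written for are commented out and replaced by a single `server {{ ntp_server }}`; with one upstream the selection algorithm is unlikely to ever reach three survivors, so the daemon will probably show the peer in `ntpq -p` yet never mark it as the system peer, and the clock stays unsynchronised. For a single-upstream host drop the `tos minclock 4 minsane 3` line (or use `tos minsane 1`), or list several servers; the `maxclock 11` comment about pool entries is equally stale here. `{{ ntp_server }}` also has no guard, so rendering fails on any host that does not define it — a `{% if ntp_server is defined %}` around the line, or a default in the role's defaults/main.yml, keeps the role usable elsewhere. The `restrict default kod nomodify nopeer noquery limited` baseline is the right hardened default and should stay as is.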