update..

2024-02-26 00:43:13 +01:00
parent bf2de2e0f6
commit 1e5274e6e4
17 changed files with 389 additions and 23 deletions
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -76,7 +76,13 @@

 - name: Restart ntp
  service:
-    name: ntp
+    name: ntpsec
+    daemon_reload: yes
+    state: restarted
+
+- name: Restart ntpsec
+  service:
+    name: ntpsec
    daemon_reload: yes
    state: restarted

--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@ -4,10 +4,10 @@
 # NTP Server
 # ---

- name: (ntp.yml) Ensure ntp package is installed.
+- name: (ntp.yml) Ensure ntpsec package is installed.
  apt:
    name:
-      - ntp
+      - ntpsec
    state: present
  when:
    - ansible_os_family == "Debian"
@ -15,27 +15,39 @@
  tags:
    - ntp-server

- name: (ntp.yml) Check file '/etc/ntp.conf.ORIG' exists
+- name: (ntp.yml) Check file '/etc/ntpsec/ntp.conf.ORIG' exists
  stat:
-    path: /etc/ntp.conf.ORIG
-  register: etc_ntp_conf_ORIG
+    path: /etc/ntpsec/ntp.conf.ORIG
+  register: etc_ntpsec_conf_ORIG
  when:
    - groups['file_server']|string is search(inventory_hostname)
  tags:
    - ntp-server

- name: (ntp.yml) Backup installation version of file '/etc/ntp.conf'
-  command: cp -a /etc/ntp.conf /etc/ntp.conf.ORIG
+
+- name: (ntp.yml) Ensure directory '/var/log/ntpsec' is present
+  file:
+    path: /var/log/ntpsec
+    state: directory
+    owner: ntpsec
+    group: ntpsec
+    mode: '0755'
+  when:
+    - ansible_distribution == "Debian"
+
+
+- name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf'
+  command: cp -a /etc/ntpsec/ntp.conf /etc/ntpsec/ntp.conf.ORIG
  when:
    - groups['file_server']|string is search(inventory_hostname)
-    - etc_ntp_conf_ORIG.stat.exists == False
+    - etc_ntpsec_conf_ORIG.stat.exists == False
  tags:
    - ntp-server

- name: (ntp.yml) Update '/etc/ntp.conf'
+- name: (ntp.yml) Update '/etc/ntpsec/ntp.conf'
  template:
-    src: "etc/ntp.conf.j2"
-    dest: /etc/ntp.conf
+    src: "etc/ntpsec/ntp.conf.j2"
+    dest: /etc/ntpsec/ntp.conf
    owner: root
    group: root
    mode: 0644
--- a/roles/common/templates/etc/apt/sources.list.Debian.j2
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2
@ -3,19 +3,25 @@
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main

-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% if not apt_src_enable %}
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 #deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 #deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% else %}
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
@ -30,15 +36,35 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
 # but have dependencies not in main (possibly packaged for Debian in non-free).
 # Non-free contains software that does not comply with the DFSG.
 {% if apt_debian_contrib_nonfree_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware
+{% else %}
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 {% endif %}
+{% endif %}
+
+{% if apt_debian_contrib_nonfree_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware
+{% else %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
+{% endif %}
+{% endif %}

 # # N.B. software from this repository may not have been tested as
 # # extensively as that contained in the main release, although it includes
 # # newer versions of some applications which may provide useful features.
 {% if apt_backports_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
+{% else %}
 deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {% endif %}
+{% endif %}

--- a/roles/common/templates/etc/apt/sources.list.Debian.j2.BAK
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2.BAK
@ -0,0 +1,44 @@
+# {{ ansible_managed }}
+
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
+
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% if not apt_src_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+#deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% else %}
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% endif %}
+
+# {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
+
+# Contrib packages contain DFSG-compliant software,
+# but have dependencies not in main (possibly packaged for Debian in non-free).
+# Non-free contains software that does not comply with the DFSG.
+{% if apt_debian_contrib_nonfree_enable %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
+{% endif %}
+
+# # N.B. software from this repository may not have been tested as
+# # extensively as that contained in the main release, although it includes
+# # newer versions of some applications which may provide useful features.
+{% if apt_backports_enable %}
+deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
+{% endif %}
+
--- a/roles/common/templates/etc/ntp.conf.j2.BAK
+++ b/roles/common/templates/etc/ntp.conf.j2.BAK
--- a/roles/common/templates/etc/ntpsec/ntp.conf.j2
+++ b/roles/common/templates/etc/ntpsec/ntp.conf.j2
@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
+
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <https://www.pool.ntp.org/join.html>
+#pool 0.debian.pool.ntp.org iburst
+#pool 1.debian.pool.ntp.org iburst
+#pool 2.debian.pool.ntp.org iburst
+#pool 3.debian.pool.ntp.org iburst
+server {{ ntp_server }}
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1