chore: first commit

roles/ntpd/defaults/main.yml

@@ -0,0 +1,26 @@
+# NTP configuration file
+ntp_config_file: "/etc/ntp.conf"
+
+# NTP servers to use.
+ntp_pools: -" 0.uk.pool.ntp.org"
+  -" 1.uk.pool.ntp.org"
+  -" 2.uk.pool.ntp.org"
+  -" 3.uk.pool.ntp.org"
+
+# System timezone
+ntp_timezone: "Europe/London"
+
+# NTP drift file location
+# (keeps track of your clock's time deviation)
+ntp_drift_file: "/var/lib/ntp/ntp.drift"
+
+# NTP security restrictions
+ntp_restrict: "kod nomodify notrap nopeer noquery limited"
+
+# Networks allowed to query this ntpd server
+ntp_allowed_networks:
+  - "127.0.0.1"
+  - "::1"
+# - "192.168.1.0 mask 255.255.255.0"
+
+ntp_port: 123

roles/ntpd/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: "Restart ntpd service"
+  ansible.builtin.systemd:
+    name: "ntpd"
+    state: restarted
+    reload: yes

roles/ntpd/tasks/main.yml

@@ -0,0 +1,48 @@
+---
+- name: install NTP package
+  package:
+    name: "ntp"
+    state: present
+    update_cache: yes
+
+- name: set system timezone to {{ ntp_timezone }}"
+  community.general.timezone:
+    name: "{{ ntp_timezone }}"
+  notify: "Restart ntpd service"
+
+- name: ensure NTP drift file directory exists
+  ansible.builtin.file:
+    path: "{{ ntp_drift_file | dirname }}"
+    state: directory
+    owner: "ntp"
+    group: "ntp"
+    mode: "0750"
+
+- name: setup systems timezone
+  community.general.timezone:
+    name: "{{ ntp_timezone }}"
+  notify: Restart chronyd # Redémarrer chrony peut être utile après un changement de TZ pour qu'il la prenne bien en compte dans ses logs/opérations
+
+- name: "configure {{ ntp_config_file }}"
+  ansible.builtin.template:
+    src: "ntp.conf.j2"
+    dest: "{{ ntp_config_file }}"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: "Restart ntpd service"
+
+- name: "ensure ntpd service is started and enabled"
+  ansible.builtin.systemd:
+    name: "ntpd"
+    state: started
+    enabled: true
+
+- name: "configure ufw firewall"
+  community.general.ufw:
+    rule: allow
+    port: "{{ ntp_port }}"
+    proto: udp
+    src: "{{ item }}"
+    direction: in
+  loop: "{{ ntp_firewall_allowed_sources | default([]) }}"

roles/ntpd/templates/ntp.conf.j2

@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+#
+# NTP configuration file for ntpd
+
+restrict default {{ ntp_restrict }}
+
+{% for network in ntp_allowed_networks %}
+restrict {{ network }}
+{% endfor %}
+
+# Use servers from the NTP Pool Project. 'iburst' speeds up initial synchronization.
+{% for pool_host in ntp_pools %}
+pool {{ pool_host }} iburst
+{% endfor %}
+
+# Frequency drift file
+driftfile {{ ntp_drift_file }}
+
+# Disable the monitoring facility (monlist) to prevent ntpq -c monlist DDOS attacks.
+# @see CVE-2013-5211
+disable monitor