Try to enable ntp keying
authorPeter Palfrader <peter@palfrader.org>
Fri, 3 Sep 2010 12:33:51 +0000 (14:33 +0200)
committerPeter Palfrader <peter@palfrader.org>
Fri, 3 Sep 2010 12:33:51 +0000 (14:33 +0200)
modules/debian-org/misc/local.yaml
modules/ntp/files/etc-default-ntp [new file with mode: 0644]
modules/ntp/files/ntpkey_iff_busoni.pub [new file with mode: 0644]
modules/ntp/files/ntpkey_iff_merikanto.pub [new file with mode: 0644]
modules/ntp/files/ntpkey_iff_orff.pub [new file with mode: 0644]
modules/ntp/files/ntpkey_iff_ravel.pub [new file with mode: 0644]
modules/ntp/manifests/init.pp
modules/ntp/templates/ntp.conf

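--- a/modules/debian-org/misc/local.yaml
+++ b/modules/debian-org/misc/local.yaml
@@ -156,6 +156,11 @@ host_settings:
     - steffani.debian.org
     - villa.debian.org
     - wieck.debian.org
+  timeserver:
+    - merikanto.debian.org
+    - orff.debian.org
+    - ravel.debian.org
+    - busoni.debian.org
   buildd:
     - alain.debian.org
     - alkman.debian.org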
diff --git a/modules/ntp/files/etc-default-ntp b/modules/ntp/files/etc-default-ntp
new file mode 100644 (file)
index 0000000..68df555
--- /dev/null
@@ -0,0 +1,43 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+#
+# from the package:
+#
+NTPD_OPTS='-g'
+
+#
+# make sure this host already has ntp keys:
+#
+h="`hostname`"
+KEYSDIR="/etc/ntp.keys.d"
+if ! [ -e "$KEYSDIR/ntpkey_cert_$h" ] ||
+   ! [ -e "$KEYSDIR/ntpkey_host_$h" ] ||
+   ! [ -e "$KEYSDIR/ntpkey_iff_$h" ]; then
+       # on a "server" we would have to add -T to the ntp-keygen call
+       # and then run something like this:
+       #
+       ### sed -e 's/^[[:space:]]*#//' << 'EOF'
+       # cd "$KEYSDIR" &&
+       # RANDFILE=/dev/urandom /usr/sbin/ntp-keygen -T -I -H -c RSA-SHA1 -m 1024 &&
+       # RANDFILE=/dev/urandom ntp-keygen -q `hostname` -e | (
+       #        read l; echo "$l";
+       #        read l; echo "$l";
+       #        echo
+       #        echo "# This is the public version of this 'private' key -"
+       #        echo "# the private data has been replaced by 0x01."
+       #        echo "# (just ask 'openssl dsa -text < foo.pub')"
+       #        echo
+       #        openssl dsa -passin `hostname` -passin pass:`hostname` )  > ntpkey_iff_`hostname`.pub
+       #
+       #
+       # So that we can copy that .pub to all the clients that need it (don't
+       # call it .pub on the client then)
+       #
+       # on the client this is all we need:
+       if [ -x /usr/sbin/ntp-keygen ] ; then
+               [ -d "$KEYSDIR" ] || install -d -o root -g ntp -m 770 "$KEYSDIR"
+               ( cd "$KEYSDIR" && RANDFILE=/dev/urandom /usr/sbin/ntp-keygen -I -H -c RSA-SHA1 -m 1024 )
+       fi
+fi
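Review bot: The `install -d -o root -g ntp -m 770 "$KEYSDIR"` on the line inside the `-x /usr/sbin/ntp-keygen` branch creates the key directory group-writable by the unprivileged `ntp` account, while the Puppet resource for `/etc/ntp.keys.d` in init.pp enforces `mode => 750`, so a directory created at boot by this script stays writable by the daemon user until the next Puppet run and the two will keep flapping. `ntp-keygen` runs as root here, so the group write bit is not needed; use `[ -d "$KEYSDIR" ] || install -d -o root -g ntp -m 750 "$KEYSDIR"`. The `-m 1024` argument selects a 1024-bit RSA host key, which is below current recommendations; a one-line comment recording why that size was chosen (e.g. interoperability with the ntp-keygen defaults of the deployed ntp version) would help whoever revisits it.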
diff --git a/modules/ntp/files/ntpkey_iff_busoni.pub b/modules/ntp/files/ntpkey_iff_busoni.pub
new file mode 100644 (file)
index 0000000..d1a8743
--- /dev/null
@@ -0,0 +1,18 @@
+# ntpkey_IFFkey_busoni.3492505947
+# Fri Sep  3 12:32:27 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----
+MIIBpwIBAAKBgQCnnKFu3iaMXhs1Hs1GapryKEp/PUCdwHPeT1MfOWPJ+93UpZ9g
+vWxo7/GaFOHNoKQJnWOrfUMbtmJcjuc1+RFu+Xfmz5M1XcTM8tvVjMGrivT2nRSL
+32w0KPw423Etlq0tGuvCpreez42BACSW8y0UYXGZaqyC85JWU1Y/GOBIewIVAJTy
+RyGaDKqsMP00xX3pR5uz9TljAoGAIyF2RsHqsN1sKXXYTqG66ufe1kFE7eXeFGbb
+6iwE7IOcnCJMaPidr0d6gYbzR56S8WD3AqZ1HGKuV0825ZuW7xWlpDWgKwSKV9fT
+GuXnN3+zQUQ+9iLn/f77+hMl/QPHtRk3q0r9ZfhN48JCVsOYkUlA4Yf+6I2nZaYk
+jnxL34MCgYB2e7I6Gp0SvTPuxPVkbScxAEEyz2A9UGhdg7p7Niv6D9OMIWh1DMQS
+PDbY/7UESoxRmlKDQK0SXwL3r3IFXTTyHBLLZjT6QaSZiJ7g54JhmSmgBRZVBqop
+Tldvb/h1N/gLOobcX/0nMzPptyoduD4muy3hUPfH7UFwLDXaVmLhRgIBAQ==
+-----END DSA PRIVATE KEY-----
diff --git a/modules/ntp/files/ntpkey_iff_merikanto.pub b/modules/ntp/files/ntpkey_iff_merikanto.pub
new file mode 100644 (file)
index 0000000..ce9a602
--- /dev/null
@@ -0,0 +1,18 @@
+# ntpkey_IFFkey_merikanto.3492505905
+# Fri Sep  3 12:31:46 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----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+-----END DSA PRIVATE KEY-----
diff --git a/modules/ntp/files/ntpkey_iff_orff.pub b/modules/ntp/files/ntpkey_iff_orff.pub
new file mode 100644 (file)
index 0000000..1953db4
--- /dev/null
@@ -0,0 +1,18 @@
+# ntpkey_IFFkey_orff.3492505946
+# Fri Sep  3 12:32:27 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----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+-----END DSA PRIVATE KEY-----
diff --git a/modules/ntp/files/ntpkey_iff_ravel.pub b/modules/ntp/files/ntpkey_iff_ravel.pub
new file mode 100644 (file)
index 0000000..e74783d
--- /dev/null
@@ -0,0 +1,18 @@
+# ntpkey_IFFkey_ravel.3492505946
+# Fri Sep  3 12:32:26 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----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+-----END DSA PRIVATE KEY-----
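--- a/modules/ntp/manifests/init.pp
+++ b/modules/ntp/manifests/init.pp
@@ -1,35 +1,92 @@
 class ntp {
-       package { ntp: ensure => installed }
-       file {  "/var/lib/ntp/":
-                       ensure  => directory,
-                       owner   => ntp,
-                       group   => ntp,
-                       mode    => 755
-                       ;
-               "/var/lib/ntpstats":
-                       ensure  => directory,
-                       owner   => ntp,
-                       group   => ntp,
-                       mode    => 755
-                       ;
-               "/etc/ntp.conf":
-                       owner   => root,
-                       group   => root,
-                       mode    => 444,
-                       content => template("ntp/ntp.conf"),
-                       notify  => Exec["ntp restart"],
-                       require => Package["ntp"]
-                       ;
-       }
-       exec { "ntp restart":
-               path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-               refreshonly => true,
-       }
-        @ferm::rule { "dsa-ntp":
-                domain          => "(ip ip6)",
-                description     => "Allow ntp access",
-                rule            => "&SERVICE(udp, 123)"
+    package { ntp: ensure => installed }
+    file {
+        "/var/lib/ntp/":
+            ensure  => directory,
+            owner   => ntp,
+            group   => ntp,
+            mode    => 755
+            ;
+        "/var/lib/ntpstats":
+            ensure  => directory,
+            owner   => ntp,
+            group   => ntp,
+            mode    => 755
+            ;
+        "/etc/ntp.conf":
+            owner   => root,
+            group   => root,
+            mode    => 444,
+            content => template("ntp/ntp.conf"),
+            notify  => Exec["ntp restart"],
+            require => Package["ntp"]
+            ;
+        "/etc/ntp.keys.d":
+            owner   => root,
+            group   => ntp,
+            mode    => 750,
+            ensure  => directory,
+            ;
+    }
+    case extractnodeinfo($nodeinfo, 'timeserver') {
+        'true': { }
+        default: {
+            file {
+                "/etc/default/ntp":
+                    owner   => root,
+                    group   => root,
+                    mode    => 444,
+                    source  => [ "puppet:///ntp/etc-default-ntp" ],
+                    require => Package["ntp"],
+                    notify  => Exec["ntp restart"],
+                    ;
+
+                "/etc/ntp.keys.d/ntpkey_iff_merikanto":
+                    owner   => root,
+                    group   => root,
+                    mode    => 444,
+                    source  => [ "puppet:///ntp/ntpkey_iff_merikanto.pub" ],
+                    require => Package["ntp"],
+                    notify  => Exec["ntp restart"],
+                    ;
+                "/etc/ntp.keys.d/ntpkey_iff_orff":
+                    owner   => root,
+                    group   => root,
+                    mode    => 444,
+                    source  => [ "puppet:///ntp/ntpkey_iff_orff.pub" ],
+                    require => Package["ntp"],
+                    notify  => Exec["ntp restart"],
+                    ;
+                "/etc/ntp.keys.d/ntpkey_iff_ravel":
+                    owner   => root,
+                    group   => root,
+                    mode    => 444,
+                    source  => [ "puppet:///ntp/ntpkey_iff_ravel.pub" ],
+                    require => Package["ntp"],
+                    notify  => Exec["ntp restart"],
+                    ;
+                "/etc/ntp.keys.d/ntpkey_iff_busoni":
+                    owner   => root,
+                    group   => root,
+                    mode    => 444,
+                    source  => [ "puppet:///ntp/ntpkey_iff_busoni.pub" ],
+                    require => Package["ntp"],
+                    notify  => Exec["ntp restart"],
+                    ;
+            }
         }
+    }
+
+
+    exec { "ntp restart":
+        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+        refreshonly => true,
+    }
+    @ferm::rule { "dsa-ntp":
+        domain          => "(ip ip6)",
+        description     => "Allow ntp access",
+        rule            => "&SERVICE(udp, 123)"
+    }
 }
 # vim:set et:
 # vim:set sts=4 ts=4: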
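Review bot: The new `"/etc/ntp.keys.d":` resource sets `group => ntp` but, unlike every sibling file resource in this class, carries no `require => Package["ntp"]`; on a freshly installed node Puppet may evaluate it before the package that provides the `ntp` group is installed and fail the resource. Add `require => Package["ntp"],` next to `ensure => directory`. The `ntpkey_iff_*` files below need no explicit dependency on the directory, since Puppet autorequires a file's parent directory, but they are only deployed in the `default:` branch, so the timeservers' own key material must be produced by hand as described in files/etc-default-ntp; a comment in the `'true': { }` branch such as `# timeservers: host and IFF keys in /etc/ntp.keys.d are generated manually (see files/etc-default-ntp)` would record that. The `case` also compares against the string `'true'`; if `extractnodeinfo` can return a boolean rather than a string, confirm that this branch still matches.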
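--- a/modules/ntp/templates/ntp.conf
+++ b/modules/ntp/templates/ntp.conf
@@ -11,22 +11,31 @@ filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
 
-<% case fqdn
-       when /geo[123].debian.org/:
--%>
+crypto randfile /dev/urandom
+keysdir /etc/ntp.keys.d
+
+<% if nodeinfo['timeserver'] -%>
 server 0.debian.pool.ntp.org iburst dynamic
 server 1.debian.pool.ntp.org iburst dynamic
 server 2.debian.pool.ntp.org iburst dynamic
 server 3.debian.pool.ntp.org iburst dynamic
-<%     when "ancina.debian.org": -%>
+<% elsif fqdn == "ancina.debian.org" -%>
 server ntp.ugent.be iburst dynamic
-<%     when /(widor|argento).debian.org/: -%>
-server 195.49.152.213 iburst
-server 195.49.152.37 iburst
-<%     else -%>
-server geo1.debian.org iburst dynamic
-server geo2.debian.org iburst dynamic
-server geo3.debian.org iburst dynamic
+<% elsif nodeinfo['misc']['natted'] -%>
+# autokey doesn't work behind nat
+server merikanto.debian.org iburst
+server orff.debian.org      iburst
+server ravel.debian.org     iburst
+server busoni.debian.org    iburst
+<% else -%>
+server merikanto.debian.org iburst autokey
+server orff.debian.org      iburst autokey
+server ravel.debian.org     iburst autokey
+server busoni.debian.org    iburst autokey
+restrict merikanto.debian.org notrust nomodify notrap ntpport
+restrict orff.debian.org      notrust nomodify notrap ntpport
+restrict ravel.debian.org     notrust nomodify notrap ntpport
+restrict busoni.debian.org    notrust nomodify notrap ntpport
 <% end -%>
 
 restrict -4 default kod notrap nomodify nopeer noquery
@@ -34,3 +43,7 @@ restrict -6 default kod notrap nomodify nopeer noquery
 
 restrict 127.0.0.1
 restrict ::1
+
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4: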
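Review bot: `crypto randfile /dev/urandom` and `keysdir /etc/ntp.keys.d` are emitted for every host, including those taking the `nodeinfo['timeserver']` and `ancina` branches, yet this commit only automates key generation for non-timeservers (init.pp deploys `/etc/default/ntp` in its `default:` branch), so a timeserver whose host key has not been created by hand would start ntpd with `crypto` enabled and an empty keysdir — presumably a startup failure; confirm, or emit the two lines only in the branches that use `autokey`. In the natted branch the four servers are used without `autokey` and without the matching `restrict ... notrust` lines, so time from them is accepted unauthenticated; the comment says why, but stating the consequence helps, e.g. `# NAT hosts fall back to unauthenticated associations with the Debian timeservers`. `nodeinfo['misc']['natted']` raises in ERB if a node's info has no `misc` key; if that can happen, guard it as `nodeinfo['misc'] && nodeinfo['misc']['natted']`.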