- steffani.debian.org
- villa.debian.org
- wieck.debian.org
+ timeserver:
+ - merikanto.debian.org
+ - orff.debian.org
+ - ravel.debian.org
+ - busoni.debian.org
buildd:
- alain.debian.org
- alkman.debian.org
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+#
+# from the package:
+#
+NTPD_OPTS='-g'
+
+#
+# make sure this host already has ntp keys:
+#
+h="`hostname`"
+KEYSDIR="/etc/ntp.keys.d"
+if ! [ -e "$KEYSDIR/ntpkey_cert_$h" ] ||
+ ! [ -e "$KEYSDIR/ntpkey_host_$h" ] ||
+ ! [ -e "$KEYSDIR/ntpkey_iff_$h" ]; then
+ # on a "server" we would have to add -T to the ntp-keygen call
+ # and then run something like this:
+ #
+ ### sed -e 's/^[[:space:]]*#//' << 'EOF'
+ # cd "$KEYSDIR" &&
+ # RANDFILE=/dev/urandom /usr/sbin/ntp-keygen -T -I -H -c RSA-SHA1 -m 1024 &&
+ # RANDFILE=/dev/urandom ntp-keygen -q `hostname` -e | (
+ # read l; echo "$l";
+ # read l; echo "$l";
+ # echo
+ # echo "# This is the public version of this 'private' key -"
+ # echo "# the private data has been replaced by 0x01."
+ # echo "# (just ask 'openssl dsa -text < foo.pub')"
+ # echo
+ # openssl dsa -passin `hostname` -passin pass:`hostname` ) > ntpkey_iff_`hostname`.pub
+ #
+ #
+ # So that we can copy that .pub to all the clients that need it (don't
+ # call it .pub on the client then)
+ #
+ # on the client this is all we need:
+ if [ -x /usr/sbin/ntp-keygen ] ; then
+ [ -d "$KEYSDIR" ] || install -d -o root -g ntp -m 770 "$KEYSDIR"
+ ( cd "$KEYSDIR" && RANDFILE=/dev/urandom /usr/sbin/ntp-keygen -I -H -c RSA-SHA1 -m 1024 )
+ fi
+fi
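Review bot: The directory created on line 52 with `install -d -o root -g ntp -m 770 "$KEYSDIR"` is group-writable by ntp, while the puppet manifest in the later hunk declares `/etc/ntp.keys.d` as root:ntp mode 750; the two disagree, and nothing in this script needs the ntp group to write into a directory that holds the trusted IFF public keys, so suggest `[ -d "$KEYSDIR" ] || install -d -o root -g ntp -m 750 "$KEYSDIR"`. Puppet will reassert 750 on its next run, so the 770 only persists on a fresh host whose ntp starts before puppet manages the directory, but aligning the two avoids the permission flap on every first boot. The host key size is fixed at 1024-bit RSA by `-m 1024` on line 53; whatever size is chosen, it is worth stating in the comment block above rather than leaving it buried in the one-liner.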
--- /dev/null
+# ntpkey_IFFkey_busoni.3492505947
+# Fri Sep 3 12:32:27 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----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+-----END DSA PRIVATE KEY-----
--- /dev/null
+# ntpkey_IFFkey_merikanto.3492505905
+# Fri Sep 3 12:31:46 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----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+-----END DSA PRIVATE KEY-----
--- /dev/null
+# ntpkey_IFFkey_orff.3492505946
+# Fri Sep 3 12:32:27 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----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+-----END DSA PRIVATE KEY-----
--- /dev/null
+# ntpkey_IFFkey_ravel.3492505946
+# Fri Sep 3 12:32:26 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----
+MIIBpwIBAAKBgQCcDkgB/G7gg7ZMwmfpUNwn56i2bc6OMKEJyPDPB3Y9l70VKC6U
+p6O5sl1S31aSTDANiUwnai0BXWBymiRRzaoSnRKQsHbhWSSUAsvChHMBgh01qlAc
++DORJUUndgk+G3Pwfh88Xsw4+nnJxhneGskYm0SmAiDKtwZhuo7P7DajWwIVAOCs
+es4iYundrvhIpQNHV0L37lClAoGAfWso0vkpwJUyNxYQ+H/EQscw/WIX7+2DtqRG
+szsdSn3WlcFaI0JAws1EsYwfIENzUf38GDymlr+kxc6Ejzsv4Gxp1bGxGr7WNLbL
+OXxxWRISxfwcvpOqKYlrPn6uMQAT7GYqLRuQAt0BwyqaRVR5hB72Q3OiUqQaEZEf
+KfYGoM8CgYAIC5W2EQGy4fjORmxeE4Dl8GB33FX1BWqiMHMTJkso6FUcD9pudKN9
+gfP0JSriXONUt3Bup0dolgzmSW8/oOMe16l4VtXXctVjt+5UUqfJNfpFyR47NkSC
+/JkHPZVvdZa3eFacf9koBEvz6Fb5K8mhuwSUKqVWBlesBNVexOIJ/QIBAQ==
+-----END DSA PRIVATE KEY-----
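Review bot: The PEM label on lines 91 and 101 is `DSA PRIVATE KEY`, so any secret scanner run over this repository will flag these four files even though the header comment says the private data was replaced by 0x01. For this file that claim checks out: the trailing base64 on line 100 ends in `/QIBAQ==`, which decodes to the DER element `02 01 01`, an INTEGER with value 1 in the private-exponent position. The same `openssl dsa -text` check the header mentions is worth running on the other three files before they are committed, since their bodies are not visible here.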
class ntp {
- package { ntp: ensure => installed }
- file { "/var/lib/ntp/":
- ensure => directory,
- owner => ntp,
- group => ntp,
- mode => 755
- ;
- "/var/lib/ntpstats":
- ensure => directory,
- owner => ntp,
- group => ntp,
- mode => 755
- ;
- "/etc/ntp.conf":
- owner => root,
- group => root,
- mode => 444,
- content => template("ntp/ntp.conf"),
- notify => Exec["ntp restart"],
- require => Package["ntp"]
- ;
- }
- exec { "ntp restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
- @ferm::rule { "dsa-ntp":
- domain => "(ip ip6)",
- description => "Allow ntp access",
- rule => "&SERVICE(udp, 123)"
+ package { ntp: ensure => installed }
+ file {
+ "/var/lib/ntp/":
+ ensure => directory,
+ owner => ntp,
+ group => ntp,
+ mode => 755
+ ;
+ "/var/lib/ntpstats":
+ ensure => directory,
+ owner => ntp,
+ group => ntp,
+ mode => 755
+ ;
+ "/etc/ntp.conf":
+ owner => root,
+ group => root,
+ mode => 444,
+ content => template("ntp/ntp.conf"),
+ notify => Exec["ntp restart"],
+ require => Package["ntp"]
+ ;
+ "/etc/ntp.keys.d":
+ owner => root,
+ group => ntp,
+ mode => 750,
+ ensure => directory,
+ ;
+ }
+ case extractnodeinfo($nodeinfo, 'timeserver') {
+ 'true': { }
+ default: {
+ file {
+ "/etc/default/ntp":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => [ "puppet:///ntp/etc-default-ntp" ],
+ require => Package["ntp"],
+ notify => Exec["ntp restart"],
+ ;
+
+ "/etc/ntp.keys.d/ntpkey_iff_merikanto":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => [ "puppet:///ntp/ntpkey_iff_merikanto.pub" ],
+ require => Package["ntp"],
+ notify => Exec["ntp restart"],
+ ;
+ "/etc/ntp.keys.d/ntpkey_iff_orff":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => [ "puppet:///ntp/ntpkey_iff_orff.pub" ],
+ require => Package["ntp"],
+ notify => Exec["ntp restart"],
+ ;
+ "/etc/ntp.keys.d/ntpkey_iff_ravel":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => [ "puppet:///ntp/ntpkey_iff_ravel.pub" ],
+ require => Package["ntp"],
+ notify => Exec["ntp restart"],
+ ;
+ "/etc/ntp.keys.d/ntpkey_iff_busoni":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => [ "puppet:///ntp/ntpkey_iff_busoni.pub" ],
+ require => Package["ntp"],
+ notify => Exec["ntp restart"],
+ ;
+ }
}
+ }
+
+
+ exec { "ntp restart":
+ path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+ refreshonly => true,
+ }
+ @ferm::rule { "dsa-ntp":
+ domain => "(ip ip6)",
+ description => "Allow ntp access",
+ rule => "&SERVICE(udp, 123)"
+ }
}
# vim:set et:
# vim:set sts=4 ts=4:
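Review bot: The new `"/etc/ntp.keys.d"` resource on lines 155-160 has no `require => Package["ntp"]`, unlike every sibling in this hunk that references the package, yet its `group => ntp` can only resolve once the ntp package has created that group; on a fresh host the directory may be evaluated first and fail. Suggest adding `require => Package["ntp"],` to that resource. The key files under it on lines 175-206 do not need a separate dependency on the directory, since puppet autorequires a managed parent directory.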
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
-<% case fqdn
- when /geo[123].debian.org/:
--%>
+crypto randfile /dev/urandom
+keysdir /etc/ntp.keys.d
+
+<% if nodeinfo['timeserver'] -%>
server 0.debian.pool.ntp.org iburst dynamic
server 1.debian.pool.ntp.org iburst dynamic
server 2.debian.pool.ntp.org iburst dynamic
server 3.debian.pool.ntp.org iburst dynamic
-<% when "ancina.debian.org": -%>
+<% elsif fqdn == "ancina.debian.org" -%>
server ntp.ugent.be iburst dynamic
-<% when /(widor|argento).debian.org/: -%>
-server 195.49.152.213 iburst
-server 195.49.152.37 iburst
-<% else -%>
-server geo1.debian.org iburst dynamic
-server geo2.debian.org iburst dynamic
-server geo3.debian.org iburst dynamic
+<% elsif nodeinfo['misc']['natted'] -%>
+# autokey doesn't work behind nat
+server merikanto.debian.org iburst
+server orff.debian.org iburst
+server ravel.debian.org iburst
+server busoni.debian.org iburst
+<% else -%>
+server merikanto.debian.org iburst autokey
+server orff.debian.org iburst autokey
+server ravel.debian.org iburst autokey
+server busoni.debian.org iburst autokey
+restrict merikanto.debian.org notrust nomodify notrap ntpport
+restrict orff.debian.org notrust nomodify notrap ntpport
+restrict ravel.debian.org notrust nomodify notrap ntpport
+restrict busoni.debian.org notrust nomodify notrap ntpport
<% end -%>
restrict -4 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
+
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
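Review bot: In the natted branch on lines 247-252 the four servers are listed without `autokey` and without the matching `restrict ... notrust nomodify notrap ntpport` lines that the default branch adds on lines 258-261, so time from them is accepted unauthenticated; the comment on line 248 should say so explicitly, e.g. `# autokey doesn't work behind nat, so these hosts take unauthenticated time from the Debian timeservers`. Also, `nodeinfo['misc']['natted']` on line 247 raises a NoMethodError if `nodeinfo['misc']` is absent for a node instead of falling through to the else branch; if that key is not guaranteed for every node, `<% elsif nodeinfo['misc'] && nodeinfo['misc']['natted'] -%>` keeps the template rendering.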