From 268603a8b57bfbe4480b25e37488f5b1276054ba Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 3 Sep 2010 14:33:51 +0200
Subject: [PATCH] Try to enable ntp keying

---
 modules/debian-org/misc/local.yaml | 5 +
 modules/ntp/files/etc-default-ntp | 43 ++++++++
 modules/ntp/files/ntpkey_iff_busoni.pub | 18 ++++
 modules/ntp/files/ntpkey_iff_merikanto.pub | 18 ++++
 modules/ntp/files/ntpkey_iff_orff.pub | 18 ++++
 modules/ntp/files/ntpkey_iff_ravel.pub | 18 ++++
 modules/ntp/manifests/init.pp | 117 +++++++++++++++------
 modules/ntp/templates/ntp.conf | 35 ++++--
 8 files changed, 231 insertions(+), 41 deletions(-)
 create mode 100644 modules/ntp/files/etc-default-ntp
 create mode 100644 modules/ntp/files/ntpkey_iff_busoni.pub
 create mode 100644 modules/ntp/files/ntpkey_iff_merikanto.pub
 create mode 100644 modules/ntp/files/ntpkey_iff_orff.pub
 create mode 100644 modules/ntp/files/ntpkey_iff_ravel.pub

diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml
index 6e98dec2f..a818c2ff9 100644
--- a/modules/debian-org/misc/local.yaml
+++ b/modules/debian-org/misc/local.yaml
@@ -156,6 +156,11 @@ host_settings:
 - steffani.debian.org
 - villa.debian.org
 - wieck.debian.org
+ timeserver:
+ - merikanto.debian.org
+ - orff.debian.org
+ - ravel.debian.org
+ - busoni.debian.org
 buildd:
 - alain.debian.org
 - alkman.debian.org
diff --git a/modules/ntp/files/etc-default-ntp b/modules/ntp/files/etc-default-ntp
new file mode 100644
index 000000000..68df55542
--- /dev/null
+++ b/modules/ntp/files/etc-default-ntp
@@ -0,0 +1,43 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+#
+# from the package:
+#
+NTPD_OPTS='-g'
+
+#
+# make sure this host already has ntp keys:
+#
+h="`hostname`"
+KEYSDIR="/etc/ntp.keys.d"
+if ! [ -e "$KEYSDIR/ntpkey_cert_$h" ] ||
+ ! [ -e "$KEYSDIR/ntpkey_host_$h" ] ||
+ ! [ -e "$KEYSDIR/ntpkey_iff_$h" ]; then
+ # on a "server" we would have to add -T to the ntp-keygen call
+ # and then run something like this:
+ #
+ ### sed -e 's/^[[:space:]]*#//' << 'EOF'
+ # cd "$KEYSDIR" &&
+ # RANDFILE=/dev/urandom /usr/sbin/ntp-keygen -T -I -H -c RSA-SHA1 -m 1024 &&
+ # RANDFILE=/dev/urandom ntp-keygen -q `hostname` -e | (
+ # read l; echo "$l";
+ # read l; echo "$l";
+ # echo
+ # echo "# This is the public version of this 'private' key -"
+ # echo "# the private data has been replaced by 0x01."
+ # echo "# (just ask 'openssl dsa -text < foo.pub')"
+ # echo
+ # openssl dsa -passin `hostname` -passin pass:`hostname` ) > ntpkey_iff_`hostname`.pub
+ #
+ #
+ # So that we can copy that .pub to all the clients that need it (don't
+ # call it .pub on the client then)
+ #
+ # on the client this is all we need:
+ if [ -x /usr/sbin/ntp-keygen ] ; then
+ [ -d "$KEYSDIR" ] || install -d -o root -g ntp -m 770 "$KEYSDIR"
+ ( cd "$KEYSDIR" && RANDFILE=/dev/urandom /usr/sbin/ntp-keygen -I -H -c RSA-SHA1 -m 1024 )
+ fi
+fi
diff --git a/modules/ntp/files/ntpkey_iff_busoni.pub b/modules/ntp/files/ntpkey_iff_busoni.pub
new file mode 100644
index 000000000..d1a8743e6
--- /dev/null
+++ b/modules/ntp/files/ntpkey_iff_busoni.pub
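Review bot: The fallback `install -d -o root -g ntp -m 770 "$KEYSDIR"` makes the key directory group-writable for ntp, and since Debian's init script drops ntpd to the ntp user (I believe via `-u ntp:ntp`), directory write access is enough for the daemon to unlink and replace the root-owned `ntpkey_iff_<server>` trust anchors Puppet installs there; it also contradicts the `mode => 750` the manifest sets on the same directory, so Puppet will keep flipping it back. Use `-m 750` here so the daemon can read but not rewrite its trust anchors. The host key generated on the client by `ntp-keygen -I -H -c RSA-SHA1 -m 1024` is the weakest parameter set in this change; if the installed ntp-keygen accepts `-m 2048` (and a SHA-2 digest), prefer that. In the commented server recipe, `openssl dsa -passin `hostname` -passin pass:`hostname`` carries a stray first `-passin` whose argument is not a valid password source; it looks like a leftover and should be dropped before anyone runs the recipe verbatim.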
@@ -0,0 +1,18 @@
+# ntpkey_IFFkey_busoni.3492505947
+# Fri Sep 3 12:32:27 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----
+MIIBpwIBAAKBgQCnnKFu3iaMXhs1Hs1GapryKEp/PUCdwHPeT1MfOWPJ+93UpZ9g
+vWxo7/GaFOHNoKQJnWOrfUMbtmJcjuc1+RFu+Xfmz5M1XcTM8tvVjMGrivT2nRSL
+32w0KPw423Etlq0tGuvCpreez42BACSW8y0UYXGZaqyC85JWU1Y/GOBIewIVAJTy
+RyGaDKqsMP00xX3pR5uz9TljAoGAIyF2RsHqsN1sKXXYTqG66ufe1kFE7eXeFGbb
+6iwE7IOcnCJMaPidr0d6gYbzR56S8WD3AqZ1HGKuV0825ZuW7xWlpDWgKwSKV9fT
+GuXnN3+zQUQ+9iLn/f77+hMl/QPHtRk3q0r9ZfhN48JCVsOYkUlA4Yf+6I2nZaYk
+jnxL34MCgYB2e7I6Gp0SvTPuxPVkbScxAEEyz2A9UGhdg7p7Niv6D9OMIWh1DMQS
+PDbY/7UESoxRmlKDQK0SXwL3r3IFXTTyHBLLZjT6QaSZiJ7g54JhmSmgBRZVBqop
+Tldvb/h1N/gLOobcX/0nMzPptyoduD4muy3hUPfH7UFwLDXaVmLhRgIBAQ==
+-----END DSA PRIVATE KEY-----
diff --git a/modules/ntp/files/ntpkey_iff_merikanto.pub b/modules/ntp/files/ntpkey_iff_merikanto.pub
new file mode 100644
index 000000000..ce9a6022e
--- /dev/null
+++ b/modules/ntp/files/ntpkey_iff_merikanto.pub
@@ -0,0 +1,18 @@
+# ntpkey_IFFkey_merikanto.3492505905
+# Fri Sep 3 12:31:46 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----
+MIIBpwIBAAKBgQCWWLVyJ6HUVVEqOHxj7Iw+hZGaw+1Lzbugw4AwYIQWy/0PVN1j
+zyAEA+dd5JcOiZ83u83mnljRIof780ZshZo8jx0E4Xf+B/yr+/OKUiaCh+ZhDsXz
+XSvhIDPS/YMpVeDqEiEeQMnHy91IIsdAp+mY28eQ9YrL2WSlv2DZ+qIAiQIVAOQd
+lg0FvFrRL4odQCGOue0wQHKhAoGASb1auh2h+g1dLvSAkw4fUYRq06cBWnmeUC31
+KZOBAnElcg+sYyqkrmZe6U0aSZFt/mWvTk2gdoZVA+ITGfsi4GH5LOc0UHp4AsyH
+e31dpQgzceZHhXj+hPGfKjH2cQunZW+eJlsXBKKY5J2dakA6hPStsT7kpejAsoLm
+mxxffZgCgYA0PJBuVqLgKHKxncCHDC9DPq+dJ8b62hrXFB11Sb7pJs0qWtJpLD1J
+FdaiZeUmBwFRgGosU/Gb44yXBNjIr1IYlaDIE+hxz7xByKj3Vi5wZh7KylW0Em4v
+WefQlojNBsymYoDSKSFw1RX7dPKEaL+Nkuz/NvPhVxBd2EzH5uHmEAIBAQ==
+-----END DSA PRIVATE KEY-----
diff --git a/modules/ntp/files/ntpkey_iff_orff.pub b/modules/ntp/files/ntpkey_iff_orff.pub
new file mode 100644
index 000000000..1953db4f7
--- /dev/null
+++ b/modules/ntp/files/ntpkey_iff_orff.pub
@@ -0,0 +1,18 @@
+# ntpkey_IFFkey_orff.3492505946
+# Fri Sep 3 12:32:27 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----
+MIIBpwIBAAKBgQCPMl5UYkQV+TKXIOo4ySk9B6/WOFTbbofkv9zU9BsXZx3dqBL4
+uDorS+8BawWZcaBRvl1FiG31wcDq2/ltCthIqtUqcY8OvStYpdncBNOwWfzI+iQp
+9FWg18xG9qufgkm7GOK0jSPxSg5WkkpbzDVJGtamrcM3dTfl8uD54/yqpwIVAMfA
+kSN8n3ULsmOXZ809hmsMAeuvAoGAbsjJi/trgqnmjzqB3qcPinH2ljzPX9VUCHKp
+7zZlfR3iICKTXUJSLYzoT3IWtPJuLacNpCMr641QOypHYeXhSyF4SXtNf6RTtHKU
+FgWFtrBI0TO6P1oUdUUUYGo4mf90vIA/PgH0XqGupqV5k8tWU1Nkldqkdv1V8DRZ
+/mTooYYCgYBm/1vSho/CA6ObMdCkbWZUefe6oRrOqOUKH6gWSjh4FchD8CpXuPfi
+NLgnWIW3kmvunuRfLofxg1fvyOLLbBsvMt3sP60DX3ZAAmliaoQSmpRhHQJ5MRlW
+N1YhIacmH/E/b0Pt69AEI8y2qaZ/dytdUgqhP3FiIP8xUWmgBKQ3YAIBAQ==
+-----END DSA PRIVATE KEY-----
diff --git a/modules/ntp/files/ntpkey_iff_ravel.pub b/modules/ntp/files/ntpkey_iff_ravel.pub
new file mode 100644
index 000000000..e74783d14
--- /dev/null
+++ b/modules/ntp/files/ntpkey_iff_ravel.pub
@@ -0,0 +1,18 @@
+# ntpkey_IFFkey_ravel.3492505946
+# Fri Sep 3 12:32:26 2010
+
+# This is the public version of this 'private' key -
+# the private data has been replaced by 0x01.
+# (just ask 'openssl dsa -text < foo.pub')
+
+-----BEGIN DSA PRIVATE KEY-----
+MIIBpwIBAAKBgQCcDkgB/G7gg7ZMwmfpUNwn56i2bc6OMKEJyPDPB3Y9l70VKC6U
+p6O5sl1S31aSTDANiUwnai0BXWBymiRRzaoSnRKQsHbhWSSUAsvChHMBgh01qlAc
++DORJUUndgk+G3Pwfh88Xsw4+nnJxhneGskYm0SmAiDKtwZhuo7P7DajWwIVAOCs
+es4iYundrvhIpQNHV0L37lClAoGAfWso0vkpwJUyNxYQ+H/EQscw/WIX7+2DtqRG
+szsdSn3WlcFaI0JAws1EsYwfIENzUf38GDymlr+kxc6Ejzsv4Gxp1bGxGr7WNLbL
+OXxxWRISxfwcvpOqKYlrPn6uMQAT7GYqLRuQAt0BwyqaRVR5hB72Q3OiUqQaEZEf
+KfYGoM8CgYAIC5W2EQGy4fjORmxeE4Dl8GB33FX1BWqiMHMTJkso6FUcD9pudKN9
+gfP0JSriXONUt3Bup0dolgzmSW8/oOMe16l4VtXXctVjt+5UUqfJNfpFyR47NkSC
+/JkHPZVvdZa3eFacf9koBEvz6Fb5K8mhuwSUKqVWBlesBNVexOIJ/QIBAQ==
+-----END DSA PRIVATE KEY-----
diff --git a/modules/ntp/manifests/init.pp b/modules/ntp/manifests/init.pp
index dfc151790..730fbea60 100644
--- a/modules/ntp/manifests/init.pp
+++ b/modules/ntp/manifests/init.pp
@@ -1,35 +1,92 @@
 class ntp {
- package { ntp: ensure => installed }
- file { "/var/lib/ntp/":
- ensure => directory,
- owner => ntp,
- group => ntp,
- mode => 755
- ;
- "/var/lib/ntpstats":
- ensure => directory,
- owner => ntp,
- group => ntp,
- mode => 755
- ;
- "/etc/ntp.conf":
- owner => root,
- group => root,
- mode => 444,
- content => template("ntp/ntp.conf"),
- notify => Exec["ntp restart"],
- require => Package["ntp"]
- ;
- }
- exec { "ntp restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
- @ferm::rule { "dsa-ntp":
- domain => "(ip ip6)",
- description => "Allow ntp access",
- rule => "&SERVICE(udp, 123)"
+ package { ntp: ensure => installed }
+ file {
+ "/var/lib/ntp/":
+ ensure => directory,
+ owner => ntp,
+ group => ntp,
+ mode => 755
+ ;
+ "/var/lib/ntpstats":
+ ensure => directory,
+ owner => ntp,
+ group => ntp,
+ mode => 755
+ ;
+ "/etc/ntp.conf":
+ owner => root,
+ group => root,
+ mode => 444,
+ content => template("ntp/ntp.conf"),
+ notify => Exec["ntp restart"],
+ require => Package["ntp"]
+ ;
+ "/etc/ntp.keys.d":
+ owner => root,
+ group => ntp,
+ mode => 750,
+ ensure => directory,
+ ;
+ }
+ case extractnodeinfo($nodeinfo, 'timeserver') {
+ 'true': { }
+ default: {
+ file {
+ "/etc/default/ntp":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => [ "puppet:///ntp/etc-default-ntp" ],
+ require => Package["ntp"],
+ notify => Exec["ntp restart"],
+ ;
+
+ "/etc/ntp.keys.d/ntpkey_iff_merikanto":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => [ "puppet:///ntp/ntpkey_iff_merikanto.pub" ],
+ require => Package["ntp"],
+ notify => Exec["ntp restart"],
+ ;
+ "/etc/ntp.keys.d/ntpkey_iff_orff":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => [ "puppet:///ntp/ntpkey_iff_orff.pub" ],
+ require => Package["ntp"],
+ notify => Exec["ntp restart"],
+ ;
+ "/etc/ntp.keys.d/ntpkey_iff_ravel":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => [ "puppet:///ntp/ntpkey_iff_ravel.pub" ],
+ require => Package["ntp"],
+ notify => Exec["ntp restart"],
+ ;
+ "/etc/ntp.keys.d/ntpkey_iff_busoni":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => [ "puppet:///ntp/ntpkey_iff_busoni.pub" ],
+ require => Package["ntp"],
+ notify => Exec["ntp restart"],
+ ;
+ }
 }
+ }
+
+
+ exec { "ntp restart":
+ path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+ refreshonly => true,
+ }
+ @ferm::rule { "dsa-ntp":
+ domain => "(ip ip6)",
+ description => "Allow ntp access",
+ rule => "&SERVICE(udp, 123)"
+ }
 }
 # vim:set et:
 # vim:set sts=4 ts=4:
diff --git a/modules/ntp/templates/ntp.conf b/modules/ntp/templates/ntp.conf
index c7790ac41..1cf5999f2 100644
--- a/modules/ntp/templates/ntp.conf
+++ b/modules/ntp/templates/ntp.conf
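Review bot: The new `/etc/ntp.keys.d` directory resource is the only file resource in the class without `require => Package["ntp"]`, so on a fresh host Puppet can try to chgrp the directory to `ntp` before the package postinst has created that group and the run fails; add `require => Package["ntp"],` to it. Root:ntp 750 on the directory with the four server `ntpkey_iff_*` files at 444 is the right split for public trust anchors, but the client's own RSA host key is written into that same directory by the ntp-keygen call in /etc/default/ntp, running as root with whatever mode ntp-keygen picks — confirm ntpd, which runs as the ntp user, can read `ntpkey_host_<h>` and that no other user can. The four near-identical `ntpkey_iff_*` resources are a second hand-maintained copy of the `timeserver` list this commit adds to local.yaml; a small define over that list would keep the trust anchors and the server list from drifting apart.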
@@ -11,22 +11,31 @@ filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
-<% case fqdn
- when /geo[123].debian.org/:
--%>
+crypto randfile /dev/urandom
+keysdir /etc/ntp.keys.d
+
+<% if nodeinfo['timeserver'] -%>
 server 0.debian.pool.ntp.org iburst dynamic
 server 1.debian.pool.ntp.org iburst dynamic
 server 2.debian.pool.ntp.org iburst dynamic
 server 3.debian.pool.ntp.org iburst dynamic
-<% when "ancina.debian.org": -%>
+<% elsif fqdn == "ancina.debian.org" -%>
 server ntp.ugent.be iburst dynamic
-<% when /(widor|argento).debian.org/: -%>
-server 195.49.152.213 iburst
-server 195.49.152.37 iburst
-<% else -%>
-server geo1.debian.org iburst dynamic
-server geo2.debian.org iburst dynamic
-server geo3.debian.org iburst dynamic
+<% elsif nodeinfo['misc']['natted'] -%>
+# autokey doesn't work behind nat
+server merikanto.debian.org iburst
+server orff.debian.org iburst
+server ravel.debian.org iburst
+server busoni.debian.org iburst
+<% else -%>
+server merikanto.debian.org iburst autokey
+server orff.debian.org iburst autokey
+server ravel.debian.org iburst autokey
+server busoni.debian.org iburst autokey
+restrict merikanto.debian.org notrust nomodify notrap ntpport
+restrict orff.debian.org notrust nomodify notrap ntpport
+restrict ravel.debian.org notrust nomodify notrap ntpport
+restrict busoni.debian.org notrust nomodify notrap ntpport
 <% end -%>
 
 restrict -4 default kod notrap nomodify nopeer noquery
@@ -34,3 +43,7 @@ restrict -6 default kod notrap nomodify nopeer noquery
 
 restrict 127.0.0.1
 restrict ::1
+
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
-- 
2.20.1
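Review bot: The `natted` branch gives up authentication entirely — `server merikanto.debian.org iburst` with no key and no `restrict ... notrust` — so a host behind NAT accepts time from anything that can spoof the four servers' addresses, which is the exact attack the autokey branch is meant to close. Since autokey cannot work there, give those hosts a symmetric-key fallback (`keys`, `trustedkey N` and `key N` on each server line, with the same key on the timeservers), or at minimum make the downgrade visible with `# WARNING: unauthenticated; NAT hosts accept any reply claiming to come from these addresses` in place of the current comment. `crypto randfile /dev/urandom` and `keysdir` are now emitted for every host, including the timeservers (whose keys are generated by hand per the comment in etc-default-ntp) and the NAT/ancina hosts that never use autokey; I believe ntpd 4.2.x exits when `crypto` is configured and no host key is present, so either confine those two lines to the autokey branch or ensure keys exist before this config ships. The `restrict <hostname>` lines bind to whichever single address the name resolves to at startup, so a server with both A and AAAA records is only half covered — worth checking against the deployed addresses.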