From c74af55d874504356d56864f46302bec172c5b08 Mon Sep 17 00:00:00 2001 From: "Joshua M. Boniface" Date: Thu, 7 Mar 2024 14:24:05 -0500 Subject: [PATCH] Fully split ntp and ntpsec configs And fix ntpsec config to properly work in Debian 12+. --- roles/base/tasks/main.yml | 26 +++++++++++------ roles/base/templates/etc/ntpsec/ntp.conf.j2 | 31 +++++++++++++++++++++ 2 files changed, 49 insertions(+), 8 deletions(-) create mode 100644 roles/base/templates/etc/ntpsec/ntp.conf.j2 diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 1a52e5c..bc78400 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -536,7 +536,7 @@ tags: base-mta # ntp -- name: write the NTP config file +- name: write the NTP config file on Debian < 12 template: src: "{{ item.src }}" dest: "{{ item.dest }}" @@ -544,17 +544,27 @@ - restart ntp with_items: - { src: "etc/ntp.conf.j2", dest: "/etc/ntp.conf" } + when: debian_version|int < 12 tags: base-time -- name: add link to ntpsec config on Debian 12+ - file: - state: link - src: /etc/ntp.conf - dest: /etc/ntpsec/ntp.conf - force: yes - when: debian_version|int >= 12 +- name: write the NTP config file on Debian >= 12 + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" notify: - restart ntp + with_items: + - { src: "etc/ntpsec/ntp.conf.j2", dest: "/etc/ntpsec/ntp.conf" } + when: debian_version|int >= 12 + tags: base-time + +- name: clean up old NTP config file on Debian >= 12 + file: + dest: /etc/ntp.conf + state: absent + notify: + - restart ntp + when: debian_version|int >= 12 tags: base-time # ssl diff --git a/roles/base/templates/etc/ntpsec/ntp.conf.j2 b/roles/base/templates/etc/ntpsec/ntp.conf.j2 new file mode 100644 index 0000000..cc5398d --- /dev/null +++ b/roles/base/templates/etc/ntpsec/ntp.conf.j2 
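Review bot: The upgrade path from the layout this hunk removes is not handled: a host that previously ran the deleted `state: link` task still has `/etc/ntpsec/ntp.conf` as a symlink to `/etc/ntp.conf`, the new template task writes to that path, and the clean-up task then deletes the link target. Whether the template replaces the link or writes through it depends on module behaviour (template does not follow links by default, and it skips the write when the destination checksum already matches), so if the rendered file ever equals what sits behind the link the host is left with a dangling symlink and no ntpsec config. An explicit stat-and-remove of the stale symlink ahead of `write the NTP config file on Debian >= 12` makes the migration deterministic, as in the two tasks below. While here, the single-element `with_items` loops could be plain `src:`/`dest:` arguments, and both template tasks would benefit from explicit `owner: root`, `group: root`, `mode: "0644"` so the rendered config's permissions do not depend on the remote umask.
```yaml
- name: check whether the ntpsec config is still the old symlink
  stat:
    path: /etc/ntpsec/ntp.conf
  register: ntpsec_conf
  when: debian_version|int >= 12
  tags: base-time

- name: remove stale ntpsec config symlink on Debian >= 12
  file:
    path: /etc/ntpsec/ntp.conf
    state: absent
  when: debian_version|int >= 12 and ntpsec_conf.stat.islnk | default(false)
  tags: base-time

# … unchanged: write the NTP config file on Debian >= 12, clean up old NTP config file …
```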
@@ -0,0 +1,31 @@ +# Main NTP configuration (NTPSEC) +# {{ ansible_managed }} + +driftfile /var/lib/ntpsec/ntp.drift +statsdir /var/lib/ntpsec + +statistics loopstats peerstats clockstats + +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + +# Enable orphan mode if cluster cannot connect to the Internet +tos orphan 6 +server 127.127.1.0 +fudge 127.127.1.0 stratum 10 + +# NTP masters +{% for server in ntp_servers %} +server {{ server }} iburst +{% endfor %} + +# Local PVC cluster +{% for node in pvc_nodes %} +peer {{ node.cluster_ip }} # {{ node.hostname }}.{{ pvc_cluster_domain }} +{% endfor %} + +restrict -4 default nomodify +restrict -6 default nomodify +restrict 127.0.0.1 +restrict ::1
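Review bot: The default `restrict` lines at the end of the template set only `nomodify`, so ntpd still answers mode-6 control queries (`ntpq -p`, `readvar`) from any address that can reach it, which exposes the peer list and cluster addresses and gives a small reflection vector; the stock Debian ntpsec config uses `kod nomodify nopeer noquery limited` on both default lines. Since `nopeer` refuses symmetric associations that are not already configured, the cluster nodes should be allowed explicitly with per-node `restrict` entries (configured `peer` associations are, as far as I recall, exempt anyway, but the explicit lines make that independent of rule ordering). The `tos orphan 6` plus `server 127.127.1.0` / `fudge ... stratum 10` pair also looks redundant, because orphan mode is documented as the replacement for the local clock driver, and NTPsec configures that driver as `refclock local` rather than via the 127.127.t.u address; consider dropping the two local-clock lines or confirming they still parse on the target ntpsec version.
```jinja
restrict -4 default kod limited nomodify nopeer noquery
restrict -6 default kod limited nomodify nopeer noquery
# Cluster peers may mobilise symmetric associations but get no control queries
{% for node in pvc_nodes %}
restrict {{ node.cluster_ip }} nomodify noquery
{% endfor %}
restrict 127.0.0.1
restrict ::1
```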