Add NTS support (#83)

* Fix templates to check iburst value

Fixes #70.

* Add prefer and trust options

Fixes #61.

* Add NTS support

README.md

@@ -34,6 +34,15 @@ timesync_ntp_servers:
     pool: no                    # Flag indicating that each resolved address
                                 # of the hostname is a separate NTP server
                                 # (default no)
+    nts: no                     # Flag enabling Network Time Security (NTS)
+                                # authentication mechanism (default no,
+                                # supported only with chrony >= 4.0)
+    prefer: no                  # Flag marking the source to be preferred for
+                                # synchronization over other sources
+                                # (default no)
+    trust: no                   # Flag marking the source to be trusted over
+                                # sources that don't have this flag
+                                # (default no)
     xleave: no                  # Flag enabling interleaved mode (default no)
     filter: 1                   # Number of NTP measurements per clock update
                                 # (default 1)

templates/chrony.conf.j2

@@ -5,7 +5,10 @@
 value['hostname'] }}{{
 ' minpoll {0}'.format(value['minpoll']) if 'minpoll' in value else '' }}{{
 ' maxpoll {0}'.format(value['maxpoll']) if 'maxpoll' in value else '' }}{{
-' iburst' if 'iburst' in value and value else '' }}{{
+' nts' if 'nts' in value and value['nts'] else '' }}{{
+' iburst' if 'iburst' in value and value['iburst'] else '' }}{{
+' prefer' if 'prefer' in value and value['prefer'] else '' }}{{
+' trust' if 'trust' in value and value['trust'] else '' }}{{
 ' xleave' if __timesync_chrony_version is version('3.0', '>=') and
         'xleave' in value and value['xleave'] else '' }}{{
 ' filter {0}'.format(value['filter'])
@@ -65,6 +68,11 @@ commandkey 1
 # Generate command key if missing.
 generatecommandkey
 
+{% endif %}
+{% if __timesync_chrony_version is version('4.0', '>=') %}
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
 {% endif %}
 {% if timesync_max_distance != 0 %}
 # Limit maximum root distance.

templates/ntp.conf.j2

@@ -5,7 +5,13 @@
 value['hostname'] }}{{
 ' minpoll {0}'.format(value['minpoll']) if 'minpoll' in value else '' }}{{
 ' maxpoll {0}'.format(value['maxpoll']) if 'maxpoll' in value else '' }}{{
-' iburst' if 'iburst' in value and value else '' }}
+' iburst' if 'iburst' in value and value['iburst'] else '' }}{{
+' prefer' if 'prefer' in value and value['prefer'] else '' }}{{
+' true' if 'trust' in value and value['trust'] else '' }}
+{% if 'nts' in value and value['nts'] %}
+# Disable clock control due to missing NTS support.
+disable ntp
+{% endif %}
 {% endfor %}
 
 driftfile /var/lib/ntp/drift

tests/tests_ntp.yml

@@ -4,13 +4,17 @@
     timesync_ntp_servers:
       - hostname: 172.16.123.1
       - hostname: 172.16.123.2
-        iburst: yes
+        iburst: no
+        prefer: no
+        trust: no
         minpoll: 4
       - hostname: 172.16.123.3
         pool: yes
         iburst: yes
         minpoll: 4
         maxpoll: 6
+        prefer: yes
+        trust: yes
         xleave: yes
         filter: 3
     timesync_step_threshold: 0.01
@@ -45,14 +49,34 @@
           when: "'LastRx' in sources.stdout"
           register: chrony_conf_encoded
 
+        - name: Fetch ntp.conf file
+          slurp:
+            src: /etc/ntp.conf
+          when: "'LastRx' not in sources.stdout"
+          register: ntp_conf_encoded
+
         - name: Decode chrony.conf file
           set_fact:
             chrony_conf: "{{ chrony_conf_encoded.content | b64decode }}"
           when: chrony_conf_encoded is not skipped
 
+        - name: Decode ntp.conf file
+          set_fact:
+            ntp_conf: "{{ ntp_conf_encoded.content | b64decode }}"
+          when: ntp_conf_encoded is not skipped
+
         - name: Check chrony.conf file
           assert:
             that:
+              - chrony_conf is not search('172\.16\.123\.1.*iburst')
+              - chrony_conf is not search('172\.16\.123\.2.*iburst')
+              - chrony_conf is search('172\.16\.123\.3.*iburst')
+              - chrony_conf is not search('172\.16\.123\.1.*prefer')
+              - chrony_conf is not search('172\.16\.123\.2.*prefer')
+              - chrony_conf is search('172\.16\.123\.3.*prefer')
+              - chrony_conf is not search('172\.16\.123\.1.*trust')
+              - chrony_conf is not search('172\.16\.123\.2.*trust')
+              - chrony_conf is search('172\.16\.123\.3.*trust')
               - chrony_conf is not search('172\.16\.123\.1.*xleave')
               - chrony_conf is not search('172\.16\.123\.2.*xleave')
               - chrony_conf is search('172\.16\.123\.3.*xleave') ==
@@ -66,4 +90,18 @@
               - chrony_conf is search('hwtimestamp .* minpoll 0') ==
                 __timesync_chrony_version is version('3.1', '>=')
           when: chrony_conf is defined
+
+        - name: Check ntp.conf file
+          assert:
+            that:
+              - ntp_conf is not search('172\.16\.123\.1.*iburst')
+              - ntp_conf is not search('172\.16\.123\.2.*iburst')
+              - ntp_conf is search('172\.16\.123\.3.*iburst')
+              - ntp_conf is not search('172\.16\.123\.1.*prefer')
+              - ntp_conf is not search('172\.16\.123\.2.*prefer')
+              - ntp_conf is search('172\.16\.123\.3.*prefer')
+              - ntp_conf is not search('172\.16\.123\.1.*true')
+              - ntp_conf is not search('172\.16\.123\.2.*true')
+              - ntp_conf is search('172\.16\.123\.3.*true')
+          when: ntp_conf is defined
       tags: tests::verify