ntpd: Added option to disable strict ACLs for isc-ntpd

ntpd/manifests/init.pp

@@ -6,6 +6,11 @@
 #       Array of NTP servers using [] will disable external servers.
 #       Defaults to pool.ntp.org.
 #
+#   $ntp_strict:
+#       When set to "false", permit time synchronization by default. Required
+#       for pool.ntp.org or similar server names which have multiple addresses.
+#       Defaults to "true".
+#
 #   $ntp_client_networks:
 #       Array of networks that are allowed to query this server in format
 #       [ "192.168.1.0/255.255.255.0", "192.168.2.0/255.255.255.0", ] or
@@ -17,6 +22,10 @@ class ntpd {
         $ntp_server = ["pool.ntp.org"]
     }
 
+    if !$ntp_strict {
+        $ntp_strict = "true"
+    }
+
     case $::operatingsystem {
         "fedora": {
             case $::operatingsystemrelease {

ntpd/templates/ntp.conf.erb

@@ -3,13 +3,20 @@
 tinker panic 0
 
 <% end -%>
+<% if @ntp_strict == "true" -%>
 # By default deny everything.
 restrict -4 default ignore
 restrict -6 default ignore
+<% else -%>
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict -4 default nomodify notrap nopeer noquery
+restrict -6 default nomodify notrap nopeer noquery
+<% end -%>
 
 # Local users may interrogate the ntp server more closely.
-restrict 127.0.0.1
+restrict 127.0.0.1 nomodify
-restrict ::1
+restrict ::1 nomodify
 
 # Drift file.
 driftfile /var/lib/ntp/ntp.drift
@@ -17,7 +24,9 @@ driftfile /var/lib/ntp/ntp.drift
 # Remote servers.
 <% @ntp_server.each do |server| -%>
 server <%= server %>
+<%   if @ntp_strict == "true" -%>
 restrict <%= server %> nomodify notrap nopeer noquery
+<%   end -%>
 <% end -%>
 <% if @is_virtual == "false" -%>