
The ff-supernode role does now also install and configure ntp

Till Klocke 9 年之前
父節點
當前提交
a23a36e022

+ 1 - 0
roles/ff-supernode/tasks/debian.yml

@@ -3,6 +3,7 @@
   with_items:
   - wget
   - supervisor
+  - ntp
 
 - name: Install backport kernel for Debian wheezy
   apt: name=linux-image-amd64 default_release=wheezy-backports state=latest

+ 4 - 1
roles/ff-supernode/tasks/main.yml

@@ -19,4 +19,7 @@
 - name: Create supervisor services
   template: src=supervisor.service.j2 dest=/etc/supervisor/conf.d/{{item.name}}.conf
   with_items: "{{supervisor_services}}"
-  notify: Restart supervisor
+  notify: Restart supervisor
+
+- name: Install ntp.conf
+  template: src=ntp.conf.j2 dest=/etc/ntp.conf
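Review bot: The new `Install ntp.conf` task has no `notify`, so an ntpd that the package install has already started keeps running with the distribution's default configuration until something else restarts it. Until then the interface binding and the `restrict ... default ignore` policy from the template are not in force. Add `notify: Restart ntp` with a matching handler; the handlers file is not visible in this commit, so the handler probably has to be added as well. It is also worth pinning the file's ownership and permissions on the task, e.g. `template: src=ntp.conf.j2 dest=/etc/ntp.conf owner=root group=root mode=0644`.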

+ 67 - 0
roles/ff-supernode/templates/ntp.conf.j2

@@ -0,0 +1,67 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+
+# listen on if
+interface ignore wildcard
+interface listen bat0
+interface listen eth0
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+server 0.debian.pool.ntp.org iburst
+server 1.debian.pool.ntp.org iburst
+server 2.debian.pool.ntp.org iburst
+server 3.debian.pool.ntp.org iburst
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+# restrict -4 default kod notrap nomodify nopeer noquery
+# restrict -6 default kod notrap nomodify nopeer noquery
+restrict -4 default ignore
+restrict -6 default ignore
+
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# allow from ff-do-subnets
+restrict {{supernode_mesh_ipv4|ipaddr('network')}} mask {{supernode_mesh_ipv4|ipaddr('netmask')}} kod notrap nomodify nopeer noquery
+restrict {{supernode_mesh_ipv6|ipaddr('network')}} mask {{supernode_mesh_ipv6|ipaddr('netmask')}} kod notrap nomodify nopeer noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
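Review bot: With `restrict -4 default ignore` and `restrict -6 default ignore`, replies from the four `debian.pool.ntp.org` servers are dropped too, because no restrict line matches their addresses. The template's own comment says "restrict" applies to servers as well as clients, so the supernode would probably never synchronise and would offer the mesh an unsynchronised clock. Pool addresses change, so they cannot be listed statically. Where the installed ntpd supports it (4.2.8 and later, to be confirmed for the target release), add `restrict source notrap nomodify noquery`; otherwise use fixed upstream servers with one `restrict` line each. Separately, `kod` on the two mesh-subnet lines has no effect without `limited`, so add `limited` there if rate limiting of mesh clients is intended.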

+ 9 - 0
test/integration/supernode/serverspec/test_spec.rb

@@ -20,4 +20,13 @@ end
 describe port(53) do
   it { should be_listening.with('udp') }
   it { should be_listening.with('udp6') }
+end
+
+describe process('ntpd') do
+  it { should be_running }
+end
+
+describe port(123) do
+  it { should be_listening.with('udp') }
+  it { should be_listening.with('udp') }
 end
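Review bot: The two assertions in the `port(123)` block are identical, so the IPv6 listener is never checked. The second one was presumably meant to mirror the `port(53)` block above: `it { should be_listening.with('udp6') }`. The tests also pass while ntpd is running but unsynchronised. A check on the output of `ntpq -pn` for a selected peer would catch a configuration that blocks the upstream servers.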