#-----------------------------------------------------------------------
# /etc/ntp.conf for interval
# Sources:
#   https://www.ntpsec.org/white-papers/stratum-1-microserver-howto/
#   http://www.catb.org/gpsd/gpsd-time-service-howto.html
#   Gary E Miller posts and his public ntp.conf instances
#-----------------------------------------------------------------------

# Drift file.
# Ensure that the directory exists, and is writable by whichever user
# the ntpd daemon runs as.
driftfile /var/lib/ntp/ntp.drift

# Leap-seconds file.
# Updated via cronjob twice a year.
leapfile /etc/ntp/leap-seconds.list

# Keys.
# This file holds the symmetric keys in cleartext. Keep it readable only
# by root and the account ntpd runs as, and out of backups or version
# control that other users can read.
keys /etc/ntp/keys

# Authentication
# trustedkey lists the key IDs accepted for authenticating time.
# NOTE(review): only key 3 (peer) and key 1 (controlkey) are referenced
# in this file; confirm IDs 2 and 4 are needed by other hosts, otherwise
# drop them from the trusted list.
trustedkey 1 2 3 4
# controlkey authorises ntpq runtime-configuration requests. Key 1 is
# also in trustedkey above, so one secret covers both time
# authentication and control; a dedicated control key that is not
# shared with any other host keeps the two roles separate.
controlkey 1

# TOS.
#
# minsane: ref https://support.ntp.org/bin/view/Support/StartingNTP4#Section_7.1.4.3.1.
#          ref http://lists.ntp.org/pipermail/questions/2003-September/000737.html
#   Note: total number of servers, *not* including noselect servers
#   This may be a bug. Until clarified, skip 'minsane'.
#
# orphan: ref http://support.ntp.org/bin/view/Support/OrphanMode
#         and https://www.eecis.udel.edu/~mills/ntp/html/orphan.html
#         and https://docs.ntpsec.org/latest/orphan.html
#
# tos minsane 3 orphan 6
tos orphan 6

#-----------------------------------------------------------------------
# GEM logs/stats suggestion
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
logfile /var/log/ntpd.log
logconfig =syncall +clockall +peerall +sysall

#-----------------------------------------------------------------------
# Restrictions.
# Last match - less specific to more specific
# By default, exchange time with everybody, but don't allow configuration.
# 'noquery' on the default entries also refuses ntpq queries from hosts
# not matched below; 'limited' rate-limits them and 'kod' sends a
# kiss-of-death reply when the limit is exceeded.
restrict default kod limited nomodify nopeer noquery
restrict -6 default kod limited nomodify nopeer noquery

# Local subnets can see a subset.
# Note: 'notrap' usually included here, but ignored by ntpsec (traps not supported)
# These three entries cover all of RFC 1918 space and carry neither
# 'noquery' nor 'limited', so any host with such an address may run ntpq
# queries against this server and is exempt from rate limiting.
# NOTE(review): consider narrowing them to the prefixes actually in use
# on this network.
restrict 192.168.0.0 mask 255.255.0.0 nomodify nopeer
restrict 10.0.0.0 mask 255.0.0.0 nomodify nopeer
restrict 172.16.0.0 mask 255.240.0.0 nomodify nopeer

# Allow peers.
# No 'nopeer' here, so this host may form an association; 'nomodify'
# still blocks runtime reconfiguration from it.
restrict 192.168.254.55 nomodify

# Local users may interrogate the NTP server more closely.
# No flags at all: loopback is the only source from which runtime
# configuration is not refused by a restrict entry, so every local
# account that can read the control key can reconfigure ntpd.
restrict 127.0.0.1
restrict -6 ::1

#-----------------------------------------------------------------------
# Servers and peers

# From GPSD docs:
#   Check servers
#   If you have no other local chimers to help NTP perform sanity checks
#   then you can use some public chimers from the NTP public pool:
#   http://www.pool.ntp.org/en/
#
#   iburst tells it to send the first few requests at 2 second intervals rather
#   than wait for the poll interval which defaults to 64 seconds. That greatly
#   speeds up the time for ntpd to set the system time and start responding to
#   requests.
#
#   Notice we use the 'us' country code servers, otherwise we might get
#   pool servers from opposite sides of the planet and accuracy would
#   likely be poor. If you are not in the USA, then it will probably work
#   to change the 'us' to your two letter country code.
#
#   Major Internet-using countries with pools include:
#     us gb de fr ru au at ca cn jp de fi it be br cz hk
#
#   If you don't know your country code, find it at
#
#     https://en.wikipedia.org/wiki/ISO_3166-1
#
#   and then try prepending it to ".pool.ntp.org" and pinging that
#   hostname. If you get a response, you can use it.

#-----------------------------------
# From GEM:
#   The order of servers and peers in ntp.conf matters.
#
#   On startup ntpd will take the first time it gets to set the system
#   clock. If this first time is an imprecise clock, say derived from
#   NMEA, then ntpd may take days to restabilize.
#
#   The first time ntpd acquires will tend to be the ones higher up in
#   the file with the lowest maxpoll.
#
#   So to work around this ntpd glitch put your best time sources high
#   in the ntp.conf file, with your shortest maxpoll and your worst one
#   at the bottom with higher maxpolls.
#
#   A bug is open for this behavior:
#     https://gitlab.com/NTPsec/ntpsec/issues/68

#-----------------------------------
# GPS PPS reference (NTP1)
# First, calibrate by syncing with high-quality peers, monitoring PPS
# without using it (noselect)
#refclock shm unit 1 maxpoll 4 refid PPS flag4 1 noselect
# After calibration, switch to 'prefer'
# With 'prefer', whatever is written into this shared-memory segment
# steers the clock. NOTE(review): SHM units 0 and 1 are documented as
# root-only segments while higher units are world-accessible; confirm
# the segment permissions on this host and keep the refclocks on
# units 0/1.
refclock shm unit 1 maxpoll 4 refid PPS flag4 1 prefer

#-----------------------------------
# Peers
# NOTE: 'peer' directive is not distinct in ntpsec (quietly drops to 'server' mode)!
# Ref: https://gitlab.com/NTPsec/ntpsec/issues/482
#
# tackleberry
# 'key 3' authenticates this association with a symmetric key; the same
# key ID and secret must be present in the keys file on both hosts.
peer 192.168.254.55 key 3

#-----------------------------------
# General servers
# None of the public servers below carries a 'key' option, so their
# replies are unauthenticated; the local refclocks and the number of
# independent selectable sources are what limit the effect of a spoofed
# or faulty upstream. Where an upstream offers NTS, ntpsec's 'nts'
# server option authenticates that association.
# Entries marked 'noselect' are polled for monitoring only and are never
# used to discipline the clock.
#pool us.pool.ntp.org iburst
server tock.usshc.com iburst
server tick.apple.com iburst
# jikan.ae7.st - included by IP as a DNS-outage hedge
# NOTE(review): a literal address will not follow the operator if the
# host is renumbered; re-check it against the hostname periodically.
server 166.70.136.35 iburst
server ntp.gci.net iburst noselect
server clock.sjc.he.net iburst
# ACS (Alaska)
server ntp1.acsalaska.net iburst noselect
server ntp2.acsalaska.net iburst noselect
server ntp3.acsalaska.net iburst noselect
# Anastrophe - courtesy access granted 2018-03-04, runs NTPsec
server ntpsec.anastrophe.com iburst noselect
# Whitestone (Alaska)
server 31.207.56.54 iburst noselect
server 31.207.56.55 iburst noselect
# UAF (Alaska) - likely ACL'd?
#server ntp.alaska.edu iburst noselect
# Other public (monitor/noselect only)
server time.apple.com iburst noselect
server time.windows.com iburst noselect
# FPGA-based
server ntp.nict.jp iburst noselect
server ntp.se iburst noselect

#-----------------------------------
# GPS Serial data reference (NTP0)
# Drop 'noselect' after calibration of 'time1' value.
# Calibrate using /usr/local/src/gpsd/contrib/ntpoffset
#refclock shm unit 0 maxpoll 4 time1 .XXXXX refid GPS flag4 1
#refclock shm unit 0 maxpoll 4 refid GPS flag4 1 noselect
# Active entry: selectable (no 'noselect'), with the calibrated 'time1'
# offset applied. It is listed last, after the PPS refclock and the
# network servers.
# NOTE(review): this source is trusted through a shared-memory segment;
# confirm that only the GPS daemon can write to SHM unit 0 on this host.
refclock shm unit 0 maxpoll 4 time1 .1568 refid GPS flag4 1

# end
#-----------------------------------------------------------------------