# Barix configuration interface
# (c) 2025 Barix AG
#
# meta-file for automatic config-file generation
# 17 Oct 2025 changes:
# - moved the default restrictions out of the condition for "system" = "$owner". This way they are really defaults in all cases
# - removed disable server - not valid option
# - removed disable monitor - this has been fixed in version 4.2.7p26, released 24 Apr 2010:
# 	https://www.ntp.org/support/securitynotice/ntpbug1532/
# - removed ntp server pools restrictions - default restrictions already cover all IPV4 and IPV6 addresses
# - added limited flag - kod does not work without it
# - removed the restricts= - it was not used correctly and is no longer needed
# - improved indentation
# 20 Oct 2025 changes:
# - moved default to be the first parameter after the address family
# 27 Oct 2025 changes:
# - returned disable monitor
# - removed kod and limited flags - not compatible with disable monitor
# - added ignore flag to the default restrictions
# - added restrict source - those overwrite defaults, and are required for correct NTP operation
# - improved readability

# destination file for the configuration (absolute path)
# absolute path of the configuration file that gets generated
DST_FILE="/etc/ntp.conf"

# template under /barix/config/templates/templates; left empty because no template is used
TEMPLATE_FILE=""

# character that introduces a comment line in the generated file
COMMENT_PREFIX='#'

# name of the function that produces the dynamic part of the file
DYNAMIC_CONTENT_FN="create_dynamic_config"

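#######################################
# Print the value of configuration key $1 when it is usable as a host
# entry in ntp.conf; otherwise print nothing.
# A value containing whitespace would split into extra tokens, or even
# extra directive lines, in the generated /etc/ntp.conf, so it is dropped
# and reported on stderr instead of being written out.
# Arguments: $1 - cfg_print_param key (e.g. ntp.source.server1)
# Outputs:   the value on stdout (no trailing newline), or nothing
# Returns:   0
#######################################
_ntp_host_param() {
	local value
	value=$(cfg_print_param "$1")
	if [[ "$value" =~ [[:space:]] ]]; then
		printf 'ntp config: ignoring %s (value contains whitespace)\n' "$1" >&2
		return 0
	fi
	printf '%s' "$value"
}

#######################################
# Generate the dynamic part of /etc/ntp.conf on stdout.
# Section order is deliberate: "tinker" must come first, the default
# restrictions precede any server/pool line, and "restrict source" is
# emitted so that the per-peer entries override the "ignore" default for
# the configured servers only (see the changelog at the top of the file).
# Configuration is read through cfg_print_param, which the caller provides:
#   ntp.source.owner, ntp.source.server4, ntp.source.server1..3,
#   ntp.source.server_app1..3
# The former "restricts" accumulator was never written out (its echo was
# commented out) and is not kept here.
# Outputs:   ntp.conf directives on stdout; skipped entries on stderr
# Returns:   0
#######################################
create_dynamic_config() {
	local owner srv4 nr server

	# the tinker command must be first
	printf '%s\n' '' \
		'# Do not panic on big time differences and sync to NTP always' \
		'tinker panic 0'

	printf '%s\n' '' \
		'# Disable misuse of NTP via DDoS attacks using the monitor command (reflection attack)' \
		'# http://support.ntp.org/bin/view/Main/SecurityNotice' \
		'# https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300/' \
		'# Fixed in version 4.2.7p26. released 24 Apr 2010, https://www.ntp.org/support/securitynotice/ntpbug1532/' \
		'# But keep for disabling the legacy MON_GETLIST command' \
		'disable monitor' \
		''

	# Block all external access; localhost and "restrict source" below are
	# the only exceptions to this default
	printf '%s\n' \
		'restrict -4 default notrap nomodify nopeer noquery ignore' \
		'restrict -6 default notrap nomodify nopeer noquery ignore'

	# Allow localhost access
	printf '%s\n' 'restrict 127.0.0.1' 'restrict ::1'

	# servers
	owner=$(cfg_print_param ntp.source.owner)
	srv4=$(_ntp_host_param ntp.source.server4)

	# applies to every peer learned from the server/pool lines and
	# overrides the default restriction for exactly those peers
	printf '%s\n' '' \
		'# Restrict the source addresses, while allowing normal operation' \
		'restrict source notrap nomodify noquery'

	if [ "system" = "$owner" ]; then
		if [ -n "$srv4" ]; then
			# for soundscape use portal as NTP server
			printf 'server %s iburst\n' "$srv4"
		else
			# normal situation: populate the ntp.conf with all available entries
			printf '%s\n' '' '# Add configured NTP servers'
			for nr in 1 2 3; do
				server=$(_ntp_host_param "ntp.source.server$nr")
				if [ -n "$server" ]; then
					printf 'pool %s iburst\n' "$server"
				fi
			done
		fi
	elif [ "application" = "$owner" ]; then
		# for Store & Play use the NTP server set in player.cfg
		printf '%s\n' '# Store & Play NTP config'
		for nr in 1 2 3; do
			server=$(_ntp_host_param "ntp.source.server_app$nr")
			if [ -n "$server" ]; then
				printf 'server %s iburst\n' "$server"
			fi
		done
	fi
}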
