reorganized common repo, some minor modules improvements

modules/conf_ssh.sh

@@ -11,7 +11,7 @@
 #   none
 # ------------------------------------------------------------------------------
 
-export VER_conf_ssh="0.0.1"
+export VER_conf_ssh="0.1.0"
 export DEP_conf_ssh="upgrade_dist"
 
 conf_ssh()
@@ -27,6 +27,7 @@ conf_ssh()
         backupdist $f
         installfile ssh/$(basename $f) /etc/ssh/$(basename $f)
     done
+    sed -i -e "s/@SSHD_PERMITROOT_RANGE@/$SSHD_PERMITROOT_RANGE/" /etc/ssh/sshd_config
 
     prnt I "Démarrage du sevice ssh..."
     svc_start ssh

modules/install_pkg.sh

@@ -28,8 +28,8 @@ install_pkg()
     if [[ -n PKGS_BLACKLIST ]]; then
         for pkg in $PKGS_BLACKLIST; do
             prnt I "Mise du paquet $pkg en liste noire..."
-            local dest=/etc/apt/preferences.d/blacklist_$pkg.conf
+            local dest=/etc/apt/preferences.d/blacklist_$pkg
-            installfile blacklist.conf $dest &&
+            installfile pkgman/blacklist.conf $dest &&
                 sed -i -e "s/@pkg@/pkg/" $dest
 
             # If blacklisted we suppose uninstall as well (if neeeded)
@@ -65,6 +65,7 @@ precheck_install_pkg()
     else
         prnt I "$(echo $PKGSEL | wc -w) paquets additionels seront installés."
     fi
+    file_exists pkgman/blacklist.conf
 }
 
 export -f install_pkg

modules/install_profile.sh

@@ -8,8 +8,8 @@
 # https://opensource.org/licenses/BSD-3-Clause
 # ------------------------------------------------------------------------------
 
-export VER_install_profile="0.0.3"
+export VER_install_profile="0.0.4"
-export DEP_install_profile="install_pkg auth"
+export DEP_install_profile="install_pkg"
 
 install_profile()
 {

modules/patch_snmp.sh

@@ -17,7 +17,8 @@ patch_snmp()
     backupdist /etc/snmp/snmpd.conf /etc/default/snmpd \
         /lib/systemd/system/snmpd.service /etc/init.d/snmpd
     installfile snmpd/snmpd.conf /etc/snmp/snmpd.conf
-    installfile snmpd/snmpd.init /etc/init.d/snmpd
+    # No longer required with Debian >= 11 or Devuan >= 4
+    # installfile snmpd/snmpd.init /etc/init.d/snmpd
     installfile snmpd/snmpd.default /etc/default/snmpd
     if [[ -e /lib/systemd/system/snmpd.service ]]; then
         installfile snmpd/snmpd.service /lib/systemd/system/snmpd.service

modules/upgrade_dist.sh

@@ -31,11 +31,11 @@ upgrade_dist()
     echo 'APT::AutoRemove::RecommendsImportant "false";' >> $norecommends
     echo 'APT::AutoRemove::SuggestsImportant "false";' >> $norecommends
 
-    prnt I "Configuration du proxy pour APT..."
+    prnt I "Configuring proxy for APT..."
     if [[ -n $PROXYAPT ]]; then
         if [[ ! -d $(dirname $proxyfile) ]]; then
             mkdir -pv $(dirname $proxyfile) || (
-                prnt E "Impossiblle de créer le répertoire d'accueil pour la configuration d'APT."
+                prnt E "Impossible to create directory to receive APT configuration."
                 die 60
             )
         fi
@@ -45,32 +45,32 @@ upgrade_dist()
         echo "# Generated automatically on $(stdtime) by $0" > $proxyfile
         echo "Acquire::http::Proxy \"http://${http_proxy}\";" >> $proxyfile
     else
-        prnt I "Pas de proxy configuré, ne fait rien."
+        prnt I "No proxy configured, nothing to do."
     fi
 
     # Remplace source.list from dist with ours (be smarter)
     installfile "pkgman/${SYS_DIST}_${SYS_VER}.list" /etc/apt/sources.list
 
-    prnt I "Mise à jour de la liste des paquets..."
+    prnt I "Updating package list..."
     pkgupdt
 
-    prnt I "Application des mises à jour de paquets..."
+    prnt I "Applying packages upgrades..."
     pkgupgd
 
-    prnt I "Suppression des paquets résiduels..."
+    prnt I "Deleting no longer needed packages..."
     pkgautorm
 }
 
 precheck_upgrade_dist()
 {
-    prnt I "Vérification du réseau..."
+    prnt I "Checking network connectivity..."
 
     if [[ $(noerror wget -q --tries=10 --timeout=20 --spider http://www.cnrs.fr) != 0 ]]; then
         prnt E "It seems network configuration is not functionnal! Giving up."
         die 160
     fi
     if [[ -n $PROXYAPT && -z $PROXYAPT_PORT ]]; then
-        prnt E "Un serveur proxy a été spécifié mais pas son port d'usage."
+        prnt E "A proxy server have been specified but not its working port."
         die 160
     fi
     file_exists pkgman/${SYS_DIST}_${SYS_VER}.list

repo/common/cmk/check_mk

@@ -0,0 +1,39 @@
+# Copyright (C) 2019 tribe29 GmbH - License: GNU General Public License v2
+# This file is part of Checkmk (https://checkmk.com). It is subject to the terms and
+# conditions defined in the file COPYING, which is part of this source code package.
+
+service check_mk
+{
+	type           = UNLISTED
+	port           = 6556
+	socket_type    = stream
+	protocol       = tcp
+	wait           = no
+	user           = root
+	server         = /usr/bin/check_mk_agent
+
+        # To avoid intentional or unintentional overload due to too many parallel
+        # queries from one source we set this parameter. It limits the number of
+        # concurrent connections per source address. If you need more requests
+        # per source system, you can of course increase or remove this value
+        # (https://github.com/tribe29/checkmk/pull/157)
+        per_source     = 3
+
+        # listen on IPv4 AND IPv6 when available on this host
+        #flags          = IPv6
+
+	# If you use fully redundant monitoring and poll the client
+	# from more then one monitoring servers in parallel you might
+	# want to use the agent cache wrapper:
+	#server         = /usr/bin/check_mk_caching_agent
+
+	# configure the IP address(es) of your Nagios server here:
+	only_from      = 127.0.0.1 192.168.1.201
+
+	# Don't be too verbose. Don't log every check. This might be
+	# commented out for debugging. If this option is commented out
+	# the default options will be used for this service.
+	log_on_success =
+
+	disable        = no
+}

repo/common/cmk/mk_apt

@@ -0,0 +1,53 @@
+#!/bin/bash
+# Copyright (C) 2019 tribe29 GmbH - License: GNU General Public License v2
+# This file is part of Checkmk (https://checkmk.com). It is subject to the terms and
+# conditions defined in the file COPYING, which is part of this source code package.
+
+# Reason for this no-op: shellcheck disable=... before the first command disables the error for the
+# entire script.
+:
+
+# Disable unused variable error (needed to keep track of version)
+# shellcheck disable=SC2034
+CMK_VERSION="2.0.0p3"
+
+# Check for APT updates (Debian, Ubuntu)
+# TODO:
+# Einstellungen:
+# - upgrade oder dist-upgrade
+# - vorher ein update machen
+# Bakery:
+# - Bakelet anlegen
+# - Async-Zeit einstellbar machen und das Ding immer async laufen lassen
+# Check programmieren:
+#   * Schwellwerte auf Anzahlen
+#   * Regexen auf Pakete, die zu CRIT/WARN führen
+# - Graph malen mit zwei Kurven
+
+# This variable can either be "upgrade" or "dist-upgrade"
+UPGRADE=upgrade
+DO_UPDATE=yes
+
+
+function check_apt_update {
+    if [ "$DO_UPDATE" = yes ] ; then
+        # NOTE: Even with -qq, apt-get update can output several lines to
+        # stderr, e.g.:
+        #
+        # W: There is no public key available for the following key IDs:
+        # 1397BC53640DB551
+        apt-get update -qq 2> /dev/null
+    fi
+    apt-get -o 'Debug::NoLocking=true' -o 'APT::Get::Show-User-Simulation-Note=false' -s -qq "$UPGRADE" | grep -v '^Conf'
+}
+
+
+if type apt-get > /dev/null ; then
+    echo '<<<apt:sep(0)>>>'
+    out=$(check_apt_update)
+    if [ -z "$out" ]; then
+        echo "No updates pending for installation"
+    else
+        echo "$out"
+    fi
+fi

repo/common/pkgman/devuan_3.list

@@ -0,0 +1,9 @@
+# 
+deb http://fr.deb.devuan.org/merged beowulf main contrib non-free
+deb-src http://fr.deb.devuan.org/merged beowulf main contrib non-free
+
+deb http://fr.deb.devuan.org/merged beowulf-updates main contrib non-free
+deb-src http://fr.deb.devuan.org/merged beowulf-updates main contrib non-free
+
+deb http://fr.deb.devuan.org/merged beowulf-backports main contrib non-free
+deb-src http://fr.deb.devuan.org/merged beowulf-backports main contrib non-free

repo/common/pkgman/devuan_4.list

@@ -0,0 +1,9 @@
+# 
+deb http://fr.deb.devuan.org/merged chimaera main contrib non-free
+deb-src http://fr.deb.devuan.org/merged chimaera main contrib non-free
+
+deb http://fr.deb.devuan.org/merged chimaera-updates main contrib non-free
+deb-src http://fr.deb.devuan.org/merged chimaera-updates main contrib non-free
+
+deb http://fr.deb.devuan.org/merged chimaera-backports main contrib non-free
+deb-src http://fr.deb.devuan.org/merged chimaera-backports main contrib non-free

repo/common/postfix/main.cf

@@ -36,7 +36,7 @@ alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = false
-relayhost = [smtp.legos.obs-mip.fr]
+relayhost = [@MAIL_RELAY@]
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +

repo/common/profile/profile

@@ -471,7 +471,7 @@ rmspc () {
                 echo
                 echo "Options:"
                 echo "	-h, --help		Display that help screen"
-                echo "	-r, --recursive		Treat subdiretories of the given directories"
+                echo "	-r, --recursive		Treat subdirectories of the given directory"
                 echo "	-c, --subst-char	Change the replacement character (default is underscore)"
                 echo "	-v, --verbose		Display what is being done"
                 echo "	-s, --shell		Do nothing and display commands that would be executed"
@@ -858,8 +858,8 @@ export taz
 # Display system genal information
 # ------------------------------------------------------------------------------
 showinfo() {
-    echo ""
+    echo -e "\n"
-    figlet $(hostname) -t -k
+    figlet -f ansi_shadow $(hostname) -t -k
     echo ""
     neofetch
 }

repo/common/snmpd/snmpd.conf

@@ -0,0 +1,196 @@
+###############################################################################
+#
+# EXAMPLE.conf:
+#   An example configuration file for configuring the Net-SNMP agent ('snmpd')
+#   See the 'snmpd.conf(5)' man page for details
+#
+#  Some entries are deliberately commented out, and will need to be explicitly activated
+#
+###############################################################################
+#
+#  AGENT BEHAVIOUR
+#
+
+#  Listen for connections from the local system only
+#agentAddress  udp:127.0.0.1:161
+#  Listen for connections on all interfaces (both IPv4 *and* IPv6)
+#agentAddress udp:161,udp6:[::1]:161
+agentAddress udp:161
+rocommunity nagios 192.168.1.201/32
+
+
+###############################################################################
+#
+#  SNMPv3 AUTHENTICATION
+#
+#  Note that these particular settings don't actually belong here.
+#  They should be copied to the file /var/lib/snmp/snmpd.conf
+#     and the passwords changed, before being uncommented in that file *only*.
+#  Then restart the agent
+
+#  createUser authOnlyUser  MD5 "remember to change this password"
+#  createUser authPrivUser  SHA "remember to change this one too"  DES
+#  createUser internalUser  MD5 "this is only ever used internally, but still change the password"
+
+#  If you also change the usernames (which might be sensible),
+#  then remember to update the other occurances in this example config file to match.
+
+
+
+###############################################################################
+#
+#  ACCESS CONTROL
+#
+
+                                                 #  system + hrSystem groups only
+view   systemonly  included   .1.3.6.1.2.1.1
+view   systemonly  included   .1.3.6.1.2.1.25.1
+
+                                                 #  Full access from the local host
+#rocommunity public  localhost
+                                                 #  Default access to basic system info
+ rocommunity public  default    -V systemonly
+                                                 #  rocommunity6 is for IPv6
+ rocommunity6 public  default   -V systemonly
+
+                                                 #  Full access from an example network
+                                                 #     Adjust this network address to match your local
+                                                 #     settings, change the community string,
+                                                 #     and check the 'agentAddress' setting above
+#rocommunity secret  10.0.0.0/16
+
+                                                 #  Full read-only access for SNMPv3
+ rouser   authOnlyUser
+                                                 #  Full write access for encrypted requests
+                                                 #     Remember to activate the 'createUser' lines above
+#rwuser   authPrivUser   priv
+
+#  It's no longer typically necessary to use the full 'com2sec/group/access' configuration
+#  r[ow]user and r[ow]community, together with suitable views, should cover most requirements
+
+
+
+###############################################################################
+#
+#  SYSTEM INFORMATION
+#
+
+#  Note that setting these values here, results in the corresponding MIB objects being 'read-only'
+#  See snmpd.conf(5) for more details
+sysLocation    Sitting on the Dock of the Bay
+sysContact     Me <me@example.org>
+                                                 # Application + End-to-End layers
+sysServices    72
+
+
+#
+#  Process Monitoring
+#
+                               # At least one  'mountd' process
+proc  mountd
+                               # No more than 4 'ntalkd' processes - 0 is OK
+proc  ntalkd    4
+                               # At least one 'sendmail' process, but no more than 10
+proc  sendmail 10 1
+
+#  Walk the UCD-SNMP-MIB::prTable to see the resulting output
+#  Note that this table will be empty if there are no "proc" entries in the snmpd.conf file
+
+
+#
+#  Disk Monitoring
+#
+                               # 10MBs required on root disk, 5% free on /var, 10% free on all other disks
+disk       /     10000
+disk       /var  5%
+includeAllDisks  10%
+
+#  Walk the UCD-SNMP-MIB::dskTable to see the resulting output
+#  Note that this table will be empty if there are no "disk" entries in the snmpd.conf file
+
+
+#
+#  System Load
+#
+                               # Unacceptable 1-, 5-, and 15-minute load averages
+load   12 10 5
+
+#  Walk the UCD-SNMP-MIB::laTable to see the resulting output
+#  Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file
+
+
+
+###############################################################################
+#
+#  ACTIVE MONITORING
+#
+
+                                    #   send SNMPv1  traps
+ trapsink     localhost public
+                                    #   send SNMPv2c traps
+#trap2sink    localhost public
+                                    #   send SNMPv2c INFORMs
+#informsink   localhost public
+
+#  Note that you typically only want *one* of these three lines
+#  Uncommenting two (or all three) will result in multiple copies of each notification.
+
+
+#
+#  Event MIB - automatically generate alerts
+#
+                                   # Remember to activate the 'createUser' lines above
+iquerySecName   internalUser       
+rouser          internalUser
+                                   # generate traps on UCD error conditions
+defaultMonitors          yes
+                                   # generate traps on linkUp/Down
+linkUpDownNotifications  yes
+
+
+
+###############################################################################
+#
+#  EXTENDING THE AGENT
+#
+
+#
+#  Arbitrary extension commands
+#
+ extend    test1   /bin/echo  Hello, world!
+ extend-sh test2   echo Hello, world! ; echo Hi there ; exit 35
+#extend-sh test3   /bin/sh /tmp/shtest
+
+#  Note that this last entry requires the script '/tmp/shtest' to be created first,
+#    containing the same three shell commands, before the line is uncommented
+
+#  Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table
+#     and nsExtendOutput2Table) to see the resulting output
+
+#  Note that the "extend" directive supercedes the previous "exec" and "sh" directives
+#  However, walking the UCD-SNMP-MIB::extTable should still returns the same output,
+#     as well as the fuller results in the above tables.
+
+
+#
+#  "Pass-through" MIB extension command
+#
+#pass .1.3.6.1.4.1.8072.2.255  /bin/sh       PREFIX/local/passtest
+#pass .1.3.6.1.4.1.8072.2.255  /usr/bin/perl PREFIX/local/passtest.pl
+
+# Note that this requires one of the two 'passtest' scripts to be installed first,
+#    before the appropriate line is uncommented.
+# These scripts can be found in the 'local' directory of the source distribution,
+#     and are not installed automatically.
+
+#  Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output
+
+
+#
+#  AgentX Sub-agents
+#
+                                           #  Run as an AgentX master agent
+ master          agentx
+                                           #  Listen for network connections (from localhost)
+                                           #    rather than the default named socket /var/agentx/master
+#agentXSocket    tcp:localhost:705

repo/common/snmpd/snmpd.default

@@ -0,0 +1,12 @@
+# This file controls the behaviour of /etc/init.d/snmpd
+# but not of the corresponding systemd service file.
+# If needed, create an override file in
+# /etc/systemd/system/snmpd.service.d/local.conf
+# see man 5 systemd.unit and man 5 systemd.service
+
+# Don't load any MIBs by default.
+# You might comment this lines once you have the MIBs downloaded.
+# export MIBS=
+
+# snmpd options (use syslog priority warning, close stdin/out/err).
+SNMPDOPTS='-LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'

repo/common/snmpd/snmpd.init

@@ -0,0 +1,44 @@
+#!/bin/sh
+# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing.
+if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then
+    set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script
+fi
+### BEGIN INIT INFO
+# Provides:           snmpd
+# Required-Start:     $network $remote_fs $syslog
+# Required-Stop:      $network $remote_fs $syslog
+# Default-Start:      2 3 4 5
+# Default-Stop:       0 1 6
+# Short-Description:  SNMP agents
+# Description:        NET SNMP (Simple Network Management Protocol) Agents
+### END INIT INFO
+#
+# Author:    Jochen Friedrich <jochen@scram.de>
+#
+
+DESC="SNMP Services"
+DAEMON=/usr/sbin/snmpd
+PIDFILE="/run/snmpd.pid"
+
+[ -f /etc/default/snmpd ] && . /etc/default/snmpd
+
+# Defaults
+OLD_MIBS_DIR="/usr/share/mibs/site:/usr/share/snmp/mibs:/usr/share/mibs/iana:/usr/share/mibs/ietf:/usr/share/mibs/netsnmp"
+MIBS_DIR="/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf"
+export MIBDIRS="$MIBS_DIR:$OLD_MIBS_DIR"
+
+DEFAULT_SNMPDOPTS="-Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf"
+[ -z "$SNMPDOPTS" ] && SNMPDOPTS=$DEFAULT_SNMPDOPTS
+
+DAEMON_ARGS="$SNMPDOPTS -p $PIDFILE"
+
+do_start_prepare()
+{
+    	# remove old symlink with previous version
+    	if [ -L /var/run/agentx ]; then
+		rm -f /var/run/agentx
+	fi
+	if [ ! -d /var/run/agentx ]; then
+		mkdir -p /var/run/agentx
+	fi
+}

repo/common/snmpd/snmpd.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Simple Network Management Protocol (SNMP) Daemon.
+After=network.target
+ConditionPathExists=/etc/snmp/snmpd.conf
+
+[Service]
+Environment="MIBSDIR=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/mibs/site:/usr/share/snmp/mibs:/usr/share/mibs/iana:/usr/share/mibs/ietf:/usr/share/mibs/netsnmp"
+Environment="MIBS="
+Type=simple
+ExecStartPre=/bin/mkdir -p /var/run/agentx
+ExecStart=/usr/sbin/snmpd -LSwd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -f -p /run/snmpd.pid
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

repo/common/ssh/sshd_config

@@ -26,6 +26,6 @@ PrintLastLog                    yes
 TCPKeepAlive                    yes
 AcceptEnv                       LANG LC_*
 AllowTcpForwarding              no
-Match   Address                 10.3.0.0/16
+Match   Address                 @SSHD_PERMITROOT_RANGE@
         PermitRootLogin         yes
 

repo/hosts/cagua/ntp.conf

@@ -0,0 +1,64 @@
+*# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+server ntp.laas.fr			iburst
+server ntp.sophia.cnrs.fr		iburst
+server ntp2.emn.fr			iburst
+server delphi.phys.univ-tours.fr	iburst
+server ntp.crashdump.fr			iburst
+server ntp.ilianum.com			iburst
+server ntp.unice.fr			iburst
+server ntp.accelance.net		iburst
+server ntp.deuza.net			iburst
+server ntp1.jussieu.fr			iburst
+server time.resolvlab.com		iburst
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 192.168.1.0/24
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+restrict 192.168.0.0 mask 255.255.0.0 trust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+broadcast 192.168.1.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient

repo/hosts/didicas/ntp.conf

@@ -0,0 +1,64 @@
+*# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+server ntp.laas.fr			iburst
+server ntp.sophia.cnrs.fr		iburst
+server ntp2.emn.fr			iburst
+server delphi.phys.univ-tours.fr	iburst
+server ntp.crashdump.fr			iburst
+server ntp.ilianum.com			iburst
+server ntp.unice.fr			iburst
+server ntp.accelance.net		iburst
+server ntp.deuza.net			iburst
+server ntp1.jussieu.fr			iburst
+server time.resolvlab.com		iburst
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 192.168.1.0/24
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+restrict 192.168.0.0 mask 255.255.0.0 trust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+broadcast 192.168.1.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient

repo/hosts/vm-cups4/debian_bulleyes.list

@@ -1 +0,0 @@
-../../common/debian_bulleyes.list