> On Jan 29, 2015, at 10:10 AM, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
>
>> Basically for the sake of automated deployments it would be nice / clean
>> to be able to do :
>>
>> includeservers /path/to/file
>>
>> And then read them all from the file. And the same file would be used
>> as a table in pf.conf for NTP FW rules. One server per line.
>>
>> This would make initial deployments easier to automate (no need to
>> programmatically alter the config file), and then if you need to change
>> your NTP servers post-deployment it is cleaner as well with less chance
>> of human error. i.e. changing pf.conf is riskier than changing ntpd.conf
>
> I do not see much value in these nested include mechanisms. Honestly,
> OpenBSD is now shipping without a ntpd.conf file. You create this
> file, thus you own it. Having you create a file (ntpd.conf) which
> points to another file (/etc/serverlist?) you also create, that is
> kind of crazy.
>
> /etc/pf.conf is also on my list for removal as well, so that it
> becomes more of a user-owned file. The idea here is that you would
> look at the examples, and then create your own, and upgrades /
> sysmerge would not touch your file.
>
> I believe if we do this right, it will prod people towards creating
> narrower role-specific configurations for their machines.
>
Having simpler config models, and narrow roles would be a good thing.

-Nex6