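# {{ ansible_managed }}
#
# This is the default chrony.conf file for the Debian chrony package. After
# editing this file use the command 'invoke-rc.d chrony restart' to make
# your changes take effect. John Hasler 1998-2008

# See www.pool.ntp.org for an explanation of these servers. Please
# consider joining the project if possible. If you can't or don't want to
# use these servers I suggest that you try your ISP's nameservers. We mark
# the servers 'offline' so that chronyd won't try to connect when the link
# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
# commands to switch it on when a dialup link comes up and off when it goes
# down. Code in /etc/init.d/chrony attempts to determine whether or not
# the link is up at boot time and set the online status accordingly. If
# you have an always-on connection such as cable omit the 'offline'
# directive and chronyd will default to online.
#
# Note that if Chrony tries to go "online" and dns lookup of the servers
# fails they will be discarded. Thus under some circumstances it is
# better to use IP numbers than host names.
#
# One 'server' line is rendered per entry in security_ntp_servers; the same
# option string (security_ntp_server_options) is appended to every entry.
{% for ntp_server in security_ntp_servers %}
server {{ ntp_server }} {{ security_ntp_server_options }}
{% endfor %}

# Look here for the admin password needed for chronyc. The initial
# password is generated by a random process at install time. You may
# change it if you wish.
# The key file holds shared secrets: keep it readable only by root and the
# account chronyd runs as.
keyfile {{ chrony_key_file }}

# Set runtime command key. Note that if you change the key (not the
# password) to anything other than 1 you will need to edit
# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
# and /etc/cron.weekly/chrony as these scripts use it to get the password.
# NOTE(review): newer chrony releases are understood to ignore 'commandkey'
# and to authorise chronyc through its local socket instead; confirm
# against the chrony version this template is deployed with.
commandkey 1

# I moved the driftfile to /var/lib/chrony to comply with the Debian
# filesystem standard.
driftfile /var/lib/chrony/chrony.drift

# Comment this line out to turn off logging.
log tracking measurements statistics
logdir /var/log/chrony

# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0

# Dump measurements when daemon exits.
dumponexit

# Specify directory for dumping measurements.
dumpdir /var/lib/chrony

# Let computer be a server when it is unsynchronised.
# With this set, clients in the allowed subnets below are still served time
# (at stratum 10) after this host has lost its upstream sources.
local stratum 10

# Allow NTP clients in the listed subnets to use this host as a server.
# One 'allow' line is rendered per entry in security_allowed_ntp_subnets;
# keep that list limited to networks that really need to query this host.
# These rules have no effect when 'port 0' is rendered at the end of this
# file.
{% for subnet in security_allowed_ntp_subnets %}
allow {{ subnet }}
{% endfor %}

# This directive forces `chronyd' to send a message to syslog if it
# makes a system clock adjustment larger than a threshold value in seconds.
# Unexpected messages of this kind are worth alerting on, since a large
# clock change also affects log timestamps.
logchange 0.5

# Step the clock if the difference is larger than 1 sec, but only during
# the first 3 clock updates after startup; later corrections are slewed.
makestep 1 3

# This directive defines an email address to which mail should be sent
# if chronyd applies a correction exceeding a particular threshold to the
# system clock.
# mailonchange root@localhost 0.5

{% if security_ntp_sync_rtc | bool %}
# The rtcsync directive enables a mode where the system time is periodically
# copied to the real time clock (RTC).
# On Linux the RTC copy is performed by the kernel every 11 minutes. This
# directive cannot be used when the normal RTC tracking is enabled, i.e. when
# the rtcfile directive is used.
rtcsync
{% endif %}

# If the last line of this file reads 'rtconutc' chrony will assume that
# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
# chrony will assume local time. The line (if any) was written by the
# chrony postinst based on what it found in /etc/default/rcS. You may
# change it if necessary.
# In this template the line is always rendered and is not the last line
# when the block below is enabled.
rtconutc

{% if security_ntp_bind_local_interfaces_only | bool %}
# Do not serve NTP to the network: 'port 0' keeps the NTP server port
# closed, so chronyd acts as a client only and the 'allow' rules above are
# not used. The 'bindcmdaddress' lines restrict the chronyc command socket
# to the IPv4 and IPv6 loopback addresses.
port 0
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
{% endif %}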