ef1b417032
When security_ntp_sync_rtc is set to true, chrony will sync the RTC every 11 minutes. Using rtcfile + rtcautotrim instead locks the RTC device against other tools such as hwclock or timedatectl, so it is hard to validate that the clock is really synced. Change-Id: I72fd18d36ab139d7140281374b5c2b89f7cb460a
# {{ ansible_managed }}
#
# chrony.conf rendered by Ansible. The only inputs to this template are the
# variables security_ntp_servers, security_ntp_server_options, chrony_key_file,
# security_allowed_ntp_subnets, security_ntp_sync_rtc and
# security_ntp_bind_local_interfaces_only; edit the playbook, not this file.
#
# This the default chrony.conf file for the Debian chrony package. After
# editing this file use the command 'invoke-rc.d chrony restart' to make
# your changes take effect. John Hasler <jhasler@debian.org> 1998-2008

# See www.pool.ntp.org for an explanation of these servers. Please
# consider joining the project if possible. If you can't or don't want to
# use these servers I suggest that you try your ISP's nameservers. We mark
# the servers 'offline' so that chronyd won't try to connect when the link
# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
# commands to switch it on when a dialup link comes up and off when it goes
# down. Code in /etc/init.d/chrony attempts to determine whether or not
# the link is up at boot time and set the online status accordingly. If
# you have an always-on connection such as cable omit the 'offline'
# directive and chronyd will default to online.
#
# Note that if Chrony tries to go "online" and dns lookup of the servers
# fails they will be discarded. Thus under some circumstances it is
# better to use IP numbers than host names.
#
# The Debian text above is kept for context only: this template does not
# write 'offline' itself. Each server line gets exactly the options held in
# security_ntp_server_options, so whether upstream time is authenticated
# (e.g. a 'key N' or, on chrony versions that support it, 'nts' option) is
# decided entirely by that variable. Without such an option the upstream
# servers are unauthenticated; review that against your threat model.

{% for ntp_server in security_ntp_servers %}
server {{ ntp_server }} {{ security_ntp_server_options }}
{% endfor %}

# Look here for the admin password needed for chronyc. The initial
# password is generated by a random process at install time. You may
# change it if you wish.
#
# The key file is also where 'key N' options given via
# security_ntp_server_options are looked up, so it must be readable by
# chronyd only; keep its permissions tight.

keyfile {{ chrony_key_file }}

# Set runtime command key. Note that if you change the key (not the
# password) to anything other than 1 you will need to edit
# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
# and /etc/cron.weekly/chrony as these scripts use it to get the password.
#
# NOTE(review): newer chrony releases authenticate chronyc over a Unix
# domain socket and, per their manual, ignore 'commandkey'. Confirm against
# the deployed chrony version before relying on this key to gate command
# access; on those versions the bindcmdaddress lines at the end of this
# file are what actually limit remote command access.

commandkey 1

# I moved the driftfile to /var/lib/chrony to comply with the Debian
# filesystem standard.

driftfile /var/lib/chrony/chrony.drift

# Comment this line out to turn off logging.
# Tracking, measurement and statistics logs are written under logdir and
# are the primary evidence for checking whether the clock really synced.

log tracking measurements statistics
logdir /var/log/chrony

# Stop bad estimates upsetting machine clock.

maxupdateskew 100.0

# Dump measurements when daemon exits.

dumponexit

# Specify directory for dumping measurements.

dumpdir /var/lib/chrony

# Let computer be a server when it is unsynchronised.
#
# Caveat: combined with the 'allow' entries below, this host will hand out
# its own (possibly wrong) time at stratum 10 to clients in those subnets
# even when it has no synchronised source. Clients with no better source
# will follow it. Drop this directive if serving unsynchronised time is not
# acceptable for your environment.

local stratum 10

# Allow computers on the unrouted nets to use the server.
# Only the subnets listed in security_allowed_ntp_subnets may query this
# host; if the list is empty no 'allow' line is written and, under chrony's
# documented default, no client is served.

{% for subnet in security_allowed_ntp_subnets %}
allow {{ subnet }}
{% endfor %}

# This directive forces `chronyd' to send a message to syslog if it
# makes a system clock adjustment larger than a threshold value in seconds.
# Large unexpected corrections are worth alerting on: they can indicate a
# bad or hostile time source as well as a hardware fault.

logchange 0.5

# Step the clock if the offset exceeds 1 second, but only during the first
# 3 clock updates after chronyd starts; later offsets are slewed gradually.
makestep 1 3

# This directive defines an email address to which mail should be sent
# if chronyd applies a correction exceeding a particular threshold to the
# system clock.

# mailonchange root@localhost 0.5

{% if security_ntp_sync_rtc | bool %}
# The rtcsync directive enables a mode where the system time is periodically
# copied to the real time clock (RTC).
# On Linux the RTC copy is performed by the kernel every 11 minutes. This
# directive cannot be used when the normal RTC tracking is enabled, i.e. when
# the rtcfile directive is used.
# rtcsync is chosen over rtcfile + rtcautotrim deliberately: the latter keeps
# the RTC device locked, which stops tools such as hwclock or timedatectl
# from reading it to verify the sync (see the commit message). Do not add
# rtcfile alongside this directive.
rtcsync
{% endif %}

# Tells chronyd that the hardware (CMOS) clock is kept on UTC rather than
# local time. On stock Debian this line was appended by the chrony postinst
# based on /etc/default/rcS; this template writes it unconditionally, so a
# host whose RTC runs on local time needs the line removed or commented out.
rtconutc

{% if security_ntp_bind_local_interfaces_only | bool %}
# Despite the variable name, 'port 0' does not bind the NTP server to local
# interfaces: it disables the NTP server side entirely, so chronyd answers
# no client requests on UDP/123 and the 'allow' entries above have no
# effect. The client side (syncing from the servers above) is unaffected.
# The bindcmdaddress lines confine the chronyc command port to loopback so
# it cannot be reached from the network. If serving local clients while
# staying off external interfaces is what is wanted, 'bindaddress' is the
# directive to use instead of 'port 0'.
port 0
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
{% endif %}
|