ansible-hardening/templates/chrony.conf.j2

# {{ ansible_managed }}
#
# This the default chrony.conf file for the Debian chrony package.  After
# editing this file use the command 'invoke-rc.d chrony restart' to make
# your changes take effect.  John Hasler <jhasler@debian.org> 1998-2008

# See www.pool.ntp.org for an explanation of these servers.  Please
# consider joining the project if possible.  If you can't or don't want to
# use these servers I suggest that you try your ISP's nameservers.  We mark
# the servers 'offline' so that chronyd won't try to connect when the link
# is down.  Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
# commands to switch it on when a dialup link comes up and off when it goes
# down.  Code in /etc/init.d/chrony attempts to determine whether or not
# the link is up at boot time and set the online status accordingly.  If
# you have an always-on connection such as cable omit the 'offline'
# directive and chronyd will default to online.
#
# Note that if Chrony tries to go "online" and dns lookup of the servers
# fails they will be discarded.  Thus under some circumstances it is
# better to use IP numbers than host names.

{% for ntp_server in security_ntp_servers %}
server {{ ntp_server }} offline maxpoll 10 minpoll 8
{% endfor %}

# Look here for the admin password needed for chronyc.  The initial
# password is generated by a random process at install time.  You may
# change it if you wish.

keyfile /etc/chrony/chrony.keys

# Set runtime command key.  Note that if you change the key (not the
# password) to anything other than 1 you will need to edit
# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
# and /etc/cron.weekly/chrony as these scripts use it to get the password.

commandkey 1

# I moved the driftfile to /var/lib/chrony to comply with the Debian
# filesystem standard.

driftfile /var/lib/chrony/chrony.drift

# Comment this line out to turn off logging.

log tracking measurements statistics
logdir /var/log/chrony

# Stop bad estimates upsetting machine clock.

maxupdateskew 100.0

# Dump measurements when daemon exits.

dumponexit

# Specify directory for dumping measurements.

dumpdir /var/lib/chrony

# Let computer be a server when it is unsynchronised.

local stratum 10

# Allow computers on the unrouted nets to use the server.

{% for subnet in security_allowed_ntp_subnets %}
allow {{ subnet }}
{% endfor %}

# This directive forces `chronyd' to send a message to syslog if it
# makes a system clock adjustment larger than a threshold value in seconds.

logchange 0.5

# This directive defines an email address to which mail should be sent
# if chronyd applies a correction exceeding a particular threshold to the
# system clock.

# mailonchange root@localhost 0.5

# This directive tells chrony to regulate the real-time clock and tells it
# Where to store related data.  It may not work on some newer motherboards
# that use the HPET real-time clock.  It requires enhanced real-time
# support in the kernel.  I've commented it out because with certain
# combinations of motherboard and kernel it is reported to cause lockups.

# rtcfile /var/lib/chrony/chrony.rtc

# If the last line of this file reads 'rtconutc' chrony will assume that
# the CMOS clock is on UTC (GMT).  If it reads '# rtconutc' or is absent
# chrony will assume local time.  The line (if any) was written by the
# chrony postinst based on what it found in /etc/default/rcS.  You may
# change it if necessary.
rtconutc

{% if security_ntp_bind_local_interfaces_only | bool %}
# Listen for NTP requests only on local interfaces.
bindaddress 127.0.0.1
{% if not security_disable_ipv6 | bool %}
bindaddress ::1
{% endif %}
{% endif %}