Merge pull request #121 from dulin/fix-chrony

Fixed chrony configuration options

defaults/main.yml

@@ -449,6 +449,9 @@ rhel9cis_time_synchronization_servers:
     - 2.pool.ntp.org
     - 3.pool.ntp.org
 rhel9cis_chrony_server_options: "minpoll 8"
+rhel9cis_chrony_server_rtcsync: false
+rhel9cis_chrony_server_makestep: "1.0 3"
+rhel9cis_chrony_server_minsources: 2
 
 ### 2.2 Special Purposes
 ##### Service configuration booleans set true to keep service

templates/etc/chrony.conf.j2

@@ -1,4 +1,4 @@
-## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+## {{ ansible_managed }}
 
 # This the default chrony.conf file for the Debian chrony package.  After
 # editing this file use the command 'invoke-rc.d chrony restart' to make
@@ -27,19 +27,21 @@ server {{ server }} {{ rhel9cis_chrony_server_options }}
 # password is generated by a random process at install time.  You may
 # change it if you wish.
 
-keyfile /etc/chrony/chrony.keys
+keyfile /etc/chrony.keys
 
-# Set runtime command key.  Note that if you change the key (not the
+# Record the rate at which the system clock gains/losses time.
-# password) to anything other than 1 you will need to edit
+driftfile /var/lib/chrony/drift
-# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
-# and /etc/cron.weekly/chrony as these scripts use it to get the password.
 
-commandkey 1
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep {{ rhel9cis_chrony_server_makestep }}
 
-# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# Enable kernel synchronization of the real-time clock (RTC).
-# filesystem standard.
+{% if not rhel9cis_chrony_server_rtcsync %}#{% endif %}rtcsync
 
-driftfile /var/lib/chrony/chrony.drift
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+minsources {{ rhel9cis_chrony_server_minsources }}
 
 # Comment this line out to turn off logging.