Add chrony, systemd-timesyncd tasks ✨

alivx · Jan 11, 2021 · 6e93297 · 6e93297
1 parent 838ad62
commit 6e93297
Show file tree

Hide file tree

Showing 5 changed files with 120 additions and 7 deletions.
diff --git a/files/templates/chrony.conf.j2 b/files/templates/chrony.conf.j2
@@ -0,0 +1,59 @@
+# {{ ansible_managed }}
+
+driftfile {{ chrony_driftfile }}
+
+{% for server in chronyservers_preferred %}
+{% if server is search('pool') %}
+pool {{ server }} iburst prefer
+{% else %}
+server {{ server }} iburst prefer
+{% endif %}
+{% endfor %}
+{% for server in chronyservers %}
+{% if server is search('pool') %}
+pool {{ server }} iburst
+{% else %}
+server {{ server }} iburst
+{% endif %}
+{% endfor %}
+
+# Ignore stratum in source selection.
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile {{ chrony_driftfile }}
+
+# Enable kernel RTC synchronization.
+rtcsync
+
+# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
+# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
+hwclockfile /etc/adjtime
+
+# In first three updates step the system clock instead of slew
+# if the adjustment is larger than 10 seconds.
+makestep 10 3
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# Allow NTP client access from local network.
+#allow 192.168/16
+
+# Listen for commands only on localhost.
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+
+# Serve time even if not synchronized to any NTP server.
+#local stratum 10
+
+keyfile {{ chrony_keys }}
+
+# Disable logging of client accesses.
+noclientlog
+
+# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
+logchange 0.5
+
+logdir {{ chrony_log_dir }}
+#log measurements statistics tracking
diff --git a/files/templates/greeter.dconf-defaults.j2 b/files/templates/greeter.dconf-defaults.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # These are the options for the greeter session that can be set 
 # through GSettings. Any GSettings setting that is used by the 
 # greeter session can be set here.

diff --git a/files/templates/ntp.conf.j2 b/files/templates/ntp.conf.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
 driftfile /var/lib/ntp/ntp.drift

diff --git a/files/templates/timesyncd.conf.j2 b/files/templates/timesyncd.conf.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[Time]
+NTP={{ timesync_ntp_hosts | default("") | join(" ") }}
+FallbackNTP={{ timesync_fallback_ntp_hosts | join(" ") }}
diff --git a/tasks/section_2_Services.yaml b/tasks/section_2_Services.yaml
@@ -58,6 +58,8 @@
         name: "ntp"
         state: started
         enabled: true
+  when: "{{enableNTP}}"
+
   tags:
     - section2
     - level_1_server
@@ -72,17 +74,54 @@
 # This recommendation only applies if timesyncd is in use on the system
 # Only one time synchronization method should be in use on the system
 - name: 2.2.1.2 Ensure systemd-timesyncd is configured
-  debug:
-    msg: Skip this, since we are using ntp
+  block:
+    - name: 2.2.1.2 Ensure systemd-timesyncd is configured | install systemd-timesyncd
+      apt:
+         name: systemd-timesyncd
+         state: present
+    - name: 2.2.1.2 Ensure systemd-timesyncd is configured | set timezone
+      timezone:
+        name: "{{ timesync_timezone }}"
+    - name: 2.2.1.2 Ensure systemd-timesyncd is configured | Configure systemd-timesyncd
+      template:
+        src:  files/templates/timesyncd.conf.j2
+        dest: /etc/systemd/timesyncd.conf
+        mode: 0644
+        owner: root
+        group: root
+      notify: reloadTimesyncd
+    - name: 2.2.1.2 Ensure systemd-timesyncd is configured | Start and enable systemd-timesyncd
+      service:
+        name: systemd-timesyncd.service
+        enabled: yes
+        state: started
+  when: "{{enable_systemdtimesyncd}} == True"
   tags:
     - section2
     - level_1_server
     - level_1_workstation
     - 2.2.1.2
 # 2.2.1.3 Ensure chrony is configured
 - name: 2.2.1.3 Ensure chrony is configured
-  debug:
-    msg: Skip this, since we are using ntp
+  block:
+    - name: 2.2.1.3 Ensure chrony is configured | Install Chrony
+      apt:
+        name: "chrony"
+        state: present
+    - name: 2.2.1.3 Ensure chrony is configured | Start Chrony service
+      service:
+        name: "chrony"
+        state: started
+        enabled: yes
+    - name: 2.2.1.3 Ensure chrony is configured | Generate configuration
+      template:
+        src: files/templates/chrony.conf.j2
+        dest: "/etc/chrony/chrony.conf"
+        owner: root
+        group: root
+        mode: 0644
+      notify: RestartChronyservice
+  when: "{{chronyEnable}} == True"
   tags:
     - section2
     - level_1_server
@@ -452,9 +491,18 @@
     msg: >
       Run the following command:
       $ lsof -i -P -n | grep -v "(ESTABLISHED)"
-      Review the output to ensure that all services listed are required on the system. If a listed
-      service is not required, remove the package containing the service. If the package
-      containing a non-essential service is required, stop and mask the non-essential service.
+        Review the output to ensure that all services listed are required on the system. If a listed
+        service is not required, remove the package containing the service. If the package
+        containing a non-essential service is required, stop and mask the non-essential service.
+        Code Meaning 
+        S File size differs. 
+        M File mode differs (includes permissions and file type). 
+        5 The MD5 checksum differs. 
+        D The major and minor version numbers differ on a device file. 
+        L A mismatch occurs in a link. 
+        U The file ownership differs. 
+        G The file group owner differs. 
+        T The file time (mtime) differs.
   tags:
     - section2
     - level_1_server