Diffstat (limited to 'deploy')
3 files changed, 110 insertions, 1 deletions
diff --git a/deploy/adapters/ansible/roles/config-osa/files/chrony.conf.j2 b/deploy/adapters/ansible/roles/config-osa/files/chrony.conf.j2
new file mode 100644
index 00000000..1c2443e0
--- /dev/null
+++ b/deploy/adapters/ansible/roles/config-osa/files/chrony.conf.j2
@@ -0,0 +1,104 @@
+# {{ ansible_managed }}
+#
+# This the default chrony.conf file for the Debian chrony package. After
+# editing this file use the command 'invoke-rc.d chrony restart' to make
+# your changes take effect. John Hasler <jhasler@debian.org> 1998-2008
+
+# See www.pool.ntp.org for an explanation of these servers. Please
+# consider joining the project if possible. If you can't or don't want to
+# use these servers I suggest that you try your ISP's nameservers. We mark
+# the servers 'offline' so that chronyd won't try to connect when the link
+# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
+# commands to switch it on when a dialup link comes up and off when it goes
+# down. Code in /etc/init.d/chrony attempts to determine whether or not
+# the link is up at boot time and set the online status accordingly. If
+# you have an always-on connection such as cable omit the 'offline'
+# directive and chronyd will default to online.
+#
+# Note that if Chrony tries to go "online" and dns lookup of the servers
+# fails they will be discarded. Thus under some circumstances it is
+# better to use IP numbers than host names.
+
+{% for ntp_server in security_ntp_servers %}
+server {{ ntp_server }} maxpoll 10 minpoll 8
+{% endfor %}
+
+# Look here for the admin password needed for chronyc. The initial
+# password is generated by a random process at install time. You may
+# change it if you wish.
+
+keyfile /etc/chrony/chrony.keys
+
+# Set runtime command key. Note that if you change the key (not the
+# password) to anything other than 1 you will need to edit
+# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
+# and /etc/cron.weekly/chrony as these scripts use it to get the password.
+
+commandkey 1
+
+# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# filesystem standard.
+
+driftfile /var/lib/chrony/chrony.drift
+
+# Comment this line out to turn off logging.
+
+log tracking measurements statistics
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+
+maxupdateskew 100.0
+
+# Dump measurements when daemon exits.
+
+dumponexit
+
+# Specify directory for dumping measurements.
+
+dumpdir /var/lib/chrony
+
+# Let computer be a server when it is unsynchronised.
+
+local stratum 10
+
+# Allow computers on the unrouted nets to use the server.
+
+{% for subnet in security_allowed_ntp_subnets %}
+allow {{ subnet }}
+{% endfor %}
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+
+logchange 0.5
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells chrony to regulate the real-time clock and tells it
+# Where to store related data. It may not work on some newer motherboards
+# that use the HPET real-time clock. It requires enhanced real-time
+# support in the kernel. I've commented it out because with certain
+# combinations of motherboard and kernel it is reported to cause lockups.
+
+# rtcfile /var/lib/chrony/chrony.rtc
+
+# If the last line of this file reads 'rtconutc' chrony will assume that
+# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
+# chrony will assume local time. The line (if any) was written by the
+# chrony postinst based on what it found in /etc/default/rcS. You may
+# change it if necessary.
+rtconutc
+
+{% if security_ntp_bind_local_interfaces_only | bool %}
+# Listen for NTP requests only on local interfaces.
+port 0
+bindcmdaddress 127.0.0.1
+{% if not security_disable_ipv6 | bool %}
+bindcmdaddress ::1
+{% endif %}
+{% endif %}
diff --git a/deploy/adapters/ansible/roles/config-osa/tasks/main.yml b/deploy/adapters/ansible/roles/config-osa/tasks/main.yml
index 4fd5dd83..f9eef749 100755
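Review bot: `local stratum 10` together with the `allow {{ subnet }}` loop turns every host rendered from this template into an NTP server for each subnet in `security_allowed_ntp_subnets`, and `local` lets it answer clients even when it has no synchronised source of its own. If that is intended, say so above the loop, e.g. `# Serve time to these subnets; with 'local stratum 10' chronyd answers even while unsynchronised`, and make sure `security_allowed_ntp_subnets` defaults to an empty list so nothing is exposed by accident. `commandkey 1` and the `keyfile` block are carried over from the old Debian default config; `commandkey` is obsolete in current chrony releases and, if I recall correctly, is rejected by chrony 4.x, so this should be checked against the chrony version on the target hosts before the override is relied on. Note that `bindcmdaddress 127.0.0.1` is only emitted when `security_ntp_bind_local_interfaces_only` is true, so the command-socket binding on the default path is whatever chronyd's built-in default is.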
--- a/deploy/adapters/ansible/roles/config-osa/tasks/main.yml
+++ b/deploy/adapters/ansible/roles/config-osa/tasks/main.yml
@@ -101,6 +101,11 @@ delay: 10 when: hostvars[hostvars[inventory_hostname]['groups']['controller'][0]]['local_mirror'] == 'CentOS'
+- name: copy chrony.conf
+ copy:
+ src: chrony.conf.j2
+ dest: /etc/ansible/roles/ansible-hardening/templates/ + - name: update the directory of chrony key lineinfile: dest: /etc/ansible/roles/ansible-hardening/templates/chrony.conf.j2
diff --git a/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2 b/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2
index 5fa999a5..130b5ad1 100644
--- a/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2
+++ b/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2
@@ -65,4 +65,4 @@ neutron_provider_networks: security_sshd_permit_root_login: yes security_ntp_servers:
- - 45.79.111.114
+ - {{ ntp_server }} |
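Review bot: The new `copy` task writes `chrony.conf.j2` straight into the ansible-hardening role's own `templates/` directory, so it replaces whatever template that role ships, and when the role is later upgraded the override stays in place and masks any upstream fixes to that file. The task also sets no `mode`, so the copied file's permissions follow the controller's umask rather than a declared value. Suggest adding `mode: "0644"` to the task and a comment such as `# Override ansible-hardening's chrony.conf.j2 with our copy; re-check whenever the role version is bumped` so the coupling is visible to the next maintainer.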
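Review bot: `security_ntp_servers` now holds a single entry, `{{ ntp_server }}`, so every host synchronises to one source and chrony has no way to detect a falseticker or a poisoned/unreachable server; it also means the `server` loop in the new chrony template can only ever emit one line. An undefined `ntp_server` will, under Ansible's default undefined-variable handling, fail the render rather than produce an empty list, which is the better failure but should be deliberate. Consider rendering the list from a multi-valued variable, e.g. `{% for s in ntp_servers %}` / `  - {{ s }}` / `{% endfor %}`, so at least three sources can be configured, or at minimum `  - {{ ntp_server | mandatory }}` so a missing value fails with a clear message.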