diff --git a/roles/mgrote_ntp_chrony_client/templates/chrony.conf.j2 b/roles/mgrote_ntp_chrony_client/templates/chrony.conf.j2
index 86b2f23b..0523c307 100644
--- a/roles/mgrote_ntp_chrony_client/templates/chrony.conf.j2
+++ b/roles/mgrote_ntp_chrony_client/templates/chrony.conf.j2
@@ -1,19 +1,50 @@
 {{ file_header | default () }}
-# servers
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
+# This will use (up to):
+# - 4 sources from ntp.ubuntu.com which some are ipv6 enabled
+# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well
+# - 1 source from [01].ubuntu.pool.ntp.org each (ipv4 only atm)
+# This means by default, up to 6 dual-stack and up to 2 additional IPv4-only
+# sources will be used.
+# At the same time it retains some protection against one of the entries being
+# down (compare to just using one of the lines). See (LP: #1754358) for the
+# discussion.
+#
+# About using servers from the NTP Pool Project in general see (LP: #104525).
+# Approved by Ubuntu Technical Board on 2011-02-08.
+# See http://www.pool.ntp.org/join.html for more information.
 {% for item in ntp_chrony_servers %}
 server {{ item.address }} {{ item.options |default() }}
 {% endfor %}
+# Use time sources from DHCP.
+sourcedir /run/chrony-dhcp
-# keys
+# Use NTP sources found in /etc/chrony/sources.d.
+sourcedir /etc/chrony/sources.d
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
 keyfile /etc/chrony/chrony.keys
-# driftfile
+# This directive specify the file into which chronyd will store the rate
+# information.
 driftfile {{ ntp_chrony_driftfile_directory }}/chrony.drift
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Uncomment the following line to turn logging on.
+{% if ntp_chrony_logging is sameas true %}
+#log tracking measurements statistics
+{% endif %}
 {% if ntp_chrony_logging is sameas true %}
-# Logging
-log tracking measurements statistics
+# Log files location.
 logdir /var/log/chrony
 {% endif %}
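Review bot: When `ntp_chrony_logging` is true the template now renders only the commented-out `#log tracking measurements statistics` followed by `logdir /var/log/chrony`, so the `log` directive the old template emitted is gone and chronyd writes no tracking/measurements/statistics logs even though the variable says logging is on. The two back-to-back `{% if ntp_chrony_logging is sameas true %}` blocks should be merged into one that emits `log tracking measurements statistics` and `logdir /var/log/chrony` uncommented. Separately, the added `confdir /etc/chrony/conf.d`, `sourcedir /run/chrony-dhcp` and `sourcedir /etc/chrony/sources.d` lines let time sources be picked up from DHCP and from drop-in files outside the role-managed `ntp_chrony_servers` list; a template comment stating that this widening is intended, or a role variable to switch it off, would make the resulting source set reviewable.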
@@ -21,9 +52,14 @@ logdir /var/log/chrony
 maxupdateskew 100.0
 # This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
 rtcsync
 # Step the system clock instead of slewing it if the adjustment is larger than
 # one second, but only in the first three clock updates.
 makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC
diff --git a/roles/mgrote_ssh/templates/ubuntu.j2 b/roles/mgrote_ssh/templates/ubuntu.j2
index 6ddeea1c..9a2ce2c3 100644
--- a/roles/mgrote_ssh/templates/ubuntu.j2
+++ b/roles/mgrote_ssh/templates/ubuntu.j2
@@ -2,7 +2,7 @@
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
@@ -38,7 +38,7 @@ Port {{ ssh_listen_port }}
 #PubkeyAuthentication yes
 # Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
 #AuthorizedPrincipalsFile none
@@ -59,7 +59,7 @@ PasswordAuthentication {{ ssh_password_authentication }}
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-ChallengeResponseAuthentication no
+KbdInteractiveAuthentication no
 # Kerberos options
 #KerberosAuthentication no
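Review bot: `leapsectz right/UTC` is emitted unconditionally, but it only works where the tz database's `right/` zone files are installed; Debian 12 moved them out of tzdata into tzdata-legacy, so on such hosts chronyd is likely to log an error about the leap-second source at startup rather than use it. Since the role's own `ntp_chrony_servers` list decides which sources are used, the directive should follow the same pattern and be switchable, e.g. wrapping it in `{% if ntp_chrony_leapsectz | default(true) %}` … `{% endif %}`, or the tzdata requirement should be stated in the role's documentation. The comment the upstream file carries about leap-smeared sources is worth keeping next to that switch, since a user pointing the role at a smearing provider has to disable it.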
@@ -75,15 +75,14 @@ ChallengeResponseAuthentication no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
-
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
@@ -99,7 +98,7 @@ PrintLastLog {{ ssh_print_lastlog }}
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
-#PidFile /var/run/sshd.pid
+#PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
@@ -112,12 +111,12 @@ PrintLastLog {{ ssh_print_lastlog }}
 AcceptEnv LANG LC_*
 # override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
 PermitRootLogin {{ ssh_permit_root_login }}
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
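Review bot: In the last hunk `PermitRootLogin {{ ssh_permit_root_login }}` now sits between `#Match User anoncvs` and the example `# X11Forwarding no` lines; sshd treats every directive after a `Match` line as part of that block, so uncommenting the example to use it would silently turn the global root-login policy into a per-user setting with no change to the PermitRootLogin line itself. Move `PermitRootLogin {{ ssh_permit_root_login }}` above the `# Example of overriding settings on a per-user basis` comment so it stays the last unconditional directive, and keep the Match example at the end of the file as the upstream default does. The ordering hazard existed before this change, but placing the variable inside the example makes it easier to trip over; a short comment such as `# Keep all global directives above any Match block` at that spot would help later edits.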