add defaults and README of new parameter timesync_need_explicit_chron…

…y_user

Signed-off-by: Francesco Trentini <[email protected]>

README.md

@@ -3,9 +3,13 @@
 [![ansible-lint.yml](https://github.com/linux-system-roles/timesync/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/timesync/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/timesync/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/timesync/actions/workflows/ansible-test.yml) [![markdownlint.yml](https://github.com/linux-system-roles/timesync/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/timesync/actions/workflows/markdownlint.yml) [![shellcheck.yml](https://github.com/linux-system-roles/timesync/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/timesync/actions/workflows/shellcheck.yml) [![woke.yml](https://github.com/linux-system-roles/timesync/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/timesync/actions/workflows/woke.yml)
 
 This role installs and configures an NTP and/or PTP implementation to operate
+
 <!--- wokeignore:rule=slave -->
+
 as an NTP client and/or PTP slave in order to synchronize the system clock with
+
 <!--- wokeignore:rule=master -->
+
 NTP servers and/or grandmasters in PTP domains. Supported NTP/PTP
 implementations are chrony, ntp (the reference implementation) and linuxptp.
 
@@ -26,7 +30,7 @@ See below
 ### Collection requirements
 
 In order to manage `rpm-ostree` systems, the role requires modules from external
-collections.  Use the following command to install them:
+collections. Use the following command to install them:
 
 ```bash
 ansible-galaxy collection install -vv -r meta/collection-requirements.yml
@@ -39,40 +43,50 @@ The variables that can be passed to this role are as follows:
 ```yaml
 # List of NTP servers
 timesync_ntp_servers:
-  - hostname: foo.example.com   # Hostname or address of the server
-    minpoll: 4                  # Minimum polling interval (default 6)
-    maxpoll: 8                  # Maximum polling interval (default 10)
-    iburst: true                # Flag enabling fast initial synchronization
-                                # (default false)
-    pool: false                 # Flag indicating that each resolved address
-                                # of the hostname is a separate NTP server
-                                # (default false)
-    nts: false                  # Flag enabling Network Time Security (NTS)
-                                # authentication mechanism (default false,
-                                # supported only with chrony >= 4.0)
-    prefer: false               # Flag marking the source to be preferred for
-                                # synchronization over other sources
-                                # (default false)
-    trust: false                # Flag marking the source to be trusted over
-                                # sources that don't have this flag
-                                # (default false)
-    xleave: false               # Flag enabling interleaved mode (default false)
-    filter: 1                   # Number of NTP measurements per clock update
-                                # (default 1)
+  - hostname: foo.example.com # Hostname or address of the server
+    minpoll: 4 # Minimum polling interval (default 6)
+    maxpoll: 8 # Maximum polling interval (default 10)
+    iburst:
+      true # Flag enabling fast initial synchronization
+      # (default false)
+    pool:
+      false # Flag indicating that each resolved address
+      # of the hostname is a separate NTP server
+      # (default false)
+    nts:
+      false # Flag enabling Network Time Security (NTS)
+      # authentication mechanism (default false,
+      # supported only with chrony >= 4.0)
+    prefer:
+      false # Flag marking the source to be preferred for
+      # synchronization over other sources
+      # (default false)
+    trust:
+      false # Flag marking the source to be trusted over
+      # sources that don't have this flag
+      # (default false)
+    xleave: false # Flag enabling interleaved mode (default false)
+    filter:
+      1 # Number of NTP measurements per clock update
+      # (default 1)
 
 # List of PTP domains
 timesync_ptp_domains:
-  - number: 0                   # PTP domain number
-    interfaces: [eth0]          # List of interfaces in the domain
-    delay: 0.000010             # Assumed maximum network delay to the
-                                # grandmaster in seconds # wokeignore:rule=master
-                                # (default 100 microsecond)
-    transport: UDPv4            # Network transport: UDPv4, UDPv6, L2
-                                # (default UDPv4)
-    udp_ttl: 1                  # TTL for UDPv4 and UDPv6 transports
-                                # (default 1)
-    hybrid_e2e: false           # Flag enabling unicast end-to-end delay
-                                # requests (default false)
+  - number: 0 # PTP domain number
+    interfaces: [eth0] # List of interfaces in the domain
+    delay:
+      0.000010 # Assumed maximum network delay to the
+      # grandmaster in seconds # wokeignore:rule=master
+      # (default 100 microsecond)
+    transport:
+      UDPv4 # Network transport: UDPv4, UDPv6, L2
+      # (default UDPv4)
+    udp_ttl:
+      1 # TTL for UDPv4 and UDPv6 transports
+      # (default 1)
+    hybrid_e2e:
+      false # Flag enabling unicast end-to-end delay
+      # requests (default false)
 
 # Flag enabling use of NTP servers provided by DHCP (default false)
 timesync_dhcp_ntp_servers: false
@@ -112,6 +126,12 @@ timesync_ntp_provider: chrony
 timesync_chrony_custom_settings:
   - "logdir /var/log/chrony"
   - "log measurements statistics tracking"
+
+# If true, then add an explicit `-u chrony` to `OPTIONS` in
+# `/etc/sysconfig/chronyd` to satisfy security guidelines like CIS. NOTE: on
+# RedHat OS family, chronyd is "hard coded" to use the `chrony` user, so this
+# is unnecessary except to satisfy certain security guidelines.
+timesync_need_explicit_chrony_user: false
 ```
 
 ## Example Playbooks
@@ -134,7 +154,9 @@ Install and configure ntp to synchronize the system clock with three NTP servers
 ```
 
 Install and configure linuxptp to synchronize the system clock with a
+
 <!--- wokeignore:rule=master -->
+
 grandmaster in PTP domain number 0, which is accessible on interface eth0:
 
 ```yaml

defaults/main.yml

@@ -7,3 +7,4 @@ timesync_min_sources: 1
 timesync_ntp_hwts_interfaces: []
 timesync_ntp_provider: ""
 timesync_max_distance: 0
+timesync_need_explicit_chrony_user: false