---

- name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver"
  when: ubtu24cis_rule_2_3_3_1
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_2.3.3.1
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - chrony
  block:
    - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver | sources"
      ansible.builtin.template:
        src: "{{ item }}.j2"
        dest: "/{{ item }}"
        mode: 'go-r'
        owner: root
        group: root
      loop:
        - etc/chrony/sources.d/pool.sources
        - etc/chrony/sources.d/server.sources
      notify: Restart timeservice

    - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver | load sources"
      ansible.builtin.lineinfile:
        path: /etc/chrony/chrony.conf
        regexp: '^sourcedir /etc/chrony/sources.d'
        line: sourcedir /etc/chrony/sources.d
      notify: Restart timeservice

- name: "2.3.3.2 | PATCH | Ensure chrony is running as user _chrony"
  when: ubtu24cis_rule_2_3_3_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_2.3.3.2
    - NIST800-53R5_AU-8
    - chrony
  ansible.builtin.lineinfile:
    path: /etc/chrony/chrony.conf
    regexp: '^user _chrony'
    line: 'user _chrony'

- name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running"
  when: ubtu24cis_rule_2_3_3_3
  tags:
    - level1-server
    - level1-workstation
    - rule_2.3.3.3
    - NIST800-53R5_AU-8
    - chrony
  block:
    - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running"
      ansible.builtin.systemd:
        name: chrony
        state: started
        enabled: true