diff --git a/defaults/main.yml b/defaults/main.yml
index cd4ac047..4177a46b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -272,6 +272,8 @@ security_ntp_servers:
 - 3.pool.ntp.org
 # NTP server options.
 security_ntp_server_options: offline maxpoll 10 minpoll 8
+# Configure Chrony to synchronize the hardware clock
+security_ntp_sync_rtc: false
 # Chrony limits access to clients that are on certain subnets. Adjust the
 # following subnets here to limit client access to chrony servers.
 security_allowed_ntp_subnets:
diff --git a/releasenotes/notes/chrony-rtc-sync-f46b9a526aec0889.yaml b/releasenotes/notes/chrony-rtc-sync-f46b9a526aec0889.yaml
new file mode 100644
index 00000000..87079f93
--- /dev/null
+++ b/releasenotes/notes/chrony-rtc-sync-f46b9a526aec0889.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - Chrony got a new configuration option to synchronize the system clock back
+    to the RTC using the ``security_ntp_sync_rtc`` variable. Disabled by default.
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
index d5ed910a..bf91e6c7 100644
--- a/templates/chrony.conf.j2
+++ b/templates/chrony.conf.j2
@@ -82,13 +82,16 @@ makestep 1 3
 # mailonchange root@localhost 0.5
+{% if security_ntp_sync_rtc | bool %}
 # This directive tells chrony to regulate the real-time clock and tells it
 # Where to store related data. It may not work on some newer motherboards
 # that use the HPET real-time clock. It requires enhanced real-time
-# support in the kernel. I've commented it out because with certain
+# support in the kernel. It is disabled by default because with certain
 # combinations of motherboard and kernel it is reported to cause lockups.
-# rtcfile /var/lib/chrony/chrony.rtc
+rtcfile /var/lib/chrony/chrony.rtc
+rtcautotrim 10
+{% endif %}
 # If the last line of this file reads 'rtconutc' chrony will assume that
 # the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
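Review bot: The comment above the new `security_ntp_sync_rtc` default does not tell an operator what enabling it does or why it ships disabled; the template in the same commit emits `rtcfile /var/lib/chrony/chrony.rtc` and `rtcautotrim 10`, and its own comment says that configuration is reported to cause lockups on some motherboard/kernel combinations. I would extend the comment to `# When true, chrony regulates the hardware (RTC) clock: the template emits` / `# rtcfile /var/lib/chrony/chrony.rtc and rtcautotrim 10. Left disabled because` / `# some motherboard/kernel combinations are reported to lock up with it.` so the risk is visible where the variable is set. Since the template filters the value through `| bool`, keep the default a YAML boolean (`false`) rather than a quoted string so it cannot be set to a truthy non-empty string by mistake.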