]> git.somenet.org - root/pub/somesible.git/blob - roles/base/ntp/files/default/chrony.service
[roles/base/tor] install tor with hidden sshd service, possibly copy private key
[root/pub/somesible.git] / roles / base / ntp / files / default / chrony.service
1 #
2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2024 by someone <someone@somenet.org>
7 #
8
9 [Unit]
10 Description=chrony, an NTP client/server
11 Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
12 Conflicts=openntpd.service ntp.service ntpsec.service
13 Wants=time-sync.target
14 Before=time-sync.target
15 After=network.target
16 ConditionCapability=CAP_SYS_TIME
17
18 [Service]
19 Type=forking
20 PIDFile=/run/chrony/chronyd.pid
21 EnvironmentFile=-/etc/default/chrony
22 User=_chrony
23 # Daemon is started as root, but still sandboxed
24 ExecStart=!/usr/sbin/chronyd $DAEMON_OPTS
25
26 CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
27 CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
28 CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
29 CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
30 CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
31 DeviceAllow=char-pps rw
32 DeviceAllow=char-ptp rw
33 DeviceAllow=char-rtc rw
34 DevicePolicy=closed
35 LockPersonality=yes
36 MemoryDenyWriteExecute=yes
37 NoNewPrivileges=yes
38 PrivateTmp=yes
39 ProcSubset=pid
40 ProtectControlGroups=yes
41 ProtectHome=yes
42 ProtectHostname=yes
43 ProtectKernelLogs=yes
44 ProtectKernelModules=yes
45 ProtectKernelTunables=yes
46 ProtectProc=invisible
47 ProtectSystem=strict
48 # Used for gps refclocks
49 ReadWritePaths=/run
50 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
51 RestrictNamespaces=yes
52 RestrictSUIDSGID=yes
53 SystemCallArchitectures=native
54 SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
55
56 ConfigurationDirectory=chrony
57 RuntimeDirectory=chrony
58 RuntimeDirectoryMode=0700
59 # See dumpdir in chrony.conf(5)
60 RuntimeDirectoryPreserve=restart
61 StateDirectory=chrony
62 StateDirectoryMode=0750
63 LogsDirectory=chrony
64 LogsDirectoryMode=0750
65
66 # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
67 NoNewPrivileges=no
68 ReadWritePaths=-/var/spool
69 RestrictAddressFamilies=AF_NETLINK
70
71 Restart=always
72 RestartSec=10
73 Nice=-5
74
75 [Install]
76 Alias=chronyd.service
77 WantedBy=multi-user.target