2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2024 by someone <someone@somenet.org>
# Unit-level metadata, conflicts and ordering for the chrony time daemon.
# NOTE(review): the listing's own line numbers have gaps, so parts of the
# original unit (the section header among them) are not shown in this excerpt.
10 Description=chrony, an NTP client/server
11 Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
# Only one daemon should steer the system clock: starting this unit stops the
# listed services, and starting any of them stops this unit.
12 Conflicts=openntpd.service ntp.service ntpsec.service
# Pull in time-sync.target and order this unit before it, so units ordered
# after that target start only once this service has been started.
13 Wants=time-sync.target
14 Before=time-sync.target
# Skip activation when CAP_SYS_TIME is absent from the service manager's
# capability bounding set (this checks the bounding set only, not the
# effective set), e.g. in a container that is not allowed to set the clock.
16 ConditionCapability=CAP_SYS_TIME
# Service definition and sandboxing for chronyd.
# NOTE(review): the listing's own line numbers have gaps; directives on the
# missing lines (including the section header) are not visible here, so the
# notes below describe only what this excerpt shows.
20 PIDFile=/run/chrony/chronyd.pid
# The leading "-" makes a missing file a non-error. Whatever this file assigns
# to DAEMON_OPTS ends up on the command line of a daemon started as root, so it
# should be writable by root only.
21 EnvironmentFile=-/etc/default/chrony
23 # Daemon is started as root, but still sandboxed
# The "!" prefix exempts this command from User=/Group=/SupplementaryGroups=
# only; the sandboxing directives below still apply to it. The unbraced
# $DAEMON_OPTS is split on whitespace into separate arguments.
# NOTE(review): no User= line is visible in this excerpt - confirm which
# account chronyd drops to after start-up.
24 ExecStart=!/usr/sbin/chronyd $DAEMON_OPTS
# A leading "~" inverts the list: the named capabilities are removed from the
# bounding set, and repeated "~" lines combine so that all of them are removed.
# This is a deny-list: any capability not named on these lines stays available,
# so it needs review whenever the kernel gains new capabilities.
26 CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
27 CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
28 CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
29 CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
30 CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
# Device access is granted per device class (PPS, PTP and RTC character
# devices); "rw" allows read and write but not creating device nodes.
# NOTE(review): a DevicePolicy= line is not visible in this excerpt - confirm
# the policy these entries are combined with.
31 DeviceAllow=char-pps rw
32 DeviceAllow=char-ptp rw
33 DeviceAllow=char-rtc rw
# Refuse memory mappings that are writable and executable at the same time.
36 MemoryDenyWriteExecute=yes
# Make the cgroup hierarchy read-only for the service.
40 ProtectControlGroups=yes
# Deny loading and unloading of kernel modules.
44 ProtectKernelModules=yes
# Make kernel tunables under /proc/sys and /sys read-only.
45 ProtectKernelTunables=yes
48 # Used for gps refclocks
# NOTE(review): the directive the comment above belongs to is not part of
# this excerpt.
# Allow-list of socket address families. The option accumulates across lines,
# so the AF_NETLINK entry further down extends this list.
50 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Deny creating or entering any kind of namespace.
51 RestrictNamespaces=yes
# Accept system calls of the native ABI only, so the filter below cannot be
# sidestepped through a secondary ABI.
53 SystemCallArchitectures=native
# Deny-list of system call groups ("~" inverts the list); by default a call
# from one of these groups terminates the process.
54 SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
# Directories managed by systemd: /etc/chrony and /run/chrony. The runtime
# directory holds the PID file named above and is accessible to its owner only.
56 ConfigurationDirectory=chrony
57 RuntimeDirectory=chrony
58 RuntimeDirectoryMode=0700
59 # See dumpdir in chrony.conf(5)
# Keep /run/chrony across service restarts; it is still removed on stop.
60 RuntimeDirectoryPreserve=restart
# Modes for the state and log directories: no access for "other".
# NOTE(review): the StateDirectory=/LogsDirectory= lines that name these
# directories are not visible in this excerpt.
62 StateDirectoryMode=0750
64 LogsDirectoryMode=0750
66 # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
# The two lines below relax the sandbox for the mail helper: /var/spool becomes
# writable ("-" ignores the path when it does not exist) and netlink sockets
# are added to the address-family allow-list. Hosts that do not use
# mailonchange can drop both relaxations in a drop-in.
# NOTE(review): ReadWritePaths= only matters together with a setting that makes
# the file system read-only; no such line is visible here - confirm.
68 ReadWritePaths=-/var/spool
69 RestrictAddressFamilies=AF_NETLINK
# Enabling the unit adds it to the wants of multi-user.target, so it starts on
# a normal multi-user boot.
77 WantedBy=multi-user.target