]> git.somenet.org - root/pub/somesible.git/blob - roles/base/ntp/files/default/chrony.service
SomeNet / public repos / root / pub / somesible.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
roles/service/mattermost/defaults
[root/pub/somesible.git] / roles / base / ntp / files / default / chrony.service
1 #
2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2025 by someone <someone@somenet.org>
7 #
8
9 [Unit]
10 Description=chrony, an NTP client/server
11 Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
12 Conflicts=openntpd.service ntp.service ntpsec.service
13 ConditionCapability=CAP_SYS_TIME
14
15 [Service]
16 Type=forking
17 PIDFile=/run/chrony/chronyd.pid
18 EnvironmentFile=-/etc/default/chrony
19 User=_chrony
20 # Daemon is started as root, but still sandboxed
21 ExecStart=!/usr/sbin/chronyd $DAEMON_OPTS
22
23 CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
24 CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
25 CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
26 CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
27 CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
28 DeviceAllow=char-pps rw
29 DeviceAllow=char-ptp rw
30 DeviceAllow=char-rtc rw
31 DevicePolicy=closed
32 LockPersonality=yes
33 MemoryDenyWriteExecute=yes
34 NoNewPrivileges=yes
35 PrivateTmp=yes
36 ProcSubset=pid
37 ProtectControlGroups=yes
38 ProtectHome=yes
39 ProtectHostname=yes
40 ProtectKernelLogs=yes
41 ProtectKernelModules=yes
42 ProtectKernelTunables=yes
43 ProtectProc=invisible
44 ProtectSystem=strict
45 # Used for gps refclocks
46 ReadWritePaths=/run
47 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
48 RestrictNamespaces=yes
49 RestrictSUIDSGID=yes
50 SystemCallArchitectures=native
51 SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
52
53 ConfigurationDirectory=chrony
54 RuntimeDirectory=chrony
55 RuntimeDirectoryMode=0700
56 # See dumpdir in chrony.conf(5)
57 RuntimeDirectoryPreserve=restart
58 StateDirectory=chrony
59 StateDirectoryMode=0750
60 LogsDirectory=chrony
61 LogsDirectoryMode=0750
62
63 # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
64 NoNewPrivileges=no
65 ReadWritePaths=-/var/spool
66 RestrictAddressFamilies=AF_NETLINK
67
68 Restart=always
69 RestartSec=10
70 Nice=-5
71
72 [Install]
73 Alias=chronyd.service
74 WantedBy=multi-user.target