author: Austin Seipp <aseipp@pobox.com> 2018-09-24 00:21:52 -0500
committer: Austin Seipp <aseipp@pobox.com> 2018-09-24 15:42:44 -0500
commit: 0ce90d58cca7a1318a50268e957f3faa3b80079c (patch)
tree: 8e0480c0fc2447e55fafdb7439b5a023870b7c5c /pkgs/os-specific
parent: 6ebad0821f207136f741a68790c6030592c9a131 (diff)
nixos/chrony: clean up, rework to be a little closer to upstream
Most importantly, this sets PrivateTmp, ProtectHome, and ProtectSystem
so that Chrony flaws are mitigated, should they occur.

Moving to ProtectSystem=full, however, requires moving the chrony key
files under /var/lib/chrony -- which should be fine, anyway.

This also ensures ConditionCapability=CAP_SYS_TIME is set, ensuring
that chronyd will only be launched in an environment where such a
capability can be granted.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'pkgs/os-specific')
0 files changed, 0 insertions, 0 deletions
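The commit message above names four sandboxing directives and the side effect of ProtectSystem=full on files under /etc. The audit below, an added example rather than code from nixpkgs or chrony, parses a unit file, reports which of those directives are missing, and flags any path the service must write that ProtectSystem would mount read-only; the unit texts and the /usr/bin/chronyd path are constructed for illustration.

```python
# Audit a systemd unit for the sandboxing described in the commit message above.
# Added example, not code from nixpkgs; the unit texts at the bottom are constructed.

# Per systemd.exec(5): ProtectSystem=yes mounts /usr, /boot, /efi read-only,
# =full also /etc, =strict the whole tree except /dev, /proc and /sys.
READ_ONLY = {"yes": ("/usr", "/boot", "/efi"), "true": ("/usr", "/boot", "/efi"),
             "full": ("/usr", "/boot", "/efi", "/etc"), "strict": ("/",)}
ON = {"yes", "true"}

def parse_unit(text):
    """Minimal unit-file parser: {section: {key: value}}, last repeat wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def _under(path, prefix):
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def audit(unit_text, writes=()):
    """Return findings; `writes` are paths the service must be able to write."""
    unit = parse_unit(unit_text)
    svc, hdr, findings = unit.get("Service", {}), unit.get("Unit", {}), []
    if svc.get("PrivateTmp", "no") not in ON:
        findings.append("PrivateTmp off: /tmp shared with the host")
    if svc.get("ProtectHome", "no") not in ON | {"read-only", "tmpfs"}:
        findings.append("ProtectHome off: /home and /root visible")
    ps = svc.get("ProtectSystem", "no")
    if ps not in READ_ONLY:
        findings.append("ProtectSystem off: /usr and /etc writable")
    if "ConditionCapability" not in hdr:
        findings.append("no ConditionCapability: may start without the needed cap")
    rw = svc.get("ReadWritePaths", "").split()  # explicit write exceptions
    for path in writes:  # the trap the commit hits: a key file under /etc
        if (any(_under(path, p) for p in READ_ONLY.get(ps, ()))
                and not any(_under(path, p) for p in rw)):
            findings.append(f"{path} read-only under ProtectSystem={ps}")
    return findings

# Constructed units: an unsandboxed one, and one shaped like the commit's result.
PLAIN = "[Unit]\nDescription=chronyd\n[Service]\nExecStart=/usr/bin/chronyd -n\n"
HARDENED = ("[Unit]\nDescription=chronyd\nConditionCapability=CAP_SYS_TIME\n[Service]\n"
            "ExecStart=/usr/bin/chronyd -n\nPrivateTmp=yes\nProtectHome=yes\nProtectSystem=full\n")
```

Running `audit(HARDENED, ["/etc/chrony.keys"])` reproduces the problem the commit message mentions, while the same unit with the key file under /var/lib/chrony audits clean.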