| | | |
|---|---|---|
| author | Austin Seipp <aseipp@pobox.com> | 2018-09-24 00:21:52 -0500 |
| committer | Austin Seipp <aseipp@pobox.com> | 2018-09-24 15:42:44 -0500 |
| commit | 0ce90d58cca7a1318a50268e957f3faa3b80079c (patch) | |
| tree | 8e0480c0fc2447e55fafdb7439b5a023870b7c5c /pkgs/os-specific | |
| parent | 6ebad0821f207136f741a68790c6030592c9a131 (diff) | |
nixos/chrony: clean up, rework to be a little closer to upstream
Most importantly, this sets PrivateTmp, ProtectHome, and ProtectSystem so that Chrony flaws are mitigated, should they occur. Moving to ProtectSystem=full, however, requires moving the chrony key files under /var/lib/chrony -- which should be fine, anyway.

This also ensures ConditionCapability=CAP_SYS_TIME is set, ensuring that chronyd will only be launched in an environment where such a capability can be granted.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
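The commit message above names four unit settings but the page shows no diff. The following NixOS module fragment is an added illustration written for this page, not the commit's own nixpkgs code, of how those settings fit together in a `systemd.services.chronyd` definition. The `ExecStart` flags, the `chrony.keys` file name, the config path `/etc/chrony.conf`, and the tmpfiles rule that creates `/var/lib/chrony` are assumptions of this example; only `PrivateTmp`, `ProtectHome`, `ProtectSystem=full`, `ConditionCapability=CAP_SYS_TIME` and the `/var/lib/chrony` key location come from the commit message.

```nix
# Added example (not the commit's own code): a NixOS module applying the
# hardening described in the commit message to a chronyd unit.
# Assumptions not taken from the page: ExecStart flags, the chrony.keys
# file name, /etc/chrony.conf, and the tmpfiles rule for the state dir.
{ config, lib, pkgs, ... }:

let
  stateDir = "/var/lib/chrony";
  # Key material lives under the writable state dir, not /etc: with
  # ProtectSystem=full, /etc is read-only inside the service's mount namespace.
  keyFile = "${stateDir}/chrony.keys";
in
{
  # Create the state directory owned by the service user (assumed user/group "chrony").
  systemd.tmpfiles.rules = [
    "d ${stateDir} 0750 chrony chrony - -"
  ];

  environment.etc."chrony.conf".text = ''
    driftfile ${stateDir}/chrony.drift
    keyfile ${keyFile}
  '';

  systemd.services.chronyd = {
    description = "chrony NTP daemon";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    # [Unit] ConditionCapability=CAP_SYS_TIME: only start where the kernel can
    # grant CAP_SYS_TIME, since chronyd cannot adjust the clock without it.
    unitConfig.ConditionCapability = "CAP_SYS_TIME";

    serviceConfig = {
      Type = "simple";
      # Assumed invocation: -n stay in foreground, -m lock memory,
      # -u drop to the chrony user, -f config file.
      ExecStart = "${pkgs.chrony}/bin/chronyd -n -m -u chrony -f /etc/chrony.conf";

      # Sandboxing from the commit message; each narrows what a compromised
      # chronyd process could read or write.
      PrivateTmp = "yes";       # private /tmp and /var/tmp for this service only
      ProtectHome = "yes";      # /home, /root and /run/user appear empty
      ProtectSystem = "full";   # /usr, /boot and /etc mounted read-only
    };
  };
}
```

After activation, `systemctl show chronyd -p ProtectSystem -p ProtectHome -p PrivateTmp` confirms the effective values, and `systemd-analyze security chronyd` (systemd 240 and later) scores the remaining exposure; the read-only `/etc` is exactly why the key and drift files sit under `/var/lib/chrony` rather than beside the config.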
Diffstat (limited to 'pkgs/os-specific')
0 files changed, 0 insertions, 0 deletions