nixos/chrony: clean up, rework to be a little closer to upstream
Most importantly, this sets PrivateTmp, ProtectHome, and ProtectSystem so that Chrony flaws are mitigated, should they occur. Moving to ProtectSystem=full however, requires moving the chrony key files under /var/lib/chrony -- which should be fine, anyway.

This also ensures ConditionCapability=CAP_SYS_TIME is set, ensuring that chronyd will only be launched in an environment where such a capability can be granted.

Signed-off-by: Austin Seipp <aseipp@pobox.com>

(cherry picked from commit 0ce90d5)
1 parent f34ef9e, commit b0f8181

Showing 1 changed file with 20 additions and 32 deletions.