nixos/modules/services/networking/ntp/ntpd.nix +26 −0 @@ -156,6 +156,32 @@ in ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}"; Type = "forking"; StateDirectory = "ntp"; # Hardening options PrivateDevices = true; PrivateIPC = true; PrivateTmp = true; ProtectClock = false; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectSystem = true; RestrictNamespaces = true; RestrictRealtime = true; LockPersonality = true; MemoryDenyWriteExecute = true; AmbientCapabilities = [ "CAP_SYS_TIME" ]; ProtectControlGroups = true; ProtectProc = "invisible"; ProcSubset = "pid"; RestrictSUIDSGID = true; }; };
nixos/modules/services/networking/ntp/ntpd.nix +26 −0 @@ -156,6 +156,32 @@ in ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}"; Type = "forking"; StateDirectory = "ntp"; # Hardening options PrivateDevices = true; PrivateIPC = true; PrivateTmp = true; ProtectClock = false; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectSystem = true; RestrictNamespaces = true; RestrictRealtime = true; LockPersonality = true; MemoryDenyWriteExecute = true; AmbientCapabilities = [ "CAP_SYS_TIME" ]; ProtectControlGroups = true; ProtectProc = "invisible"; ProcSubset = "pid"; RestrictSUIDSGID = true; }; };
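Review bot: `AmbientCapabilities = [ "CAP_SYS_TIME" ];` grants a capability rather than removing any, and the block sets no `CapabilityBoundingSet`, so nothing added here narrows what the unit can hold; whether a `User` is set is not visible in this hunk, and if the service starts as root the ambient set has little effect. I would add a bounding set next to it, for example `CapabilityBoundingSet = [ "CAP_SYS_TIME" "CAP_NET_BIND_SERVICE" "CAP_SETUID" "CAP_SETGID" ];` with the exact list checked against what ntpd needs under the flags in `ntpFlags`, together with `NoNewPrivileges = true;`. `ProtectSystem = true;` only makes `/usr` and the boot loader directories read-only, so `ProtectSystem = "strict";` is worth trying now that `StateDirectory = "ntp"` is declared, provided the drift and statistics paths live under that directory. A short comment on `ProtectClock = false;`, such as `# ntpd has to set the system clock`, would keep a later cleanup from flipping it to true. The enclosing serviceConfig set starts above the hunk, so other options already present there are not visible.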