nixos/modules/services/networking/ntp/ntpd-rs.nix +81 −0 Original line number Diff line number Diff line Loading @@ -90,6 +90,49 @@ in "" "${lib.makeBinPath [ cfg.package ]}/ntp-daemon --config=${validateConfig configFile}" ]; CapabilityBoundingSet = [ "CAP_SYS_TIME" "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_SYS_TIME" "CAP_NET_BIND_SERVICE" ]; LimitCORE = 0; LimitNOFILE = 65535; LockPersonality = true; MemorySwapMax = 0; MemoryZSwapMax = 0; PrivateTmp = true; ProcSubset = "pid"; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProtectSystem = "strict"; Restart = "on-failure"; RestartSec = "10s"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "@resources" "@network-io" "@clock" ]; NoNewPrivileges = true; UMask = "0077"; }; }; Loading @@ -103,6 +146,44 @@ in "" "${lib.makeBinPath [ cfg.package ]}/ntp-metrics-exporter --config=${validateConfig configFile}" ]; CapabilityBoundingSet = [ ]; LimitCORE = 0; LimitNOFILE = 65535; LockPersonality = true; MemorySwapMax = 0; MemoryZSwapMax = 0; PrivateTmp = true; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProtectSystem = "strict"; PrivateDevices = true; RestrictSUIDSGID = true; RemoveIPC = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "@network-io" "~@privileged" "~@resources" "~@mount" ]; NoNewPrivileges = true; UMask = "0077"; }; }; }; Loading
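Review bot: The ntp-daemon unit in the first hunk (@@ -90,6 +90,49 @@) leaves out `RestrictSUIDSGID = true;` and `RemoveIPC = true;`, which the ntp-metrics-exporter unit in the second hunk sets; neither interferes with the CAP_SYS_TIME/CAP_NET_BIND_SERVICE capabilities the daemon keeps, so they belong in the daemon's serviceConfig as well. Leaving `ProtectClock` and `PrivateDevices` unset on the daemon looks deliberate (it must step the clock and presumably may open timing devices), and a one-line comment such as `# ProtectClock/PrivateDevices intentionally unset: the daemon adjusts the clock and may need timing device access` would keep a later cleanup from "fixing" the asymmetry with the exporter. Note also that AmbientCapabilities only has an effect if the unit runs as an unprivileged User=, which is not visible in this hunk. Both serviceConfig attribute sets begin before their hunks.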