commit a9cd681b8df39ca567cada7ff50d44f7b3fb225a · pyrox.dev/nixpkgs

+81
nixos/modules/services/networking/ntp/ntpd-rs.nix
···

       90
       90
        
                 ""

     

       91
       91
        
                 "${lib.makeBinPath [ cfg.package ]}/ntp-daemon --config=${validateConfig configFile}"

     

       92
       92
        
               ];

     

       93
       93
       +
       

     

       94
       94
       +
               CapabilityBoundingSet = [

     

       95
       95
       +
                 "CAP_SYS_TIME"

     

       96
       96
       +
                 "CAP_NET_BIND_SERVICE"

     

       97
       97
       +
               ];

     

       98
       98
       +
               AmbientCapabilities = [

     

       99
       99
       +
                 "CAP_SYS_TIME"

     

       100
       100
       +
                 "CAP_NET_BIND_SERVICE"

     

       101
       101
       +
               ];

     

       102
       102
       +
               LimitCORE = 0;

     

       103
       103
       +
               LimitNOFILE = 65535;

     

       104
       104
       +
               LockPersonality = true;

     

       105
       105
       +
               MemorySwapMax = 0;

     

       106
       106
       +
               MemoryZSwapMax = 0;

     

       107
       107
       +
               PrivateTmp = true;

     

       108
       108
       +
               ProcSubset = "pid";

     

       109
       109
       +
               ProtectControlGroups = true;

     

       110
       110
       +
               ProtectHome = true;

     

       111
       111
       +
               ProtectHostname = true;

     

       112
       112
       +
               ProtectKernelLogs = true;

     

       113
       113
       +
               ProtectKernelModules = true;

     

       114
       114
       +
               ProtectKernelTunables = true;

     

       115
       115
       +
               ProtectProc = "invisible";

     

       116
       116
       +
               ProtectSystem = "strict";

     

       117
       117
       +
               Restart = "on-failure";

     

       118
       118
       +
               RestartSec = "10s";

     

       119
       119
       +
               RestrictAddressFamilies = [

     

       120
       120
       +
                 "AF_INET"

     

       121
       121
       +
                 "AF_INET6"

     

       122
       122
       +
                 "AF_UNIX"

     

       123
       123
       +
                 "AF_NETLINK"

     

       124
       124
       +
               ];

     

       125
       125
       +
               RestrictNamespaces = true;

     

       126
       126
       +
               RestrictRealtime = true;

     

       127
       127
       +
               SystemCallArchitectures = "native";

     

       128
       128
       +
               SystemCallFilter = [

     

       129
       129
       +
                 "@system-service"

     

       130
       130
       +
                 "@resources"

     

       131
       131
       +
                 "@network-io"

     

       132
       132
       +
                 "@clock"

     

       133
       133
       +
               ];

     

       134
       134
       +
               NoNewPrivileges = true;

     

       135
       135
       +
               UMask = "0077";

     

       93
       136
        
             };

     

       94
       137
        
           };

     

       95
       138
        
       

     
···

       103
       146
        
                 ""

     

       104
       147
        
                 "${lib.makeBinPath [ cfg.package ]}/ntp-metrics-exporter --config=${validateConfig configFile}"

     

       105
       148
        
               ];

     

       149
       149
       +
       

     

       150
       150
       +
               CapabilityBoundingSet = [ ];

     

       151
       151
       +
               LimitCORE = 0;

     

       152
       152
       +
               LimitNOFILE = 65535;

     

       153
       153
       +
               LockPersonality = true;

     

       154
       154
       +
               MemorySwapMax = 0;

     

       155
       155
       +
               MemoryZSwapMax = 0;

     

       156
       156
       +
               PrivateTmp = true;

     

       157
       157
       +
               ProcSubset = "pid";

     

       158
       158
       +
               ProtectClock = true;

     

       159
       159
       +
               ProtectControlGroups = true;

     

       160
       160
       +
               ProtectHome = true;

     

       161
       161
       +
               ProtectHostname = true;

     

       162
       162
       +
               ProtectKernelLogs = true;

     

       163
       163
       +
               ProtectKernelModules = true;

     

       164
       164
       +
               ProtectKernelTunables = true;

     

       165
       165
       +
               ProtectProc = "invisible";

     

       166
       166
       +
               ProtectSystem = "strict";

     

       167
       167
       +
               PrivateDevices = true;

     

       168
       168
       +
               RestrictSUIDSGID = true;

     

       169
       169
       +
               RemoveIPC = true;

     

       170
       170
       +
               RestrictAddressFamilies = [

     

       171
       171
       +
                 "AF_INET"

     

       172
       172
       +
                 "AF_INET6"

     

       173
       173
       +
                 "AF_UNIX"

     

       174
       174
       +
               ];

     

       175
       175
       +
               RestrictNamespaces = true;

     

       176
       176
       +
               RestrictRealtime = true;

     

       177
       177
       +
               SystemCallArchitectures = "native";

     

       178
       178
       +
               SystemCallFilter = [

     

       179
       179
       +
                 "@system-service"

     

       180
       180
       +
                 "@network-io"

     

       181
       181
       +
                 "~@privileged"

     

       182
       182
       +
                 "~@resources"

     

       183
       183
       +
                 "~@mount"

     

       184
       184
       +
               ];

     

       185
       185
       +
               NoNewPrivileges = true;

     

       186
       186
       +
               UMask = "0077";

     

       106
       187
        
             };

     

       107
       188
        
           };

     

       108
       189
        
         };