From b2d2d555a704148968cb7e566735a2a1b1a2f189 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Tue, 9 Apr 2024 14:48:01 +0200 Subject: Adding upstream version 4.5. Signed-off-by: Daniel Baumann --- examples/chrony-wait.service | 46 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 examples/chrony-wait.service (limited to 'examples/chrony-wait.service') diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service new file mode 100644 index 0000000..374f633 --- /dev/null +++ b/examples/chrony-wait.service @@ -0,0 +1,46 @@ +[Unit] +Description=Wait for chrony to synchronize system clock +Documentation=man:chronyc(1) +After=chronyd.service +Requires=chronyd.service +Before=time-sync.target +Wants=time-sync.target + +[Service] +Type=oneshot +# Wait for chronyd to update the clock and the remaining +# correction to be less than 0.1 seconds +ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1 +# Wait for at most 3 minutes +TimeoutStartSec=180 +RemainAfterExit=yes +StandardOutput=null + +CapabilityBoundingSet= +DevicePolicy=closed +DynamicUser=yes +IPAddressAllow=localhost +IPAddressDeny=any +LockPersonality=yes +MemoryDenyWriteExecute=yes +PrivateDevices=yes +PrivateUsers=yes +ProtectClock=yes +ProtectControlGroups=yes +ProtectHome=yes +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectProc=invisible +ProtectSystem=strict +RestrictAddressFamilies=AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources +UMask=0777 + +[Install] +WantedBy=multi-user.target -- cgit v1.2.3