#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# Unit for the SNTP client daemon systemd-timesyncd. The [Service] section
# below is grouped by purpose (lifecycle, identity, filesystem, kernel,
# process, network, system calls); systemd does not care about the order of
# distinct keys within a section.

[Unit]
Description=Network Time Synchronization
Documentation=man:systemd-timesyncd.service(8)
# Start only if CAP_SYS_TIME is in the service manager's capability bounding
# set, and never inside a container.
ConditionCapability=CAP_SYS_TIME
ConditionVirtualization=!container
# No implicit dependencies; ordering and shutdown handling are spelled out
# explicitly by the directives that follow.
DefaultDependencies=no
Wants=time-set.target
# Ordered after systemd-sysusers.service, presumably so that the account named
# in User= exists before the daemon is started.
After=systemd-sysusers.service
Before=time-set.target sysinit.target shutdown.target
Conflicts=shutdown.target

[Service]
# --- Lifecycle ---------------------------------------------------------------
# Readiness is reported by the daemon itself (Type=notify).
Type=notify
BusName=org.freedesktop.timesync1
# "!!" only takes effect on systems without ambient-capability support: there
# the process is started with full privileges and is expected to drop them
# itself. Where ambient capabilities are available, User= and
# AmbientCapabilities= below apply as written.
ExecStart=!!/usr/lib/systemd/systemd-timesyncd
# Turn off DNSSEC validation for hostname look-ups, since those need the
# correct time to work, but we likely won't acquire that without NTP. Let's
# break this chicken-and-egg cycle here.
# Consequence to keep in mind: the NTP server names this service resolves are
# not DNSSEC-validated.
Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
# TimeoutSec= sets both the start and the stop timeout.
# NOTE(review): 3 s is a tight bound for a Type=notify service - confirm it is
# intentional for this build.
TimeoutSec=3
# Always restart, without delay, when the process exits or the watchdog
# keep-alive is missed for 3 minutes.
Restart=always
RestartSec=0
WatchdogSec=3min

# --- Identity and capabilities -----------------------------------------------
# Unprivileged service account that keeps exactly one capability: setting the
# system clock. The bounding set prevents acquiring any other capability.
User=systemd-timesync
AmbientCapabilities=CAP_SYS_TIME
CapabilityBoundingSet=CAP_SYS_TIME
# No privilege gain through execve() (setuid/setgid bits, file capabilities).
NoNewPrivileges=yes

# --- Filesystem view ---------------------------------------------------------
# Whole file system hierarchy read-only; home directories inaccessible;
# private /tmp and /var/tmp; private /dev without physical devices.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Processes owned by other users are hidden in /proc.
ProtectProc=invisible
# The only writable locations: /run/systemd/timesync and
# /var/lib/systemd/timesync, created by the service manager for User=.
RuntimeDirectory=systemd/timesync
StateDirectory=systemd/timesync

# --- Kernel interfaces -------------------------------------------------------
# No writes to cgroups or kernel tunables, no hostname changes, no access to
# the kernel log buffer, no explicit kernel module loading.
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes

# --- Process restrictions ----------------------------------------------------
# Execution domain locked; no memory mappings that are both writable and
# executable; no new namespaces; no realtime scheduling; no creation of
# SUID/SGID files.
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# --- Network -----------------------------------------------------------------
# Allow-list of socket address families: local sockets plus IPv4/IPv6.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# --- System calls ------------------------------------------------------------
# Allow-list: the generic @system-service set plus @clock (needed to adjust the
# system clock). Native ABI only. A filtered call fails with EPERM instead of
# terminating the process.
SystemCallArchitectures=native
SystemCallFilter=@system-service @clock
SystemCallErrorNumber=EPERM

[Install]
WantedBy=sysinit.target
# Alias installed on enable so the unit is also reachable under the
# dbus-org.freedesktop.timesync1.service name.
Alias=dbus-org.freedesktop.timesync1.service