# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

# Unit template for the NTP client daemon. The {{...}} tokens are build-time
# template placeholders, so this text is not a loadable unit until they are
# substituted. The effective sandbox of the installed unit can be reviewed
# with: systemd-analyze security systemd-timesyncd.service
[Unit]
Description=Network Time Synchronization
Documentation=man:systemd-timesyncd.service(8)
# Skip the unit when the service manager cannot grant CAP_SYS_TIME, and when
# running inside a container.
ConditionCapability=CAP_SYS_TIME
ConditionVirtualization=!container
# Early-boot service: the implicit dependencies are turned off, so ordering
# and shutdown handling are spelled out by After=/Before=/Conflicts= below.
DefaultDependencies=no
# User=systemd-timesync below must exist before start; presumably that is
# why the unit is ordered after systemd-sysusers.service. Confirm.
After=systemd-sysusers.service
Before=time-set.target sysinit.target shutdown.target
Conflicts=shutdown.target
Wants=time-set.target

[Service]
# Least privilege: the daemon runs as the unprivileged User= set below and
# keeps a single capability, CAP_SYS_TIME. AmbientCapabilities= hands it to
# the non-root process; CapabilityBoundingSet= prevents acquiring any other.
AmbientCapabilities=CAP_SYS_TIME
BusName=org.freedesktop.timesync1
CapabilityBoundingSet=CAP_SYS_TIME
# Turn off DNSSEC validation for hostname look-ups, since those need the
# correct time to work, but we likely won't acquire that without NTP. Let's
# break this chicken-and-egg cycle here.
# NOTE(review): the consequence is that look-ups made by this process are
# not DNSSEC-validated, so the resolved NTP server addresses are only as
# trustworthy as the resolver path. The variable is set in this unit only.
Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
# The "!!" prefix only has an effect on systems without ambient capability
# support: there the binary is started with full privileges instead (as with
# "!") and is expected to drop them itself. Where ambient capabilities are
# available, the prefix does nothing and User=/capability settings apply.
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-timesyncd
# Process hardening: no personality changes, no writable+executable memory
# mappings, no privilege gain through execve().
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
# Filesystem and kernel-interface isolation: private /dev and /tmp, other
# users' processes hidden in /proc, home directories inaccessible, and the
# cgroup tree, hostname, kernel log, modules and tunables protected.
PrivateDevices=yes
PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# The file system hierarchy is mounted read-only for the service; the only
# writable locations this unit configures are RuntimeDirectory= and
# StateDirectory= below (plus the private /tmp).
ProtectSystem=strict
# Restart unconditionally and without delay.
Restart=always
RestartSec=0
# Socket allowlist: local (AF_UNIX) and IPv4/IPv6 only; any other address
# family is refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Created under /run and /var/lib respectively and owned by User=.
RuntimeDirectory=systemd/timesync
StateDirectory=systemd/timesync
# System call allowlist: only native-ABI calls from the @system-service set
# plus @clock (needed to set the clock). A filtered call fails with EPERM
# instead of terminating the process.
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service @clock
# The daemon signals readiness to the service manager via sd_notify().
Type=notify
User=systemd-timesync
# Build-time placeholder; its expansion is not visible in this template.
# Presumably it yields a WatchdogSec= line. Confirm in the build config.
{{SERVICE_WATCHDOG}}

[Install]
WantedBy=sysinit.target
# Alias named after the bus name in BusName= above; presumably it is what
# D-Bus activation of org.freedesktop.timesync1 resolves to once the unit
# is enabled. Confirm against the shipped D-Bus service file.
Alias=dbus-org.freedesktop.timesync1.service