systemd service

[Artoria2e5]

It could be... made easier to get rsntp up and running if we put an examples/rsntp.service in. Down in my /etc I got this going:

systemd unit file

[Unit]
Description=High-performance ntp server
After=chronyd.service
BindsTo=chronyd.service
Documentation=https://github.com/mlichvar/rsntp

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/rsntp
ExecStart=/usr/bin/rsntp $OPTIONS

CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM

DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
#ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict

RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap

[Install]
WantedBy=multi-user.target

Now what's going on in my /usr is not pretty at all: I copied the binary from my cargo directory, and the libstd to /lib64 from /root's rustup directory. Somehow it still thinks of the old home, so no ProtectHome here.