ConditionCapability=CAP_SYS_TIME
ConditionVirtualization=!container
DefaultDependencies=no
-After=systemd-remount-fs.service systemd-sysusers.service
-Before=time-sync.target sysinit.target shutdown.target
+After=systemd-sysusers.service
+Before=time-set.target sysinit.target shutdown.target
Conflicts=shutdown.target
-Wants=time-sync.target
+Wants=time-set.target time-sync.target
[Service]
AmbientCapabilities=CAP_SYS_TIME
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
+ProtectKernelLogs=yes
ProtectSystem=strict
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RuntimeDirectory=systemd/timesync
StateDirectory=systemd/timesync
SystemCallArchitectures=native
SystemCallFilter=@system-service @clock
Type=notify
User=systemd-timesync
-WatchdogSec=3min
+@SERVICE_WATCHDOG@
[Install]
WantedBy=sysinit.target