grimm-nixos-laptop/hardening/systemd/global/clock.nix

{ lib, config, ... }:
let
  inherit (lib) mkDefault types mkIf;
in
{
  options.systemd.services = lib.mkOption {
    type =
      let
        osConfig = config;
      in
      types.attrsOf (
        lib.types.submodule (
          { config, name, ... }:
          {
            config.serviceConfig = mkIf (osConfig.specialisation != { }) {
              ProtectClock = mkDefault true;
            };
          }
        )
      );
  };

  config = mkIf (config.specialisation != { }) {

    systemd.services = {
      systemd-timesyncd.serviceConfig = {
        ProtectClock = false;
        SystemCallFilter = "@system-service @clock";
      };

      save-hwclock.serviceConfig = {
        ProtectClock = false;
        SystemCallFilter = "@system-service @clock";
      };
    };
  };
}
more sysd hardening 2025-01-07 11:31:43 +01:00			`{ lib, config, ... }:`
			`let`
			`inherit (lib) mkDefault types mkIf;`
			`in`
			`{`
			`options.systemd.services = lib.mkOption {`
			`type =`
			`let`
			`osConfig = config;`
			`in`
			`types.attrsOf (`
			`lib.types.submodule (`
			`{ config, name, ... }:`
			`{`
			`config.serviceConfig = mkIf (osConfig.specialisation != { }) {`
			`ProtectClock = mkDefault true;`
			`};`
			`}`
			`)`
			`);`
			`};`

			`config = mkIf (config.specialisation != { }) {`

			`systemd.services = {`
			`systemd-timesyncd.serviceConfig = {`
			`ProtectClock = false;`
			`SystemCallFilter = "@system-service @clock";`
			`};`

			`save-hwclock.serviceConfig = {`
			`ProtectClock = false;`
			`SystemCallFilter = "@system-service @clock";`
			`};`
			`};`
			`};`
			`}`