Add unit file

meson.build

@@ -880,6 +880,7 @@ subdir('src/fundamental')
 subdir('src/basic')
 subdir('src/libsystemd')
 subdir('src/shared')
+subdir('units')
 
 install_libsystemd_static = static_library(
         'systemd',

src/nts-timesync/80-systemd-timesync.list

@@ -1,4 +1,4 @@
 # This file is part of systemd.
 # See systemd-timedated.service(8) for more information.
 
-systemd-timesyncd.service
+systemd-nts-timesyncd.service

units/meson.build

@@ -0,0 +1,6 @@
+systemd_nts_timesyncd_conf = configure_file(
+                       input : 'nts-timesyncd.service.in',
+                       output : 'nts-timesyncd.service',
+                       configuration : substs)
+                       install_data(systemd_nts_timesyncd_conf,
+                       install_dir : '/lib/systemd/system')

units/nts-timesyncd.service.in

@@ -0,0 +1,60 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Network Time Synchronization using ntpsec
+Documentation=man:nts-timesyncd.service.service(8)
+ConditionCapability=CAP_SYS_TIME
+ConditionVirtualization=!container
+DefaultDependencies=no
+After=systemd-sysusers.service
+Before=time-set.target sysinit.target shutdown.target
+Conflicts=shutdown.target
+Wants=time-set.target
+
+[Service]
+AmbientCapabilities=CAP_SYS_TIME
+BusName=org.freedesktop.ntstimesync1
+CapabilityBoundingSet=CAP_SYS_TIME
+# Turn off DNSSEC validation for hostname look-ups, since those need the
+# correct time to work, but we likely won't acquire that without NTP. Let's
+# break this chicken-and-egg cycle here.
+Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
+ExecStart=!!/usr/bin/nts-timesyncd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectProc=invisible
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+Restart=always
+RestartSec=0
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RuntimeDirectory=nts-timesync
+StateDirectory=nts-timesync
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @clock
+Type=notify
+User=nts-timesync
+
+
+[Install]
+WantedBy=sysinit.target
+Alias=dbus-org.freedesktop.ntstimesync1.service