Relocate HAOS Systemd drop-ins to /usr/lib/systemd (#3582)

* Relocate HAOS Systemd drop-ins to /usr/lib/systemd

With some exceptions, Systemd drop-ins overriding default unit configuration
have been placed to `/etc/systemd/system`. This is meant for user overrides of
those, or per `man 5 systemd.unit` for "system unites created by the
administrator". Relocate all of these to `/usr/lib/systemd` which should be
used as path for units "installed by the distribution package manager" which is
closer to what we're trying to achieve.

This will make it easier to detect changes to unit files once we enable the
possibility to edit the content of /etc.

* Patch systemd-timesyncd.service instead of replacing it fully

buildroot-external/patches/systemd/0003-systemd-timesyncd-delay-start-after-network-online.t.patch

@@ -0,0 +1,41 @@
+From 13cf1bb9c5fa91762184c3b0dddea1328c2746bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cerm=C3=A1k?= <sairon@sairon.cz>
+Date: Wed, 11 Sep 2024 17:25:00 +0200
+Subject: [PATCH] systemd-timesyncd: delay start after network-online.target
+
+As explained in [1], it's desired for the systemd-timesyncd to run after
+the network is deemed online, otherwise the connectivity (at least on
+HAOS with NetworkManager) is not operational when the NTP sync is
+attempted and it fails, delaying the boot and leading to other problems.
+Because it's not possible to remove dependencies of existing units using
+drop-ins, patch the service template file for systemd-timesyncd unit
+instead, avoiding the need for complete unit file override as in [2].
+
+[1] https://github.com/home-assistant/operating-system/pull/2068
+[2] https://github.com/home-assistant/operating-system/pull/2082
+---
+ units/systemd-timesyncd.service.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
+index c606461..5870744 100644
+--- a/units/systemd-timesyncd.service.in
++++ b/units/systemd-timesyncd.service.in
+@@ -13,8 +13,8 @@ Documentation=man:systemd-timesyncd.service(8)
+ ConditionCapability=CAP_SYS_TIME
+ ConditionVirtualization=!container
+ DefaultDependencies=no
+-After=systemd-sysusers.service
+-Before=time-set.target sysinit.target shutdown.target
++After=systemd-sysusers.service network-online.target
++Before=time-set.target shutdown.target
+ Conflicts=shutdown.target
+ Wants=time-set.target
+ 
+@@ -56,5 +56,5 @@ User=systemd-timesync
+ {{SERVICE_WATCHDOG}}
+ 
+ [Install]
+-WantedBy=sysinit.target
++WantedBy=time-sync.target
+ Alias=dbus-org.freedesktop.timesync1.service

buildroot-external/rootfs-overlay/etc/systemd/system/systemd-timesyncd.service

@@ -1,60 +0,0 @@
-#  SPDX-License-Identifier: LGPL-2.1-or-later
-#
-#  This file is part of systemd.
-#
-#  systemd is free software; you can redistribute it and/or modify it
-#  under the terms of the GNU Lesser General Public License as published by
-#  the Free Software Foundation; either version 2.1 of the License, or
-#  (at your option) any later version.
-
-[Unit]
-Description=Network Time Synchronization
-Documentation=man:systemd-timesyncd.service(8)
-ConditionCapability=CAP_SYS_TIME
-ConditionVirtualization=!container
-DefaultDependencies=no
-After=systemd-sysusers.service
-Before=time-set.target shutdown.target
-Conflicts=shutdown.target
-Wants=time-set.target
-
-[Service]
-AmbientCapabilities=CAP_SYS_TIME
-BusName=org.freedesktop.timesync1
-CapabilityBoundingSet=CAP_SYS_TIME
-# Turn off DNSSEC validation for hostname look-ups, since those need the
-# correct time to work, but we likely won't acquire that without NTP. Let's
-# break this chicken-and-egg cycle here.
-Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
-ExecStart=!!/usr/lib/systemd/systemd-timesyncd
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-PrivateDevices=yes
-PrivateTmp=yes
-ProtectProc=invisible
-ProtectControlGroups=yes
-ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectSystem=strict
-Restart=always
-RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
-RuntimeDirectory=systemd/timesync
-StateDirectory=systemd/timesync
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service @clock
-Type=notify
-User=systemd-timesync
-WatchdogSec=3min
-
-[Install]
-WantedBy=time-sync.target
-Alias=dbus-org.freedesktop.timesync1.service

buildroot-external/rootfs-overlay/usr/lib/systemd/system/systemd-timesyncd.service.d/hassos.conf

@@ -1,3 +1,2 @@
 [Unit]
 RequiresMountsFor=/var/lib/systemd
-After=network-online.target