Per @shlevy's request on #96092.
wip/yesman
parent
2b7e3a20c3
commit
39383a8494
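--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -1,56 +1,16 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
+{ lib, ... }:
 let
-cfg = config.security.rngd;
+removed = k: lib.mkRemovedOptionModule [ "security" "rngd" k ];
 in
 {
-options = {
-security.rngd = {
-enable = mkOption {
-type = types.bool;
-default = false;
-description = ''
-Whether to enable the rng daemon. Devices that the kernel recognises
-as entropy sources are handled automatically by krngd.
-'';
-};
-debug = mkOption {
-type = types.bool;
-default = false;
-description = "Whether to enable debug output (-d).";
-};
-};
-};
-
-config = mkIf cfg.enable {
-systemd.services.rngd = {
-bindsTo = [ "dev-random.device" ];
-
-after = [ "dev-random.device" ];
-
-# Clean shutdown without DefaultDependencies
-conflicts = [ "shutdown.target" ];
-before = [
-"sysinit.target"
-"shutdown.target"
-];
-
-description = "Hardware RNG Entropy Gatherer Daemon";
-
-# rngd may have to start early to avoid entropy starvation during boot with encrypted swap
-unitConfig.DefaultDependencies = false;
-serviceConfig = {
-ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
-+ optionalString cfg.debug " -d";
-# PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
-# thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
-NoNewPrivileges = true;
-PrivateNetwork = true;
-ProtectSystem = "full";
-ProtectHome = true;
-};
-};
-};
+imports = [
+(removed "enable" ''
+rngd is not necessary for any device that the kernel recognises
+as an hardware RNG, as it will automatically run the krngd task
+to periodically collect random data from the device and mix it
+into the kernel's RNG.
+'')
+(removed "debug"
+"The rngd module was removed, so its debug option does nothing.")
+];
 }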
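Review bot: The removal message for `enable` (the `(removed "enable" ''` block) only justifies dropping the option for devices the kernel already drives through krngd, while the removed module's own comments show rngd was also being started early to avoid entropy starvation during boot with encrypted swap, and a user who hits this error gets no pointer for that second case. Since `mkRemovedOptionModule` turns the old setting into an evaluation error, the message is the only place that guidance can live; consider adding a sentence such as `If rngd was enabled to avoid entropy starvation early in boot, confirm the kernel RNG is seeded by other means before relying on this removal.` The same text also reads `as an hardware RNG`, which should be `as a hardware RNG`. Whether any in-tree replacement covers the early-boot case is not visible on this page, so the exact wording would need to be confirmed by the author.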
||||
|