diff options
| author | Guillaume Girol <symphorien@users.noreply.github.com> | 2022-06-05 17:30:34 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-05 17:30:34 +0000 |
| commit | 7548b711384e6214787a6615fbd3be3b968fc430 (patch) | |
| tree | e2f9679c603bcdd747c14414e7da5d04cee07497 /nixos/modules | |
| parent | 4697dffd3c48522c22e8384ad95ead3af5180e25 (diff) | |
| parent | d7432b815d0e08634d0a5e4f56f42fc18cbd38e9 (diff) | |
Merge pull request #171778 from zhaofengli/infnoise-0.3.2
infnoise: unstable-2019-08-12 -> 0.3.2, nixos/infnoise: init
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/security/infnoise.nix | 60 |
2 files changed, 61 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 902fffd60f9b9..d59d7bfe40d9f 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -983,6 +983,7 @@ ./services/security/hologram-server.nix ./services/security/hologram-agent.nix ./services/security/kanidm.nix + ./services/security/infnoise.nix ./services/security/munge.nix ./services/security/nginx-sso.nix ./services/security/oauth2_proxy.nix diff --git a/nixos/modules/services/security/infnoise.nix b/nixos/modules/services/security/infnoise.nix new file mode 100644 index 0000000000000..4fb8adaf33f89 --- /dev/null +++ b/nixos/modules/services/security/infnoise.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.infnoise; +in { + options = { + services.infnoise = { + enable = mkEnableOption "the Infinite Noise TRNG driver"; + + fillDevRandom = mkOption { + description = '' + Whether to run the infnoise driver as a daemon to refill /dev/random. + + If disabled, you can use the `infnoise` command-line tool to + manually obtain randomness. + ''; + type = types.bool; + default = true; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.infnoise ]; + + services.udev.extraRules = '' + SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service" + ''; + + systemd.services.infnoise = mkIf cfg.fillDevRandom { + description = "Infinite Noise TRNG driver"; + + bindsTo = [ "dev-infnoise.device" ]; + after = [ "dev-infnoise.device" ]; + + serviceConfig = { + ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug"; + Restart = "always"; + User = "infnoise"; + DynamicUser = true; + SupplementaryGroups = [ "dialout" ]; + DeviceAllow = [ "/dev/infnoise" ]; + DevicePolicy = "closed"; + PrivateNetwork = true; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; # only reads entropy pool size and watermark + RestrictNamespaces = true; + RestrictRealtime = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + }; + }; + }; +} |