diff options
Diffstat (limited to 'nixos/modules/services/security/infnoise.nix')
| -rw-r--r-- | nixos/modules/services/security/infnoise.nix | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/nixos/modules/services/security/infnoise.nix b/nixos/modules/services/security/infnoise.nix new file mode 100644 index 0000000000000..4fb8adaf33f89 --- /dev/null +++ b/nixos/modules/services/security/infnoise.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.infnoise; +in { + options = { + services.infnoise = { + enable = mkEnableOption "the Infinite Noise TRNG driver"; + + fillDevRandom = mkOption { + description = '' + Whether to run the infnoise driver as a daemon to refill /dev/random. + + If disabled, you can use the `infnoise` command-line tool to + manually obtain randomness. + ''; + type = types.bool; + default = true; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.infnoise ]; + + services.udev.extraRules = '' + SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service" + ''; + + systemd.services.infnoise = mkIf cfg.fillDevRandom { + description = "Infinite Noise TRNG driver"; + + bindsTo = [ "dev-infnoise.device" ]; + after = [ "dev-infnoise.device" ]; + + serviceConfig = { + ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug"; + Restart = "always"; + User = "infnoise"; + DynamicUser = true; + SupplementaryGroups = [ "dialout" ]; + DeviceAllow = [ "/dev/infnoise" ]; + DevicePolicy = "closed"; + PrivateNetwork = true; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; # only reads entropy pool size and watermark + RestrictNamespaces = true; + RestrictRealtime = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + }; + }; + }; +} |