Merge pull request #71302 from tokudan/encrypted-swap-entropy-fix

rngd: Start early during boot and encrypted swap entropy fix

1 files changed, 4 insertions, 1 deletions

diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index d9d6d9c9f253..5566c53897dc 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -39,12 +39,15 @@ in
 
       description = "Hardware RNG Entropy Gatherer Daemon";
 
+      # rngd may have to start early to avoid entropy starvation during boot with encrypted swap
+      unitConfig.DefaultDependencies = false;
       serviceConfig = {
         ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
           + optionalString cfg.debug " -d";
+        # PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
+        # thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
         NoNewPrivileges = true;
         PrivateNetwork = true;
-        PrivateTmp = true;
         ProtectSystem = "full";
         ProtectHome = true;
       };