authorWORLDofPEACE <worldofpeace@protonmail.ch>2020-09-09 21:53:41 -0400
committerGitHub <noreply@github.com>2020-09-09 21:53:41 -0400
commitf7a6a1a18392648f76d719be193cbc47f42cf735 (patch)
treee00390599407f1a435b6e088965755b6f9edd152 /nixos
parent50feed19a620cd67d41e039f13cfac47b75ef002 (diff)
parentca674c176918f7b33407608b7894e32e6211dab9 (diff)
Merge pull request #96092 from nbraud/security/rngd
nixos/modules/security/rngd: Disable by default
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2009.xml7
-rw-r--r--nixos/modules/security/rngd.nix13
2 files changed, 10 insertions, 10 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 8bc51c906ae8..1b51fbd566d5 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -815,6 +815,13 @@ CREATE ROLE postgres LOGIN SUPERUSER;
      the value of <option>services.jellyfin.package</option> to <literal>pkgs.jellyfin_10_5</literal>.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     The <literal>security.rngd</literal> service is now disabled by default.
+     This choice was made because there's krngd in the linux kernel space making it (for most usecases)
+     functionally redundent.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index cffa1a5849f9..cb885c4762d0 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -10,11 +10,10 @@ in
     security.rngd = {
       enable = mkOption {
         type = types.bool;
-        default = true;
+        default = false;
         description = ''
-          Whether to enable the rng daemon, which adds entropy from
-          hardware sources of randomness to the kernel entropy pool when
-          available.
+          Whether to enable the rng daemon.  Devices that the kernel recognises
+          as entropy sources are handled automatically by krngd.
         '';
       };
       debug = mkOption {
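Review bot: The rewritten description for `security.rngd.enable` says what rngd is no longer needed for, but not what enabling it still provides, so after this change a reader of the option docs cannot tell when `enable = true` is the right choice. The kernel-side mechanism only covers devices that have an in-kernel hwrng driver, and the description should state that boundary, e.g. `Whether to enable the rng daemon (rngd). The kernel already feeds entropy from devices it recognises as hwrng sources into its pool, so this is only useful for sources that rngd supports and the kernel does not handle itself.`; the thread name `krngd` is not the only name that mechanism has gone by, so I would confirm it before documenting it. The next hunk also drops the udev rules that pulled `rngd.service` in through `SYSTEMD_WANTS` for `hw_random` and RDRAND-capable CPUs; unless a `wantedBy` is set further down the file (outside this diff), setting `enable = true` may no longer start the service on its own, which is worth verifying since the default is flipping to `false` in the same commit.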
@@ -26,12 +25,6 @@ in
   };
 
   config = mkIf cfg.enable {
-    services.udev.extraRules = ''
-      KERNEL=="random", TAG+="systemd"
-      SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
-      KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
-    '';
-
     systemd.services.rngd = {
       bindsTo = [ "dev-random.device" ];