diff options
author | WORLDofPEACE <worldofpeace@protonmail.ch> | 2020-09-09 21:53:41 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-09 21:53:41 -0400 |
commit | f7a6a1a18392648f76d719be193cbc47f42cf735 (patch) | |
tree | e00390599407f1a435b6e088965755b6f9edd152 /nixos | |
parent | 50feed19a620cd67d41e039f13cfac47b75ef002 (diff) | |
parent | ca674c176918f7b33407608b7894e32e6211dab9 (diff) | |
download | nixlib-f7a6a1a18392648f76d719be193cbc47f42cf735.tar nixlib-f7a6a1a18392648f76d719be193cbc47f42cf735.tar.gz nixlib-f7a6a1a18392648f76d719be193cbc47f42cf735.tar.bz2 nixlib-f7a6a1a18392648f76d719be193cbc47f42cf735.tar.lz nixlib-f7a6a1a18392648f76d719be193cbc47f42cf735.tar.xz nixlib-f7a6a1a18392648f76d719be193cbc47f42cf735.tar.zst nixlib-f7a6a1a18392648f76d719be193cbc47f42cf735.zip |
Merge pull request #96092 from nbraud/security/rngd
nixos/modules/security/rngd: Disable by default
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 7 | ||||
-rw-r--r-- | nixos/modules/security/rngd.nix | 13 |
2 files changed, 10 insertions, 10 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 8bc51c906ae8..1b51fbd566d5 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -815,6 +815,13 @@ CREATE ROLE postgres LOGIN SUPERUSER; the value of <option>services.jellyfin.package</option> to <literal>pkgs.jellyfin_10_5</literal>. </para> </listitem> + <listitem> + <para> + The <literal>security.rngd</literal> service is now disabled by default. + This choice was made because there's krngd in the linux kernel space making it (for most usecases) + functionally redundent. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix index cffa1a5849f9..cb885c4762d0 100644 --- a/nixos/modules/security/rngd.nix +++ b/nixos/modules/security/rngd.nix @@ -10,11 +10,10 @@ in security.rngd = { enable = mkOption { type = types.bool; - default = true; + default = false; description = '' - Whether to enable the rng daemon, which adds entropy from - hardware sources of randomness to the kernel entropy pool when - available. + Whether to enable the rng daemon. Devices that the kernel recognises + as entropy sources are handled automatically by krngd. ''; }; debug = mkOption { @@ -26,12 +25,6 @@ in }; config = mkIf cfg.enable { - services.udev.extraRules = '' - KERNEL=="random", TAG+="systemd" - SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" - KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" - ''; - systemd.services.rngd = { bindsTo = [ "dev-random.device" ]; |