diff options
author | Alyssa Ross <hi@alyssa.is> | 2019-05-17 10:56:54 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2019-05-17 10:56:54 +0000 |
commit | c1d22074139ab0d048a05b5e5116265d099114d6 (patch) | |
tree | 97977009422d675f8930f97c309b010481289e72 /nixpkgs/nixos/modules/security/rngd.nix | |
parent | 4dc8afe4fd6b18437150129e0a1ecc23c6a1c0b9 (diff) | |
parent | bc9df0f66110039e495b6debe3a6cda4a1bb0fed (diff) | |
download | nixlib-c1d22074139ab0d048a05b5e5116265d099114d6.tar nixlib-c1d22074139ab0d048a05b5e5116265d099114d6.tar.gz nixlib-c1d22074139ab0d048a05b5e5116265d099114d6.tar.bz2 nixlib-c1d22074139ab0d048a05b5e5116265d099114d6.tar.lz nixlib-c1d22074139ab0d048a05b5e5116265d099114d6.tar.xz nixlib-c1d22074139ab0d048a05b5e5116265d099114d6.tar.zst nixlib-c1d22074139ab0d048a05b5e5116265d099114d6.zip |
Merge commit 'bc9df0f66110039e495b6debe3a6cda4a1bb0fed'
Diffstat (limited to 'nixpkgs/nixos/modules/security/rngd.nix')
-rw-r--r-- | nixpkgs/nixos/modules/security/rngd.nix | 38 |
1 files changed, 28 insertions, 10 deletions
diff --git a/nixpkgs/nixos/modules/security/rngd.nix b/nixpkgs/nixos/modules/security/rngd.nix index a54ef2e6fcad..d9d6d9c9f253 100644 --- a/nixpkgs/nixos/modules/security/rngd.nix +++ b/nixpkgs/nixos/modules/security/rngd.nix @@ -2,20 +2,30 @@ with lib; +let + cfg = config.security.rngd; +in { options = { - security.rngd.enable = mkOption { - type = types.bool; - default = true; - description = '' - Whether to enable the rng daemon, which adds entropy from - hardware sources of randomness to the kernel entropy pool when - available. - ''; + security.rngd = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the rng daemon, which adds entropy from + hardware sources of randomness to the kernel entropy pool when + available. + ''; + }; + debug = mkOption { + type = types.bool; + default = false; + description = "Whether to enable debug output (-d)."; + }; }; }; - config = mkIf config.security.rngd.enable { + config = mkIf cfg.enable { services.udev.extraRules = '' KERNEL=="random", TAG+="systemd" SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" @@ -29,7 +39,15 @@ with lib; description = "Hardware RNG Entropy Gatherer Daemon"; - serviceConfig.ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"; + serviceConfig = { + ExecStart = "${pkgs.rng-tools}/sbin/rngd -f" + + optionalString cfg.debug " -d"; + NoNewPrivileges = true; + PrivateNetwork = true; + PrivateTmp = true; + ProtectSystem = "full"; + ProtectHome = true; + }; }; }; } |