1 { config, lib, pkgs, ... }:
6 cfg = config.services.haveged;
18 enable = mkEnableOption (lib.mdDoc ''
19 haveged entropy daemon, which refills /dev/random when low.
20 NOTE: has no effect on kernel 5.6 or newer (the service unit is conditioned on kernel version <5.6).
22 # source for the note https://github.com/jirka-h/haveged/issues/57
24 refill_threshold = mkOption {
27 description = lib.mdDoc ''
28 The number of bits of available entropy beneath which
29 haveged should refill the entropy pool.
37 config = mkIf cfg.enable {
39 # https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service
40 systemd.services.haveged = {
41 description = "Entropy Daemon based on the HAVEGE algorithm";
43 Documentation = "man:haveged(8)";
44 DefaultDependencies = false;
45 ConditionKernelVersion = "<5.6";
47 wantedBy = [ "sysinit.target" ];
48 after = [ "systemd-tmpfiles-setup-dev.service" ];
49 before = [ "sysinit.target" "shutdown.target" "systemd-journald.service" ];
52 ExecStart = "${pkgs.haveged}/bin/haveged -w ${toString cfg.refill_threshold} --Foreground -v 1";
54 SuccessExitStatus = "137 143";
55 SecureBits = "noroot-locked";
56 CapabilityBoundingSet = [ "CAP_SYS_ADMIN" "CAP_SYS_CHROOT" ];
57 # We can *not* set PrivateTmp=true as it can cause an ordering cycle.
59 PrivateDevices = true;
60 ProtectSystem = "full";
62 ProtectHostname = true;
63 ProtectKernelLogs = true;
64 ProtectKernelModules = true;
65 RestrictNamespaces = true;
66 RestrictRealtime = true;
67 LockPersonality = true;
68 MemoryDenyWriteExecute = true;
69 SystemCallArchitectures = "native";
70 SystemCallFilter = [ "@system-service" "newuname" "~@mount" ];
71 SystemCallErrorNumber = "EPERM";