1 { config, lib, pkgs, ... }:
6 cfg = config.services.infnoise;
10 enable = mkEnableOption (lib.mdDoc "the Infinite Noise TRNG driver");
12 fillDevRandom = mkOption {
13 description = lib.mdDoc ''
14 Whether to run the infnoise driver as a daemon to refill /dev/random.
16 If disabled, you can use the `infnoise` command-line tool to
17 manually obtain randomness.
25 config = mkIf cfg.enable {
26 environment.systemPackages = [ pkgs.infnoise ];
28 services.udev.extraRules = ''
29 SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
32 systemd.services.infnoise = mkIf cfg.fillDevRandom {
33 description = "Infinite Noise TRNG driver";
35 bindsTo = [ "dev-infnoise.device" ];
36 after = [ "dev-infnoise.device" ];
39 ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug";
43 SupplementaryGroups = [ "dialout" ];
44 DeviceAllow = [ "/dev/infnoise" ];
45 DevicePolicy = "closed";
46 PrivateNetwork = true;
47 ProtectSystem = "strict";
49 ProtectHostname = true;
50 ProtectKernelLogs = true;
51 ProtectKernelModules = true;
52 ProtectKernelTunables = true; # only reads entropy pool size and watermark
53 RestrictNamespaces = true;
54 RestrictRealtime = true;
55 LockPersonality = true;
56 MemoryDenyWriteExecute = true;