| blob | 36dce8bb3e038c50a0c71f5ca86d68011b568d3c |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
8 with lib;
10 let
11 cfg = config.services.infnoise;
12 in
13 {
14 options = {
15 services.infnoise = {
16 enable = mkEnableOption "the Infinite Noise TRNG driver";
18 fillDevRandom = mkOption {
19 description = ''
20 Whether to run the infnoise driver as a daemon to refill /dev/random.
22 If disabled, you can use the `infnoise` command-line tool to
23 manually obtain randomness.
24 '';
25 type = types.bool;
26 default = true;
27 };
28 };
29 };
31 config = mkIf cfg.enable {
32 environment.systemPackages = [ pkgs.infnoise ];
34 services.udev.extraRules = ''
35 SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
36 '';
38 systemd.services.infnoise = mkIf cfg.fillDevRandom {
39 description = "Infinite Noise TRNG driver";
41 bindsTo = [ "dev-infnoise.device" ];
42 after = [ "dev-infnoise.device" ];
44 serviceConfig = {
45 ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug";
46 Restart = "always";
47 User = "infnoise";
48 DynamicUser = true;
49 SupplementaryGroups = [ "dialout" ];
50 DeviceAllow = [ "/dev/infnoise" ];
51 DevicePolicy = "closed";
52 PrivateNetwork = true;
53 ProtectSystem = "strict";
54 ProtectHome = true;
55 ProtectHostname = true;
56 ProtectKernelLogs = true;
57 ProtectKernelModules = true;
58 ProtectKernelTunables = true; # only reads entropy pool size and watermark
59 RestrictNamespaces = true;
60 RestrictRealtime = true;
61 LockPersonality = true;
62 MemoryDenyWriteExecute = true;
63 };
64 };
65 };
66 }