| blob | 4fb8adaf33f894351f07149c76f49a2271be544e |
1 { config, lib, pkgs, ... }:
3 with lib;
5 let
6 cfg = config.services.infnoise;
7 in {
8 options = {
9 services.infnoise = {
10 enable = mkEnableOption "the Infinite Noise TRNG driver";
12 fillDevRandom = mkOption {
13 description = ''
14 Whether to run the infnoise driver as a daemon to refill /dev/random.
16 If disabled, you can use the `infnoise` command-line tool to
17 manually obtain randomness.
18 '';
19 type = types.bool;
20 default = true;
21 };
22 };
23 };
25 config = mkIf cfg.enable {
26 environment.systemPackages = [ pkgs.infnoise ];
28 services.udev.extraRules = ''
29 SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
30 '';
32 systemd.services.infnoise = mkIf cfg.fillDevRandom {
33 description = "Infinite Noise TRNG driver";
35 bindsTo = [ "dev-infnoise.device" ];
36 after = [ "dev-infnoise.device" ];
38 serviceConfig = {
39 ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug";
40 Restart = "always";
41 User = "infnoise";
42 DynamicUser = true;
43 SupplementaryGroups = [ "dialout" ];
44 DeviceAllow = [ "/dev/infnoise" ];
45 DevicePolicy = "closed";
46 PrivateNetwork = true;
47 ProtectSystem = "strict";
48 ProtectHome = true;
49 ProtectHostname = true;
50 ProtectKernelLogs = true;
51 ProtectKernelModules = true;
52 ProtectKernelTunables = true; # only reads entropy pool size and watermark
53 RestrictNamespaces = true;
54 RestrictRealtime = true;
55 LockPersonality = true;
56 MemoryDenyWriteExecute = true;
57 };
58 };
59 };
60 }