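# NixOS module for the haveged entropy daemon.
#
# Explicit `lib.` qualifiers are used instead of `with lib;` so every
# name's origin is visible and nothing from `lib` can shadow a local
# binding; the evaluated configuration is unchanged.
{ config, lib, pkgs, ... }:

let
  # Shorthand for this module's own option values.
  cfg = config.services.haveged;
in

{

  ###### interface

  options = {

    services.haveged = {

      enable = lib.mkEnableOption (lib.mdDoc ''
        haveged entropy daemon, which refills /dev/random when low.
        NOTE: does nothing on kernels newer than 5.6.
      '');
      # source for the note https://github.com/jirka-h/haveged/issues/57

      # Passed verbatim as `haveged -w <bits>` (see ExecStart below).
      refill_threshold = lib.mkOption {
        type = lib.types.int;
        default = 1024;
        description = lib.mdDoc ''
          The number of bits of available entropy beneath which
          haveged should refill the entropy pool.
        '';
      };

    };

  };

  ###### implementation

  config = lib.mkIf cfg.enable {

    # Unit layout and hardening directives follow the upstream Fedora unit:
    # https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service
    systemd.services.haveged = {
      description = "Entropy Daemon based on the HAVEGE algorithm";
      unitConfig = {
        Documentation = "man:haveged(8)";
        # The unit is ordered by hand (see wantedBy/after/before) because it
        # has to run before sysinit.target, so the implicit dependencies
        # are switched off.
        DefaultDependencies = false;
        # Matches the NOTE in the option description: on 5.6 and newer the
        # unit is skipped by systemd instead of running to no effect.
        ConditionKernelVersion = "<5.6";
      };
      wantedBy = [ "sysinit.target" ];
      after = [ "systemd-tmpfiles-setup-dev.service" ];
      before = [ "sysinit.target" "shutdown.target" "systemd-journald.service" ];

      serviceConfig = {
        # refill_threshold is typed as an int, so its interpolation into the
        # command line cannot introduce additional arguments.
        ExecStart = "${pkgs.haveged}/bin/haveged -w ${toString cfg.refill_threshold} --Foreground -v 1";
        Restart = "always";
        SuccessExitStatus = "137 143";
        # No User= is set, so the daemon keeps root; the directives below
        # confine it instead. CAP_SYS_ADMIN is presumably what it needs to
        # feed the kernel entropy pool — the bounding set is reduced to that
        # and CAP_SYS_CHROOT, and the secure bits are locked so the process
        # cannot regain anything it drops.
        SecureBits = "noroot-locked";
        CapabilityBoundingSet = [ "CAP_SYS_ADMIN" "CAP_SYS_CHROOT" ];
        # We can *not* set PrivateTmp=true as it can cause an ordering cycle.
        PrivateTmp = false;
        PrivateDevices = true;
        # "full" rather than "strict": the daemon must still be able to
        # reach the kernel's random-device interfaces — TODO confirm which
        # paths it writes before tightening further.
        ProtectSystem = "full";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        # Allow the @system-service set plus newuname; deny the @mount group.
        # Filtered calls fail with EPERM instead of killing the process.
        SystemCallFilter = [ "@system-service" "newuname" "~@mount" ];
        SystemCallErrorNumber = "EPERM";
      };

    };
  };

}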