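{ config, lib, pkgs, ... }:

let
  cfg = config.services.infnoise;

  # udev rule for the Infinite Noise TRNG.
  #
  # NOTE(review): 0403:6015 is FTDI's generic FT-X series VID/PID and is not
  # specific to this product, so any FT-X based USB device plugged into the
  # machine receives the /dev/infnoise symlink (and, with fillDevRandom, starts
  # the daemon).  If that matters, add an ATTRS{product}/ATTRS{serial} match —
  # confirm against the device strings of your unit.
  #
  # The device node is group-writable by `dialout` so the CLI works without
  # root.  ENV{SYSTEMD_WANTS} is only emitted when the unit actually exists
  # (fillDevRandom); otherwise udev would request a unit that is never defined
  # and systemd would log a failed dependency on every plug event.
  udevRule = lib.concatStringsSep ", " ([
    ''SUBSYSTEM=="usb"''
    ''ATTRS{idVendor}=="0403"''
    ''ATTRS{idProduct}=="6015"''
    ''SYMLINK+="infnoise"''
    ''TAG+="systemd"''
    ''GROUP="dialout"''
    ''MODE="0664"''
  ] ++ lib.optional cfg.fillDevRandom ''ENV{SYSTEMD_WANTS}="infnoise.service"'');
in
{
  options.services.infnoise = {
    enable = lib.mkEnableOption (lib.mdDoc "the Infinite Noise TRNG driver");

    fillDevRandom = lib.mkOption {
      description = lib.mdDoc ''
        Whether to run the infnoise driver as a daemon to refill /dev/random.

        If disabled, you can use the `infnoise` command-line tool to
        manually obtain randomness.
      '';
      type = lib.types.bool;
      default = true;
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ pkgs.infnoise ];

    services.udev.extraRules = "${udevRule}\n";

    # Daemon that feeds the kernel entropy pool; started by udev when the
    # device appears and bound to it so unplugging stops the service.
    systemd.services.infnoise = lib.mkIf cfg.fillDevRandom {
      description = "Infinite Noise TRNG driver";

      bindsTo = [ "dev-infnoise.device" ];
      after = [ "dev-infnoise.device" ];

      serviceConfig = {
        # NOTE(review): --debug keeps the existing (verbose) journal output;
        # confirm it is wanted on production hosts before relying on the logs.
        ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug";
        Restart = "always";

        # Unprivileged, transient user.  DynamicUser also implies
        # NoNewPrivileges, PrivateTmp, RemoveIPC and RestrictSUIDSGID.
        # NOTE(review): if the driver *credits* entropy (RNDADDENTROPY ioctl)
        # rather than just writing into /dev/random, that needs CAP_SYS_ADMIN,
        # which this user does not have — confirm against the driver's
        # behaviour and journal output.
        User = "infnoise";
        DynamicUser = true;
        SupplementaryGroups = [ "dialout" ];

        # Only the TRNG itself is exposed; DevicePolicy=closed still permits
        # the standard pseudo-devices (/dev/null, /dev/random, /dev/urandom,
        # ...) per systemd.resource-control(5), which is how the daemon reaches
        # /dev/random.
        DeviceAllow = [ "/dev/infnoise" ];
        DevicePolicy = "closed";

        # Remaining sandboxing: no network, read-only system, no kernel
        # tunables/modules/logs, no namespaces or realtime scheduling.
        PrivateNetwork = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true; # only reads entropy pool size and watermark
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
      };
    };
  };
}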