{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.services.infnoise;

  # Match the stick's FTDI-based USB bridge (vendor 0403, product 6015),
  # expose it as /dev/infnoise and have udev pull in infnoise.service.
  # GROUP/MODE make the raw device readable and writable by every member of
  # "dialout", independently of the daemon below.
  udevRule = ''
    SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
  '';
in
{
  options.services.infnoise = {
    enable = mkEnableOption "the Infinite Noise TRNG driver";

    fillDevRandom = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to run the infnoise driver as a daemon to refill /dev/random.

        If disabled, you can use the `infnoise` command-line tool to
        manually obtain randomness.
      '';
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.infnoise ];

    services.udev.extraRules = udevRule;

    systemd.services.infnoise = mkIf cfg.fillDevRandom {
      description = "Infinite Noise TRNG driver";

      # Couple the unit to the device node: udev starts it when the stick
      # appears (SYSTEMD_WANTS above) and bindsTo stops it when it is removed.
      bindsTo = [ "dev-infnoise.device" ];
      after = [ "dev-infnoise.device" ];

      serviceConfig = {
        # NOTE(review): --debug keeps the driver's diagnostic output in the
        # journal; check what it logs before relying on it outside of testing.
        ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug";
        Restart = "always";

        # Unprivileged, transient user; membership in "dialout" is what grants
        # access to the udev-created node.
        # NOTE(review): no AmbientCapabilities are granted, so confirm the
        # driver can credit entropy to the pool as this user rather than only
        # writing uncredited data into /dev/random.
        User = "infnoise";
        DynamicUser = true;
        SupplementaryGroups = [ "dialout" ];

        # Only the TRNG node is visible; "closed" still permits the standard
        # pseudo-devices (/dev/null, /dev/random, /dev/urandom, ...).
        DeviceAllow = [ "/dev/infnoise" ];
        DevicePolicy = "closed";

        # The daemon needs no network and nothing outside its own state.
        PrivateNetwork = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true; # only reads entropy pool size and watermark
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
      };
    };
  };
}