diff options
| author | Robert Helgesson <robert@rycee.net> | 2016-09-13 07:07:46 +0200 |
|---|---|---|
| committer | Franz Pletz <fpletz@fnordicwalking.de> | 2016-09-13 07:07:46 +0200 |
| commit | b023e8f303893d34916284d9434d1fb806e6e124 (patch) | |
| tree | 2e28cbb74231e4428e14b236b9d1b40189ff4f33 /nixos/modules/services/security/haveged.nix | |
| parent | 87ee2736ce61d53f2919b155749c4cc3594cc6f1 (diff) | |
| download | nixpkgs-b023e8f303893d34916284d9434d1fb806e6e124.tar nixpkgs-b023e8f303893d34916284d9434d1fb806e6e124.tar.gz nixpkgs-b023e8f303893d34916284d9434d1fb806e6e124.tar.bz2 nixpkgs-b023e8f303893d34916284d9434d1fb806e6e124.tar.lz nixpkgs-b023e8f303893d34916284d9434d1fb806e6e124.tar.xz nixpkgs-b023e8f303893d34916284d9434d1fb806e6e124.tar.zst nixpkgs-b023e8f303893d34916284d9434d1fb806e6e124.zip | |
haveged module: clean up service configuration (#18513)
Switches from the forking service type to simple by running haveged in the foreground. Also restricts the execution environment a bit (these are inspired by the Debian service file).
Diffstat (limited to 'nixos/modules/services/security/haveged.nix')
| -rw-r--r-- | nixos/modules/services/security/haveged.nix | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/nixos/modules/services/security/haveged.nix b/nixos/modules/services/security/haveged.nix index 2aa523bf70a..eca52918881 100644 --- a/nixos/modules/services/security/haveged.nix +++ b/nixos/modules/services/security/haveged.nix @@ -48,14 +48,18 @@ in { description = "Entropy Harvesting Daemon"; unitConfig.Documentation = "man:haveged(8)"; wantedBy = [ "multi-user.target" ]; - + path = [ pkgs.haveged ]; - - serviceConfig = - { Type = "forking"; - ExecStart = "${pkgs.haveged}/sbin/haveged -w ${toString cfg.refill_threshold} -v 1"; - PIDFile = "/run/haveged.pid"; - }; + + serviceConfig = { + ExecStart = "${pkgs.haveged}/bin/haveged -F -w ${toString cfg.refill_threshold} -v 1"; + SuccessExitStatus = 143; + PrivateTmp = true; + PrivateDevices = true; + PrivateNetwork = true; + ProtectSystem = "full"; + ProtectHome = true; + }; }; }; |