summary refs log tree commit diff
path: root/nixos/modules/services/security/haveged.nix
blob: 57cef7e44d5032881bc08c3df1bbfde583fa7f14 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.haveged;

in

{

  ###### interface

  options = {

    services.haveged = {

      enable = mkEnableOption ''
        haveged entropy daemon, which refills /dev/random when low.
        NOTE: does nothing on kernels newer than 5.6.
      '';
      # source for the note https://github.com/jirka-h/haveged/issues/57

      refill_threshold = mkOption {
        type = types.int;
        default = 1024;
        description = ''
          The number of bits of available entropy beneath which
          haveged should refill the entropy pool.
        '';
      };

    };

  };

  config = mkIf cfg.enable {

    # https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service
    systemd.services.haveged = {
      description = "Entropy Daemon based on the HAVEGE algorithm";
      unitConfig = {
        Documentation = "man:haveged(8)";
        DefaultDependencies = false;
        ConditionKernelVersion = "<5.6";
      };
      wantedBy = [ "sysinit.target" ];
      after = [ "systemd-tmpfiles-setup-dev.service" ];
      before = [ "sysinit.target" "shutdown.target" "systemd-journald.service" ];

      serviceConfig = {
        ExecStart = "${pkgs.haveged}/bin/haveged -w ${toString cfg.refill_threshold} --Foreground -v 1";
        Restart = "always";
        SuccessExitStatus = "137 143";
        SecureBits = "noroot-locked";
        CapabilityBoundingSet = [ "CAP_SYS_ADMIN" "CAP_SYS_CHROOT" ];
        # We can *not* set PrivateTmp=true as it can cause an ordering cycle.
        PrivateTmp = false;
        PrivateDevices = true;
        ProtectSystem = "full";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "newuname" "~@mount" ];
        SystemCallErrorNumber = "EPERM";
      };

    };
  };

}
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-04 12:27:44 +0000