nixpkgs/nixos/modules/security/rngd.nix

{ config, lib, pkgs, ... }:

with lib;

{
  options = {
    security.rngd.enable = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to enable the rng daemon, which adds entropy from
        hardware sources of randomness to the kernel entropy pool when
        available.
      '';
    };
  };

  config = mkIf config.security.rngd.enable {
    services.udev.extraRules = ''
      KERNEL=="random", TAG+="systemd"
      SUBSYSTEM=="cpu", ENV{MODALIAS}=="x86cpu:*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
      KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
      ${if config.services.tcsd.enable then "" else ''KERNEL=="tpm0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"''}
    '';

    systemd.services.rngd = {
      bindsTo = [ "dev-random.device" ];

      after = [ "dev-random.device" ];

      description = "Hardware RNG Entropy Gatherer Daemon";

      serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" +
        (if config.services.tcsd.enable then " --no-tpm=1" else "");
    };
  };
}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 07:26:48 -07:00			`{ config, lib, pkgs, ... }:`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 07:26:48 -07:00			`with lib;`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00
			`{`
			`options = {`
			`security.rngd.enable = mkOption {`
Add lots of missing option types 2013-10-30 09:37:45 -07:00			`type = types.bool;`
rngd: Require /dev/random, only start when a hardware randomness source becomes available 2012-11-26 05:45:23 -08:00			`default = true;`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00			`description = ''`
Typo 2012-11-22 01:41:54 -08:00			`Whether to enable the rng daemon, which adds entropy from`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00			`hardware sources of randomness to the kernel entropy pool when`
Disable rngd by default while I work on some patches to make it more systemd-friendly 2012-11-22 07:14:41 -08:00			`available.`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00			`'';`
			`};`
			`};`

			`config = mkIf config.security.rngd.enable {`
rngd: Require /dev/random, only start when a hardware randomness source becomes available 2012-11-26 05:45:23 -08:00			`services.udev.extraRules = ''`
			`KERNEL=="random", TAG+="systemd"`
			`SUBSYSTEM=="cpu", ENV{MODALIAS}=="x86cpu:feature:009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"`
			`KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"`
nixos/rngd: some fixes 2015-01-06 06:23:36 -08:00			`${if config.services.tcsd.enable then "" else ''KERNEL=="tpm0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"''}`
rngd: Require /dev/random, only start when a hardware randomness source becomes available 2012-11-26 05:45:23 -08:00			`'';`

Rename ‘boot.systemd’ to ‘systemd’ Suggested by Mathijs Kwik. ‘boot.systemd’ is a misnomer because systemd affects more than just booting. And it saves some typing. 2013-01-16 03:33:18 -08:00			`systemd.services.rngd = {`
rngd: Require /dev/random, only start when a hardware randomness source becomes available 2012-11-26 05:45:23 -08:00			`bindsTo = [ "dev-random.device" ];`

			`after = [ "dev-random.device" ];`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00
			`description = "Hardware RNG Entropy Gatherer Daemon";`

Only disable TPM access by rngd when tcsd is enabled. 2014-04-22 04:41:22 -07:00			`serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" +`
			`(if config.services.tcsd.enable then " --no-tpm=1" else "");`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00			`};`
			`};`
			`}`