nixos/rngd: Remove module entirely, leave an explaination
Per @shlevy's request on #96092.
This commit is contained in:
parent
2b7e3a20c3
commit
39383a8494
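--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -1,56 +1,16 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
+{ lib, ... }:
 let
-cfg = config.security.rngd;
+removed = k: lib.mkRemovedOptionModule [ "security" "rngd" k ];
 in
 {
-options = {
-security.rngd = {
-enable = mkOption {
-type = types.bool;
-default = false;
-description = ''
-Whether to enable the rng daemon. Devices that the kernel recognises
-as entropy sources are handled automatically by krngd.
-'';
-};
-debug = mkOption {
-type = types.bool;
-default = false;
-description = "Whether to enable debug output (-d).";
-};
-};
-};
-
-config = mkIf cfg.enable {
-systemd.services.rngd = {
-bindsTo = [ "dev-random.device" ];
-
-after = [ "dev-random.device" ];
-
-# Clean shutdown without DefaultDependencies
-conflicts = [ "shutdown.target" ];
-before = [
-"sysinit.target"
-"shutdown.target"
+imports = [
+(removed "enable" ''
+rngd is not necessary for any device that the kernel recognises
+as an hardware RNG, as it will automatically run the krngd task
+to periodically collect random data from the device and mix it
+into the kernel's RNG.
+'')
+(removed "debug"
+"The rngd module was removed, so its debug option does nothing.")
 ];
-
-description = "Hardware RNG Entropy Gatherer Daemon";
-
-# rngd may have to start early to avoid entropy starvation during boot with encrypted swap
-unitConfig.DefaultDependencies = false;
-serviceConfig = {
-ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
-+ optionalString cfg.debug " -d";
-# PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
-# thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
-NoNewPrivileges = true;
-PrivateNetwork = true;
-ProtectSystem = "full";
-ProtectHome = true;
-};
-};
-};
 }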
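Review bot: The removal notice attached to `removed "enable"` only covers devices the kernel already drives as a hardware RNG; a user who enabled rngd for an entropy source the kernel does not expose that way gets no hint on how to confirm an in-kernel source is actually present after the upgrade, and the old module's comment about entropy starvation during boot with encrypted swap is dropped without being addressed in the message. A sentence such as `Check that /sys/class/misc/hw_random/rng_current names a device before relying on the in-kernel path alone.` would make the notice actionable. The same text reads `recognises as an hardware RNG`; it should be `recognises as a hardware RNG`. The `removed "debug"` message is fine as is.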