Switches the service from Type=forking to Type=simple by running haveged in the foreground (-F), so systemd no longer needs a PID file. Also restricts the daemon's execution environment with systemd sandboxing options (PrivateTmp, PrivateDevices, PrivateNetwork, ProtectSystem, ProtectHome), inspired by the Debian service file.
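{ config, lib, pkgs, ... }:

# NixOS module for haveged, a userspace entropy daemon that tops up the
# kernel's /dev/random pool when the available entropy drops below a
# threshold.  The unit runs haveged in the foreground (-F), so systemd's
# default Type=simple applies and no PID-file handling is needed.

with lib;

let

  cfg = config.services.haveged;

in

{

  ###### interface

  options = {

    services.haveged = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the haveged entropy daemon, which refills
          /dev/random when low.
        '';
      };

      refill_threshold = mkOption {
        type = types.int;
        default = 1024;
        description = ''
          The number of bits of available entropy beneath which
          haveged should refill the entropy pool.  Passed to haveged
          as its -w argument; it should be a positive value.
        '';
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    systemd.services.haveged =
      { description = "Entropy Harvesting Daemon";
        unitConfig.Documentation = "man:haveged(8)";
        wantedBy = [ "multi-user.target" ];

        serviceConfig = {
          # -F keeps haveged in the foreground (no forking), -w sets the
          # refill threshold, -v 1 selects the verbosity level.
          ExecStart = "${pkgs.haveged}/bin/haveged -F -w ${toString cfg.refill_threshold} -v 1";
          # haveged exits with 143 (128 + SIGTERM) when systemd stops it;
          # count that as a clean shutdown rather than a failure.
          SuccessExitStatus = 143;

          # Sandboxing: the daemon needs only the API pseudo-devices
          # (/dev/random is still present under PrivateDevices), no
          # network, no home directories and no writable system tree.
          PrivateTmp = true;
          PrivateDevices = true;
          PrivateNetwork = true;
          ProtectSystem = "full";
          ProtectHome = true;
          # The service runs as root (no User= is set).  Feeding the kernel
          # pool via the RNDADDENTROPY ioctl needs CAP_SYS_ADMIN, so drop
          # every other capability from the bounding set.  CAP_SYS_CHROOT is
          # kept to match the upstream haveged.service unit -- TODO confirm
          # it is still required by this haveged build.
          CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_SYS_CHROOT";
        };
      };

  };

}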