nixos/rngd: Remove module entirely, leave an explaination
Per @shlevy's request on #96092.
This commit is contained in:
parent
2b7e3a20c3
commit
39383a8494
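--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,56 +1,16 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
+{ lib, ... }:
 let
-  cfg = config.security.rngd;
+  removed = k: lib.mkRemovedOptionModule [ "security" "rngd" k ];
 in
 {
-  options = {
-    security.rngd = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to enable the rng daemon. Devices that the kernel recognises
-          as entropy sources are handled automatically by krngd.
-        '';
-      };
-      debug = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Whether to enable debug output (-d).";
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    systemd.services.rngd = {
-      bindsTo = [ "dev-random.device" ];
-
-      after = [ "dev-random.device" ];
-
-      # Clean shutdown without DefaultDependencies
-      conflicts = [ "shutdown.target" ];
-      before = [
-        "sysinit.target"
-        "shutdown.target"
-      ];
-
-      description = "Hardware RNG Entropy Gatherer Daemon";
-
-      # rngd may have to start early to avoid entropy starvation during boot with encrypted swap
-      unitConfig.DefaultDependencies = false;
-      serviceConfig = {
-        ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
-          + optionalString cfg.debug " -d";
-        # PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
-        # thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
-        NoNewPrivileges = true;
-        PrivateNetwork = true;
-        ProtectSystem = "full";
-        ProtectHome = true;
-      };
-    };
-  };
+  imports = [
+    (removed "enable" ''
+      rngd is not necessary for any device that the kernel recognises
+      as an hardware RNG, as it will automatically run the krngd task
+      to periodically collect random data from the device and mix it
+      into the kernel's RNG.
+    '')
+    (removed "debug"
+      "The rngd module was removed, so its debug option does nothing.")
+  ];
 }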
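Review bot: The `removed "enable"` message only covers entropy devices the kernel recognises, which is exactly the case the old option description also scoped krngd to, so a user whose device is not kernel-driven is told the option is gone but not what replaces it; this text presumably surfaces as an evaluation error via mkRemovedOptionModule, so it is the one place they will read. Consider appending a line to that string such as `If your entropy source is not driven by the kernel, run rngd from pkgs.rng-tools in a systemd service of your own.`, and pointing out that the removed unit's hardening (NoNewPrivileges, PrivateNetwork, ProtectSystem, ProtectHome) and its ordering before sysinit.target are worth carrying over to such a service. While editing that string, fix the article: `as a hardware RNG, as it will automatically run the krngd task`.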