-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2211.section.xml9
-rw-r--r--nixos/doc/manual/release-notes/rl-2211.section.md3
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/security/infnoise.nix60
-rw-r--r--pkgs/misc/drivers/infnoise/default.nix3
5 files changed, 72 insertions, 4 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
index 8bbb8665219a..b2d9b26fa371 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -40,7 +40,7 @@
</section>
<section xml:id="sec-release-22.11-new-services">
<title>New Services</title>
- <itemizedlist spacing="compact">
+ <itemizedlist>
<listitem>
<para>
<link xlink:href="https://github.com/jollheef/appvm">appvm</link>,
@@ -48,6 +48,13 @@
<link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>.
</para>
</listitem>
+ <listitem>
+ <para>
+ <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>,
+ a hardware True Random Number Generator dongle. Available as
+ <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>.
+ </para>
+ </listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.11-incompatibilities">
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
index 5dc8e958c896..8dcde84f237a 100644
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -25,6 +25,9 @@ In addition to numerous new and upgraded packages, this release has the followin
- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
+- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
+ Available as [services.infnoise](options.html#opt-services.infnoise.enable).
+
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index f7357036d69d..0767343368d6 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -981,6 +981,7 @@
./services/security/hologram-server.nix
./services/security/hologram-agent.nix
./services/security/kanidm.nix
+ ./services/security/infnoise.nix
./services/security/munge.nix
./services/security/nginx-sso.nix
./services/security/oauth2_proxy.nix
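Review bot: The new entry is inserted after `./services/security/kanidm.nix`, which breaks the alphabetical order the surrounding lines otherwise follow (hologram-*, kanidm, munge, nginx-sso, oauth2_proxy). Move `./services/security/infnoise.nix` up one line so it sits between the hologram entries and kanidm; this keeps the list easy to scan and avoids merge conflicts with other additions landing in the same spot. The list continues outside the hunk on both sides.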
diff --git a/nixos/modules/services/security/infnoise.nix b/nixos/modules/services/security/infnoise.nix
new file mode 100644
index 000000000000..4fb8adaf33f8
--- /dev/null
+++ b/nixos/modules/services/security/infnoise.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.infnoise;
+in {
+ options = {
+ services.infnoise = {
+ enable = mkEnableOption "the Infinite Noise TRNG driver";
+
+ fillDevRandom = mkOption {
+ description = ''
+ Whether to run the infnoise driver as a daemon to refill /dev/random.
+
+ If disabled, you can use the `infnoise` command-line tool to
+ manually obtain randomness.
+ '';
+ type = types.bool;
+ default = true;
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.infnoise ];
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
+ '';
+
+ systemd.services.infnoise = mkIf cfg.fillDevRandom {
+ description = "Infinite Noise TRNG driver";
+
+ bindsTo = [ "dev-infnoise.device" ];
+ after = [ "dev-infnoise.device" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug";
+ Restart = "always";
+ User = "infnoise";
+ DynamicUser = true;
+ SupplementaryGroups = [ "dialout" ];
+ DeviceAllow = [ "/dev/infnoise" ];
+ DevicePolicy = "closed";
+ PrivateNetwork = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true; # only reads entropy pool size and watermark
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ };
+ };
+ };
+}
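Review bot: The daemon runs as an unprivileged DynamicUser with no AmbientCapabilities, yet crediting entropy to /dev/random (the RNDADDENTROPY ioctl, which `--dev-random` mode presumably uses — the ProtectKernelTunables comment about reading the pool size and watermark points at the pool-feeding path) requires CAP_SYS_ADMIN and would be refused with EPERM for this user; confirm against the driver source, and if it does use the ioctl add `AmbientCapabilities = [ "CAP_SYS_ADMIN" ]; CapabilityBoundingSet = [ "CAP_SYS_ADMIN" ];` to serviceConfig while keeping the rest of the sandbox as is. The udev rule matches only on `0403:6015`, which appears to be FTDI's generic FT-X-series product ID rather than one specific to this dongle, so any USB-serial adapter with that chip would be symlinked to /dev/infnoise, made group-writable for dialout, and used to start the service; narrow the match with the dongle's manufacturer/product string (e.g. `ATTRS{product}=="…"`, after checking what the device actually reports) or document the limitation in the option description. The rule also sets `ENV{SYSTEMD_WANTS}="infnoise.service"` unconditionally, which references a unit that is not defined when `fillDevRandom = false`; wrap that assignment in `optionalString cfg.fillDevRandom`. Finally, ExecStart ships `--debug` permanently, which is unusual for a service default and floods the journal; drop it or expose it as a `debug` option that defaults to false.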
diff --git a/pkgs/misc/drivers/infnoise/default.nix b/pkgs/misc/drivers/infnoise/default.nix
index d8e4dd659757..5bc32ba1ca02 100644
--- a/pkgs/misc/drivers/infnoise/default.nix
+++ b/pkgs/misc/drivers/infnoise/default.nix
@@ -37,9 +37,6 @@ stdenv.mkDerivation rec {
longDescription = ''
The Infinite Noise TRNG is a USB key hardware true random number generator.
It can either provide rng for userland applications, or provide rng for the OS entropy.
- Add the following to your system configuration for plug and play support, adding to the OS entropy:
- systemd.packages = [ pkgs.infnoise ];
- services.udev.packages = [ pkgs.infnoise ];
'';
license = licenses.cc0;
maintainers = with maintainers; [ StijnDW zhaofengli ];