From 36f1c0c2b3ab4d6e12a8888950cc636d2197b587 Mon Sep 17 00:00:00 2001
From: Markus Theil
Date: Tue, 28 Nov 2023 15:55:50 +0100
Subject: [PATCH] nixos/esdm: simplify module

ESDM 1.0.1 fixed bugs related to Linux compatibility layer with CUSE. During these fixes, the compatibility layer was simplified behind a target in order to start the necessary services together or none of them (services.esdm.linuxCompatServices). Furthermore, a small helper was added to ESDM 1.0.1 in order to deal with resume/suspend/hibernate (FUSE needs to be unblocked). Removed options are marked.

Signed-off-by: Markus Theil
---
 nixos/modules/services/security/esdm.nix | 101 ++++++-----------------
 1 file changed, 26 insertions(+), 75 deletions(-)

diff --git a/nixos/modules/services/security/esdm.nix b/nixos/modules/services/security/esdm.nix
index 134b4be1a94c..c34fba1b3c75 100644
--- a/nixos/modules/services/security/esdm.nix
+++ b/nixos/modules/services/security/esdm.nix
@@ -4,49 +4,33 @@ let
 cfg = config.services.esdm;
 in
 {
+ imports = [
+ # removed option 'services.esdm.cuseRandomEnable'
+ (lib.mkRemovedOptionModule [ "services" "esdm" "cuseRandomEnable" ] ''
+ Use services.esdm.enableLinuxCompatServices instead.
+ '')
+ # removed option 'services.esdm.cuseUrandomEnable'
+ (lib.mkRemovedOptionModule [ "services" "esdm" "cuseUrandomEnable" ] ''
+ Use services.esdm.enableLinuxCompatServices instead.
+ '')
+ # removed option 'services.esdm.procEnable'
+ (lib.mkRemovedOptionModule [ "services" "esdm" "procEnable" ] ''
+ Use services.esdm.enableLinuxCompatServices instead.
+ '')
+ # removed option 'services.esdm.verbose'
+ (lib.mkRemovedOptionModule [ "services" "esdm" "verbose" ] ''
+ There is no replacement.
+ '')
+ ];
+
 options.services.esdm = {
 enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration");
 package = lib.mkPackageOption pkgs "esdm" { };
- serverEnable = lib.mkOption {
+ enableLinuxCompatServices = lib.mkOption {
 type = lib.types.bool;
 default = true;
 description = lib.mdDoc ''
- Enable option for ESDM server service. If serverEnable == false, then the esdm-server
- will not start. Also the subsequent services esdm-cuse-random, esdm-cuse-urandom
- and esdm-proc will not start as these have the entry Want=esdm-server.service.
- '';
- };
- cuseRandomEnable = lib.mkOption {
- type = lib.types.bool;
- default = true;
- description = lib.mdDoc ''
- Enable option for ESDM cuse-random service. Determines if the esdm-cuse-random.service
- is started.
- '';
- };
- cuseUrandomEnable = lib.mkOption {
- type = lib.types.bool;
- default = true;
- description = lib.mdDoc ''
- Enable option for ESDM cuse-urandom service. Determines if the esdm-cuse-urandom.service
- is started.
- '';
- };
- procEnable = lib.mkOption {
- type = lib.types.bool;
- default = true;
- description = lib.mdDoc ''
- Enable option for ESDM proc service. Determines if the esdm-proc.service
- is started.
- '';
- };
- verbose = lib.mkOption {
- type = lib.types.bool;
- default = false;
- description = lib.mdDoc ''
- Enable verbose ExecStart for ESDM. If verbose == true, then the corresponding "ExecStart"
- values of the 4 aforementioned services are overwritten with the option
- for the highest verbosity.
+ Enable /dev/random, /dev/urandom and /proc/sys/kernel/random/* userspace wrapper.
 '';
 };
 };
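Review bot: `services.esdm.serverEnable` is removed in this hunk (its `lib.mkOption` is replaced by `enableLinuxCompatServices`), but unlike `cuseRandomEnable`, `cuseUrandomEnable`, `procEnable` and `verbose` it gets no `lib.mkRemovedOptionModule` entry in the new `imports` list, so a configuration that still sets it fails evaluation with a generic undefined-option error rather than a pointer to what replaced it, even though the commit message says removed options are marked. Add `(lib.mkRemovedOptionModule [ "services" "esdm" "serverEnable" ] '' esdm-server is now started whenever the ESDM module is enabled. '')` next to the other entries; the second hunk makes the `esdm-server` wantedBy unconditional, which is what the message should reflect. The new description `Enable /dev/random, /dev/urandom and /proc/sys/kernel/random/* userspace wrapper.` would also help a user deciding whether to keep the default if it said that these appear to be CUSE/FUSE-backed userspace replacements for the kernel-provided devices, started together via the esdm-linux-compat target and dependent on esdm-server running.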
@@ -55,46 +39,13 @@ in
 lib.mkMerge [
 ({
 systemd.packages = [ cfg.package ];
+ systemd.services."esdm-server".wantedBy = [ "basic.target" ];
 })
 # It is necessary to set those options for these services to be started by systemd in NixOS
- (lib.mkIf cfg.serverEnable {
- systemd.services."esdm-server".wantedBy = [ "basic.target" ];
- systemd.services."esdm-server".serviceConfig = lib.mkIf cfg.verbose {
- ExecStart = [
- " " # unset previous value defined in 'esdm-server.service'
- "${cfg.package}/bin/esdm-server -f -vvvvvv"
- ];
- };
- })
-
- (lib.mkIf cfg.cuseRandomEnable {
- systemd.services."esdm-cuse-random".wantedBy = [ "basic.target" ];
- systemd.services."esdm-cuse-random".serviceConfig = lib.mkIf cfg.verbose {
- ExecStart = [
- " " # unset previous value defined in 'esdm-cuse-random.service'
- "${cfg.package}/bin/esdm-cuse-random -f -v 6"
- ];
- };
- })
-
- (lib.mkIf cfg.cuseUrandomEnable {
- systemd.services."esdm-cuse-urandom".wantedBy = [ "basic.target" ];
- systemd.services."esdm-cuse-urandom".serviceConfig = lib.mkIf cfg.verbose {
- ExecStart = [
- " " # unset previous value defined in 'esdm-cuse-urandom.service'
- "${config.services.esdm.package}/bin/esdm-cuse-urandom -f -v 6"
- ];
- };
- })
-
- (lib.mkIf cfg.procEnable {
- systemd.services."esdm-proc".wantedBy = [ "basic.target" ];
- systemd.services."esdm-proc".serviceConfig = lib.mkIf cfg.verbose {
- ExecStart = [
- " " # unset previous value defined in 'esdm-proc.service'
- "${cfg.package}/bin/esdm-proc --relabel -f -o allow_other /proc/sys/kernel/random -v 6"
- ];
- };
+ (lib.mkIf cfg.enableLinuxCompatServices {
+ systemd.targets."esdm-linux-compat".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-server-suspend".wantedBy = [ "sleep.target" "suspend.target" "hibernate.target" ];
+ systemd.services."esdm-server-resume".wantedBy = [ "sleep.target" "suspend.target" "hibernate.target" ];
 })
 ]);