haveged: 1.9.2 -> 1.9.15
This commit is contained in:
Artturin
parent
08adacb68f
commit
c5a9a7edc4
2 changed files with 62 additions and 38 deletions
|
|
@ -3,12 +3,10 @@
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
cfg = config.services.haveged;
|
cfg = config.services.haveged;
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|
||||||
###### interface
|
###### interface
|
||||||
|
|
@ -17,14 +15,11 @@ in
|
||||||
|
|
||||||
services.haveged = {
|
services.haveged = {
|
||||||
|
|
||||||
enable = mkOption {
|
enable = mkEnableOption ''
|
||||||
type = types.bool;
|
haveged entropy daemon, which refills /dev/random when low.
|
||||||
default = false;
|
NOTE: does nothing on kernels newer than 5.6.
|
||||||
description = ''
|
'';
|
||||||
Whether to enable to haveged entropy daemon, which refills
|
# source for the note https://github.com/jirka-h/haveged/issues/57
|
||||||
/dev/random when low.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
refill_threshold = mkOption {
|
refill_threshold = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
|
|
@ -39,29 +34,44 @@ in
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
###### implementation
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
systemd.services.haveged =
|
# https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service
|
||||||
{ description = "Entropy Harvesting Daemon";
|
systemd.services.haveged = {
|
||||||
unitConfig.Documentation = "man:haveged(8)";
|
description = "Entropy Daemon based on the HAVEGE algorithm";
|
||||||
wantedBy = [ "multi-user.target" ];
|
unitConfig = {
|
||||||
|
Documentation = "man:haveged(8)";
|
||||||
|
DefaultDependencies = false;
|
||||||
|
ConditionKernelVersion = "<5.6";
|
||||||
|
};
|
||||||
|
wantedBy = [ "sysinit.target" ];
|
||||||
|
after = [ "systemd-tmpfiles-setup-dev.service" ];
|
||||||
|
before = [ "sysinit.target" "shutdown.target" "systemd-journald.service" ];
|
||||||
|
|
||||||
path = [ pkgs.haveged ];
|
serviceConfig = {
|
||||||
|
ExecStart = "${pkgs.haveged}/bin/haveged -w ${toString cfg.refill_threshold} --Foreground -v 1";
|
||||||
serviceConfig = {
|
Restart = "always";
|
||||||
ExecStart = "${pkgs.haveged}/bin/haveged -F -w ${toString cfg.refill_threshold} -v 1";
|
SuccessExitStatus = "137 143";
|
||||||
SuccessExitStatus = 143;
|
SecureBits = "noroot-locked";
|
||||||
PrivateTmp = true;
|
CapabilityBoundingSet = [ "CAP_SYS_ADMIN" "CAP_SYS_CHROOT" ];
|
||||||
PrivateDevices = true;
|
# We can *not* set PrivateTmp=true as it can cause an ordering cycle.
|
||||||
PrivateNetwork = true;
|
PrivateTmp = false;
|
||||||
ProtectSystem = "full";
|
PrivateDevices = true;
|
||||||
ProtectHome = true;
|
ProtectSystem = "full";
|
||||||
};
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [ "@system-service" "newuname" "~@mount" ];
|
||||||
|
SystemCallErrorNumber = "EPERM";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,15 +1,29 @@
|
||||||
{ lib, stdenv, fetchurl }:
|
{ lib, stdenv, fetchFromGitHub }:
|
||||||
|
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
pname = "haveged";
|
pname = "haveged";
|
||||||
version = "1.9.2";
|
version = "1.9.15";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchFromGitHub {
|
||||||
url = "http://www.issihosts.com/haveged/haveged-${version}.tar.gz";
|
owner = "jirka-h";
|
||||||
sha256 = "0w5ypz6451msckivjriwyw8djydlwffam7x23xh626s2vzdrlzgp";
|
repo = "haveged";
|
||||||
|
rev = "v${version}";
|
||||||
|
sha256 = "sha256-bU+/lRx0RAqHheNQ9CWT/V0oZnZd0W9EHhhX3RRIZ/0=";
|
||||||
};
|
};
|
||||||
|
|
||||||
meta = {
|
strictDeps = true;
|
||||||
|
|
||||||
|
postPatch = ''
|
||||||
|
patchShebangs ent # test shebang
|
||||||
|
'';
|
||||||
|
|
||||||
|
installFlags = [
|
||||||
|
"sbindir=$(out)/bin" # no reason for us to have a $out/sbin, its just a symlink to $out/bin
|
||||||
|
];
|
||||||
|
|
||||||
|
doCheck = true;
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
description = "A simple entropy daemon";
|
description = "A simple entropy daemon";
|
||||||
longDescription = ''
|
longDescription = ''
|
||||||
The haveged project is an attempt to provide an easy-to-use, unpredictable
|
The haveged project is an attempt to provide an easy-to-use, unpredictable
|
||||||
|
|
@ -19,9 +33,9 @@ stdenv.mkDerivation rec {
|
||||||
of haveged is directed towards improving overall reliability and adaptability while minimizing
|
of haveged is directed towards improving overall reliability and adaptability while minimizing
|
||||||
the barriers to using haveged for other tasks.
|
the barriers to using haveged for other tasks.
|
||||||
'';
|
'';
|
||||||
homepage = "http://www.issihosts.com/haveged/";
|
homepage = "https://github.com/jirka-h/haveged";
|
||||||
license = lib.licenses.gpl3;
|
license = licenses.gpl3;
|
||||||
maintainers = [ lib.maintainers.domenkozar ];
|
maintainers = with maintainers; [ domenkozar ];
|
||||||
platforms = lib.platforms.unix;
|
platforms = platforms.unix;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue