nixos/infnoise: init

2024-11-16 14:54:29 +01:00 · 2022-05-06 00:22:46 -07:00 · 2022-05-06 00:22:46 -07:00 · 6c4bfe583c
commit 6c4bfe583c
parent d2aa5ff6e7
5 changed files with 72 additions and 4 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -40,7 +40,7 @@
  </section>
  <section xml:id="sec-release-22.11-new-services">
    <title>New Services</title>
-    <itemizedlist spacing="compact">
+    <itemizedlist>
      <listitem>
        <para>
          <link xlink:href="https://github.com/jollheef/appvm">appvm</link>,
@ -48,6 +48,13 @@
          <link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>,
+          a hardware True Random Number Generator dongle. Available as
+          <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>.
+        </para>
+      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="sec-release-22.11-incompatibilities">
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -25,6 +25,9 @@ In addition to numerous new and upgraded packages, this release has the followin

 - [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).

+- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
+  Available as [services.infnoise](options.html#opt-services.infnoise.enable).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

 ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -981,6 +981,7 @@
  ./services/security/hologram-server.nix
  ./services/security/hologram-agent.nix
  ./services/security/kanidm.nix
+  ./services/security/infnoise.nix
  ./services/security/munge.nix
  ./services/security/nginx-sso.nix
  ./services/security/oauth2_proxy.nix
--- a/nixos/modules/services/security/infnoise.nix
+++ b/nixos/modules/services/security/infnoise.nix
@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.infnoise;
+in {
+  options = {
+    services.infnoise = {
+      enable = mkEnableOption "the Infinite Noise TRNG driver";
+
+      fillDevRandom = mkOption {
+        description = ''
+          Whether to run the infnoise driver as a daemon to refill /dev/random.
+
+          If disabled, you can use the `infnoise` command-line tool to
+          manually obtain randomness.
+        '';
+        type = types.bool;
+        default = true;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.infnoise ];
+
+    services.udev.extraRules = ''
+      SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
+    '';
+
+    systemd.services.infnoise = mkIf cfg.fillDevRandom {
+      description = "Infinite Noise TRNG driver";
+
+      bindsTo = [ "dev-infnoise.device" ];
+      after = [ "dev-infnoise.device" ];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug";
+        Restart = "always";
+        User = "infnoise";
+        DynamicUser = true;
+        SupplementaryGroups = [ "dialout" ];
+        DeviceAllow = [ "/dev/infnoise" ];
+        DevicePolicy = "closed";
+        PrivateNetwork = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true; # only reads entropy pool size and watermark
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+      };
+    };
+  };
+}
--- a/pkgs/misc/drivers/infnoise/default.nix
+++ b/pkgs/misc/drivers/infnoise/default.nix
@ -37,9 +37,6 @@ stdenv.mkDerivation rec {
    longDescription = ''
      The Infinite Noise TRNG is a USB key hardware true random number generator.
      It can either provide rng for userland applications, or provide rng for the OS entropy.
-      Add the following to your system configuration for plug and play support, adding to the OS entropy:
-      systemd.packages = [ pkgs.infnoise ];
-      services.udev.packages = [ pkgs.infnoise ];
    '';
    license = licenses.cc0;
    maintainers = with maintainers; [ StijnDW zhaofengli ];