Merge pull request #151123 from Artturin/havegedupdate

This commit is contained in:
Artturi 2022-02-10 17:10:20 +02:00 committed by GitHub
commit e35d057ea5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 62 additions and 38 deletions


@ -3,12 +3,10 @@
with lib;
let
cfg = config.services.haveged;
in
{
###### interface
@ -17,14 +15,11 @@ in
services.haveged = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable to haveged entropy daemon, which refills
/dev/random when low.
'';
};
enable = mkEnableOption ''
haveged entropy daemon, which refills /dev/random when low.
NOTE: does nothing on kernels newer than 5.6.
'';
# source for the note https://github.com/jirka-h/haveged/issues/57
refill_threshold = mkOption {
type = types.int;
@ -39,29 +34,44 @@ in
};
###### implementation
config = mkIf cfg.enable {
systemd.services.haveged =
{ description = "Entropy Harvesting Daemon";
unitConfig.Documentation = "man:haveged(8)";
wantedBy = [ "multi-user.target" ];
# https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service
systemd.services.haveged = {
description = "Entropy Daemon based on the HAVEGE algorithm";
unitConfig = {
Documentation = "man:haveged(8)";
DefaultDependencies = false;
ConditionKernelVersion = "<5.6";
};
wantedBy = [ "sysinit.target" ];
after = [ "systemd-tmpfiles-setup-dev.service" ];
before = [ "sysinit.target" "shutdown.target" "systemd-journald.service" ];
path = [ pkgs.haveged ];
serviceConfig = {
ExecStart = "${pkgs.haveged}/bin/haveged -F -w ${toString cfg.refill_threshold} -v 1";
SuccessExitStatus = 143;
PrivateTmp = true;
PrivateDevices = true;
PrivateNetwork = true;
ProtectSystem = "full";
ProtectHome = true;
};
serviceConfig = {
ExecStart = "${pkgs.haveged}/bin/haveged -w ${toString cfg.refill_threshold} --Foreground -v 1";
Restart = "always";
SuccessExitStatus = "137 143";
SecureBits = "noroot-locked";
CapabilityBoundingSet = [ "CAP_SYS_ADMIN" "CAP_SYS_CHROOT" ];
# We can *not* set PrivateTmp=true as it can cause an ordering cycle.
PrivateTmp = false;
PrivateDevices = true;
ProtectSystem = "full";
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
RestrictNamespaces = true;
RestrictRealtime = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "newuname" "~@mount" ];
SystemCallErrorNumber = "EPERM";
};
};
};
}
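Review bot: The new serviceConfig drops the old `PrivateNetwork = true` (a removed line in this hunk) and adds no replacement, so the otherwise heavily hardened unit can still open network sockets although nothing in it suggests the daemon needs any. If haveged indeed has no network use, either `RestrictAddressFamilies = [ "AF_UNIX" ];` (AF_UNIX kept in case it logs via syslog) or restoring `PrivateNetwork = true;` next to `PrivateDevices = true;` would close that off, and whichever is chosen deserves a short comment like the one on PrivateTmp, since the linked Fedora unit is presumably why it was left out. Separately, `SuccessExitStatus = "137 143"` treats a SIGKILL exit (137) as success, so an OOM kill or an external kill of the daemon is logged as a clean stop; if that is intentional, a one-line comment saying why would help whoever reads the journal later.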


@ -1,15 +1,29 @@
{ lib, stdenv, fetchurl }:
{ lib, stdenv, fetchFromGitHub }:
stdenv.mkDerivation rec {
pname = "haveged";
version = "1.9.2";
version = "1.9.15";
src = fetchurl {
url = "http://www.issihosts.com/haveged/haveged-${version}.tar.gz";
sha256 = "0w5ypz6451msckivjriwyw8djydlwffam7x23xh626s2vzdrlzgp";
src = fetchFromGitHub {
owner = "jirka-h";
repo = "haveged";
rev = "v${version}";
sha256 = "sha256-bU+/lRx0RAqHheNQ9CWT/V0oZnZd0W9EHhhX3RRIZ/0=";
};
meta = {
strictDeps = true;
postPatch = ''
patchShebangs ent # test shebang
'';
installFlags = [
"sbindir=$(out)/bin" # no reason for us to have a $out/sbin, its just a symlink to $out/bin
];
doCheck = true;
meta = with lib; {
description = "A simple entropy daemon";
longDescription = ''
The haveged project is an attempt to provide an easy-to-use, unpredictable
@ -19,9 +33,9 @@ stdenv.mkDerivation rec {
of haveged is directed towards improving overall reliability and adaptability while minimizing
the barriers to using haveged for other tasks.
'';
homepage = "http://www.issihosts.com/haveged/";
license = lib.licenses.gpl3;
maintainers = [ lib.maintainers.domenkozar ];
platforms = lib.platforms.unix;
homepage = "https://github.com/jirka-h/haveged";
license = licenses.gpl3;
maintainers = with maintainers; [ domenkozar ];
platforms = platforms.unix;
};
}
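Review bot: The `postPatch` comment `# test shebang` on the `patchShebangs ent` line says neither what `ent` is nor why its shebang needs patching, so a reader cannot tell whether the step can be dropped when `doCheck` is turned off. Presumably `ent` is a bundled test tool or script directory whose interpreter path is not valid in the build sandbox; a comment such as `# ent is run by the test suite; make its interpreter path resolvable in the sandbox` would record that, and it is worth confirming against the upstream tree before committing to the wording.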