Merge pull request #96092 from nbraud/security/rngd

nixos/modules/security/rngd: Disable by default
2020-09-09 21:53:41 -04:00 · 2020-09-09 21:53:41 -04:00 · f7a6a1a183
parent 50feed19a6 ca674c1769
commit f7a6a1a183
2 changed files with 10 additions and 10 deletions
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@ -815,6 +815,13 @@ CREATE ROLE postgres LOGIN SUPERUSER;
     the value of <option>services.jellyfin.package</option> to <literal>pkgs.jellyfin_10_5</literal>.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     The <literal>security.rngd</literal> service is now disabled by default.
+     This choice was made because there's krngd in the linux kernel space making it (for most usecases)
+     functionally redundent.
+    </para>
+   </listitem>
  </itemizedlist>
 </section>

--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@ -10,11 +10,10 @@ in
    security.rngd = {
      enable = mkOption {
        type = types.bool;
-        default = true;
+        default = false;
        description = ''
-          Whether to enable the rng daemon, which adds entropy from
-          hardware sources of randomness to the kernel entropy pool when
-          available.
+          Whether to enable the rng daemon.  Devices that the kernel recognises
+          as entropy sources are handled automatically by krngd.
        '';
      };
      debug = mkOption {
@ -26,12 +25,6 @@ in
  };

  config = mkIf cfg.enable {
-    services.udev.extraRules = ''
-      KERNEL=="random", TAG+="systemd"
-      SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
-      KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
-    '';
-
    systemd.services.rngd = {
      bindsTo = [ "dev-random.device" ];