24 lines
772 B
Nix
24 lines
772 B
Nix
{ ... }: { config, lib, pkgs, ... }:
|
|
|
|
lib.mkIf config.hardware.nitrokey.enable {
|
|
services.udev.packages = [
|
|
(pkgs.writeTextDir "etc/udev/rules.d/98-nitrokey-random-seed.rules" ''
|
|
SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b1|42b2", TAG+="systemd", ENV{SYSTEMD_WANTS}+="nitrokey-random-seed@%k.service"
|
|
'')
|
|
];
|
|
|
|
systemd.services."nitrokey-random-seed@" = {
|
|
description = "Feed kernel from Nitrokey TRNG";
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
ExecStart = "${pkgs.pynitrokey}/bin/nitropy fido2 rng feedkernel";
|
|
DynamicUser = true;
|
|
SupplementaryGroups = [ "plugdev" ];
|
|
AmbientCapabilities = [ "CAP_SYS_ADMIN" ];
|
|
|
|
DeviceAllow = [ "/dev/%i rw" ];
|
|
DevicePolicy = "closed";
|
|
};
|
|
};
|
|
}
|