haveged module: clean up service configuration (#18513)

Switches from the forking service type to simple by running haveged in the foreground. Also restricts the execution environment a bit (these are inspired by the Debian service file).
2016-09-13 07:07:46 +02:00 · 2016-09-13 07:07:46 +02:00 · b023e8f303
commit b023e8f303
parent 87ee2736ce
1 changed files with 11 additions and 7 deletions
--- a/nixos/modules/services/security/haveged.nix
+++ b/nixos/modules/services/security/haveged.nix
@ -48,14 +48,18 @@ in
      { description = "Entropy Harvesting Daemon";
        unitConfig.Documentation = "man:haveged(8)";
        wantedBy = [ "multi-user.target" ];
-        
+
        path = [ pkgs.haveged ];
-        
+
-        serviceConfig = 
+        serviceConfig = {
-          { Type = "forking";
+          ExecStart = "${pkgs.haveged}/bin/haveged -F -w ${toString cfg.refill_threshold} -v 1";
-            ExecStart = "${pkgs.haveged}/sbin/haveged -w ${toString cfg.refill_threshold} -v 1";
+          SuccessExitStatus = 143;
-            PIDFile = "/run/haveged.pid";
+          PrivateTmp = true;
-          };
+          PrivateDevices = true;
          PrivateNetwork = true;
          ProtectSystem = "full";
          ProtectHome = true;
        };
      };
  };