Diffstat (limited to 'systemd')
-rw-r--r-- | systemd/random-seed-save.service.in | 16 | ||||
-rw-r--r-- | systemd/random-seed-save.timer | 11 | ||||
-rw-r--r-- | systemd/random-seed.service.in | 28 |
3 files changed, 55 insertions, 0 deletions
diff --git a/systemd/random-seed-save.service.in b/systemd/random-seed-save.service.in
new file mode 100644
index 0000000..e70192b
--- /dev/null
+++ b/systemd/random-seed-save.service.in
@@ -0,0 +1,16 @@
+[Unit]
+Description=Random seed save
+RequiresMountsFor=@default_seed_path_dir@
+After=systemd-remount-fs.service
+
+[Service]
+ExecStart=@sbindir@/random-seed save
+CapabilityBoundingSet=
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+LockPersonality=yes
+TemporaryFileSystem=/:ro
+BindPaths=@default_seed_path_dir@
diff --git a/systemd/random-seed-save.timer b/systemd/random-seed-save.timer
new file mode 100644
index 0000000..f39227d
--- /dev/null
+++ b/systemd/random-seed-save.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Random seed save timer
+ConditionVirtualization=!container
+
+[Timer]
+OnActiveSec=3h
+OnUnitInactiveSec=3h
+AccuracySec=2h
+
+[Install]
+WantedBy=timers.target
diff --git a/systemd/random-seed.service.in b/systemd/random-seed.service.in
new file mode 100644
index 0000000..97bda54
--- /dev/null
+++ b/systemd/random-seed.service.in
@@ -0,0 +1,28 @@
+[Unit]
+Description=Random seed load/save
+Documentation=man:random-seed(8) man:random(4)
+DefaultDependencies=no
+RequiresMountsFor=@default_seed_path_dir@
+Conflicts=shutdown.target
+After=systemd-remount-fs.service
+Before=sysinit.target shutdown.target
+ConditionVirtualization=!container
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@sbindir@/random-seed load
+ExecStop=@sbindir@/random-seed save
+CapabilityBoundingSet=CAP_SYS_ADMIN
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+LockPersonality=yes
+TemporaryFileSystem=/:ro
+BindPaths=@default_seed_path_dir@
+TimeoutSec=30s
+
+[Install]
+WantedBy=sysinit.target |
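Review bot: In random-seed-save.service.in, `TemporaryFileSystem=/:ro` replaces the whole root with an empty tmpfs and the only path bound back in is `@default_seed_path_dir@`, so `@sbindir@/random-seed` (and, if it is dynamically linked, its loader and libraries) does not appear to be visible inside the mount namespace when `ExecStart=` runs. The unit would then likely fail at exec instead of saving a seed. Either bind the needed paths read-only, e.g. `BindReadOnlyPaths=@sbindir@/random-seed` plus the library directories, or drop the tmpfs root in favour of `ProtectSystem=strict` with `ReadWritePaths=@default_seed_path_dir@`. The same pair of lines appears in random-seed.service.in, where a failed load at boot would silently leave the pool unseeded; this is inferred from the directives, so confirm with a test start on a target system.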
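Review bot: In random-seed.service.in, `CapabilityBoundingSet=CAP_SYS_ADMIN` covers both `ExecStart=` (load) and `ExecStop=` (save), and nothing in the unit says why such a broad capability is kept; the timer-driven save unit runs with an empty set, so save presumably does not need it. Add a comment above the line, e.g. `# CAP_SYS_ADMIN: presumably needed by "load" to credit entropy to the kernel pool (see random(4)); "save" does not need it`. Since the capability stays in the bounding set, consider narrowing what it can reach with `RestrictNamespaces=yes`, `MemoryDenyWriteExecute=yes` and `SystemCallArchitectures=native`, none of which are set in this unit.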