diff --git a/pkgs/by-name/es/esdm/package.nix b/pkgs/by-name/es/esdm/package.nix
index 7226f1e05ff4..2c96a1aefc77 100644
--- a/pkgs/by-name/es/esdm/package.nix
+++ b/pkgs/by-name/es/esdm/package.nix
@@ -18,45 +18,42 @@ # A brief explanation is given. # general options - selinux ? false, # enable selinux support - drngHashDrbg ? true, # set the default drng callback - drngChaCha20 ? false, # set the default drng callback - ais2031 ? false, # set the seeding strategy to be compliant with AIS 20/31 - sp80090c ? false, # set compliance with NIST SP800-90C - cryptoBackend ? "builtin", # set backend for hash and drbg operations + selinux ? true, # enable selinux support + fips140 ? true, # enable FIPS 140 checksum support + ais2031 ? true, # set the seeding strategy to be compliant with AIS 20/31 + sp80090c ? true, # set compliance with NIST SP800-90C + cryptoBackend ? "botan", # set backend for hash and drbg operations linuxDevFiles ? true, # enable linux /dev/random and /dev/urandom support linuxGetRandom ? true, # enable linux getrandom support - hashSha512 ? false, # set the conditioning hash: SHA2-512 - hashSha3_512 ? true, # set the conditioning hash: SHA3-512 - openSSLRandProvider ? false, # build ESDM provider for OpenSSL 3.x - botanRng ? false, # build ESDM class for Botan 3.x - - # client-related options (handle with care, consult source code and meson options) - # leave as is if in doubt - connectTimeoutExponent ? 28, # (1 << EXPONENT nanoseconds) - rxTxTimeoutExponent ? 28, # (1 << EXPONENT nanoseconds) - reconnectAttempts ? 10, # how often to attempt unix socket connection before giving up + openSSLRandProvider ? true, # build ESDM provider for OpenSSL 3.x + maxThreads ? 1024, # number of RPC handler threads + validationHelpers ? true, # used to analyze entropy output from esdm_es + numAuxPools ? 128, # use multiple hash pools for e.g. smartcard input + serverTermOnSignal ? false, # use select with timeout in server watch loop # entropy sources esJitterRng ? true, # enable support for the entropy source: jitter rng (running in user space) esJitterRngEntropyRate ? 256, # amount of entropy to account for jitter rng source - esJitterRngKernel ? 
true, # enable support for the entropy source: jitter rng (running in kernel space) + esJitterRngEntropyBlocks ? 128, # number of cached entropy blocks for jitterentropy + esJitterRngKernel ? false, # enable support for the entropy source: jitter rng (running in kernel space) esJitterRngKernelEntropyRate ? 256, # amount of entropy to account for kernel jitter rng source esCPU ? true, # enable support for the entropy source: cpu-based entropy - esCPUEntropyRate ? 8, # amount of entropy to account for cpu rng source - esKernel ? true, # enable support for the entropy source: kernel-based entropy - esKernelEntropyRate ? 128, # amount of entropy to account for kernel-based source + esCPUEntropyRate ? 256, # amount of entropy to account for cpu rng source + esKernel ? false, # enable support for the entropy source: kernel-based entropy + esKernelEntropyRate ? 256, # amount of entropy to account for kernel-based source esIRQ ? false, # enable support for the entropy source: interrupt-based entropy esIRQEntropyRate ? 256, # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0) esSched ? false, # enable support for the entropy source: scheduler-based entropy esSchedEntropyRate ? 0, # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0) esHwrand ? true, # enable support for the entropy source: /dev/hwrng - esHwrandEntropyRate ? 128, # amount of entropy to account for /dev/hwrng-based sources + esHwrandEntropyRate ? 256, # amount of entropy to account for /dev/hwrng-based sources + + # kernel seeding + linuxKernelReseedInterval ? 60, # how often to push entropy into Linux kernel, iff seeder service is started + linuxKernelReseedEntropyRate ? 
256, # how many bits to account on kernel (re-)seeding }: -assert drngHashDrbg != drngChaCha20; -assert hashSha512 != hashSha3_512; -assert cryptoBackend == "openssl" || cryptoBackend == "botan" || cryptoBackend == "builtin"; +assert cryptoBackend == "openssl" || cryptoBackend == "botan"; stdenv.mkDerivation rec { pname = "esdm"; @@ -76,7 +73,7 @@ stdenv.mkDerivation rec { ]; buildInputs = - lib.optional (cryptoBackend == "botan" || botanRng) botan3 + lib.optional (cryptoBackend == "botan") botan3 ++ lib.optional (cryptoBackend == "openssl" || openSSLRandProvider) openssl ++ lib.optional selinux libselinux ++ lib.optional esJitterRng jitterentropy @@ -86,20 +83,19 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ protobufc ]; mesonFlags = [ - (lib.mesonBool "b_lto" false) - (lib.mesonBool "fips140" false) + (lib.mesonBool "b_lto" true) + (lib.mesonBool "fips140" fips140) (lib.mesonBool "ais2031" ais2031) (lib.mesonBool "sp80090c" sp80090c) (lib.mesonEnable "node" true) # multiple DRNGs - (lib.mesonOption "threading_max_threads" (toString 64)) + (lib.mesonEnable "systemd" true) # systemd notify and socket support + (lib.mesonOption "threading_max_threads" (toString maxThreads)) (lib.mesonOption "crypto_backend" cryptoBackend) (lib.mesonEnable "linux-devfiles" linuxDevFiles) (lib.mesonEnable "linux-getrandom" linuxGetRandom) - (lib.mesonOption "client-connect-timeout-exponent" (toString connectTimeoutExponent)) - (lib.mesonOption "client-rx-tx-timeout-exponent" (toString rxTxTimeoutExponent)) - (lib.mesonOption "client-reconnect-attempts" (toString reconnectAttempts)) (lib.mesonEnable "es_jent" esJitterRng) (lib.mesonOption "es_jent_entropy_rate" (toString esJitterRngEntropyRate)) + (lib.mesonOption "es_jent_entropy_blocks" (toString esJitterRngEntropyBlocks)) (lib.mesonEnable "es_jent_kernel" esJitterRngKernel) (lib.mesonOption "es_jent_kernel_entropy_rate" (toString esJitterRngKernelEntropyRate)) (lib.mesonEnable "es_cpu" esCPU) 
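Review bot: The new defaults raise `esCPUEntropyRate` from 8 to 256 and `esHwrandEntropyRate` from 128 to 256 while switching `esKernel` and `esJitterRngKernel` off, so with `ais2031` and `sp80090c` now defaulting to true the compliance posture rests on crediting the CPU RNG and /dev/hwrng with what is presumably full entropy, meaning a single opaque hardware source can seed the DRNG on its own — precisely the over-estimation the old conservative rate of 8 guarded against. If this mirrors upstream's recommended production profile, say so in the comment, e.g. `esCPUEntropyRate ? 256, # full credit for the CPU RNG; lower it (upstream's conservative value was 8) if the CPU RNG is not trusted as a sole source`, and note on the AIS 20/31 / SP800-90C lines that the rates are deployer claims the build does not validate. The removed asserts were the only build-time checks on option combinations; the "(only set irq XOR sched != 0)" rule that the comments state but nothing enforces could be encoded as `assert !(esIRQEntropyRate != 0 && esSchedEntropyRate != 0);` next to the remaining `cryptoBackend` assert. The `fips140` parameter is introduced here but its effect (an HMAC over the server binary) only appears in a later hunk, so a comment such as `# enable FIPS 140 integrity check (HMAC of esdm-server generated in postFixup)` would help readers.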
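Review bot: `(lib.mesonEnable "systemd" true)` hard-wires systemd support while every neighbouring feature in this hunk is driven by a package parameter; exposing it as `systemd ? true, # systemd notify and socket activation support` and passing `(lib.mesonEnable "systemd" systemd)` keeps the derivation usable on non-systemd hosts and makes the new dependency explicit. No matching `systemd` entry is visible in `buildInputs` (the lines between the two hunks are outside this view, so it may already be there); since `mesonEnable` emits `-Dsystemd=enabled`, a missing dependency would presumably fail at configure time rather than silently degrade. The `threading_max_threads` default also jumps from 64 to 1024 in the same change; as this presumably bounds the worker pool serving the local RPC socket, a one-line rationale on `maxThreads` (why the larger pool is wanted and what each idle thread costs) would help whoever tunes it later.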
@@ -112,15 +108,20 @@ stdenv.mkDerivation rec { (lib.mesonOption "es_sched_entropy_rate" (toString esSchedEntropyRate)) (lib.mesonEnable "es_hwrand" esHwrand) (lib.mesonOption "es_hwrand_entropy_rate" (toString esHwrandEntropyRate)) - (lib.mesonEnable "hash_sha512" hashSha512) - (lib.mesonEnable "hash_sha3_512" hashSha3_512) (lib.mesonEnable "selinux" selinux) - (lib.mesonEnable "drng_hash_drbg" drngHashDrbg) - (lib.mesonEnable "drng_chacha20" drngChaCha20) (lib.mesonEnable "openssl-rand-provider" openSSLRandProvider) - (lib.mesonEnable "botan-rng" botanRng) + (lib.mesonOption "linux-reseed-interval" (toString linuxKernelReseedInterval)) + (lib.mesonOption "linux-reseed-entropy-count" (toString linuxKernelReseedEntropyRate)) + (lib.mesonEnable "validation-helpers" validationHelpers) + (lib.mesonOption "num-aux-pools" (toString numAuxPools)) + (lib.mesonBool "esdm-server-term-on-signal" serverTermOnSignal) ]; + postFixup = lib.optionals fips140 '' + $out/bin/esdm-tool --fips-checkfile $out/bin/.esdm-server.hmac \ + --fips-targetfile $out/bin/esdm-server + ''; + doCheck = true; strictDeps = true;
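Review bot: `postFixup = lib.optionals fips140 ''…''` applies a list combinator to a string, so when `fips140` is false the attribute becomes `[]` rather than an empty hook; the intended form is `postFixup = lib.optionalString fips140 ''…'';`. The hook also executes the freshly built `$out/bin/esdm-tool` on the build machine, which cannot work when the host platform differs from the build platform (the derivation already sets `strictDeps = true;`), so guard it with `lib.optionalString (fips140 && stdenv.buildPlatform.canExecute stdenv.hostPlatform)` or make the `fips140` default depend on that predicate. Because the HMAC is computed over the final stripped binary, any later rewrite of `esdm-server` (a downstream `wrapProgram` or `patchelf` in an override) would presumably invalidate `.esdm-server.hmac` and trip the integrity check at start-up; a comment above the hook stating that this is the FIPS 140 power-up integrity test and that the binary must not be modified afterwards would save the next maintainer a debugging session. Note also that this check only detects accidental corruption: it is keyed with whatever `esdm-tool` uses internally, not a secret of the deployer, so it is not a tamper-protection control.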