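# NixOS module for the FreeRADIUS server (options under services.freeradius).
#
# Security-relevant behaviour defined here:
#   * radiusd runs as the dedicated, unprivileged "radius" account;
#   * the configuration is validated with `radiusd -C` before every start
#     and before every reload, so a broken config never replaces a working one;
#   * the `debug` option appends -xx, which makes radiusd log credentials;
#     enabling it also raises an evaluation warning.
{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.services.freeradius;

  # Build the systemd unit for radiusd from the module configuration `cfg`
  # (reads cfg.configDir and cfg.debug).
  freeradiusService = cfg:
  {
    description = "FreeRadius server";
    wantedBy = ["multi-user.target"];
    after = ["network.target"];
    wants = ["network.target"];

    # Configuration check only (-C): a non-zero exit here keeps the
    # service from starting with an invalid configuration.
    preStart = ''
      ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
    '';

    serviceConfig = {
      # -f keeps radiusd in the foreground; -l stdout sends its log to the
      # unit's stdout. -xx is appended only when cfg.debug is set.
      ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout" +
                  optionalString cfg.debug " -xx";

      # systemd runs these in order and stops at the first failure, so the
      # HUP is only delivered after the new configuration passed the check.
      ExecReload = [
        "${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
        "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
      ];

      User = "radius";

      # Sandboxing: "full" mounts /usr, /boot, /efi and /etc read-only for
      # the service; ProtectHome hides /home, /root and /run/user.
      ProtectSystem = "full";
      ProtectHome = "on";

      Restart = "on-failure";
      RestartSec = 2;
    };
  };

  # Option declarations exposed as services.freeradius.*
  freeradiusConfig = {
    enable = mkEnableOption "the freeradius server";

    # types.path also accepts a Nix path literal. Such a value is copied
    # into the world-readable Nix store when it is interpolated into the
    # command lines above, which would expose any RADIUS shared secrets
    # kept in the directory. Pass an absolute path string instead and keep
    # the directory readable only by the "radius" account.
    configDir = mkOption {
      type = types.path;
      default = "/etc/raddb";
      description = ''
        The path of the freeradius server configuration directory.
      '';
    };

    debug = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable debug logging for freeradius (-xx
        option). This should not be left on, since it includes
        sensitive data such as passwords in the logs.
      '';
    };

  };

in

{

  ###### interface

  options = {
    services.freeradius = freeradiusConfig;
  };


  ###### implementation

  config = mkIf (cfg.enable) {

    users = {
      users.radius = {
        # The static uid stays disabled, so the uid is allocated at activation.
        /*uid = config.ids.uids.radius;*/
        description = "Radius daemon user";
        # Daemon account, not a login user: mark it as a system user so its
        # uid comes from the system range. Newer NixOS releases also assert
        # that exactly one of isSystemUser / isNormalUser is set.
        isSystemUser = true;
        # NOTE(review): no primary group is declared, so the account uses
        # the users-module default. A dedicated group would be tighter;
        # confirm ownership of the files under configDir before changing it.
      };
    };

    systemd.services.freeradius = freeradiusService cfg;

    # Surface the credential-logging risk of -xx at evaluation time.
    warnings = optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!";

  };

}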