# NixOS module: runs the FreeRADIUS daemon (radiusd) as a systemd service
# under a dedicated, unprivileged "radius" system user.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption optional optionalString types;

  cfg = config.services.freeradius;

  # Build the systemd unit definition from the module's option values.
  mkRadiusUnit = opts:
    let
      radiusd = "${pkgs.freeradius}/bin/radiusd";

      # `-C` makes radiusd check the configuration and exit, so a broken
      # configuration is caught before the daemon is started or reloaded.
      checkConfig = "${radiusd} -C -d ${opts.configDir} -l stdout";
    in
    {
      description = "FreeRadius server";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network.target" ];
      after = [ "network.target" ];

      # Refuse to start on an invalid configuration.
      preStart = ''
        ${checkConfig}
      '';

      serviceConfig = {
        # `-f` keeps radiusd in the foreground; `-l stdout` sends its log
        # output to stdout. `-xx` is appended only in debug mode, which
        # writes sensitive data such as passwords to the log.
        ExecStart = "${radiusd} -f -d ${opts.configDir} -l stdout${optionalString opts.debug " -xx"}";

        # Validate the configuration first, then signal the running daemon.
        ExecReload = [
          checkConfig
          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
        ];

        # Run unprivileged, and limit what a compromised daemon can touch:
        # ProtectSystem=full mounts /usr, the boot loader directories and
        # /etc read-only for the service; ProtectHome hides home directories.
        User = "radius";
        ProtectSystem = "full";
        ProtectHome = "on";

        Restart = "on-failure";
        RestartSec = 2;

        # systemd creates the "radius" logs directory for the service user.
        LogsDirectory = "radius";
      };
    };

  # Option declarations exposed as services.freeradius.*
  radiusOptions = {
    enable = mkEnableOption (lib.mdDoc "the freeradius server");

    # NOTE(review): this directory presumably holds RADIUS shared secrets;
    # confirm it is readable only by root and the radius user.
    configDir = mkOption {
      type = types.path;
      default = "/etc/raddb";
      description = lib.mdDoc ''
        The path of the freeradius server configuration directory.
      '';
    };

    debug = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to enable debug logging for freeradius (-xx
        option). This should not be left on, since it includes
        sensitive data such as passwords in the logs.
      '';
    };
  };

in

{

  ###### interface

  options.services.freeradius = radiusOptions;

  ###### implementation

  config = mkIf cfg.enable {

    # Dedicated system account for the daemon.
    # NOTE(review): no `group` is set for this user here; NixOS releases that
    # assert `users.users.<name>.group` is non-empty would reject this at
    # evaluation time. Confirm whether a group is declared elsewhere.
    users.users.radius = {
      /*uid = config.ids.uids.radius;*/
      description = "Radius daemon user";
      isSystemUser = true;
    };

    systemd.services.freeradius = mkRadiusUnit cfg;

    # Surface the credential-logging risk at evaluation time whenever debug
    # mode is switched on, so it is not left enabled unnoticed.
    warnings = optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!";

  };

}