# NixOS module for the FreeRADIUS server: declares `services.freeradius.*`
# and, when enabled, a dedicated `radius` user/group plus a systemd unit.
{
  config,
  lib,
  pkgs,
  ...
}:
let

  cfg = config.services.freeradius;

  # Builds the systemd unit definition from a `services.freeradius` option set.
  freeradiusService =
    opts:
    let
      radiusd = "${opts.package}/bin/radiusd";

      # `radiusd -C` parses the configuration and exits without serving.
      # It is run before start and before every reload.
      checkConfig = "${radiusd} -C -d ${opts.configDir} -l stdout";
    in
    {
      description = "FreeRadius server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      wants = [ "network.target" ];

      # A configuration that fails the check keeps the daemon from starting.
      preStart = ''
        ${checkConfig}
      '';

      serviceConfig = {
        # `-f` stays in the foreground and `-l stdout` writes the log to stdout.
        # `-xx` is appended only when `debug` is set; per the option text below,
        # that output includes passwords.
        ExecStart = "${radiusd} -f -d ${opts.configDir} -l stdout${lib.optionalString opts.debug " -xx"}";

        # Re-validate first, then signal the running daemon with SIGHUP.
        # NOTE(review): systemd is expected to stop at the first failing
        # ExecReload command, so a broken config should never be signalled. Confirm.
        ExecReload = [
          checkConfig
          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
        ];

        # The daemon runs as the unprivileged `radius` account declared below.
        User = "radius";
        # "full" makes /usr, the boot loader directories and /etc read-only
        # for the service, which covers the default configDir.
        ProtectSystem = "full";
        # "on" is systemd's boolean true: home directories are inaccessible.
        ProtectHome = "on";
        Restart = "on-failure";
        RestartSec = 2;
        # systemd creates the log directory "radius" for the service user.
        LogsDirectory = "radius";
        # NOTE(review): no further sandboxing directives (for example
        # NoNewPrivileges or PrivateTmp) are set here. Evaluate them against
        # the modules in use before adding.
      };
    };

in

{

  ###### interface

  options.services.freeradius = {
    enable = lib.mkEnableOption "the freeradius server";

    package = lib.mkPackageOption pkgs "freeradius" { };

    # This module never creates or populates the directory; its ownership and
    # permissions are the administrator's responsibility.
    # NOTE(review): a raddb tree typically holds shared secrets. Passing a Nix
    # path literal instead of a string would copy it into the world-readable
    # Nix store when interpolated. Confirm callers pass an absolute path string.
    configDir = lib.mkOption {
      type = lib.types.path;
      default = "/etc/raddb";
      description = ''
        The path of the freeradius server configuration directory.
      '';
    };

    debug = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable debug logging for freeradius (-xx
        option). This should not be left on, since it includes
        sensitive data such as passwords in the logs.
      '';
    };
  };

  ###### implementation

  config = lib.mkIf cfg.enable {

    # Dedicated system account and group for the daemon.
    users.users.radius = {
      # uid = config.ids.uids.radius;
      description = "Radius daemon user";
      isSystemUser = true;
      group = "radius";
    };
    users.groups.radius = { };

    systemd.services.freeradius = freeradiusService cfg;

    # Raise an evaluation-time warning whenever debug logging is switched on.
    warnings = lib.optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!";

  };

}