pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #82252 from mayflower/radius-http2

FreeRADIUS improvements

Linus Heckemann dfc70d37 320334ae

options
unified split
Changed files
+33 -5
nixos
modules
services
networking
freeradius.nix
pkgs
servers
freeradius
default.nix
+15 -3
nixos/modules/services/networking/freeradius.nix 
···

       
10

       
10

       
 

       
  {


     

       
11

       
11

       
 

       
    description = "FreeRadius server";


     

       
12

       
12

       
 

       
    wantedBy = ["multi-user.target"];


     

       
13

       

       
-

       
    after = ["network-online.target"];


     

       
14

       

       
-

       
    wants = ["network-online.target"];


     

       

       
13

       
+

       
    after = ["network.target"];


     

       

       
14

       
+

       
    wants = ["network.target"];


     

       
15

       
15

       
 

       
    preStart = ''


     

       
16

       
16

       
 

       
      ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout


     

       
17

       
17

       
 

       
    '';


     

       
18

       
18

       
 

       



     

       
19

       
19

       
 

       
    serviceConfig = {


     

       
20

       

       
-

       
        ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout -xx";


     

       

       
20

       
+

       
        ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout" +


     

       

       
21

       
+

       
                    optionalString cfg.debug " -xx";


     

       
21

       
22

       
 

       
        ExecReload = [


     

       
22

       
23

       
 

       
          "${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"


     

       
23

       
24

       
 

       
          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"


     
···

       
41

       
42

       
 

       
      '';


     

       
42

       
43

       
 

       
    };


     

       
43

       
44

       
 

       



     

       

       
45

       
+

       
    debug = mkOption {


     

       

       
46

       
+

       
      type = types.bool;


     

       

       
47

       
+

       
      default = false;


     

       

       
48

       
+

       
      description = ''


     

       

       
49

       
+

       
        Whether to enable debug logging for freeradius (-xx


     

       

       
50

       
+

       
        option). This should not be left on, since it includes


     

       

       
51

       
+

       
        sensitive data such as passwords in the logs.


     

       

       
52

       
+

       
      '';


     

       

       
53

       
+

       
    };


     

       

       
54

       
+

       



     

       
44

       
55

       
 

       
  };


     

       
45

       
56

       
 

       



     

       
46

       
57

       
 

       
in


     
···

       
66

       
77

       
 

       
    };


     

       
67

       
78

       
 

       



     

       
68

       
79

       
 

       
    systemd.services.freeradius = freeradiusService cfg;


     

       

       
80

       
+

       
    warnings = optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!";


     

       
69

       
81

       
 

       



     

       
70

       
82

       
 

       
  };


     

       
71

       
83
+18 -2
pkgs/servers/freeradius/default.nix 
···

       
1

       

       
-

       
{ stdenv, fetchurl, autoreconfHook, talloc, finger_bsd, perl


     

       

       
1

       
+

       
{ stdenv, fetchurl, fetchpatch, autoreconfHook, talloc, finger_bsd, perl


     

       
2

       
2

       
 

       
, openssl


     

       
3

       
3

       
 

       
, linkOpenssl? true


     

       
4

       
4

       
 

       
, openldap


     
···

       
71

       
71

       
 

       
    "--localstatedir=/var"


     

       
72

       
72

       
 

       
  ] ++ optional (!linkOpenssl) "--with-openssl=no";


     

       
73

       
73

       
 

       



     

       

       
74

       
+

       
  patches = stdenv.lib.optional withRest (fetchpatch {


     

       

       
75

       
+

       
    # Fix HTTP/2 in rest


     

       

       
76

       
+

       
    url = "https://github.com/FreeRADIUS/freeradius-server/commit/6286520698a3cc4053b4d49eb0a61d9ba77632aa.patch";


     

       

       
77

       
+

       
    sha256 = "1ycvr3ql1mfkvzydnn4aiygnidicv2hgllppv37nb1p2pk02159g";


     

       

       
78

       
+

       
  });


     

       

       
79

       
+

       



     

       
74

       
80

       
 

       
  postPatch = ''


     

       
75

       
81

       
 

       
    substituteInPlace src/main/checkrad.in --replace "/usr/bin/finger" "${finger_bsd}/bin/finger"


     

       
76

       
82

       
 

       
  '';


     

       
77

       
83

       
 

       



     

       

       
84

       
+

       
  # By default, freeradius will generate Diffie-Hellman parameters and


     

       

       
85

       
+

       
  # self-signed TLS certificates during installation. We don't want


     

       

       
86

       
+

       
  # this, for several reasons:


     

       

       
87

       
+

       
  # - reproducibility (random generation)


     

       

       
88

       
+

       
  # - we don't want _anybody_ to use a cert where the private key is on our public binary cache!


     

       

       
89

       
+

       
  # - we don't want the certs to change each time the package is rebuilt


     

       

       
90

       
+

       
  # So let's avoid anything getting into our output.


     

       

       
91

       
+

       
  makeFlags = [ "LOCAL_CERT_FILES=" ];


     

       

       
92

       
+

       



     

       
78

       
93

       
 

       
  installFlags = [


     

       
79

       
94

       
 

       
    "sysconfdir=\${out}/etc"


     

       
80

       
95

       
 

       
    "localstatedir=\${TMPDIR}"


     

       

       
96

       
+

       
    "INSTALL_CERT_FILES=" # see comment at makeFlags


     

       
81

       
97

       
 

       
  ];


     

       
82

       
98

       
 

       



     

       
83

       
99

       
 

       
  outputs = [ "out" "dev" "man" "doc" ];


     
···

       
86

       
102

       
 

       
    homepage = https://freeradius.org/;


     

       
87

       
103

       
 

       
    description = "A modular, high performance free RADIUS suite";


     

       
88

       
104

       
 

       
    license = licenses.gpl2;


     

       
89

       

       
-

       
    maintainers = with maintainers; [ sheenobu willibutz ];


     

       

       
105

       
+

       
    maintainers = with maintainers; [ sheenobu willibutz fpletz lheckemann elseym ];


     

       
90

       
106

       
 

       
    platforms = with platforms; linux;


     

       
91

       
107

       
 

       
  };


     

       
92

       
108