| blob | d747219b29cb6ee0aeafe6c40da407def333bf3b |
1 { config, lib, pkgs, ... }:
2 let
4 cfg = config.services.freeradius;
6 freeradiusService = cfg:
7 {
8 description = "FreeRadius server";
9 wantedBy = ["multi-user.target"];
10 after = ["network.target"];
11 wants = ["network.target"];
12 preStart = ''
13 ${cfg.package}/bin/radiusd -C -d ${cfg.configDir} -l stdout
14 '';
16 serviceConfig = {
17 ExecStart = "${cfg.package}/bin/radiusd -f -d ${cfg.configDir} -l stdout" +
18 lib.optionalString cfg.debug " -xx";
19 ExecReload = [
20 "${cfg.package}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
21 "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
22 ];
23 User = "radius";
24 ProtectSystem = "full";
25 ProtectHome = "on";
26 Restart = "on-failure";
27 RestartSec = 2;
28 LogsDirectory = "radius";
29 };
30 };
32 freeradiusConfig = {
33 enable = lib.mkEnableOption "the freeradius server";
35 package = lib.mkPackageOption pkgs "freeradius" { };
37 configDir = lib.mkOption {
38 type = lib.types.path;
39 default = "/etc/raddb";
40 description = ''
41 The path of the freeradius server configuration directory.
42 '';
43 };
45 debug = lib.mkOption {
46 type = lib.types.bool;
47 default = false;
48 description = ''
49 Whether to enable debug logging for freeradius (-xx
50 option). This should not be left on, since it includes
51 sensitive data such as passwords in the logs.
52 '';
53 };
55 };
57 in
59 {
61 ###### interface
63 options = {
64 services.freeradius = freeradiusConfig;
65 };
68 ###### implementation
70 config = lib.mkIf (cfg.enable) {
72 users = {
73 users.radius = {
74 /*uid = config.ids.uids.radius;*/
75 description = "Radius daemon user";
76 isSystemUser = true;
77 group = "radius";
78 };
79 groups.radius = {};
80 };
82 systemd.services.freeradius = freeradiusService cfg;
83 warnings = lib.optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!";
85 };
87 }