nixpkgs-suyu/nixos/modules/services/networking/freeradius.nix
pennae ef176dcf7e nixos/*: automatically convert option descriptions
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running

    nix-doc-munge nixos/**/*.nix
    nix-doc-munge --import nixos/**/*.nix

the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
2022-08-31 16:32:53 +02:00

86 lines
1.9 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.freeradius;
freeradiusService = cfg:
{
description = "FreeRadius server";
wantedBy = ["multi-user.target"];
after = ["network.target"];
wants = ["network.target"];
preStart = ''
${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
'';
serviceConfig = {
ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout" +
optionalString cfg.debug " -xx";
ExecReload = [
"${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
User = "radius";
ProtectSystem = "full";
ProtectHome = "on";
Restart = "on-failure";
RestartSec = 2;
LogsDirectory = "radius";
};
};
freeradiusConfig = {
enable = mkEnableOption (lib.mdDoc "the freeradius server");
configDir = mkOption {
type = types.path;
default = "/etc/raddb";
description = lib.mdDoc ''
The path of the freeradius server configuration directory.
'';
};
debug = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to enable debug logging for freeradius (-xx
option). This should not be left on, since it includes
sensitive data such as passwords in the logs.
'';
};
};
in
{
###### interface
options = {
services.freeradius = freeradiusConfig;
};
###### implementation
config = mkIf (cfg.enable) {
users = {
users.radius = {
/*uid = config.ids.uids.radius;*/
description = "Radius daemon user";
isSystemUser = true;
};
};
systemd.services.freeradius = freeradiusService cfg;
warnings = optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!";
};
}