nixos/freeradius : init - Added freeradius service #34587
Conversation
freeradiusConfig = {
  enable = mkOption {
Use mkEnableOption
done :)
configDir = mkOption {
  type = types.nullOr types.path;
  default = null;
Why is this allowed to be null? This could default to /var/lib/freeradius.
Default value is set to /var/lib/freeradius. Without this parameter, the service will fail, so it makes sense to force a default value. The default value for the radiusd command is /etc/raddb, should we use this? I don't know about NixOS policy on this.
Probably yes. I believe freeradius never writes to this directory, does it? If it doesn't, /etc makes sense.
It's always good to find inspiration in other distros: https://git.archlinux.org/svntogit/community.git/tree/trunk/freeradius.service?h=packages/freeradius
Depending on whether freeradius needs write access to the filesystem, you should consider ProtectSystem=strict and ReadWritePaths: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Btw, please amend/squash the commit(s) instead of adding new ones.
Done.
I used ProtectSystem=full because I had difficulties with ReadWritePaths=:
- the pre-start would fail: freeradius.service: Failed at step NAMESPACE spawning /nix/store/z0ppd98vmw50pc2fj6ycc71ayxvzyqsr-unit-script/bin/freeradius-pre-start: No such file or directory
- I added ReadOnlyPaths="/nix/store" but it didn't solve the issue
- also, radius may need to write files (to /var/log/radius and maybe others), so it didn't seem wise (at least until we generate the freeradius configuration from nixos expressions).
after = ["network-online.target"];
requires = ["network-online.target"];
preStart = ''
  ${cfg.configDir}/certs/bootstrap
Is the user supposed to provide that script?
This is some kind of typo that I forgot to remove.
I pushed fixes according to your very good suggestions. I only have a doubt on the default value for the config directory parameter (see comment). Also, I changed the
7b0d554 to 4308652
Are you able to construct a NixOS test that verifies that the module produces a working freeradius? Something with static username/password in the configuration would probably be sufficient.
What would the test consist of? Doing an end to end test with a radius client?
Yes, nothing super fancy, just ensuring the service gets up and answers on simple requests.
On Feb 6, 2018 9:01 PM, "netixx" ***@***.***> wrote: What would the test consist of? Doing an end to end test with a radius client?
In this case, we could do the following: However,
What I suggest regarding tests is that we wait until we provide nixos configuration options (at least defining
cfg = config.services.freeradius;
freeradiusService = cfg: optionalAttrs cfg.enable {
The optionalAttrs is not needed because you already guard the config below with mkIf. Also, returning the systemd service attrset is nicer than returning { freeradius = { ... }; } because the resulting service name can be chosen more elegantly.
Also, the indentation is slightly off. Should be on the same level as cfg.
Done.
I moved the freeradius name to the config section (not sure if that's where it should go). And I tested it in my setup.
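The review points in this thread (use mkEnableOption, drop the optionalAttrs wrapper because mkIf already guards the config, give configDir a non-null default of /etc/raddb, assign the unit attrset directly so the service name is chosen in one place, and sandbox the unit with ProtectSystem=strict plus explicitly writable directories) collected into one module sketch. This is an added example, not the module from this PR or from nixpkgs; the radius user and group, the radiusd flags, the hardening directives chosen, and the /var/lib/radius and /var/log/radius directories are assumptions of the example.

```nix
# Added example: a hardened services.freeradius module sketch (not the PR's code).
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.freeradius;
in
{
  options.services.freeradius = {
    # mkEnableOption expands to the usual bool option with default = false
    enable = mkEnableOption "the FreeRADIUS server";

    configDir = mkOption {
      type = types.path;
      # radiusd's built-in default; the daemon cannot start without a config
      # tree, so a null value is not accepted
      default = "/etc/raddb";
      description = "Directory containing radiusd.conf and the rest of the FreeRADIUS configuration.";
    };
  };

  # mkIf already guards everything below, so no optionalAttrs wrapper is needed
  config = mkIf cfg.enable {
    # assumption: run as an unprivileged system user; RADIUS listens on
    # UDP 1812/1813, which needs no root
    users.users.radius = {
      isSystemUser = true;
      group = "radius";
      description = "FreeRADIUS daemon user";
    };
    users.groups.radius = { };

    # The unit attrset is assigned directly to systemd.services.freeradius,
    # so the unit name is chosen here rather than inside a helper function.
    systemd.services.freeradius = {
      description = "FreeRADIUS server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      requires = [ "network-online.target" ];

      serviceConfig = {
        User = "radius";
        Group = "radius";
        # assumption on flags: -f stay in the foreground, -d config directory,
        # -l stdout send the log to the journal instead of a file
        ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout";
        Restart = "on-failure";

        # Sandboxing: the whole filesystem, including /nix/store and the config
        # directory, is mounted read-only for the unit; only the directories
        # listed below are writable.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        NoNewPrivileges = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;

        # systemd creates /var/lib/radius and /var/log/radius, chowns them to
        # User/Group, and keeps them writable despite ProtectSystem=strict.
        StateDirectory = "radius";
        LogsDirectory = "radius";

        # Any other path the chosen configuration writes to must be listed
        # explicitly, e.g.:
        # ReadWritePaths = [ "/path/written/by/your/config" ];
      };
    };
  };
}
```

If a configuration step such as the certs/bootstrap script mentioned in the thread really has to write into the config directory, that is a sign the write should move into an activation or preStart step with its own writable target rather than into a relaxation of ProtectSystem for the long-running daemon.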
Inspired from the dhcpd service implementation
Only 2 configuration options at the moment:
- enabled
- path to config directory (defaults to /etc/raddb)
Implementation was also inspired from ArchLinux systemd file and corrected with @dotlambda and @fpletz help.
4308652 to 2a2e885
Thank you
The freeradius service was merged with NixOS#34587 but the module was not added to module-list. This commit fixes that and enables the use of services.freeradius in nixos configuration.
Resubmit because of branch mixup
Inspired from the dhcpd service implementation
Only 2 configuration options at the moment:
enabled and path to config file folder
The networking folder has been chosen because radius is mainly used for network devices and network authentication (e.g. WPA2 Enterprise)
Motivation for this change
Freeradius package is already supported by nix, but no service exists for nixos. This patch adds basic support to start the freeradius service.
Things done
I tested the service configuration in my personal nix installation successfully.