nixos/freeradius : init - Added freeradius service #34587
Conversation
|
|
||
| freeradiusConfig = { | ||
|
|
||
| enable = mkOption { |
|
|
||
| configDir = mkOption { | ||
| type = types.nullOr types.path; | ||
| default = null; |
There was a problem hiding this comment.
Why is this allowed to be null? This could default to /var/lib/freeradius.
There was a problem hiding this comment.
default value is set to /var/lib/freeradius. Without this parameter, the service will failed, so it makes sense to force default value. Default value for the radiusd command is /etc/raddb, should we use this ? I don't know about nixos policy on this.
There was a problem hiding this comment.
Probably yes. I believe freeradius never writes to this directory, does it? If it doesn't, /etc makes sense.
It's always good to find inspiration in other distros: https://git.archlinux.org/svntogit/community.git/tree/trunk/freeradius.service?h=packages/freeradius
Depending on whether freeradius needs write access to the filesystem, you should consider ProtectSystem=strict and ReadWritePaths: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Btw, please amend/squash the commit(s) instead of adding new ones.
There was a problem hiding this comment.
Done.
I used ProtectSystem=full because I had difficulties with ReadWritePaths= :
- the pre-start would fail
freeradius.service: Failed at step NAMESPACE spawning /nix/store/z0ppd98vmw50pc2fj6ycc71ayxvzyqsr-unit-script/bin/freeradius-pre-start: No such file or directory - I added ReadOnlyPaths="/nix/store" but it didn't solve the issue
- also, radius may need to write files (to /var/log/radius and maybe others), so it didn't seem wise (at least until we generate the freeradius configuration from nixos expressions).
| after = ["network-online.target"]; | ||
| requires = ["network-online.target"]; | ||
| preStart = '' | ||
| ${cfg.configDir}/certs/bootstrap |
There was a problem hiding this comment.
Is the user supposed to provide that script?
There was a problem hiding this comment.
This is some kind of typo that I forgot to remove.
|
I pushed fixes according to your very good suggestions. I only have a doubt on the default value for the config directory parameter (see comment). Also, I changed the |
netixx
force-pushed
the
add-freeradius-service
branch
from
7b0d554
to
4308652
Compare
|
Are you able to construct a NixOS test that verifies that the module produces a working freeradius? Something with static username/password in the configuration would probably be sufficient. |
|
What would the test consist on ? Doing an end to end test with a radius client ? |
|
Yes, nothing super fancy just ensuring the service gets up and answers on
simple requests.
…On Feb 6, 2018 9:01 PM, "netixx" ***@***.***> wrote:
What would the test consist on ? Doing an end to end test with a radius
client ?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#34587 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAm_dJrujY8QPPriVjydtm2zgHvQTASEks5tSK-pgaJpZM4R4hZ0>
.
|
|
In this case, we could do the following: However,
What I suggest regarding tests is that we wait until we provide nixos configuration options (at least defining |
|
|
||
| cfg = config.services.freeradius; | ||
|
|
||
| freeradiusService = cfg: optionalAttrs cfg.enable { |
There was a problem hiding this comment.
The optionalAttrs is not needed because you already guard the config below with mkIf. Also, returning the systemd service attrset is nicer than returning { freeradius = { ... }; } because the resulting service name can be chosen more elegantly.
There was a problem hiding this comment.
Also, the indenten is slightly off, Should be on the same level as cfg.
There was a problem hiding this comment.
Done.
I moved the freeradius name to the config section (not sure if that's where it should go). And I tested it in my setup.
Inspired from the dhcpd service implementation Only 2 configurations options at the moment: - enabled - path to config directory (defaults to /etc/raddb) Implementation was also inspired from ArchLinux systemd file and corrected with @dotlambda and @fpletz help.
netixx
force-pushed
the
add-freeradius-service
branch
from
4308652
to
2a2e885
Compare
|
Thank you |
The freeradius service was merged with NixOS#34587 but the module was not added to module-list. This commit fixes that and enables the use of services.freeradius in nixos configuration.
Resubmit because of branch mixup
Inspired from the dhcpd service implementation
Only 2 configurations options at the moment:
enabled and path to configfile
folder networking has been chosen because radius is mainly used for network device and network authentication (e.g. WPA2 Entreprise)
Motivation for this change
Freeradius package is already supported by nix, but no service exists for nixos. This patch adds basic support to start the freeradius service.
Things done
I tested the service configuration in my personal nix installation successfully.
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)