Merge pull request #82252 from mayflower/radius-http2

FreeRADIUS improvements
2020-03-10 16:01:46 +01:00 · 2020-03-10 16:01:46 +01:00 · dfc70d37f4
commit dfc70d37f4
parent 320334aee7 065716ab95
2 changed files with 33 additions and 5 deletions
--- a/nixos/modules/services/networking/freeradius.nix
+++ b/nixos/modules/services/networking/freeradius.nix
@ -10,14 +10,15 @@ let
  {
    description = "FreeRadius server";
    wantedBy = ["multi-user.target"];
-    after = ["network-online.target"];
-    wants = ["network-online.target"];
+    after = ["network.target"];
+    wants = ["network.target"];
    preStart = ''
      ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
    '';

    serviceConfig = {
-        ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout -xx";
+        ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout" +
+                    optionalString cfg.debug " -xx";
        ExecReload = [
          "${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
@ -41,6 +42,16 @@ let
      '';
    };

+    debug = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable debug logging for freeradius (-xx
+        option). This should not be left on, since it includes
+        sensitive data such as passwords in the logs.
+      '';
+    };
+
  };

 in
@ -66,6 +77,7 @@ in
    };

    systemd.services.freeradius = freeradiusService cfg;
+    warnings = optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!";

  };

--- a/pkgs/servers/freeradius/default.nix
+++ b/pkgs/servers/freeradius/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoreconfHook, talloc, finger_bsd, perl
+{ stdenv, fetchurl, fetchpatch, autoreconfHook, talloc, finger_bsd, perl
 , openssl
 , linkOpenssl? true
 , openldap
@ -71,13 +71,29 @@ stdenv.mkDerivation rec {
    "--localstatedir=/var"
  ] ++ optional (!linkOpenssl) "--with-openssl=no";

+  patches = stdenv.lib.optional withRest (fetchpatch {
+    # Fix HTTP/2 in rest
+    url = "https://github.com/FreeRADIUS/freeradius-server/commit/6286520698a3cc4053b4d49eb0a61d9ba77632aa.patch";
+    sha256 = "1ycvr3ql1mfkvzydnn4aiygnidicv2hgllppv37nb1p2pk02159g";
+  });
+
  postPatch = ''
    substituteInPlace src/main/checkrad.in --replace "/usr/bin/finger" "${finger_bsd}/bin/finger"
  '';

+  # By default, freeradius will generate Diffie-Hellman parameters and
+  # self-signed TLS certificates during installation. We don't want
+  # this, for several reasons:
+  # - reproducibility (random generation)
+  # - we don't want _anybody_ to use a cert where the private key is on our public binary cache!
+  # - we don't want the certs to change each time the package is rebuilt
+  # So let's avoid anything getting into our output.
+  makeFlags = [ "LOCAL_CERT_FILES=" ];
+
  installFlags = [
    "sysconfdir=\${out}/etc"
    "localstatedir=\${TMPDIR}"
+    "INSTALL_CERT_FILES=" # see comment at makeFlags
  ];

  outputs = [ "out" "dev" "man" "doc" ];
@ -86,7 +102,7 @@ stdenv.mkDerivation rec {
    homepage = https://freeradius.org/;
    description = "A modular, high performance free RADIUS suite";
    license = licenses.gpl2;
-    maintainers = with maintainers; [ sheenobu willibutz ];
+    maintainers = with maintainers; [ sheenobu willibutz fpletz lheckemann elseym ];
    platforms = with platforms; linux;
  };