diff --git a/nixos/modules/services/networking/freeradius.nix b/nixos/modules/services/networking/freeradius.nix index e192b70c129c..f3fdd576b65c 100644 --- a/nixos/modules/services/networking/freeradius.nix +++ b/nixos/modules/services/networking/freeradius.nix @@ -10,14 +10,15 @@ let { description = "FreeRadius server"; wantedBy = ["multi-user.target"]; - after = ["network-online.target"]; - wants = ["network-online.target"]; + after = ["network.target"]; + wants = ["network.target"]; preStart = '' ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout ''; serviceConfig = { - ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout -xx"; + ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout" + + optionalString cfg.debug " -xx"; ExecReload = [ "${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout" "${pkgs.coreutils}/bin/kill -HUP $MAINPID" @@ -41,6 +42,16 @@ let ''; }; + debug = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable debug logging for freeradius (-xx + option). This should not be left on, since it includes + sensitive data such as passwords in the logs. + ''; + }; + }; in @@ -66,6 +77,7 @@ in }; systemd.services.freeradius = freeradiusService cfg; + warnings = optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!"; }; diff --git a/pkgs/servers/freeradius/default.nix b/pkgs/servers/freeradius/default.nix index cbd710853402..c7d6c509f098 100644 --- a/pkgs/servers/freeradius/default.nix +++ b/pkgs/servers/freeradius/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, autoreconfHook, talloc, finger_bsd, perl +{ stdenv, fetchurl, fetchpatch, autoreconfHook, talloc, finger_bsd, perl , openssl , linkOpenssl? true , openldap @@ -71,13 +71,29 @@ stdenv.mkDerivation rec { "--localstatedir=/var" ] ++ optional (!linkOpenssl) "--with-openssl=no"; + patches = stdenv.lib.optional withRest (fetchpatch { + # Fix HTTP/2 in rest + url = "https://github.com/FreeRADIUS/freeradius-server/commit/6286520698a3cc4053b4d49eb0a61d9ba77632aa.patch"; + sha256 = "1ycvr3ql1mfkvzydnn4aiygnidicv2hgllppv37nb1p2pk02159g"; + }); + postPatch = '' substituteInPlace src/main/checkrad.in --replace "/usr/bin/finger" "${finger_bsd}/bin/finger" ''; + # By default, freeradius will generate Diffie-Hellman parameters and + # self-signed TLS certificates during installation. We don't want + # this, for several reasons: + # - reproducibility (random generation) + # - we don't want _anybody_ to use a cert where the private key is on our public binary cache! + # - we don't want the certs to change each time the package is rebuilt + # So let's avoid anything getting into our output. + makeFlags = [ "LOCAL_CERT_FILES=" ]; + installFlags = [ "sysconfdir=\${out}/etc" "localstatedir=\${TMPDIR}" + "INSTALL_CERT_FILES=" # see comment at makeFlags ]; outputs = [ "out" "dev" "man" "doc" ]; @@ -86,7 +102,7 @@ stdenv.mkDerivation rec { homepage = https://freeradius.org/; description = "A modular, high performance free RADIUS suite"; license = licenses.gpl2; - maintainers = with maintainers; [ sheenobu willibutz ]; + maintainers = with maintainers; [ sheenobu willibutz fpletz lheckemann elseym ]; platforms = with platforms; linux; };