From 0e474f2d2604d83258d8fffef45e473814556366 Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Thu, 27 Feb 2020 17:59:01 +0100
Subject: [PATCH 1/5] freeradius: add patch for HTTP/2 support in rlm_rest module
Co-Authored-By: Franz Pletz
Co-Authored-By: Simon Waibl
---
 pkgs/servers/freeradius/default.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkgs/servers/freeradius/default.nix b/pkgs/servers/freeradius/default.nix
index cbd710853402..7cd80221b4e7 100644
--- a/pkgs/servers/freeradius/default.nix
+++ b/pkgs/servers/freeradius/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoreconfHook, talloc, finger_bsd, perl
+{ stdenv, fetchurl, fetchpatch, autoreconfHook, talloc, finger_bsd, perl
 , openssl
 , linkOpenssl? true
 , openldap
@@ -71,6 +71,12 @@ stdenv.mkDerivation rec {
 "--localstatedir=/var"
 ] ++ optional (!linkOpenssl) "--with-openssl=no";
 
+ patches = stdenv.lib.optional withRest (fetchpatch {
+ # Fix HTTP/2 in rest
+ url = "https://github.com/FreeRADIUS/freeradius-server/commit/6286520698a3cc4053b4d49eb0a61d9ba77632aa.patch";
+ sha256 = "1ycvr3ql1mfkvzydnn4aiygnidicv2hgllppv37nb1p2pk02159g";
+ });
+
 postPatch = ''
 substituteInPlace src/main/checkrad.in --replace "/usr/bin/finger" "${finger_bsd}/bin/finger"
 '';

From 3f11ceb4177e4f3abec066dee47fbd331698830c Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Thu, 27 Feb 2020 18:07:55 +0100
Subject: [PATCH 2/5] freeradius: add some maintainers
---
 pkgs/servers/freeradius/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/servers/freeradius/default.nix b/pkgs/servers/freeradius/default.nix
index 7cd80221b4e7..f5c5d26ad470 100644
--- a/pkgs/servers/freeradius/default.nix
+++ b/pkgs/servers/freeradius/default.nix
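Review bot: `patches = stdenv.lib.optional withRest (fetchpatch { ... })` spells out `stdenv.lib.optional` while the context line directly above it uses the bare `optional` (`] ++ optional (!linkOpenssl) "--with-openssl=no";`), so the library is already opened in this file and `patches = optional withRest (fetchpatch { ... });` would match the surrounding style. The one-line comment `# Fix HTTP/2 in rest` also says too little for a pinned backport; I would write `# rlm_rest: fix HTTP/2 handling, backport of upstream commit 6286520 (only applied when withRest)` so whoever does the next version bump can tell whether the fix has landed upstream and the patch can go. The `sha256` pins the fetched content, so the build does not depend on what the GitHub URL serves later; keep that pin whenever the patch is replaced.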
@@ -92,7 +92,7 @@ stdenv.mkDerivation rec {
 homepage = https://freeradius.org/;
 description = "A modular, high performance free RADIUS suite";
 license = licenses.gpl2;
- maintainers = with maintainers; [ sheenobu willibutz ];
+ maintainers = with maintainers; [ sheenobu willibutz fpletz lheckemann elseym ];
 platforms = with platforms; linux;
 };

From cc9a4c8a06bba3c49323a9eb5df18fca4641acfc Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Fri, 28 Feb 2020 10:50:43 +0100
Subject: [PATCH 3/5] freeradius: do not generate TLS stuff
---
 pkgs/servers/freeradius/default.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pkgs/servers/freeradius/default.nix b/pkgs/servers/freeradius/default.nix
index f5c5d26ad470..c7d6c509f098 100644
--- a/pkgs/servers/freeradius/default.nix
+++ b/pkgs/servers/freeradius/default.nix
@@ -81,9 +81,19 @@ stdenv.mkDerivation rec {
 substituteInPlace src/main/checkrad.in --replace "/usr/bin/finger" "${finger_bsd}/bin/finger"
 '';
 
+ # By default, freeradius will generate Diffie-Hellman parameters and
+ # self-signed TLS certificates during installation. We don't want
+ # this, for several reasons:
+ # - reproducibility (random generation)
+ # - we don't want _anybody_ to use a cert where the private key is on our public binary cache!
+ # - we don't want the certs to change each time the package is rebuilt
+ # So let's avoid anything getting into our output.
+ makeFlags = [ "LOCAL_CERT_FILES=" ];
+
 installFlags = [
 "sysconfdir=\${out}/etc"
 "localstatedir=\${TMPDIR}"
+ "INSTALL_CERT_FILES=" # see comment at makeFlags
 ];
 
 outputs = [ "out" "dev" "man" "doc" ];

From 0587329191ace2463c2880006baebbb3889d07bc Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Mon, 2 Mar 2020 15:39:14 +0100
Subject: [PATCH 4/5] freeradius: make debug logging optional
---
 nixos/modules/services/networking/freeradius.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

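Review bot: The hunk keeps generated keys out of `$out` only by relying on the upstream Makefile honouring two variables (`LOCAL_CERT_FILES=` in makeFlags and `INSTALL_CERT_FILES=` in installFlags), and nothing fails the build if a later FreeRADIUS release renames or stops reading them — while the comment itself explains why a private key in the public binary cache is unacceptable. Add a guard after installation that fails loudly on any `.pem`/`.key`/`dh` file under `$out`, appended to the existing `postInstall` if one exists outside this hunk; adjust the name patterns if FreeRADIUS ships non-key `.pem` files. It would also help deployers if the comment said that the stock raddb `eap` configuration presumably still refers to the files that are no longer generated, so a deployment must point it at its own certificates before `radiusd -C` passes — confirm against the shipped raddb.
```nix
  # … unchanged: makeFlags / installFlags from this hunk …
  postInstall = ''
    # Belt and braces for the *_CERT_FILES= flags above: fail the build if any
    # generated key material still reaches the store path.
    if find $out -type f \( -name '*.pem' -o -name '*.key' -o -name 'dh' \) | grep -q .; then
      echo "generated TLS material found in $out" >&2
      exit 1
    fi
  '';
```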
diff --git a/nixos/modules/services/networking/freeradius.nix b/nixos/modules/services/networking/freeradius.nix
index e192b70c129c..3a94c6807107 100644
--- a/nixos/modules/services/networking/freeradius.nix
+++ b/nixos/modules/services/networking/freeradius.nix
@@ -17,7 +17,8 @@ let
 '';
 
 serviceConfig = {
- ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout -xx";
+ ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout"
+ optionalString cfg.debug " -xx";
 ExecReload = [
 "${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
 "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
@@ -41,6 +42,16 @@ let
 '';
 };
 
+ debug = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable debug logging for freeradius (-xx
+ option). This should not be left on, since it includes
+ sensitive data such as passwords in the logs.
+ '';
+ };
+
 };
 
 in
@@ -66,6 +77,7 @@ in
 };
 systemd.services.freeradius = freeradiusService cfg;
+ warnings = optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!";
 };

From 065716ab9517747ec760bd0193553ab8453cc53b Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Thu, 27 Feb 2020 18:25:43 +0100
Subject: [PATCH 5/5] nixos/freeradius: depend on network.target, not online
---
 nixos/modules/services/networking/freeradius.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/networking/freeradius.nix b/nixos/modules/services/networking/freeradius.nix
index 3a94c6807107..f3fdd576b65c 100644
--- a/nixos/modules/services/networking/freeradius.nix
+++ b/nixos/modules/services/networking/freeradius.nix
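Review bot: The new `debug` option's description stops at "in the logs" without saying where those logs end up, yet the `ExecStart` line in the first hunk passes `-l stdout`, so `-xx` output goes to the systemd journal and is visible to every account with journal read access — the fact an operator weighing this switch actually needs. I would extend the description with `Because radiusd is started with -l stdout, this output lands in the systemd journal and is readable by anyone who can read the journal.` and keep the default at false as the hunk does. The evaluation-time `warnings` entry in the last hunk is a good backstop, but it appears on every evaluation rather than when credentials are actually written, so it should not be the only signal; presumably FreeRADIUS's own `log { auth_goodpass / auth_badpass }` settings inside `configDir` can log credentials independently of this flag, which deserves a sentence in the description if confirmed.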
@@ -10,8 +10,8 @@ let
 {
 description = "FreeRadius server";
 wantedBy = ["multi-user.target"];
- after = ["network-online.target"];
- wants = ["network-online.target"];
+ after = ["network.target"];
+ wants = ["network.target"];
 preStart = ''
 ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
 '';
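Review bot: Neither the hunk nor the subject records why `network-online.target` is dropped, and `network.target` only orders against the network-management units having started, not against addresses being configured, so a raddb `listen { ipaddr = <specific address> }` can still fail to bind at boot. If that is acceptable because the unit restarts on failure (the `serviceConfig` is outside this hunk, so I cannot confirm it), say so in the commit message or in a comment next to `after`; otherwise keep `after = ["network-online.target"]` for deployments that bind specific addresses. `wants = ["network.target"]` is also questionable: network.target is a passive target that network-management services pull in, and systemd.special(7) expects consumers to order with `After=` only — confirm and drop the `wants` line if so. The enclosing `freeradiusService` attribute set starts before and continues after this hunk.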