feat(k-radius): Allow to enable extra mods and sites

This commit is contained in:
catvayor 2024-05-13 18:00:35 +02:00
parent 8c14c5d2c6
commit f9250e8886


@ -11,6 +11,9 @@ let
mkIf mkIf
mkOption mkOption
types types
mapAttrsToList
optionalString
zipListsWith
; ;
settingsFormat = pkgs.formats.toml { }; settingsFormat = pkgs.formats.toml { };
@ -44,6 +47,32 @@ in
description = "File to the auth token for the service account."; description = "File to the auth token for the service account.";
}; };
extra-mods = mkOption {
type = types.attrsOf types.path;
description = "Additional files to be linked in mods-enabled.";
default = { };
};
extra-sites = mkOption {
type = types.attrsOf types.path;
description = "Additional files to be linked in sites-enabled.";
default = { };
};
dictionary = mkOption {
type = types.attrsOf (
types.enum [
"abinary"
"date"
"ipaddr"
"integer"
"string"
]
);
description = "Declare additionnal attributes to be listed in the dictionary.";
default = { };
};
radiusClients = mkOption { radiusClients = mkOption {
type = types.attrsOf ( type = types.attrsOf (
types.submodule { types.submodule {
@ -77,6 +106,12 @@ in
}; };
privateKeyPasswordFile = mkOption { type = types.path; }; privateKeyPasswordFile = mkOption { type = types.path; };
checkConfiguration = mkOption {
type = types.bool;
description = "Check the configuration before starting the deamon. Usefull for debugging.";
default = false;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -104,6 +139,8 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
wants = [ "network.target" ]; wants = [ "network.target" ];
startLimitIntervalSec = 20;
startLimitBurst = 5;
preStart = '' preStart = ''
mkdir -p ${cfg.configDir} mkdir -p ${cfg.configDir}
@ -164,8 +201,35 @@ in
sed -i ${cfg.configDir}/mods-available/eap \ sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/" -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
# Build the dictionary
cat <<EOF > ${cfg.configDir}/dictionary
${
let
attrs = mapAttrsToList (name: type: { inherit name type; }) cfg.dictionary;
idList = builtins.genList (id: 3000 + id) (builtins.length attrs);
in
builtins.concatStringsSep "\n" (
zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList
)
}
EOF
# Link extra-mods
${builtins.concatStringsSep "\n" (
mapAttrsToList (name: path: "ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}") cfg.extra-mods
)}
# Link extra-sites
${builtins.concatStringsSep "\n" (
mapAttrsToList (
name: path: "ln -nsf ${path} ${cfg.configDir}/sites-enabled/${name}"
) cfg.extra-sites
)}
# Check the configuration # Check the configuration
# ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout ${
optionalString (!cfg.checkConfiguration) "# "
}${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
''; '';
path = [ path = [
@ -187,6 +251,7 @@ in
LogsDirectory = "radius"; LogsDirectory = "radius";
StateDirectory = "radius"; StateDirectory = "radius";
RuntimeDirectory = "radius"; RuntimeDirectory = "radius";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
Environment = [ Environment = [
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml" "KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
"PYTHONPATH=${rlm_python.pythonPath}" "PYTHONPATH=${rlm_python.pythonPath}"
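Review bot: The `ln -nsf` lines added to preStart for `extra-mods` and `extra-sites` only create links and never remove ones left by an earlier generation, so a module or virtual server dropped from the option stays enabled in `mods-enabled`/`sites-enabled` until the directory is cleaned by hand; since enabling a site or module changes what radiusd accepts, the activation script should also delete the links it no longer manages (for example by tracking the names it created, or clearing the store-backed links in those two directories before relinking). The interpolated `${path}` and `${name}` are unquoted; write them as `"ln -nsf \"${path}\" \"${cfg.configDir}/mods-enabled/${name}\""` so names or paths with shell-significant characters do not split the command. The dictionary heredoc is unquoted (`<<EOF`), so a `$` in an attribute name would be expanded by the shell; `<<'EOF'` avoids that. The option descriptions carry typos: "additionnal", "deamon" and "Usefull". The preStart block this hunk edits begins before the `@ -164,8` hunk and its `''` terminator is in the same hunk.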