From f9250e88868a54821b2b1f2c7d60fe7ed7aebcbb Mon Sep 17 00:00:00 2001 From: catvayor Date: Mon, 13 May 2024 18:00:35 +0200 Subject: [PATCH] feat(k-radius): Allow to enable extra mods and sites --- machines/vault01/k-radius/module.nix | 67 +++++++++++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) diff --git a/machines/vault01/k-radius/module.nix b/machines/vault01/k-radius/module.nix index 060f142..486c2b6 100644 --- a/machines/vault01/k-radius/module.nix +++ b/machines/vault01/k-radius/module.nix @@ -11,6 +11,9 @@ let mkIf mkOption types + mapAttrsToList + optionalString + zipListsWith ; settingsFormat = pkgs.formats.toml { }; @@ -44,6 +47,32 @@ in description = "File to the auth token for the service account."; }; + extra-mods = mkOption { + type = types.attrsOf types.path; + description = "Additional files to be linked in mods-enabled."; + default = { }; + }; + + extra-sites = mkOption { + type = types.attrsOf types.path; + description = "Additional files to be linked in sites-enabled."; + default = { }; + }; + + dictionary = mkOption { + type = types.attrsOf ( + types.enum [ + "abinary" + "date" + "ipaddr" + "integer" + "string" + ] + ); + description = "Declare additionnal attributes to be listed in the dictionary."; + default = { }; + }; + radiusClients = mkOption { type = types.attrsOf ( types.submodule { @@ -77,6 +106,12 @@ in }; privateKeyPasswordFile = mkOption { type = types.path; }; + + checkConfiguration = mkOption { + type = types.bool; + description = "Check the configuration before starting the deamon. Usefull for debugging."; + default = false; + }; }; config = mkIf cfg.enable { @@ -104,6 +139,8 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; wants = [ "network.target" ]; + startLimitIntervalSec = 20; + startLimitBurst = 5; preStart = '' mkdir -p ${cfg.configDir} 
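Review bot: The `dictionary` option added in the `@@ -44,6 +47,32 @@` hunk does not tell the user how attribute numbers are chosen, yet the preStart code in the `@@ -164,8 +201,35 @@` hunk assigns them sequentially from 3000 in attribute-name order, so the number of an existing attribute changes as soon as an alphabetically earlier one is added, and numbers above 255 cannot be encoded in a standard RADIUS attribute header, which makes these internal-only attributes. I would extend the description to `"Additional attributes for the dictionary. They are numbered from 3000 in attribute-name order and are internal to this server (not sent on the wire)."`. The same hunk's descriptions also carry typos, `additionnal` here and `deamon`/`Usefull` in the `checkConfiguration` option of the `@@ -77,6 +106,12 @@` hunk; the enclosing `options` attrset starts and ends outside these hunks.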
@@ -164,8 +201,35 @@ in sed -i ${cfg.configDir}/mods-available/eap \ -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/" + # Build the dictionary + cat < ${cfg.configDir}/dictionary + ${ + let + attrs = mapAttrsToList (name: type: { inherit name type; }) cfg.dictionary; + idList = builtins.genList (id: 3000 + id) (builtins.length attrs); + in + builtins.concatStringsSep "\n" ( + zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList + ) + } + EOF + + # Link extra-mods + ${builtins.concatStringsSep "\n" ( + mapAttrsToList (name: path: "ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}") cfg.extra-mods + )} + + # Link extra-sites + ${builtins.concatStringsSep "\n" ( + mapAttrsToList ( + name: path: "ln -nsf ${path} ${cfg.configDir}/sites-enabled/${name}" + ) cfg.extra-sites + )} + # Check the configuration - # ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout + ${ + optionalString (!cfg.checkConfiguration) "# " + }${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout ''; path = [ @@ -187,6 +251,7 @@ in LogsDirectory = "radius"; StateDirectory = "radius"; RuntimeDirectory = "radius"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; Environment = [ "KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml" "PYTHONPATH=${rlm_python.pythonPath}"
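Review bot: The `ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}` lines, and the sites-enabled ones below them, interpolate attribute names and paths into the shell unquoted, so a name containing whitespace or a shell metacharacter splits or alters the command; wrap both operands, e.g. `ln -nsf ${escapeShellArg path} ${escapeShellArg "${cfg.configDir}/mods-enabled/${name}"}` and add `escapeShellArg` to the `inherit (lib)` list. The dictionary builder numbers attributes from 3000 in attrset (name-sorted) order, so inserting an entry renumbers every later one, and nothing prevents a name from colliding with an attribute already defined by the stock FreeRADIUS dictionaries; a comment such as `# Internal-only attributes (numbers > 255 are never sent on the wire); ids follow attrset order and shift when entries are added` would make that explicit. As rendered here the writer reads `cat < ${cfg.configDir}/dictionary`, which is an input redirect rather than a heredoc; presumably `<<EOF >` was lost in rendering, but it is worth confirming the real file opens the heredoc. The configuration check toggles the command by prefixing `# ` via `optionalString (!cfg.checkConfiguration)`; the more direct form is `${optionalString cfg.checkConfiguration "${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"}`. The preStart script this hunk edits begins before the hunk.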
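Review bot: `AmbientCapabilities = "CAP_NET_BIND_SERVICE";` in the last hunk grants the daemon the right to bind ports below 1024, but the standard RADIUS ports 1812/1813 are above that and the hunk does not show a listener on a lower port, so unless the legacy 1645/1646 ports are configured the capability is unneeded and should be dropped. If it is needed, pair it with `CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";` so it is the only capability the process can retain, and add a comment naming the port that requires it, e.g. `# needed only for the legacy auth/acct ports < 1024`. Whether the unit runs as a dedicated user (where ambient capabilities matter) is not visible here; the serviceConfig block continues outside the hunk.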