mirrors/aports
3
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2025-05-05 09:54:24 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
aports/main/freeradius/default-config.patch

181 lines
5.6 KiB
Diff
Raw Permalink Blame History

From f37bee486aca3de86b594770f0b2b3ff8e96596a Mon Sep 17 00:00:00 2001
From: Jakub Jirutka <jakub@jirutka.cz>
Date: Tue, 18 May 2021 14:10:00 +0000
Subject: [PATCH] Adjust default config
- Fix default location of db_dir and run_dir.
- Remove pidfile - this is handled by OpenRC.
- Change default sqlite db path to a reasonable location.
- Change default cui sqlite location to $db_dir/.
- Change default cache paths to /var/cache/radiusd.
---
raddb/mods-available/cui | 2 +-
raddb/mods-available/eap | 11 +++--------
raddb/mods-available/sql | 4 ++--
raddb/radiusd.conf.in | 21 +++++----------------
raddb/sites-available/abfab-tls | 4 ++--
raddb/sites-available/tls | 4 ++--
6 files changed, 15 insertions(+), 31 deletions(-)
diff --git a/raddb/mods-available/cui b/raddb/mods-available/cui
index b72aa30..0dc4e1c 100644
--- a/raddb/mods-available/cui
+++ b/raddb/mods-available/cui
@@ -29,7 +29,7 @@ sql cuisql {
driver = "rlm_sql_${dialect}"
sqlite {
- filename = ${radacctdir}/cui.sqlite
+ filename = ${db_dir}/cui.sqlite
bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql
}
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 239ac4c..66d59b4 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -534,20 +534,15 @@ eap {
# state and the cached VPs. This will persist session
# across server restarts.
#
- # The default directory is ${logdir}, for historical
- # reasons. You should ${db_dir} instead. And check
- # the value of db_dir in the main radiusd.conf file.
- # It should not point to ${raddb}
- #
# The server will need write perms, and the directory
# should be secured from anyone else. You might want
# a script to remove old files from here periodically:
#
- # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
+ # find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \;
#
# This feature REQUIRES "name" option be set above.
#
- # persist_dir = "${logdir}/tlscache"
+ # persist_dir = "${cachedir}/tlscache"
#
# As of 3.0.20, it is possible to partially
@@ -616,7 +611,7 @@ eap {
# deleted by the server when the command
# returns.
#
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
# OCSP Configuration
diff --git a/raddb/mods-available/sql b/raddb/mods-available/sql
index cfeac63..7ff51dd 100644
--- a/raddb/mods-available/sql
+++ b/raddb/mods-available/sql
@@ -69,7 +69,7 @@ sql {
#
sqlite {
# Path to the sqlite database
- filename = "/tmp/freeradius.db"
+ filename = "${db_dir}/freeradius.db"
# How long to wait for write locks on the database to be
# released (in ms) before giving up.
@@ -84,7 +84,7 @@ sql {
mysql {
# If any of the files below are set, TLS encryption is enabled
tls {
- ca_file = "/etc/ssl/certs/my_ca.crt"
+ ca_file = "/etc/ssl/certs/ca-certificates.crt"
ca_path = "/etc/ssl/certs/"
certificate_file = "/etc/ssl/certs/private/client.crt"
private_key_file = "/etc/ssl/certs/private/client.key"
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index 61cc3a4..29f716a 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -98,10 +98,10 @@ confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
-run_dir = ${localstatedir}/run/${name}
+run_dir = /run/${name}
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
+db_dir = ${localstatedir}/lib/radiusd
+cachedir = ${localstatedir}/cache/radiusd
#
# libdir: Where to find the rlm_* modules.
@@ -137,17 +137,6 @@ db_dir = ${raddbdir}
#
libdir = @libdir@
-# pidfile: Where to place the PID of the RADIUS server.
-#
-# The server may be signalled while it's running by using this
-# file.
-#
-# This file is written when ONLY running in daemon mode.
-#
-# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
-#
-pidfile = ${run_dir}/${name}.pid
-
#
# correct_escapes: use correct backslash escaping
#
@@ -520,8 +509,8 @@ security {
# member. This can allow for some finer-grained access
# controls.
#
-# user = radius
-# group = radius
+ user = radius
+ group = radius
# Core dumps are a bad thing. This should only be set to
# 'yes' if you're debugging a problem with the server.
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
index b8d0626..4eba0a3 100644
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -25,7 +25,7 @@ listen {
enable = no
lifetime = 24 # hours
name = "abfab-tls"
- # persist_dir = ${logdir}/abfab-tls
+ # persist_dir = ${cachedir}/abfab-tls
}
require_client_cert = yes
verify {
@@ -63,7 +63,7 @@ listen {
enable = no
lifetime = 24 # hours
name = "abfab-tls"
- # persist_dir = ${logdir}/abfab-tls
+ # persist_dir = ${cachedir}/abfab-tls
}
require_client_cert = yes
verify {
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 8c8e06a..9f55b74 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -366,11 +366,11 @@ listen {
# should be secured from anyone else. You might want
# a script to remove old files from here periodically:
#
- # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
+ # find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \;
#
# This feature REQUIRES "name" option be set above.
#
- #persist_dir = "${logdir}/tlscache"
+ #persist_dir = "${cachedir}/tlscache"
}
#
--
2.31.1
Reference in a new issue View git blame Copy permalink