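[Unit]
Description=FreeRADIUS multi-protocol policy server
# After= only orders this unit relative to network-online.target; it does not
# pull the target in. Without Wants= the target may never be activated and the
# ordering has no effect, so radiusd can start before the network is up.
Wants=network-online.target
After=network-online.target
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/
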
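[Service]
Type=notify
# systemd restarts the service if no watchdog ping arrives within this many seconds.
WatchdogSec=60
# NOTE(review): "all" lets any process in the unit's cgroup send sd_notify()
# messages, including watchdog pings. If only the main radiusd process talks
# to systemd, NotifyAccess=main is the tighter setting -- confirm before changing.
NotifyAccess=all
# Optional; the leading "-" means a missing file is not an error.
# Expected to define FREERADIUS_OPTIONS, which the Exec*= lines below expand.
EnvironmentFile=-/etc/default/freeradius

# FreeRADIUS can do static evaluation of policy language rules based
# on environmental variables which is very useful for doing per-host
# customization.
# Unfortunately systemd does not allow variable substitutions such
# as %H or $(hostname) in the EnvironmentFile.
# We provide HOSTNAME here for convenience (%H is the systemd host-name specifier).
Environment=HOSTNAME=%H

# Limit memory to 2G; this is fine for 99.99% of deployments. FreeRADIUS
# is not memory hungry, if it's using more than this, then there's probably
# a leak somewhere.
# MemoryMax= is the current name of this setting; MemoryLimit= is the
# legacy cgroup-v1 spelling.
MemoryMax=2G

# Ensure the daemon can still write its pidfile after it drops
# privileges. Combination of options that work on a variety of
# systems. Test very carefully if you alter these lines.
RuntimeDirectory=freeradius
RuntimeDirectoryMode=0775
# The service is started as root. NOTE(review): presumably radiusd drops to
# its configured user/group itself after binding its sockets -- verify the
# user/group settings in radiusd.conf. While the process is root,
# NoNewPrivileges= and the Protect*= settings below still apply but give far
# less containment than they would for an unprivileged user. To start
# unprivileged instead, swap the User=/Group= lines for the freerad ones and
# enable the AmbientCapabilities= line further down.
#User=freerad
#Group=freerad
User=root
Group=root

# Syntax-check the configuration (-C) before starting, so a broken config
# fails the unit cleanly instead of starting a misconfigured server.
ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5
# ExecReload= lines run in order: re-check the config first; a failed check
# stops the reload before SIGHUP is sent, so a bad edit never takes down a
# running server.
ExecReload=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout
ExecReload=/bin/kill -HUP $MAINPID

# Don't elevate privileges after starting
NoNewPrivileges=true

# Allow binding to secure ports, broadcast addresses, and raw interfaces.
# Only needed when running with a non-root User=; with User=root it is redundant.
#AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE

# Private /tmp that isn't shared by other processes
PrivateTmp=true

# cgroups are readable only by radiusd, and child processes
ProtectControlGroups=true

# don't load new kernel modules
ProtectKernelModules=true

# don't tune kernel parameters
ProtectKernelTunables=true

# Only allow native system calls
SystemCallArchitectures=native

# We shouldn't be writing to the configuration directory
# (ReadOnlyPaths= is the current name of ReadOnlyDirectories=)
ReadOnlyPaths=/etc/freeradius/

# We can read and write to the log directory.
# (ReadWritePaths= is the current name of ReadWriteDirectories=)
ReadWritePaths=/var/log/freeradius/
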
[Install]
# Enabled units are started as part of the normal multi-user boot target.
WantedBy=multi-user.target