vn-ansible/roles/config-freeradius-totp/templates/freeradiusservice.j2

71 lines
2.1 KiB
Plaintext
Raw Normal View History

2024-05-08 11:33:10 +00:00
[Unit]
Description=FreeRADIUS multi-protocol policy server
After=network-online.target
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/
[Service]
Type=notify
WatchdogSec=60
NotifyAccess=all
EnvironmentFile=-/etc/default/freeradius
# FreeRADIUS can do static evaluation of policy language rules based
# on environmental variables which is very useful for doing per-host
# customization.
# Unfortunately systemd does not allow variable substitutions such
# as %H or $(hostname) in the EnvironmentFile.
# We provide HOSTNAME here for convenience.
Environment=HOSTNAME=%H
# Limit memory to 2G this is fine for %99.99 of deployments. FreeRADIUS
# is not memory hungry, if it's using more than this, then there's probably
# a leak somewhere.
MemoryLimit=2G
# Ensure the daemon can still write its pidfile after it drops
# privileges. Combination of options that work on a variety of
# systems. Test very carefully if you alter these lines.
RuntimeDirectory=freeradius
RuntimeDirectoryMode=0775
#User=freerad
#Group=freerad
User=root
Group=root
ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5
ExecReload=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout
ExecReload=/bin/kill -HUP $MAINPID
# Don't elevate privileges after starting
NoNewPrivileges=true
# Allow binding to secure ports, broadcast addresses, and raw interfaces.
#AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
# Private /tmp that isn't shared by other processes
PrivateTmp=true
# cgroups are readable only by radiusd, and child processes
ProtectControlGroups=true
# don't load new kernel modules
ProtectKernelModules=true
# don't tune kernel parameters
ProtectKernelTunables=true
# Only allow native system calls
SystemCallArchitectures=native
# We shouldn't be writing to the configuration directory
ReadOnlyDirectories=/etc/freeradius/
# We can read and write to the log directory.
ReadWriteDirectories=/var/log/freeradius/
[Install]
WantedBy=multi-user.target