feat: migrate to Gitea, productize Helm chart, unify version
- CI: replace GitLab pipeline with Gitea Actions (.gitea/workflows/release.yaml); publish .deb/image/hosted/chart to Gitea registries; gate image+hosted on .deb (needs + registry pre-check) - drop connectone/Nexus; apt now from the Gitea Debian registry - single version source (/VERSION=3.2.8); CI enforces .env/Chart consistency - restructure: build/->packaging/deb, root Dockerfile->packaging/image, hosted/->packaging/hosted, .kube/->charts/freeradius - Helm chart: documented values, DB password via Secret/$ENV, configurable scheduling/persistence; remove plaintext creds and hostPath PV - gitignore *.env_cnf; docs for hosted (RU)/helm/root + agent KB sync Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
74
packaging/hosted/config/systemd/freeradius.service
Normal file
74
packaging/hosted/config/systemd/freeradius.service
Normal file
@@ -0,0 +1,74 @@
|
||||
[Unit]
|
||||
Description=FreeRADIUS multi-protocol policy server
|
||||
After=network-online.target
|
||||
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
WatchdogSec=60
|
||||
NotifyAccess=all
|
||||
PIDFile=/etc/freeradius/freeradius.pid
|
||||
EnvironmentFile=-/etc/default/freeradius
|
||||
|
||||
# FreeRADIUS can do static evaluation of policy language rules based
|
||||
# on environmental variables which is very useful for doing per-host
|
||||
# customization.
|
||||
# Unfortunately systemd does not allow variable substitutions such
|
||||
# as %H or $(hostname) in the EnvironmentFile.
|
||||
# We provide HOSTNAME here for convenience.
|
||||
Environment=HOSTNAME=%H
|
||||
Environment=TZ=UTC
|
||||
|
||||
# Limit memory to 2G this is fine for %99.99 of deployments. FreeRADIUS
|
||||
# is not memory hungry, if it's using more than this, then there's probably
|
||||
# a leak somewhere.
|
||||
MemoryLimit=2G
|
||||
|
||||
# Ensure the daemon can still write its pidfile after it drops
|
||||
# privileges. Combination of options that work on a variety of
|
||||
# systems. Test very carefully if you alter these lines.
|
||||
RuntimeDirectory=freeradius
|
||||
RuntimeDirectoryMode=0775
|
||||
# This does not work on Debian Jessie:
|
||||
User=freerad
|
||||
Group=freerad
|
||||
# This does not work on Ubuntu Bionic:
|
||||
ExecStartPre=/bin/chown freerad:freerad /var/run/freeradius
|
||||
|
||||
ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
|
||||
ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS
|
||||
Restart=on-failure
|
||||
RestartSec=3
|
||||
ExecReload=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
|
||||
# Don't elevate privileges after starting
|
||||
NoNewPrivileges=true
|
||||
|
||||
# Allow binding to secure ports, broadcast addresses, and raw interfaces.
|
||||
#CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
|
||||
|
||||
# Private /tmp that isn't shared by other processes
|
||||
PrivateTmp=true
|
||||
|
||||
# cgroups are readable only by radiusd, and child processes
|
||||
ProtectControlGroups=true
|
||||
|
||||
# don't load new kernel modules
|
||||
ProtectKernelModules=true
|
||||
|
||||
# don't tune kernel parameters
|
||||
ProtectKernelTunables=true
|
||||
|
||||
# Only allow native system calls
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# We shouldn't be writing to the configuration directory
|
||||
ReadOnlyDirectories=/etc/freeradius/
|
||||
|
||||
# We can read and write to the log directory.
|
||||
ReadWriteDirectories=/var/log/freeradius/
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
Reference in New Issue
Block a user