Files
freeradius/charts/freeradius/templates/configmap.yaml
Georg K 99e1245ed3 feat: migrate to Gitea, productize Helm chart, unify version
- CI: replace GitLab pipeline with Gitea Actions (.gitea/workflows/release.yaml);
  publish .deb/image/hosted/chart to Gitea registries; gate image+hosted on .deb
  (needs + registry pre-check)
- drop connectone/Nexus; apt now from the Gitea Debian registry
- single version source (/VERSION=3.2.8); CI enforces .env/Chart consistency
- restructure: build/->packaging/deb, root Dockerfile->packaging/image,
  hosted/->packaging/hosted, .kube/->charts/freeradius
- Helm chart: documented values, DB password via Secret/$ENV, configurable
  scheduling/persistence; remove plaintext creds and hostPath PV
- gitignore *.env_cnf; docs for hosted (RU)/helm/root + agent KB sync

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-12 05:45:10 +03:00

169 lines
4.1 KiB
YAML

apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "freeradius.fullname" . }}-configs
namespace: {{ .Release.Namespace }}
labels:
{{- include "freeradius.labels" . | nindent 4 }}
data:
default: |
server default {
listen {
type = auth
ipaddr = *
port = {{ .Values.service.authPort }}
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = {{ .Values.service.acctPort }}
type = acct
limit {
}
}
authorize {
filter_username
preprocess
chap
mschap
digest
suffix
-sql
expiration
logintime
pap
Autz-Type New-TLS-Connection {
ok
}
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
digest
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
update {
&reply: += &session-state:
}
-sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
remove_reply_message_if_eap
}
Post-Auth-Type Client-Lost {
}
if (EAP-Key-Name && &reply:EAP-Session-Id) {
update reply {
&EAP-Key-Name := &reply:EAP-Session-Id
}
}
}
pre-proxy {
}
post-proxy {
}
}
sql: |
sql {
dialect = "postgresql"
driver = "rlm_sql_${dialect}"
postgresql {
send_application_name = yes
}
server = "{{ .Values.db.host }}"
port = {{ .Values.db.port }}
login = "{{ .Values.db.user }}"
password = "$ENV{DB_PASSWORD}"
radius_db = "{{ .Values.db.name }}"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
authreply_table = "radreply"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
delete_stale_sessions = yes
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
client_table = "nas"
group_attribute = "SQL-Group"
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
rest: |
rest {
tls {
}
connect_uri = "http://{{ .Values.api.host }}:{{ .Values.api.port }}/"
authorize {
uri = "${..connect_uri}radius/auth"
method = 'post'
body = 'json'
data = '{"ip": "%{Packet-Src-IP-Address}", "hotspot-group": "%{raw:Called-Station-Id}", "hotspot-id": "%{raw:NAS-Identifier}"}'
force_to = 'json'
auth = 'none'
require_auth = no
timeout = 4.000000
}
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}