[Unit] Description=FreeRADIUS multi-protocol policy server After=network-online.target Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/ [Service] Type=notify WatchdogSec=60 NotifyAccess=all EnvironmentFile=-/etc/default/freeradius # FreeRADIUS can do static evaluation of policy language rules based # on environmental variables which is very useful for doing per-host # customization. # Unfortunately systemd does not allow variable substitutions such # as %H or $(hostname) in the EnvironmentFile. # We provide HOSTNAME here for convenience. Environment=HOSTNAME=%H # Limit memory to 2G this is fine for %99.99 of deployments. FreeRADIUS # is not memory hungry, if it's using more than this, then there's probably # a leak somewhere. MemoryMax=2G # Ensure the daemon can still write its pidfile after it drops # privileges. Combination of options that work on a variety of # systems. Test very carefully if you alter these lines. RuntimeDirectory=freeradius RuntimeDirectoryMode=0775 User=freerad Group=freerad ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS Restart=on-failure RestartSec=5 ExecReload=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout ExecReload=/bin/kill -HUP $MAINPID # Don't elevate privileges after starting NoNewPrivileges=true # Allow binding to secure ports, broadcast addresses, and raw interfaces. #AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE # Private /tmp that isn't shared by other processes PrivateTmp=true # cgroups are readable only by radiusd, and child processes ProtectControlGroups=true # don't load new kernel modules ProtectKernelModules=true # don't tune kernel parameters ProtectKernelTunables=true # Only allow native system calls SystemCallArchitectures=native # We shouldn't be writing to the configuration directory ReadOnlyDirectories=/etc/freeradius/ # We can read and write to the log directory. ReadWriteDirectories=/var/log/freeradius/ [Install] WantedBy=multi-user.target