[Unit]
Description=FreeRADIUS multi-protocol policy server
After=network-online.target
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/

[Service]
Type=notify
WatchdogSec=60
NotifyAccess=all
EnvironmentFile=-/etc/sysconfig/radiusd

# FreeRADIUS can do static evaluation of policy language rules based
# on environmental variables which is very useful for doing per-host
# customization.
# Unfortunately systemd does not allow variable substitutions such
# as %H or $(hostname) in the EnvironmentFile.
# We provide HOSTNAME here for convenience.
Environment=HOSTNAME=%H

# Limit memory to 2G this is fine for %99.99 of deployments.  FreeRADIUS
# is not memory hungry, if it's using more than this, then there's probably
# a leak somewhere.
MemoryLimit=2G

RuntimeDirectory=radiusd
RuntimeDirectoryMode=0775
User=radiusd
Group=radiusd 
ExecStartPre=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cx -lstdout
ExecStart=/usr/sbin/radiusd -f $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5
ExecReload=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cxm -lstdout
ExecReload=/bin/kill -HUP $MAINPID

#  Don't elevate privileges after starting
NoNewPrivileges=true

# Allow binding to secure ports, broadcast addresses, and raw interfaces.
#
# This list of capabilities may not be exhaustive, and needs
# further testing. Please uncomment, test, and report any issues.
#CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE

# Private /tmp that isn't shared by other processes
PrivateTmp=true

# cgroups are readable only by radiusd, and child processes
ProtectControlGroups=true

# don't load new kernel modules
ProtectKernelModules=true

# don't tune kernel parameters
ProtectKernelTunables=true

# Only allow native system calls
SystemCallArchitectures=native

# We shouldn't be writing to the configuration directory
ReadOnlyDirectories=/etc/raddb/

# We can read and write to the log directory.
ReadWriteDirectories=/var/log/radius/

[Install]
WantedBy=multi-user.target