Ways to simplify configs?

Phil Mayers p.mayers at imperial.ac.uk
Sat Jul 29 19:55:35 CEST 2017


On 27/07/17 16:34, Adam Bishop wrote:
> On 27 Jul 2017, at 16:20, Phil Mayers <p.mayers at imperial.ac.uk>
> wrote:
>> As others have said, we put the entire repo into a git directory,
>> and just push it out to servers.
>
> This, and I split the config into more files than default, not less.
>
> I have a file (/etc/raddb/variables) that is not stored in the git
> tree that contains the host name of the system, and a bunch of values
> for whether it's a Dev or Production system, VLAN IDs, policy
> enablement etc.

We do very similar things.

We actually run our various services (wireless, eduroam IdP, eduroam SP, 
macauth, VPN) as separate processes as opposed to one big radius 
process, which provides a measure of protection against crash bugs and 
the disruption of a full restart or having to toggle into debug mode; as 
such, I have huge sections of our config in "common" includes, and we 
use a setup like:

instance.conf

serviceopts {
   name = instance

   # port for nagios to check this
   # instance over authentication
   nagios_port = 16000

   # ditto via status-server
   status_port = 16001

   sql_socks = 10
   redis_socks = 20
   # etc. etc.
}

# global user-supplied
$INCLUDE global.conf
# server-local, not in git
$INCLUDE local.conf
# most of normal radiusd.conf
$INCLUDE common.conf

$INCLUDE sites-enabled/instance
$INCLUDE sites-enabled/instance-inner
$INCLUDE sites-enabled/common-radmin
$INCLUDE sites-enabled/common-status

...and the various included files will make use of ${serviceopts.blah} 
expansions to hook all this in.

Works great. Very happy with it.
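
A pre-push check for the layout described above, added here as an example and not part of the original post or of FreeRADIUS: it flags a port reused by two instances and any ${serviceopts.*} expansion in a shared include that an instance never defines. The file contents and the function names parse_serviceopts and lint are assumptions for illustration, as is the premise that the instances share a host.

```python
import re
from collections import defaultdict
# Constructed sample inputs (not from the original post); all values invented.
INSTANCES = {
    "wireless.conf": """serviceopts {
   name = wireless
   nagios_port = 16000
   status_port = 16001
   sql_socks = 10
}""",
    "vpn.conf": """serviceopts {
   name = vpn
   nagios_port = 16000   # copy-paste slip: clashes with wireless
   status_port = 16011
}""",
}
SHARED = {"common.conf": "pool { max = ${serviceopts.sql_socks} }\n"
                         "listen { port = ${serviceopts.status_port} }\n"}

def parse_serviceopts(text):
    """Return the name = value pairs inside the serviceopts { } block."""
    m = re.search(r"^\s*serviceopts\s*\{(.*?)^\s*\}", text, re.S | re.M)
    opts = {}
    for line in (m.group(1) if m else "").splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            opts[key] = value
    return opts

def lint(instances, shared):
    """Report reused ports and expansions that an instance leaves undefined."""
    problems, ports = [], defaultdict(list)
    needed = {ref for text in shared.values()
              for ref in re.findall(r"\$\{serviceopts\.(\w+)\}", text)}
    for fname in sorted(instances):
        opts = parse_serviceopts(instances[fname])
        for key, value in opts.items():
            if key.endswith("_port"):
                ports[value].append(f"{fname}:{key}")
        for ref in sorted(needed - set(opts)):
            problems.append(f"{fname}: ${{serviceopts.{ref}}} is undefined")
    for port, users in sorted(ports.items()):
        if len(users) > 1:
            problems.append(f"port {port} reused by {', '.join(users)}")
    return problems

if __name__ == "__main__":
    print("\n".join(lint(INSTANCES, SHARED)) or "ok")
```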

