freeradius: do not generate TLS stuff

2020-02-28 10:50:43 +01:00 · 2020-02-28 10:50:43 +01:00 · cc9a4c8a06
parent 3f11ceb417
commit cc9a4c8a06
1 changed files with 10 additions and 0 deletions
--- a/pkgs/servers/freeradius/default.nix
+++ b/pkgs/servers/freeradius/default.nix
@ -81,9 +81,19 @@ stdenv.mkDerivation rec {
    substituteInPlace src/main/checkrad.in --replace "/usr/bin/finger" "${finger_bsd}/bin/finger"
  '';

+  # By default, freeradius will generate Diffie-Hellman parameters and
+  # self-signed TLS certificates during installation. We don't want
+  # this, for several reasons:
+  # - reproducibility (random generation)
+  # - we don't want _anybody_ to use a cert where the private key is on our public binary cache!
+  # - we don't want the certs to change each time the package is rebuilt
+  # So let's avoid anything getting into our output.
+  makeFlags = [ "LOCAL_CERT_FILES=" ];
+
  installFlags = [
    "sysconfdir=\${out}/etc"
    "localstatedir=\${TMPDIR}"
+    "INSTALL_CERT_FILES=" # see comment at makeFlags
  ];

  outputs = [ "out" "dev" "man" "doc" ];