authorJakub Jirutka <jakub@jirutka.cz>2020-02-16 18:23:25 +0100
committerJakub Jirutka <jakub@jirutka.cz>2020-02-17 16:34:42 +0100
commit802673c5f1846aa0c61f1a2bff4392305fa6f333 (patch)
tree72b0cd8b48eb278c44ec7398fad43b61f4d40fec /main/freeradius
parent72baab7aa343fbdd4246799c503eb8451a9551ff (diff)
main/freeradius: change default cache paths to /var/cache/radiusd
All are commented out, so we don't have to handle existing cache directories in upgrade.
Diffstat (limited to 'main/freeradius')
-rw-r--r--main/freeradius/APKBUILD3
-rw-r--r--main/freeradius/default-config.patch144
2 files changed, 104 insertions, 43 deletions
diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD
index 39a34d9fcc..7d7880b35b 100644
--- a/main/freeradius/APKBUILD
+++ b/main/freeradius/APKBUILD
@@ -150,6 +150,7 @@ package() {
"$pkgdir"$_radconfdir
install -d -m0750 -o radius -g radius \
+ "$pkgdir"/var/cache/radiusd \
"$pkgdir"/var/lib/radiusd \
"$pkgdir"/var/log/radius \
"$pkgdir"/var/log/radius/radacct
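Review bot: The new `"$pkgdir"/var/cache/radiusd` entry rides on the shared `install -d -m0750 -o radius -g radius` line, so the directory meant to hold TLS session caches is traversable and listable by every member of group `radius`, while the eap comment shipped in default-config.patch says that directory "should be secured from anyone else". Consider creating it on its own with `install -d -m0700 -o radius -g radius "$pkgdir"/var/cache/radiusd`; whether the session files themselves are written with a restrictive mode is not visible here. The `tlscache` and `abfab-tls` subdirectories named by the commented-out `persist_dir` examples are not created either, so an admin who enables them presumably has to create them with the same owner and mode. package() starts and ends outside this hunk.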
@@ -397,7 +398,7 @@ a66ab5d3f1c86450e9c50aa8be10a40fb4118467670048773ad8c80b5f3fb958dd3addc6ef245289
5f940e200aa39b2fbbfaf5b24f2ad99869fa75bb7e2008876940ea96cb9dbc7f2b27dd1672aa56cdb5243faabdcbc38875594dd8792af965987183c0aa2aefd1 print-var.mk
c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d musl-fix-headers.patch
41d478c0e40ff82fc36232964037c1ab8ffca9fdbb7dca02ed49319906e751c133b5d7bc7773c645cec6d9d39d1de69cba25e8d59afa8d6662563dd17f35f234 fix-scopeid.patch
-0a60e3a5eff133898292cee4935d2d50c4a8a79c8357446999f12a368dac47abc4af4a09478cea001968f78791dca0eab305aaa3ee397ef09ebcc378b17f5ad0 default-config.patch
+c266718d830076423c19a31c608a925ec664156ef2da87c97166d376b16f4582e7f8adebd9c8e3ef51b24da0ca3252f00b557ed9ee9dd8325d8a6a317f4e3ed1 default-config.patch
f96b7b2e0fc614cb8b70bd500933538e98e05b58718af931a62bc7ba2307600cf8c2a8a99de856ad2e18101dd5bfe95c50ee34de20eef21ba0ad795577a6619b remove-eap-from-default-mods.patch
55e179d5e6b31d289c2da7f907e494a6a6f5900483fdff8d3bb25ee15a583b8705942eca1f0d5390e91376966e66e457dce9b2cf1a1f61c8eac6d8fb825404dd readme-setup-script.patch
f88cb4ae335d67211c8563b6df88e20ee3729e57aa56423f99b518f83b190479b38bb189a0ab53c70ef9709a6229ccaa506ea6b79844cbfd4f2a7f0c7c292045 Fix-permissions-of-certs-in-bootstrap-fallback.patch
diff --git a/main/freeradius/default-config.patch b/main/freeradius/default-config.patch
index 520d75cbd0..0ad71173dd 100644
--- a/main/freeradius/default-config.patch
+++ b/main/freeradius/default-config.patch
@@ -1,6 +1,71 @@
+--- a/raddb/mods-available/cui
++++ b/raddb/mods-available/cui
+@@ -29,7 +29,7 @@
+ driver = "rlm_sql_${dialect}"
+
+ sqlite {
+- filename = ${radacctdir}/cui.sqlite
++ filename = ${db_dir}/cui.sqlite
+ bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql
+ }
+
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -504,20 +504,15 @@
+ # state and the cached VPs. This will persist session
+ # across server restarts.
+ #
+- # The default directory is ${logdir}, for historical
+- # reasons. You should ${db_dir} instead. And check
+- # the value of db_dir in the main radiusd.conf file.
+- # It should not point to ${raddb}
+- #
+ # The server will need write perms, and the directory
+ # should be secured from anyone else. You might want
+ # a script to remove old files from here periodically:
+ #
+- # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
++ # find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \;
+ #
+ # This feature REQUIRES "name" option be set above.
+ #
+- # persist_dir = "${logdir}/tlscache"
++ # persist_dir = "${cachedir}/tlscache"
+
+ #
+ # As of 3.0.20, it is possible to partially
+@@ -586,7 +581,7 @@
+ # deleted by the server when the command
+ # returns.
+ #
+- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
++ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ }
+
+ # OCSP Configuration
+--- a/raddb/mods-available/sql
++++ b/raddb/mods-available/sql
+@@ -70,7 +70,7 @@
+ #
+ sqlite {
+ # Path to the sqlite database
+- filename = "/tmp/freeradius.db"
++ filename = "${db_dir}/freeradius.db"
+
+ # How long to wait for write locks on the database to be
+ # released (in ms) before giving up.
+@@ -85,7 +85,7 @@
+ mysql {
+ # If any of the files below are set, TLS encryption is enabled
+ tls {
+- ca_file = "/etc/ssl/certs/my_ca.crt"
++ ca_file = "/etc/ssl/certs/ca-certificates.crt"
+ ca_path = "/etc/ssl/certs/"
+ certificate_file = "/etc/ssl/certs/private/client.crt"
+ private_key_file = "/etc/ssl/certs/private/client.key"
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
-@@ -98,10 +98,9 @@
+@@ -98,10 +98,10 @@
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
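Review bot: The cleanup example `find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \;` in the eap section uses a radiusd.conf variable that a shell does not know, so pasted into a cron job it expands to `/tlscache` and the real session cache is never pruned. Since this package fixes the location, the shipped comment could carry the literal path and limit itself to regular files: `# find /var/cache/radiusd/tlscache -type f -mtime +2 -exec rm -f {} \;`. The same line is added for raddb/sites-available/tls in the last hunk of this file. The literal path assumes `${localstatedir}` resolves to `/var`, as the directory created in the APKBUILD suggests.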
@@ -10,10 +75,11 @@
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
+db_dir = ${localstatedir}/lib/radiusd
++cachedir = ${localstatedir}/cache/radiusd
#
# libdir: Where to find the rlm_* modules.
-@@ -137,18 +136,7 @@
+@@ -137,18 +137,7 @@
#
libdir = @libdir@
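Review bot: `cachedir` is introduced in radiusd.conf.in without any comment, although the next setting in the same context (`libdir`) is documented and the `persist_dir` examples in eap, sites-available/tls and sites-available/abfab-tls now depend on it. A short comment above the assignment would help, for example `+# cachedir: persistent caches such as the TLS session cache; writable by the server only.`. Adding a line means the inner hunk header `@@ -98,10 +98,10 @@` and the new-side offsets of the following inner hunks have to be bumped again.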
@@ -32,7 +98,7 @@
# correct_escapes: use correct backslash escaping
#
# Prior to version 3.0.5, the handling of backslashes was a little
-@@ -501,8 +500,8 @@
+@@ -501,8 +490,8 @@
# member. This can allow for some finer-grained access
# controls.
#
@@ -43,45 +109,39 @@
# Core dumps are a bad thing. This should only be set to
# 'yes' if you're debugging a problem with the server.
---- a/raddb/mods-available/eap
-+++ b/raddb/mods-available/eap
-@@ -586,7 +586,7 @@
- # deleted by the server when the command
- # returns.
- #
-- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
-+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -25,7 +25,7 @@
+ enable = no
+ lifetime = 24 # hours
+ name = "abfab-tls"
+-# persist_dir = ${logdir}/abfab-tls
++# persist_dir = ${cachedir}/abfab-tls
}
- # OCSP Configuration
---- a/raddb/mods-available/sql
-+++ b/raddb/mods-available/sql
-@@ -70,7 +70,7 @@
- #
- sqlite {
- # Path to the sqlite database
-- filename = "/tmp/freeradius.db"
-+ filename = "${db_dir}/freeradius.db"
-
- # How long to wait for write locks on the database to be
- # released (in ms) before giving up.
-@@ -85,7 +85,7 @@
- mysql {
- # If any of the files below are set, TLS encryption is enabled
- tls {
-- ca_file = "/etc/ssl/certs/my_ca.crt"
-+ ca_file = "/etc/ssl/certs/ca-certificates.crt"
- ca_path = "/etc/ssl/certs/"
- certificate_file = "/etc/ssl/certs/private/client.crt"
- private_key_file = "/etc/ssl/certs/private/client.key"
---- a/raddb/mods-available/cui
-+++ b/raddb/mods-available/cui
-@@ -29,7 +29,7 @@
- driver = "rlm_sql_${dialect}"
-
- sqlite {
-- filename = ${radacctdir}/cui.sqlite
-+ filename = ${db_dir}/cui.sqlite
- bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql
- }
+ require_client_cert = yes
+@@ -64,7 +64,7 @@
+ enable = no
+ lifetime = 24 # hours
+ name = "abfab-tls"
+- # persist_dir = ${logdir}/abfab-tls
++ # persist_dir = ${cachedir}/abfab-tls
+ }
+ require_client_cert = yes
+ verify {
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -316,11 +316,11 @@
+ # should be secured from anyone else. You might want
+ # a script to remove old files from here periodically:
+ #
+- # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
++ # find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \;
+ #
+ # This feature REQUIRES "name" option be set above.
+ #
+- #persist_dir = "${logdir}/tlscache"
++ #persist_dir = "${cachedir}/tlscache"
+ }
+ #