Add resource for installing certificates and keys

README.md

@@ -9,6 +9,7 @@
        * [`freeradius`](#freeradius)
     * [Resources](#resources)
        * [`freeradius::attr`](#freeradiusattr)
+       * [`freeradius::cert`](#freeradiuscert)
        * [`freeradius::client`](#freeradiusclient)
        * [`freeradius::config`](#freeradiusconfig)
        * [`freeradius::dictionary`](#freeradiusdictionary)
@@ -110,6 +111,21 @@ freeradius::attr { 'eduroamlocal':
 }
 ```
 
+#### `freeradius::cert`
+
+Install certificates as provided. These are installed in `/etc/raddb/certs`
+
+```puppet
+freeradius::cert { 'mycert.pem':
+  source => 'puppet:///modules/site_freeradius/mycert.pem',
+  type   => 'key',
+}
+```
+
+##### `type`
+
+Set file permissions on the installed certificate differently depending on whether this is a private key or a public certificate. Note that the default is to treat the file as a private key and remove world-readable privileges. Allowable values: `cert`, `key`. Default: `key`.
+
 #### `freeradius::client`
 
 Define RADIUS clients as seen in `clients.conf`

manifests/cert.pp

+# Install FreeRADIUS certificates
+define freeradius::cert (
+  $source,
+  $type = 'key',
+) {
+  $fr_package  = $::freeradius::params::fr_package
+  $fr_service  = $::freeradius::params::fr_service
+  $fr_basepath = $::freeradius::params::fr_basepath
+  $fr_group    = $::freeradius::params::fr_group
+
+  file { "${fr_basepath}/certs/${name}":
+    mode    => $type ? {
+      'key'   => '0640',
+      'cert'  => '0644',
+      default => '0644',
+    },
+    owner   => 'root',
+    group   => $fr_group,
+    source  => $source,
+    require => [File["${fr_basepath}/certs"], Package[$fr_package], Group[$fr_group]],
+    notify  => Service[$fr_service],
+  }
+}