From 78ba8d284d065da7100a35ccdbbc320b563221ce Mon Sep 17 00:00:00 2001
From: Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk>
Date: Mon, 3 Nov 2014 15:49:14 +0000
Subject: [PATCH] Add resource for installing certificates and keys

---
 README.md         | 16 ++++++++++++++++
 manifests/cert.pp | 23 +++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 manifests/cert.pp

diff --git a/README.md b/README.md
index 1dad63b..5d105f7 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@
        * [`freeradius`](#freeradius)
     * [Resources](#resources)
        * [`freeradius::attr`](#freeradiusattr)
+       * [`freeradius::cert`](#freeradiuscert)
        * [`freeradius::client`](#freeradiusclient)
        * [`freeradius::config`](#freeradiusconfig)
        * [`freeradius::dictionary`](#freeradiusdictionary)
@@ -110,6 +111,21 @@ freeradius::attr { 'eduroamlocal':
 }
 ```
 
+#### `freeradius::cert`
+
+Install certificates as provided. These are installed in `/etc/raddb/certs`
+
+```puppet
+freeradius::cert { 'mycert.pem':
+  source => 'puppet:///modules/site_freeradius/mycert.pem',
+  type   => 'key',
+}
+```
+
+##### `type`
+
+Set file permissions on the installed certificate differently depending on whether this is a private key or a public certificate. Note that the default is to treat the file as a private key and remove world-readable privileges. Allowable values: `cert`, `key`. Default: `key`.
+
 #### `freeradius::client`
 
 Define RADIUS clients as seen in `clients.conf`
diff --git a/manifests/cert.pp b/manifests/cert.pp
new file mode 100644
index 0000000..9779269
--- /dev/null
+++ b/manifests/cert.pp
@@ -0,0 +1,23 @@
+# Install FreeRADIUS certificates
+define freeradius::cert (
+  $source,
+  $type = 'key',
+) {
+  $fr_package  = $::freeradius::params::fr_package
+  $fr_service  = $::freeradius::params::fr_service
+  $fr_basepath = $::freeradius::params::fr_basepath
+  $fr_group    = $::freeradius::params::fr_group
+
+  file { "${fr_basepath}/certs/${name}":
+    mode    => $type ? {
+      'key'   => '0640',
+      'cert'  => '0644',
+      default => '0644',
+    },
+    owner   => 'root',
+    group   => $fr_group,
+    source  => $source,
+    require => [File["${fr_basepath}/certs"], Package[$fr_package], Group[$fr_group]],
+    notify  => Service[$fr_service],
+  }
+}
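Review bot: In the `mode` selector of the `file` resource, `default => '0644'` means any `$type` other than `key` or `cert` (for example a mistaken `'private_key'`) installs the file world-readable. That contradicts the README's statement that files are treated as private keys by default. The fallback should fail closed with `default => '0640',`, or better, the define should call `fail()` for values outside `key` and `cert` before declaring the file resource. For key files it is also worth adding `show_diff => false` so that key contents do not appear in agent logs or reports when the file changes, provided the Puppet version in use supports that attribute.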
-- 
GitLab