mariadb: remove internal SSL generation

4 files changed, 26 insertions, 71 deletions

diff --git a/roles/mariadb/README.md b/roles/mariadb/README.md
index dcf566d..49a732e 100644
--- a/roles/mariadb/README.md
+++ b/roles/mariadb/README.md
@@ -2,6 +2,14 @@
 
 ```
 ---
+mdb:
+  address: '0.0.0.0'
+  ssl:
+    enable: False
+    ca: '/etc/ssl/certs/ca-certificates.crt'
+    cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+    key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+
 dbs:
   - testdb1
   - testdb2
diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml
index 155ecf7..7bae77c 100644
--- a/roles/mariadb/defaults/main.yml
+++ b/roles/mariadb/defaults/main.yml
@@ -2,3 +2,11 @@
 dbs: []
 
 db_users: []
+
+mdb:
+  address: '0.0.0.0'
+  ssl:
+    enable: False
+    ca: '/etc/ssl/certs/ca-certificates.crt'
+    cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+    key: '/etc/ssl/private/ssl-cert-snakeoil.key'
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index 79d7ef0..239affe 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -8,24 +8,13 @@
   become: yes
 
 - name: Config File
-  copy:
-    src: 50-server.cnf
+  template:
+    src: 50-server.cnf.j2
     dest: /etc/mysql/mariadb.conf.d/50-server.cnf
   become: yes
   notify:
     - Restart MariaDB
 
-- name: Generate SSL Certificates
-  include_role:
-    name: signed_certificate
-  vars:
-    cert_name: mysql
-    ca_path: /etc/mysql
-    key_path: /etc/mysql
-    cert_path: /etc/mysql
-    owner: mysql
-    group: mysql
-
 - name: Check for changed cert
   command: /bin/true
   when:
diff --git a/roles/mariadb/files/50-server.cnf b/roles/mariadb/templates/50-server.cnf.j2
index 7ef47b3..c18a635 100644
--- a/roles/mariadb/files/50-server.cnf
+++ b/roles/mariadb/templates/50-server.cnf.j2
@@ -1,13 +1,7 @@
-#
-# These groups are read by MariaDB server.
-# Use it for options that only the server (but not clients) should see
-#
-# See the examples of server my.cnf files in /usr/share/mysql
+# This file is managed by Ansible. Do NOT change.
 
-# this is read by the standalone daemon and embedded servers
 [server]
 
-# this is only for the mysqld standalone daemon
 [mysqld]
 
 #
@@ -16,7 +10,7 @@
 user                    = mysql
 pid-file                = /run/mysqld/mysqld.pid
 socket                  = /run/mysqld/mysqld.sock
-#port                   = 3306
+port                   = 3306
 basedir                 = /usr
 datadir                 = /var/lib/mysql
 tmpdir                  = /tmp
@@ -25,7 +19,7 @@ lc-messages-dir         = /usr/share/mysql
 
 # Instead of skip-networking the default is now to listen only on
 # localhost which is more compatible and is not less secure.
-bind-address            = 0.0.0.0
+bind-address            = {{ mdb.address }}
 
 #
 # * Fine Tuning
@@ -78,57 +72,13 @@ expire_logs_days        = 10
 #binlog_do_db           = include_database_name
 #binlog_ignore_db       = exclude_database_name
 
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-#chroot = /var/lib/mysql/
-#
-# For generating SSL certificates you can use for example the GUI tool "tinyca".
-#
-ssl-ca = /etc/ssl/certs/ca-certificates.crt
-ssl-cert = /etc/mysql/mysql.pem
-ssl-key = /etc/mysql/mysql.key
-#
-# Accept only connections using the latest and most secure TLS protocol version.
-# ..when MariaDB is compiled with OpenSSL:
+{% if mdb.ssl.enable %}
+ssl-ca = {{ mdb.ssl.ca }}
+ssl-cert = {{ mdb.ssl.cert }}
+ssl-key = {{ mdb.ssl.key }}
 ssl-cipher = TLSv1.2
-# ..when MariaDB is compiled with YaSSL (default in Debian):
-#ssl = on
+{% endif %}
 
-#
-# * Character sets
-#
-# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
-# utf8 4-byte character set. See also client.cnf
-#
 character-set-server  = utf8mb4
 collation-server      = utf8mb4_general_ci
 
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-
-#
-# * Unix socket authentication plugin is built-in since 10.0.22-6
-#
-# Needed so the root database user can authenticate without a password but
-# only when running as the unix root user.
-#
-# Also available for other users if required.
-# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
-
-# this is only for embedded server
-[embedded]
-
-# This group is only read by MariaDB servers, not by MySQL.
-# If you use the same .cnf file for MySQL and MariaDB,
-# you can put MariaDB-only options here
-[mariadb]
-
-# This group is only read by MariaDB-10.3 servers.
-# If you use the same .cnf file for MariaDB of different versions,
-# use this group for options that older servers don't understand
-[mariadb-10.3]