From 7ce639a7fd31fca19c9cb0d6ea5b9fab01958daa Mon Sep 17 00:00:00 2001 From: Jonas Gunz Date: Fri, 29 Oct 2021 23:16:52 +0200 Subject: mariadb: remove internal SSL generation --- roles/mariadb/README.md | 8 ++ roles/mariadb/defaults/main.yml | 8 ++ roles/mariadb/files/50-server.cnf | 134 ------------------------------- roles/mariadb/tasks/main.yml | 15 +--- roles/mariadb/templates/50-server.cnf.j2 | 84 +++++++++++++++++++ 5 files changed, 102 insertions(+), 147 deletions(-) delete mode 100644 roles/mariadb/files/50-server.cnf create mode 100644 roles/mariadb/templates/50-server.cnf.j2 (limited to 'roles/mariadb') diff --git a/roles/mariadb/README.md b/roles/mariadb/README.md index dcf566d..49a732e 100644 --- a/roles/mariadb/README.md +++ b/roles/mariadb/README.md @@ -2,6 +2,14 @@ ``` --- +mdb: + address: '0.0.0.0' + ssl: + enable: False + ca: '/etc/ssl/certs/ca-certificates.crt' + cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem' + key: '/etc/ssl/private/ssl-cert-snakeoil.key' + dbs: - testdb1 - testdb2 diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 155ecf7..7bae77c 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -2,3 +2,11 @@ dbs: [] db_users: [] + +mdb: + address: '0.0.0.0' + ssl: + enable: False + ca: '/etc/ssl/certs/ca-certificates.crt' + cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem' + key: '/etc/ssl/private/ssl-cert-snakeoil.key' diff --git a/roles/mariadb/files/50-server.cnf b/roles/mariadb/files/50-server.cnf deleted file mode 100644 index 7ef47b3..0000000 --- a/roles/mariadb/files/50-server.cnf +++ /dev/null 
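Review bot: The new `mdb` defaults pair `address: '0.0.0.0'` with `ssl: enable: False`, so a host that applies the role without overrides serves plaintext MariaDB on every interface; the deleted 50-server.cnf already bound to 0.0.0.0, but TLS used to be unconditional and is now opt-in. A safer default is `address: '127.0.0.1'` (which is also what the "listen only on localhost" comment kept in the template describes) with operators widening it deliberately, or failing that `enable: True`. The `ca` default is the full system bundle, which matters if any user is created with `REQUIRE X509`/`SUBJECT`/`ISSUER`, since a leaf from any public CA would then validate; a comment such as `# ca: verifies client certificates — point at your own CA if you use REQUIRE X509` would make that explicit. The snakeoil cert/key are self-signed placeholders and should be called out as such in the same place.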
@@ -1,134 +0,0 @@
-#
-# These groups are read by MariaDB server.
-# Use it for options that only the server (but not clients) should see
-#
-# See the examples of server my.cnf files in /usr/share/mysql
-
-# this is read by the standalone daemon and embedded servers
-[server]
-
-# this is only for the mysqld standalone daemon
-[mysqld]
-
-#
-# * Basic Settings
-#
-user = mysql
-pid-file = /run/mysqld/mysqld.pid
-socket = /run/mysqld/mysqld.sock
-#port = 3306
-basedir = /usr
-datadir = /var/lib/mysql
-tmpdir = /tmp
-lc-messages-dir = /usr/share/mysql
-#skip-external-locking
-
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
-bind-address = 0.0.0.0
-
-#
-# * Fine Tuning
-#
-#key_buffer_size = 16M
-#max_allowed_packet = 16M
-#thread_stack = 192K
-#thread_cache_size = 8
-# This replaces the startup script and checks MyISAM tables if needed
-# the first time they are touched
-#myisam_recover_options = BACKUP
-#max_connections = 100
-#table_cache = 64
-#thread_concurrency = 10
-
-#
-# * Query Cache Configuration
-#
-#query_cache_limit = 1M
-query_cache_size = 16M
-
-#
-# * Logging and Replication
-#
-# Both location gets rotated by the cronjob.
-# Be aware that this log type is a performance killer.
-# As of 5.1 you can enable the log at runtime!
-#general_log_file = /var/log/mysql/mysql.log
-#general_log = 1
-#
-# Error log - should be very few entries.
-#
-log_warnings = 4
-log_error = /var/log/mysql/error.log
-#
-# Enable the slow query log to see queries with especially long duration
-#slow_query_log_file = /var/log/mysql/mariadb-slow.log
-#long_query_time = 10
-#log_slow_rate_limit = 1000
-#log_slow_verbosity = query_plan
-#log-queries-not-using-indexes
-#
-# The following can be used as easy to replay backup logs or for replication.
-# note: if you are setting up a replication slave, see README.Debian about
-# other settings you may need to change.
-#server-id = 1
-#log_bin = /var/log/mysql/mysql-bin.log
-expire_logs_days = 10
-#max_binlog_size = 100M
-#binlog_do_db = include_database_name
-#binlog_ignore_db = exclude_database_name
-
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-#chroot = /var/lib/mysql/
-#
-# For generating SSL certificates you can use for example the GUI tool "tinyca".
-#
-ssl-ca = /etc/ssl/certs/ca-certificates.crt
-ssl-cert = /etc/mysql/mysql.pem
-ssl-key = /etc/mysql/mysql.key
-#
-# Accept only connections using the latest and most secure TLS protocol version.
-# ..when MariaDB is compiled with OpenSSL:
-ssl-cipher = TLSv1.2
-# ..when MariaDB is compiled with YaSSL (default in Debian):
-#ssl = on
-
-#
-# * Character sets
-#
-# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
-# utf8 4-byte character set. See also client.cnf
-#
-character-set-server = utf8mb4
-collation-server = utf8mb4_general_ci
-
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-
-#
-# * Unix socket authentication plugin is built-in since 10.0.22-6
-#
-# Needed so the root database user can authenticate without a password but
-# only when running as the unix root user.
-#
-# Also available for other users if required.
-# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
-
-# this is only for embedded server
-[embedded]
-
-# This group is only read by MariaDB servers, not by MySQL.
-# If you use the same .cnf file for MySQL and MariaDB,
-# you can put MariaDB-only options here
-[mariadb]
-
-# This group is only read by MariaDB-10.3 servers.
-# If you use the same .cnf file for MariaDB of different versions,
-# use this group for options that older servers don't understand
-[mariadb-10.3]
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index 79d7ef0..239affe 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml @@ -8,24 +8,13 @@ become: yes - name: Config File - copy: - src: 50-server.cnf + template: + src: 50-server.cnf.j2 dest: /etc/mysql/mariadb.conf.d/50-server.cnf become: yes notify: - Restart MariaDB -- name: Generate SSL Certificates - include_role: - name: signed_certificate - vars: - cert_name: mysql - ca_path: /etc/mysql - key_path: /etc/mysql - cert_path: /etc/mysql - owner: mysql - group: mysql - - name: Check for changed cert command: /bin/true when: diff --git a/roles/mariadb/templates/50-server.cnf.j2 b/roles/mariadb/templates/50-server.cnf.j2 new file mode 100644 index 0000000..c18a635 --- /dev/null +++ b/roles/mariadb/templates/50-server.cnf.j2 
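Review bot: The `Check for changed cert` task survives while the `signed_certificate` include that produced the certificate is removed; its `when:` condition (which continues outside the hunk) presumably tests a result registered by that role, so it is now either never true or references an undefined variable, and the MariaDB restart that used to follow a certificate rotation is lost. Either drop the task together with whatever it notifies, or re-point it at the externally supplied files, e.g. `stat: path: "{{ mdb.ssl.cert }}"` registered and compared, so a renewed cert still restarts the server. The role also no longer checks that `mdb.ssl.cert`/`mdb.ssl.key` exist and are readable by the `mysql` user when `mdb.ssl.enable` is true (the Debian snakeoil key is group `ssl-cert`, mode 0640); depending on the MariaDB version an unreadable key may only log a warning and start the server without TLS, which is worth a pre-flight `stat`/assert before the config is templated.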
@@ -0,0 +1,84 @@
+# This file is managed by Ansible. Do NOT change.
+
+[server]
+
+[mysqld]
+
+#
+# * Basic Settings
+#
+user = mysql
+pid-file = /run/mysqld/mysqld.pid
+socket = /run/mysqld/mysqld.sock
+port = 3306
+basedir = /usr
+datadir = /var/lib/mysql
+tmpdir = /tmp
+lc-messages-dir = /usr/share/mysql
+#skip-external-locking
+
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address = {{ mdb.address }}
+
+#
+# * Fine Tuning
+#
+#key_buffer_size = 16M
+#max_allowed_packet = 16M
+#thread_stack = 192K
+#thread_cache_size = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+#myisam_recover_options = BACKUP
+#max_connections = 100
+#table_cache = 64
+#thread_concurrency = 10
+
+#
+# * Query Cache Configuration
+#
+#query_cache_limit = 1M
+query_cache_size = 16M
+
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file = /var/log/mysql/mysql.log
+#general_log = 1
+#
+# Error log - should be very few entries.
+#
+log_warnings = 4
+log_error = /var/log/mysql/error.log
+#
+# Enable the slow query log to see queries with especially long duration
+#slow_query_log_file = /var/log/mysql/mariadb-slow.log
+#long_query_time = 10
+#log_slow_rate_limit = 1000
+#log_slow_verbosity = query_plan
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+# other settings you may need to change.
+#server-id = 1
+#log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+#max_binlog_size = 100M
+#binlog_do_db = include_database_name
+#binlog_ignore_db = exclude_database_name
+
+{% if mdb.ssl.enable %}
+ssl-ca = {{ mdb.ssl.ca }}
+ssl-cert = {{ mdb.ssl.cert }}
+ssl-key = {{ mdb.ssl.key }}
+ssl-cipher = TLSv1.2
+{% endif %}
+
+character-set-server = utf8mb4
+collation-server = utf8mb4_general_ci
+
-- cgit v1.2.3
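Review bot: `ssl-cipher = TLSv1.2` inside the `{% if mdb.ssl.enable %}` block is an OpenSSL cipher-list alias (the suites defined for TLS 1.2), not a protocol floor; the deleted file carried the Debian comment claiming it restricts the protocol version, and the template keeps the misleading value while dropping the comment that explained it. If the intent is to refuse TLS 1.0/1.1, the setting is `tls_version = TLSv1.2,TLSv1.3` (MariaDB 10.4 and later; confirm against the targeted version), and if the intent is a cipher policy it should be written as an actual cipher string with a comment saying so. Even with `mdb.ssl.enable` true nothing sets `require_secure_transport = ON` (10.5+), so plaintext logins over `bind-address = {{ mdb.address }}` are still accepted; either add it to the block or document that opportunistic TLS is intentional. The retained comment "listen only on localhost" above `bind-address` no longer describes the role's default, which is `0.0.0.0` in defaults/main.yml, and should be reworded or removed.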