debian.ansible.mariadb.server/mariadb.yml

---
- name: mariadb
  hosts: all
  tasks:

    - name: Create /home/docker/mariadb.{{inventory_hostname}} dir
      ansible.builtin.file:
        path: /home/docker/mariadb.{{inventory_hostname}}
        owner: root
        group: docker
        state: directory
        mode: '0550'

    - name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh (generate Random PW)
      blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh
        create: yes
        mode: 0550
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          cd /home/docker/mariadb.{{inventory_hostname}}

          mysqlpassword=$(pwgen -s 32 1)

          [ -f env.db ] || echo "MARIADB_ROOT_PASSWORD=!MYSQLPASSWORD!
          " >env.db

          [ -f env.phpmyadmin ] || echo "PMA_USER=root
          PMA_PASSWORD=!MYSQLPASSWORD!
          " >env.phpmyadmin

          chmod 440 env.db env.phpmyadmin
          chown root:docker env.db env.phpmyadmin
          sed -i "s/\!MYSQLPASSWORD\!/$mysqlpassword/g" env.db env.phpmyadmin

        backup: yes
        validate: /bin/bash -n %s

    - name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh shebang
      lineinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh
        insertbefore: BOF
        line: "#!/bin/bash -e"

    - name: Gen initial passwords if not exists
      ansible.builtin.shell: ./genpw.sh
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}
        creates: /home/docker/mariadb.{{inventory_hostname}}/env.db


    - name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh (generate SSL-Certificate)
      blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh
        create: yes
        mode: 0550
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          cd /home/docker/mariadb.{{inventory_hostname}}

          [ -d ssl ] && rm -r ssl
          mkdir ssl
          cd ssl
          
          openssl genrsa 4096 > ca-key.pem
          openssl req -new -x509 -nodes -days 109500 -key ca-key.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > ca-cert.pem

          openssl req -newkey rsa:4096 -days 109500 -nodes -keyout server-key-pkcs8.pem  -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > server-req.pem
          openssl rsa -in server-key-pkcs8.pem -out server-key.pem
          openssl x509 -req -in server-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

          openssl req -newkey rsa:4096 -days 109500 -nodes -keyout client-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > client-req.pem
          openssl rsa -in client-key-pkcs8.pem -out client-key.pem
          openssl x509 -req -in client-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

          chmod 400 *.pem
          chown 999 *.pem

        backup: yes
        validate: /bin/bash -n %s

    - name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh shebang
      lineinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh
        insertbefore: BOF
        line: "#!/bin/bash -e"

    - name: Gen initial SSL if not exists
      ansible.builtin.shell: ./genssl.sh
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}
        creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/client-cert.pem

    - name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (use ssl in mariadb)
      blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf
        create: yes
        mode: 0444
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          [mariadbd]
          ssl=1
          ssl-ca=/etc/mysql/ca-cert.pem
          ssl-cert=/etc/mysql/server-cert.pem
          ssl-key=/etc/mysql/server-key.pem
        backup: yes

    - name: /home/docker/mariadb.{{inventory_hostname}}/config.user.inc.php (use ssl in phpmyadmin)
      blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/phpmyadmin-config.user.inc.php
        create: yes
        mode: 0444
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          // IP address / host of your instance
          $cfg['Servers'][$i]['host'] = 'mariadb.{{inventory_hostname}}';
          // Use SSL for connection
          $cfg['Servers'][$i]['ssl'] = true;
          // Client secret key
          $cfg['Servers'][$i]['ssl_key'] = '/etc/phpmyadmin/client-key.pem';
          // Client certificate
          $cfg['Servers'][$i]['ssl_cert'] = '/etc/phpmyadmin/client-cert.pem';
          // Server certification authority
          $cfg['Servers'][$i]['ssl_ca'] = '/etc/phpmyadmin/ca-cert.pem';
          // Disable SSL verification
          //$cfg['Servers'][$i]['ssl_verify'] = false;
        backup: yes

    - name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration
      blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml
        create: yes
        mode: 0440
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
        
          services:

            mariadb.{{inventory_hostname}}:
              image: mariadb:lts
              cap_add:
                - SYS_NICE
              restart: unless-stopped
              networks:
                - mariadb.{{inventory_hostname}}--network
              volumes:
                - ./db-data:/var/lib/mysql
                - /etc/localtime:/etc/localtime:ro
                - /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf:ro
                - ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf:ro
                - ./ssl/ca-cert.pem:/etc/mysql/ca-cert.pem:ro
                - ./ssl/server-cert.pem:/etc/mysql/server-cert.pem:ro
                - ./ssl/server-key.pem:/etc/mysql/server-key.pem:ro
              env_file:
                - env.db
                - /home/docker/_defaults/mariadb/mariadb.env
              ports:
                - 0.0.0.0:33306:3306

            mariadb.{{inventory_hostname}}--phpmyadmin:
              image: phpmyadmin:latest
              restart: unless-stopped
              env_file: env.phpmyadmin
              environment:
                - PMA_ARBITRARY=0
                - PMA_HOST=mariadb.{{inventory_hostname}}
              volumes:
                - /etc/localtime:/etc/localtime:ro
                - ./phpmyadmin-config.user.inc.php:/etc/phpmyadmin/config.user.inc.php:ro
                - ./ssl/ca-cert.pem:/etc/phpmyadmin/ca-cert.pem:ro
                - ./ssl/client-cert.pem:/etc/phpmyadmin/client-cert.pem:ro
                - ./ssl/client-key.pem:/etc/phpmyadmin/client-key.pem:ro
              networks:
                - mariadb.{{inventory_hostname}}--network
                - traefik
              labels:
                - traefik.enable=true
                # HTTPS
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.rule=Host(`mariadb.{{ ansible_facts['nodename'] }}`)
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.entrypoints=https
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls=true
                # Proxy to service-port
                - traefik.http.services.mariadb-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=80
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.service=mariadb-{{ ansible_facts['hostname'] }}
                # cert via letsencrypt
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt
                # Traefik network
                - traefik.docker.network=traefik
                # auth
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file,default-basic-auth@file

          networks:
            mariadb.{{inventory_hostname}}--network:
              driver: bridge
              driver_opts:
                com.docker.network.bridge.name: br-mariadb
            traefik:
              external: true

        backup: yes        
      notify: Restart mariadb


  handlers:

    - name: Restart mariadb
      ansible.builtin.shell: docker-compose up -d --force-recreate
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}
first commit 2024-05-26 12:33:49 +02:00			`---`
			`- name: mariadb`
			`hosts: all`
			`tasks:`

			`- name: Create /home/docker/mariadb.{{inventory_hostname}} dir`
			`ansible.builtin.file:`
			`path: /home/docker/mariadb.{{inventory_hostname}}`
			`owner: root`
			`group: docker`
			`state: directory`
			`mode: '0550'`

			`- name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh (generate Random PW)`
			`blockinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh`
			`create: yes`
			`mode: 0550`
			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`cd /home/docker/mariadb.{{inventory_hostname}}`

			`mysqlpassword=$(pwgen -s 32 1)`

			`[ -f env.db ] \|\| echo "MARIADB_ROOT_PASSWORD=!MYSQLPASSWORD!`
			`" >env.db`

			`[ -f env.phpmyadmin ] \|\| echo "PMA_USER=root`
			`PMA_PASSWORD=!MYSQLPASSWORD!`
			`" >env.phpmyadmin`

			`chmod 440 env.db env.phpmyadmin`
			`chown root:docker env.db env.phpmyadmin`
			`sed -i "s/\!MYSQLPASSWORD\!/$mysqlpassword/g" env.db env.phpmyadmin`

			`backup: yes`
			`validate: /bin/bash -n %s`

			`- name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh shebang`
			`lineinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh`
			`insertbefore: BOF`
			`line: "#!/bin/bash -e"`

			`- name: Gen initial passwords if not exists`
			`ansible.builtin.shell: ./genpw.sh`
			`args:`
			`chdir: /home/docker/mariadb.{{inventory_hostname}}`
mariadb.yml aktualisiert 2024-05-26 19:01:33 +02:00			`creates: /home/docker/mariadb.{{inventory_hostname}}/env.db`
first commit 2024-05-26 12:33:49 +02:00

			`- name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh (generate SSL-Certificate)`
			`blockinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh`
			`create: yes`
			`mode: 0550`
			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`cd /home/docker/mariadb.{{inventory_hostname}}`

			`[ -d ssl ] && rm -r ssl`
			`mkdir ssl`
			`cd ssl`

			`openssl genrsa 4096 > ca-key.pem`
			`openssl req -new -x509 -nodes -days 109500 -key ca-key.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > ca-cert.pem`

			`openssl req -newkey rsa:4096 -days 109500 -nodes -keyout server-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > server-req.pem`
			`openssl rsa -in server-key-pkcs8.pem -out server-key.pem`
			`openssl x509 -req -in server-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem`

			`openssl req -newkey rsa:4096 -days 109500 -nodes -keyout client-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > client-req.pem`
			`openssl rsa -in client-key-pkcs8.pem -out client-key.pem`
			`openssl x509 -req -in client-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem`

			`chmod 400 *.pem`
bmariadb.yml aktualisiert 2024-05-26 17:47:43 +02:00			`chown 999 *.pem`
first commit 2024-05-26 12:33:49 +02:00
			`backup: yes`
			`validate: /bin/bash -n %s`

			`- name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh shebang`
			`lineinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh`
			`insertbefore: BOF`
			`line: "#!/bin/bash -e"`

			`- name: Gen initial SSL if not exists`
			`ansible.builtin.shell: ./genssl.sh`
			`args:`
			`chdir: /home/docker/mariadb.{{inventory_hostname}}`
			`creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/client-cert.pem`

mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`- name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (use ssl in mariadb)`
first commit 2024-05-26 12:33:49 +02:00			`blockinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf`
			`create: yes`
mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`mode: 0444`
first commit 2024-05-26 12:33:49 +02:00			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
mariadb.yml aktualisiert 2024-05-26 22:32:59 +02:00			`[mariadbd]`
first commit 2024-05-26 12:33:49 +02:00			`ssl=1`
			`ssl-ca=/etc/mysql/ca-cert.pem`
			`ssl-cert=/etc/mysql/server-cert.pem`
			`ssl-key=/etc/mysql/server-key.pem`
			`backup: yes`

mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`- name: /home/docker/mariadb.{{inventory_hostname}}/config.user.inc.php (use ssl in phpmyadmin)`
			`blockinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/phpmyadmin-config.user.inc.php`
			`create: yes`
			`mode: 0444`
			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`// IP address / host of your instance`
			`$cfg['Servers'][$i]['host'] = 'mariadb.{{inventory_hostname}}';`
			`// Use SSL for connection`
			`$cfg['Servers'][$i]['ssl'] = true;`
			`// Client secret key`
			`$cfg['Servers'][$i]['ssl_key'] = '/etc/phpmyadmin/client-key.pem';`
			`// Client certificate`
			`$cfg['Servers'][$i]['ssl_cert'] = '/etc/phpmyadmin/client-cert.pem';`
			`// Server certification authority`
			`$cfg['Servers'][$i]['ssl_ca'] = '/etc/phpmyadmin/ca-cert.pem';`
			`// Disable SSL verification`
			`//$cfg['Servers'][$i]['ssl_verify'] = false;`
			`backup: yes`

first commit 2024-05-26 12:33:49 +02:00			`- name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration`
			`blockinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml`
			`create: yes`
			`mode: 0440`
			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`

			`services:`

			`mariadb.{{inventory_hostname}}:`
			`image: mariadb:lts`
			`cap_add:`
			`- SYS_NICE`
			`restart: unless-stopped`
			`networks:`
			`- mariadb.{{inventory_hostname}}--network`
			`volumes:`
			`- ./db-data:/var/lib/mysql`
			`- /etc/localtime:/etc/localtime:ro`
mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`- /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf:ro`
			`- ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf:ro`
			`- ./ssl/ca-cert.pem:/etc/mysql/ca-cert.pem:ro`
			`- ./ssl/server-cert.pem:/etc/mysql/server-cert.pem:ro`
			`- ./ssl/server-key.pem:/etc/mysql/server-key.pem:ro`
first commit 2024-05-26 12:33:49 +02:00			`env_file:`
			`- env.db`
			`- /home/docker/_defaults/mariadb/mariadb.env`
			`ports:`
			`- 0.0.0.0:33306:3306`

			`mariadb.{{inventory_hostname}}--phpmyadmin:`
			`image: phpmyadmin:latest`
			`restart: unless-stopped`
			`env_file: env.phpmyadmin`
			`environment:`
			`- PMA_ARBITRARY=0`
			`- PMA_HOST=mariadb.{{inventory_hostname}}`
			`volumes:`
			`- /etc/localtime:/etc/localtime:ro`
mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`- ./phpmyadmin-config.user.inc.php:/etc/phpmyadmin/config.user.inc.php:ro`
			`- ./ssl/ca-cert.pem:/etc/phpmyadmin/ca-cert.pem:ro`
			`- ./ssl/client-cert.pem:/etc/phpmyadmin/client-cert.pem:ro`
			`- ./ssl/client-key.pem:/etc/phpmyadmin/client-key.pem:ro`
first commit 2024-05-26 12:33:49 +02:00			`networks:`
			`- mariadb.{{inventory_hostname}}--network`
			`- traefik`
			`labels:`
			`- traefik.enable=true`
			`# HTTPS`
bmariadb.yml aktualisiert 2024-05-26 17:54:07 +02:00			- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.rule=Host(`mariadb.{{ ansible_facts['nodename'] }}`)
first commit 2024-05-26 12:33:49 +02:00			`- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.entrypoints=https`
			`- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls=true`
			`# Proxy to service-port`
			`- traefik.http.services.mariadb-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=80`
			`- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.service=mariadb-{{ ansible_facts['hostname'] }}`
			`# cert via letsencrypt`
			`- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt`
			`# Traefik network`
			`- traefik.docker.network=traefik`
mariadb.yml aktualisiert 2024-05-26 17:38:04 +02:00			`# auth`
bmariadb.yml aktualisiert 2024-05-26 17:57:05 +02:00			`- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file,default-basic-auth@file`
first commit 2024-05-26 12:33:49 +02:00
			`networks:`
			`mariadb.{{inventory_hostname}}--network:`
			`driver: bridge`
			`driver_opts:`
			`com.docker.network.bridge.name: br-mariadb`
			`traefik:`
			`external: true`

			`backup: yes`
			`notify: Restart mariadb`


			`handlers:`

			`- name: Restart mariadb`
			`ansible.builtin.shell: docker-compose up -d --force-recreate`
			`args:`
			`chdir: /home/docker/mariadb.{{inventory_hostname}}`