olli/debian.ansible.mariadb.server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
olli 2024-05-26 12:33:49 +02:00
parent ec7fb5855a
commit 7c95641de0
1 changed files with 249 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

249
mariadb.yml Normal file
View File

@ -0,0 +1,249 @@
---
- name: mariadb
hosts: all
tasks:
- name: Create /home/docker/mariadb.{{inventory_hostname}} dir
ansible.builtin.file:
path: /home/docker/mariadb.{{inventory_hostname}}
owner: root
group: docker
state: directory
mode: '0550'
- name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh (generate Random PW)
blockinfile:
path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh
create: yes
mode: 0550
owner: root
group: docker
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
cd /home/docker/mariadb.{{inventory_hostname}}
mysqlpassword=$(pwgen -s 32 1)
[ -f env.db ] || echo "MARIADB_ROOT_PASSWORD=!MYSQLPASSWORD!
" >env.db
[ -f env.phpmyadmin ] || echo "PMA_USER=root
PMA_PASSWORD=!MYSQLPASSWORD!
" >env.phpmyadmin
chmod 440 env.db env.phpmyadmin
chown root:docker env.db env.phpmyadmin
sed -i "s/\!MYSQLPASSWORD\!/$mysqlpassword/g" env.db env.phpmyadmin
backup: yes
validate: /bin/bash -n %s
notify: run genpw.sh
- name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh shebang
lineinfile:
path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh
insertbefore: BOF
line: "#!/bin/bash -e"
- name: Gen initial passwords if not exists
ansible.builtin.shell: ./genpw.sh
args:
chdir: /home/docker/mariadb.{{inventory_hostname}}
creates: /home/docker/mariadb.{{inventory_hostname}}/env
- name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh (generate SSL-Certificate)
blockinfile:
path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh
create: yes
mode: 0550
owner: root
group: docker
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
cd /home/docker/mariadb.{{inventory_hostname}}
[ -d ssl ] && rm -r ssl
mkdir ssl
cd ssl
openssl genrsa 4096 > ca-key.pem
openssl req -new -x509 -nodes -days 109500 -key ca-key.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > ca-cert.pem
openssl req -newkey rsa:4096 -days 109500 -nodes -keyout server-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > server-req.pem
openssl rsa -in server-key-pkcs8.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl req -newkey rsa:4096 -days 109500 -nodes -keyout client-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > client-req.pem
openssl rsa -in client-key-pkcs8.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
chmod 400 *.pem
chown mysql *.pem
backup: yes
validate: /bin/bash -n %s
notify: run sslpw.sh
- name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh shebang
lineinfile:
path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh
insertbefore: BOF
line: "#!/bin/bash -e"
- name: Gen initial SSL if not exists
ansible.builtin.shell: ./genssl.sh
args:
chdir: /home/docker/mariadb.{{inventory_hostname}}
creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/client-cert.pem
- name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (generate SSL-Certificate)
blockinfile:
path: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf
create: yes
mode: 0550
owner: root
group: docker
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
ssl=1
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
backup: yes
- name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration
blockinfile:
path: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml
create: yes
mode: 0440
owner: root
group: docker
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
services:
mariadb.{{inventory_hostname}}:
image: mariadb:lts
cap_add:
- SYS_NICE
restart: unless-stopped
networks:
- mariadb.{{inventory_hostname}}--network
hostname: mysq
volumes:
- ./db-data:/var/lib/mysql
- /etc/localtime:/etc/localtime:ro
- /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf
- ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf
- ./ssl/ca-cert.pem:/etc/mysql/ca-cert.pem
- ./ssl/server-cert.pem:/etc/mysql/server-cert.pem
- ./ssl/server-key.pem:/etc/mysql/server-key.pem
env_file:
- env.db
- /home/docker/_defaults/mariadb/mariadb.env
ports:
- 0.0.0.0:33306:3306
mariadb.{{inventory_hostname}}--phpmyadmin:
image: phpmyadmin:latest
restart: unless-stopped
env_file: env.phpmyadmin
environment:
- PMA_ARBITRARY=0
- PMA_HOST=mariadb.{{inventory_hostname}}
volumes:
- /etc/localtime:/etc/localtime:ro
networks:
- mariadb.{{inventory_hostname}}--network
- traefik
labels:
- traefik.enable=true
# HTTPS
- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.rule=Host(`mariadb-phpmyadmin.{{ ansible_facts['nodename'] }}`)
- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.entrypoints=https
- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls=true
# Proxy to service-port
- traefik.http.services.mariadb-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=80
- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.service=mariadb-{{ ansible_facts['hostname'] }}
# cert via letsencrypt
- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt
# Traefik network
- traefik.docker.network=traefik
networks:
mariadb.{{inventory_hostname}}--network:
driver: bridge
driver_opts:
com.docker.network.bridge.name: br-mariadb
traefik:
external: true
backup: yes
notify: Restart mariadb
- name: Start mariadb
ansible.builtin.shell: docker-compose up -d --force-recreate
args:
chdir: /home/docker/mariadb.{{inventory_hostname}}
creates: /home/docker/mariadb.{{inventory_hostname}}/db-data/sys/db.opt
- name: Wait until mariadb install is finished
wait_for:
path: /home/docker/mariadb.{{inventory_hostname}}/wp-data/index.php
- name: /home/docker/mariadb.{{inventory_hostname}}/mariadb.init.sh
blockinfile:
path: /home/docker/mariadb.{{inventory_hostname}}/mariadb.init.sh
mode: "0500"
owner: root
group: root
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
# install mariadb Login URL: https://mariadb.{{inventory_hostname}}/wp-login.php
cd /home/docker/mariadb.{{inventory_hostname}}
if ! docker-compose run mariadb.{{inventory_hostname}}--cli wp core is-installed
then
until wget -t1 --timeout=15 https://mariadb.{{inventory_hostname}} >/dev/null 2>&1
do
sleep 5
done
# [ ...]
fi
backup: yes
validate: /bin/bash -n %s
notify: run mariadb.init
- name: Run mariadb.init after install
ansible.builtin.shell: bash /home/docker/mariadb.{{inventory_hostname}}/mariadb.init.sh
args:
chdir: /home/docker/mariadb.{{inventory_hostname}}
creates: /home/docker/mariadb.{{inventory_hostname}}/mariadb.init.log
handlers:
- name: run genpw.sh
ansible.builtin.shell: ./genpw.sh
args:
chdir: /home/docker/mariadb.{{inventory_hostname}}
notify: Restart mariadb
- name: run genssl.sh
ansible.builtin.shell: ./genssl.sh
args:
chdir: /home/docker/mariadb.{{inventory_hostname}}
notify: Restart mariadb
- name: run mariadb.init
ansible.builtin.shell: bash /home/docker/mariadb.{{inventory_hostname}}/mariadb.init.sh
- name: Restart mariadb
ansible.builtin.shell: docker-compose up -d --force-recreate
args:
chdir: /home/docker/mariadb.{{inventory_hostname}}