diff --git a/mariadb.yml b/mariadb.yml new file mode 100644 index 0000000..731b84a --- /dev/null +++ b/mariadb.yml 
@@ -0,0 +1,249 @@ +--- +- name: mariadb + hosts: all + tasks: + + - name: Create /home/docker/mariadb.{{inventory_hostname}} dir + ansible.builtin.file: + path: /home/docker/mariadb.{{inventory_hostname}} + owner: root + group: docker + state: directory + mode: '0550' + + - name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh (generate Random PW) + blockinfile: + path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh + create: yes + mode: 0550 + owner: root + group: docker + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + cd /home/docker/mariadb.{{inventory_hostname}} + + mysqlpassword=$(pwgen -s 32 1) + + [ -f env.db ] || echo "MARIADB_ROOT_PASSWORD=!MYSQLPASSWORD! + " >env.db + + [ -f env.phpmyadmin ] || echo "PMA_USER=root + PMA_PASSWORD=!MYSQLPASSWORD! + " >env.phpmyadmin + + chmod 440 env.db env.phpmyadmin + chown root:docker env.db env.phpmyadmin + sed -i "s/\!MYSQLPASSWORD\!/$mysqlpassword/g" env.db env.phpmyadmin + + backup: yes + validate: /bin/bash -n %s + notify: run genpw.sh + + - name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh shebang + lineinfile: + path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh + insertbefore: BOF + line: "#!/bin/bash -e" + + - name: Gen initial passwords if not exists + ansible.builtin.shell: ./genpw.sh + args: + chdir: /home/docker/mariadb.{{inventory_hostname}} + creates: /home/docker/mariadb.{{inventory_hostname}}/env + + + - name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh (generate SSL-Certificate) + blockinfile: + path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh + create: yes + mode: 0550 + owner: root + group: docker + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + cd /home/docker/mariadb.{{inventory_hostname}} + + [ -d ssl ] && rm -r ssl + mkdir ssl + cd ssl + + openssl genrsa 4096 > ca-key.pem + openssl req -new -x509 -nodes -days 109500 -key ca-key.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > ca-cert.pem + + openssl req 
-newkey rsa:4096 -days 109500 -nodes -keyout server-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > server-req.pem + openssl rsa -in server-key-pkcs8.pem -out server-key.pem + openssl x509 -req -in server-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem + + openssl req -newkey rsa:4096 -days 109500 -nodes -keyout client-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > client-req.pem + openssl rsa -in client-key-pkcs8.pem -out client-key.pem + openssl x509 -req -in client-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem + + chmod 400 *.pem + chown mysql *.pem + + backup: yes + validate: /bin/bash -n %s + notify: run sslpw.sh + + - name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh shebang + lineinfile: + path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh + insertbefore: BOF + line: "#!/bin/bash -e" + + - name: Gen initial SSL if not exists + ansible.builtin.shell: ./genssl.sh + args: + chdir: /home/docker/mariadb.{{inventory_hostname}} + creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/client-cert.pem + + - name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (generate SSL-Certificate) + blockinfile: + path: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf + create: yes + mode: 0550 + owner: root + group: docker + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + ssl=1 + ssl-ca=/etc/mysql/ca-cert.pem + ssl-cert=/etc/mysql/server-cert.pem + ssl-key=/etc/mysql/server-key.pem + backup: yes + + - name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration + blockinfile: + path: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml + create: yes + mode: 0440 + owner: root + group: docker + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + + services: + + mariadb.{{inventory_hostname}}: + image: mariadb:lts + cap_add: + - SYS_NICE 
+ restart: unless-stopped + networks: + - mariadb.{{inventory_hostname}}--network + hostname: mysq + volumes: + - ./db-data:/var/lib/mysql + - /etc/localtime:/etc/localtime:ro + - /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf + - ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf + - ./ssl/ca-cert.pem:/etc/mysql/ca-cert.pem + - ./ssl/server-cert.pem:/etc/mysql/server-cert.pem + - ./ssl/server-key.pem:/etc/mysql/server-key.pem + env_file: + - env.db + - /home/docker/_defaults/mariadb/mariadb.env + ports: + - 0.0.0.0:33306:3306 + + mariadb.{{inventory_hostname}}--phpmyadmin: + image: phpmyadmin:latest + restart: unless-stopped + env_file: env.phpmyadmin + environment: + - PMA_ARBITRARY=0 + - PMA_HOST=mariadb.{{inventory_hostname}} + volumes: + - /etc/localtime:/etc/localtime:ro + networks: + - mariadb.{{inventory_hostname}}--network + - traefik + labels: + - traefik.enable=true + # HTTPS + - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.rule=Host(`mariadb-phpmyadmin.{{ ansible_facts['nodename'] }}`) + - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.entrypoints=https + - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls=true + # Proxy to service-port + - traefik.http.services.mariadb-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=80 + - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.service=mariadb-{{ ansible_facts['hostname'] }} + # cert via letsencrypt + - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt + # Traefik network + - traefik.docker.network=traefik + + networks: + mariadb.{{inventory_hostname}}--network: + driver: bridge + driver_opts: + com.docker.network.bridge.name: br-mariadb + traefik: + external: true + + backup: yes + notify: Restart mariadb + + - name: Start mariadb + ansible.builtin.shell: docker-compose up -d --force-recreate + args: + chdir: /home/docker/mariadb.{{inventory_hostname}} + creates: 
/home/docker/mariadb.{{inventory_hostname}}/db-data/sys/db.opt + + - name: Wait until mariadb install is finished + wait_for: + path: /home/docker/mariadb.{{inventory_hostname}}/wp-data/index.php + + - name: /home/docker/mariadb.{{inventory_hostname}}/mariadb.init.sh + blockinfile: + path: /home/docker/mariadb.{{inventory_hostname}}/mariadb.init.sh + mode: "0500" + owner: root + group: root + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + # install mariadb Login URL: https://mariadb.{{inventory_hostname}}/wp-login.php + cd /home/docker/mariadb.{{inventory_hostname}} + if ! docker-compose run mariadb.{{inventory_hostname}}--cli wp core is-installed + then + until wget -t1 --timeout=15 https://mariadb.{{inventory_hostname}} >/dev/null 2>&1 + do + sleep 5 + done + # [ ...] + fi + backup: yes + validate: /bin/bash -n %s + notify: run mariadb.init + + - name: Run mariadb.init after install + ansible.builtin.shell: bash /home/docker/mariadb.{{inventory_hostname}}/mariadb.init.sh + args: + chdir: /home/docker/mariadb.{{inventory_hostname}} + creates: /home/docker/mariadb.{{inventory_hostname}}/mariadb.init.log + + + + handlers: + + - name: run genpw.sh + ansible.builtin.shell: ./genpw.sh + args: + chdir: /home/docker/mariadb.{{inventory_hostname}} + notify: Restart mariadb + + - name: run genssl.sh + ansible.builtin.shell: ./genssl.sh + args: + chdir: /home/docker/mariadb.{{inventory_hostname}} + notify: Restart mariadb + + + - name: run mariadb.init + ansible.builtin.shell: bash /home/docker/mariadb.{{inventory_hostname}}/mariadb.init.sh + + - name: Restart mariadb + ansible.builtin.shell: docker-compose up -d --force-recreate + args: + chdir: /home/docker/mariadb.{{inventory_hostname}} +
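Review bot: The phpMyAdmin service is published through Traefik on a public hostname (`Host(` + "`" + `mariadb-phpmyadmin.{{ ansible_facts['nodename'] }}` + "`" + `)`, `tls.certresolver=letsencrypt`) while `env.phpmyadmin` sets `PMA_USER=root` and `PMA_PASSWORD=…`, which puts phpMyAdmin into its config authentication mode and logs any visitor in as the database root user without a credential prompt; no auth middleware appears among the traefik labels, so either drop those two variables from genpw.sh (the default cookie auth asks for credentials) or attach a Traefik auth middleware to the `mariadb-{{ ansible_facts['hostname'] }}` router. The genssl.sh blockinfile task notifies `run sslpw.sh`, but the only matching handler is named `run genssl.sh`, so the play fails on the first change to that file; in the same script the CA, server and client certificates all get the identical `-subj` (same CN) and both leaf certificates get `-set_serial 01`, and MariaDB documents that on OpenSSL builds the server/client CN must differ from the CA CN, while reusing a serial under one CA breaks serial uniqueness — use distinct CNs and serials. `- 0.0.0.0:33306:3306` publishes the database on every host interface (Docker port publishing commonly bypasses host firewall rules such as ufw) while `ssl.cnf` only enables TLS and does not require it; bind to `127.0.0.1:33306:3306` unless remote access is intended and add `require_secure_transport=ON` to the ssl.cnf block. Several steps still carry WordPress copy-paste that cannot succeed here: `wait_for` blocks on `wp-data/index.php`, `mariadb.init.sh` runs `wp core is-installed`, and the genpw task's `creates:` points at `…/env` rather than the `env.db` the script writes, so those tasks hang until timeout or rerun on every play. Inside genpw.sh the `echo … >env.db` runs before `chmod 440`, leaving the root password readable under the default umask for a moment; `umask 077` at the top of the block closes that window.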