From f41341d73a62e1a18c7c4ae008b61efc0da9be09 Mon Sep 17 00:00:00 2001
From: olli
Date: Mon, 27 May 2024 15:31:27 +0200
Subject: [PATCH] mariadb.yml aktualisiert
---
 mariadb.yml | 85 ++++++++++++++++++++++++-----------------------
 1 file changed, 39 insertions(+), 46 deletions(-)
diff --git a/mariadb.yml b/mariadb.yml
index d50568f..8c68ec6 100644
--- a/mariadb.yml
+++ b/mariadb.yml
@@ -50,43 +50,47 @@ chdir: /home/docker/mariadb.{{inventory_hostname}}
creates: /home/docker/mariadb.{{inventory_hostname}}/env.db
-
- - name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh (generate SSL-Certificate)
+ - name: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
blockinfile:
- path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh
+ path: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
create: yes
mode: 0550
owner: root
- group: docker
+ group: root
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
cd /home/docker/mariadb.{{inventory_hostname}}
+ mkdir -p ssl
+
+ # take letsencrypt-certs from traefik and check for new ones
+ new=0
+ for ssl in key certificate
+ do
+ touch ssl/${ssl}.pem
+ until [ -s "ssl/${ssl}.pem.new" ]
+ do
+ cat /home/docker/traefik/letsencrypt/acme.json | jq -r ".letsencrypt.Certificates[] | select(.domain.main==\"mail.{{inventory_hostname}}\") | .${ssl}" | base64 -d >ssl/${ssl}.pem.new
+ done
+ old=$(shasum ssl/${ssl}.pem)
+ new=$(shasum ssl/${ssl}.pem.new)
+ if !
[ "$new" = "$old" ]
+ then
+ new=1
+ mv ssl/${ssl}.pem.new >shasum ssl/${ssl}.pem
+ else
+ rm ssl/${ssl}.pem.new
+ fi
+ done
+
+ chmod 400 ssl/*.pem
+ chown 999:33 ssl/*.pem
+
+ if [ -n "$new" ]
+ then
+ docker compose down
+ docker compose up -d
+ fi
- [ -d ssl ] && rm -r ssl
- mkdir ssl
- cd ssl
-
- # take letsencrypt-certs from traefik
- cat /home/docker/traefik/letsencrypt/acme.json | jq -r ".letsencrypt.Certificates[] | select(.domain.main==\"mail.{{inventory_hostname}}\") | .key" | base64 -d >/home/docker/mailcow-dockerized/data/assets/ssl/server-key.pem
- cat /home/docker/traefik/letsencrypt/acme.json | jq -r ".letsencrypt.Certifcates[] | select(.domain.main==\"mail.{{inventory_hostname}}\") | .certificate" | base64 -d >/home/docker/mailcow-dockerized/data/assets/ssl/server-cert.pem
- docker restart $(docker ps -qaf name=postfix-mailcow)
- docker restart $(docker ps -qaf name=dovecot-mailcow)
-
- chmod 400 *.pem
- chown 999 *.pem
- #openssl genrsa 4096 > ca-key.pem
- #openssl req -new -x509 -nodes -days 109500 -key ca-key.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > ca-cert.pem
- #
- #openssl req -newkey rsa:4096 -days 109500 -nodes -keyout server-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > server-req.pem
- #openssl rsa -in server-key-pkcs8.pem -out server-key.pem
- #openssl x509 -req -in server-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
- #
- #openssl req -newkey rsa:4096 -days 109500 -nodes -keyout client-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > client-req.pem
- #openssl rsa -in client-key-pkcs8.pem -out client-key.pem
- #openssl x509 -req -in client-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
- #
- #chmod 400 *.pem
- #chown 999 *.pem
backup: yes
validate: /bin/bash -n %s
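Review bot: The compose restart at the end of the block runs on every invocation, not only when a certificate changed, because `new` serves both as the change flag and as the checksum holder: `new=$(shasum ssl/${ssl}.pem.new)` leaves a non-empty string in it even in the unchanged case, and `[ -n "$new" ]` only tests for non-emptiness. Keep a separate flag (`changed=0` before the loop, `changed=1` in the `then` branch, `if [ "$changed" -eq 1 ]` at the end). The line `mv ssl/${ssl}.pem.new >shasum ssl/${ssl}.pem` also carries a stray `>shasum` redirection, which the shell lifts out of the argument list, so the move works but leaves an empty file named `shasum` in the compose directory on every run; it should read `mv ssl/${ssl}.pem.new ssl/${ssl}.pem`. The `until [ -s "ssl/${ssl}.pem.new" ]` loop has neither a sleep nor an exit path, so a missing entry for `mail.{{inventory_hostname}}` in acme.json (or a jq/base64 failure) spins at full CPU forever from the autoupdate run; bound it with a retry counter and fail the script when the file is still empty.
```yaml
        block: |
          # … unchanged: cd, mkdir -p ssl …
          changed=0
          for ssl in key certificate
          do
            touch ssl/${ssl}.pem
            tries=0
            until [ -s "ssl/${ssl}.pem.new" ] || [ "$tries" -ge 12 ]
            do
              # … unchanged: cat acme.json | jq … | base64 -d >ssl/${ssl}.pem.new …
              tries=$((tries + 1))
              sleep 5
            done
            [ -s "ssl/${ssl}.pem.new" ] || { echo "no ${ssl} for mail.{{inventory_hostname}} in acme.json" >&2; exit 1; }
            old=$(shasum ssl/${ssl}.pem)
            new=$(shasum ssl/${ssl}.pem.new)
            if ! [ "$new" = "$old" ]
            then
              changed=1
              mv ssl/${ssl}.pem.new ssl/${ssl}.pem
            # … unchanged: else / rm / fi / done, chmod 400, chown 999:33 …
          if [ "$changed" -eq 1 ]
          # … unchanged: then, docker compose down / up -d, fi …
```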
@@ -100,7 +104,7 @@ ansible.builtin.shell: ./genssl.sh
args:
chdir: /home/docker/mariadb.{{inventory_hostname}}
- creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/client-cert.pem
+ creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/certificate.pem
- name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (use ssl in mariadb)
blockinfile:
@@ -113,9 +117,8 @@ block: |
[mariadbd]
ssl=1
- #ssl-ca=/etc/mysql/ca-cert.pem
- ssl-cert=/etc/mysql/server-cert.pem
- ssl-key=/etc/mysql/server-key.pem
+ ssl-cert=/etc/mysql/certificate.pem
+ ssl-key=/etc/mysql/key.pem
backup: yes
- name: /home/docker/mariadb.{{inventory_hostname}}/config.user.inc.php (use ssl in phpmyadmin)
@@ -131,14 +134,8 @@ $cfg['Servers'][$i]['host'] = 'mariadb.{{inventory_hostname}}';
// Use SSL for connection
$cfg['Servers'][$i]['ssl'] = true;
- // Client secret key
- //$cfg['Servers'][$i]['ssl_key'] = '/etc/phpmyadmin/client-key.pem';
- // Client certificate
- //$cfg['Servers'][$i]['ssl_cert'] = '/etc/phpmyadmin/client-cert.pem';
- // Server certification authority
- //$cfg['Servers'][$i]['ssl_ca'] = '/etc/phpmyadmin/ca-cert.pem';
// Disable SSL verification
- //$cfg['Servers'][$i]['ssl_verify'] = false;
+ $cfg['Servers'][$i]['ssl_verify'] = false;
backup: yes
- name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration
@@ -165,9 +162,8 @@ - /etc/localtime:/etc/localtime:ro
- /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf:ro
- ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf:ro
- #- ./ssl/ca-cert.pem:/etc/mysql/ca-cert.pem:ro
- - ./ssl/server-cert.pem:/etc/mysql/server-cert.pem:ro
- - ./ssl/server-key.pem:/etc/mysql/server-key.pem:ro
+ - ./ssl/certificate.pem:/etc/mysql/certificate.pem:ro
+ - ./ssl/key.pem:/etc/mysql/key.pem:ro
env_file:
- env.db
- /home/docker/_defaults/mariadb/mariadb.env
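Review bot: The shell task still invokes `./genssl.sh` in the compose directory, but the first hunk of this patch stops writing that file (its blockinfile now targets `/usr/local/sbin/autoupdate.d/mariadb-ssl.update`), so on a freshly provisioned host this task fails with a missing script and the new `creates: .../ssl/certificate.pem` guard never becomes true; on an already-provisioned host a stale genssl.sh with the old mailcow-oriented content runs instead. Point the task at the new script, `ansible.builtin.shell: /usr/local/sbin/autoupdate.d/mariadb-ssl.update`, or drop the task if the autoupdate run is meant to be the only producer of the certificate files. The task's `- name:` line lies above the hunk.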
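Review bot: `$cfg['Servers'][$i]['ssl_verify'] = false;` enables TLS to MariaDB but switches off verification of the server certificate, so the connection no longer protects phpMyAdmin against an impersonating server on the shared docker network; what remains is confidentiality against a passive observer only. If the reason is the name mismatch (the first hunk takes the certificate issued for `mail.{{inventory_hostname}}`, while this server entry connects to `mariadb.{{inventory_hostname}}`), the cleaner fix is to obtain a certificate that covers the name actually used and keep verification on, with `ssl_ca` pointing at the system CA bundle. If verification has to stay off, replace the inherited `// Disable SSL verification` comment with one that records why, e.g. `// ssl_verify off: LE cert is issued for mail.<host>, not mariadb.<host>; link stays inside the compose network`.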
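Review bot: The two new bind mounts assume `./ssl/certificate.pem` and `./ssl/key.pem` exist before the stack is started; when the source of a file bind mount is missing, Docker creates an empty directory at that path instead, after which the update script's `touch ssl/${ssl}.pem` and `mv ... ssl/${ssl}.pem` fail and MariaDB is started with `ssl-cert` pointing at a directory. Since the playbook's own producer of those files (the `./genssl.sh` task in the `@@ -100` hunk) no longer creates the script it calls, this seems likely on a fresh host if the playbook also brings the stack up with its own compose task. Guard that step with an `ansible.builtin.stat` on `ssl/certificate.pem` and a `when:` condition, or run `/usr/local/sbin/autoupdate.d/mariadb-ssl.update` once before the first start. The `volumes:` list begins above the hunk and the service definition continues below it.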
@@ -184,9 +180,6 @@ volumes:
- /etc/localtime:/etc/localtime:ro
- ./phpmyadmin-config.user.inc.php:/etc/phpmyadmin/config.user.inc.php:ro
- #- ./ssl/ca-cert.pem:/etc/phpmyadmin/ca-cert.pem:ro
- #- ./ssl/client-cert.pem:/etc/phpmyadmin/client-cert.pem:ro
- #- ./ssl/client-key.pem:/etc/phpmyadmin/client-key.pem:ro
networks:
- mariadb.{{inventory_hostname}}--network
- traefik