mariadb.yml aktualisiert
This commit is contained in:
parent
05661d3c8b
commit
f41341d73a
81
mariadb.yml
81
mariadb.yml
@ -50,43 +50,47 @@
|
|||||||
chdir: /home/docker/mariadb.{{inventory_hostname}}
|
chdir: /home/docker/mariadb.{{inventory_hostname}}
|
||||||
creates: /home/docker/mariadb.{{inventory_hostname}}/env.db
|
creates: /home/docker/mariadb.{{inventory_hostname}}/env.db
|
||||||
|
|
||||||
|
- name: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
|
||||||
- name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh (generate SSL-Certificate)
|
|
||||||
blockinfile:
|
blockinfile:
|
||||||
path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh
|
path: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
|
||||||
create: yes
|
create: yes
|
||||||
mode: 0550
|
mode: 0550
|
||||||
owner: root
|
owner: root
|
||||||
group: docker
|
group: root
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
||||||
block: |
|
block: |
|
||||||
cd /home/docker/mariadb.{{inventory_hostname}}
|
cd /home/docker/mariadb.{{inventory_hostname}}
|
||||||
|
mkdir -p ssl
|
||||||
|
|
||||||
[ -d ssl ] && rm -r ssl
|
# take letsencrypt-certs from traefik and check for new ones
|
||||||
mkdir ssl
|
new=0
|
||||||
cd ssl
|
for ssl in key certificate
|
||||||
|
do
|
||||||
|
touch ssl/${ssl}.pem
|
||||||
|
until [ -s "ssl/${ssl}.pem.new" ]
|
||||||
|
do
|
||||||
|
cat /home/docker/traefik/letsencrypt/acme.json | jq -r ".letsencrypt.Certificates[] | select(.domain.main==\"mail.{{inventory_hostname}}\") | .${ssl}" | base64 -d >ssl/${ssl}.pem.new
|
||||||
|
done
|
||||||
|
old=$(shasum ssl/${ssl}.pem)
|
||||||
|
new=$(shasum ssl/${ssl}.pem.new)
|
||||||
|
if ! [ "$new" = "$old" ]
|
||||||
|
then
|
||||||
|
new=1
|
||||||
|
mv ssl/${ssl}.pem.new >shasum ssl/${ssl}.pem
|
||||||
|
else
|
||||||
|
rm ssl/${ssl}.pem.new
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
# take letsencrypt-certs from traefik
|
chmod 400 ssl/*.pem
|
||||||
cat /home/docker/traefik/letsencrypt/acme.json | jq -r ".letsencrypt.Certificates[] | select(.domain.main==\"mail.{{inventory_hostname}}\") | .key" | base64 -d >/home/docker/mailcow-dockerized/data/assets/ssl/server-key.pem
|
chown 999:33 ssl/*.pem
|
||||||
cat /home/docker/traefik/letsencrypt/acme.json | jq -r ".letsencrypt.Certifcates[] | select(.domain.main==\"mail.{{inventory_hostname}}\") | .certificate" | base64 -d >/home/docker/mailcow-dockerized/data/assets/ssl/server-cert.pem
|
|
||||||
docker restart $(docker ps -qaf name=postfix-mailcow)
|
if [ -n "$new" ]
|
||||||
docker restart $(docker ps -qaf name=dovecot-mailcow)
|
then
|
||||||
|
docker compose down
|
||||||
|
docker compose up -d
|
||||||
|
fi
|
||||||
|
|
||||||
chmod 400 *.pem
|
|
||||||
chown 999 *.pem
|
|
||||||
#openssl genrsa 4096 > ca-key.pem
|
|
||||||
#openssl req -new -x509 -nodes -days 109500 -key ca-key.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > ca-cert.pem
|
|
||||||
#
|
|
||||||
#openssl req -newkey rsa:4096 -days 109500 -nodes -keyout server-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > server-req.pem
|
|
||||||
#openssl rsa -in server-key-pkcs8.pem -out server-key.pem
|
|
||||||
#openssl x509 -req -in server-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
|
|
||||||
#
|
|
||||||
#openssl req -newkey rsa:4096 -days 109500 -nodes -keyout client-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > client-req.pem
|
|
||||||
#openssl rsa -in client-key-pkcs8.pem -out client-key.pem
|
|
||||||
#openssl x509 -req -in client-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
|
|
||||||
#
|
|
||||||
#chmod 400 *.pem
|
|
||||||
#chown 999 *.pem
|
|
||||||
backup: yes
|
backup: yes
|
||||||
validate: /bin/bash -n %s
|
validate: /bin/bash -n %s
|
||||||
|
|
||||||
@ -100,7 +104,7 @@
|
|||||||
ansible.builtin.shell: ./genssl.sh
|
ansible.builtin.shell: ./genssl.sh
|
||||||
args:
|
args:
|
||||||
chdir: /home/docker/mariadb.{{inventory_hostname}}
|
chdir: /home/docker/mariadb.{{inventory_hostname}}
|
||||||
creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/client-cert.pem
|
creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/certificate.pem
|
||||||
|
|
||||||
- name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (use ssl in mariadb)
|
- name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (use ssl in mariadb)
|
||||||
blockinfile:
|
blockinfile:
|
||||||
@ -113,9 +117,8 @@
|
|||||||
block: |
|
block: |
|
||||||
[mariadbd]
|
[mariadbd]
|
||||||
ssl=1
|
ssl=1
|
||||||
#ssl-ca=/etc/mysql/ca-cert.pem
|
ssl-cert=/etc/mysql/certificate.pem
|
||||||
ssl-cert=/etc/mysql/server-cert.pem
|
ssl-key=/etc/mysql/key.pem
|
||||||
ssl-key=/etc/mysql/server-key.pem
|
|
||||||
backup: yes
|
backup: yes
|
||||||
|
|
||||||
- name: /home/docker/mariadb.{{inventory_hostname}}/config.user.inc.php (use ssl in phpmyadmin)
|
- name: /home/docker/mariadb.{{inventory_hostname}}/config.user.inc.php (use ssl in phpmyadmin)
|
||||||
@ -131,14 +134,8 @@
|
|||||||
$cfg['Servers'][$i]['host'] = 'mariadb.{{inventory_hostname}}';
|
$cfg['Servers'][$i]['host'] = 'mariadb.{{inventory_hostname}}';
|
||||||
// Use SSL for connection
|
// Use SSL for connection
|
||||||
$cfg['Servers'][$i]['ssl'] = true;
|
$cfg['Servers'][$i]['ssl'] = true;
|
||||||
// Client secret key
|
|
||||||
//$cfg['Servers'][$i]['ssl_key'] = '/etc/phpmyadmin/client-key.pem';
|
|
||||||
// Client certificate
|
|
||||||
//$cfg['Servers'][$i]['ssl_cert'] = '/etc/phpmyadmin/client-cert.pem';
|
|
||||||
// Server certification authority
|
|
||||||
//$cfg['Servers'][$i]['ssl_ca'] = '/etc/phpmyadmin/ca-cert.pem';
|
|
||||||
// Disable SSL verification
|
// Disable SSL verification
|
||||||
//$cfg['Servers'][$i]['ssl_verify'] = false;
|
$cfg['Servers'][$i]['ssl_verify'] = false;
|
||||||
backup: yes
|
backup: yes
|
||||||
|
|
||||||
- name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration
|
- name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration
|
||||||
@ -165,9 +162,8 @@
|
|||||||
- /etc/localtime:/etc/localtime:ro
|
- /etc/localtime:/etc/localtime:ro
|
||||||
- /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf:ro
|
- /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf:ro
|
||||||
- ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf:ro
|
- ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf:ro
|
||||||
#- ./ssl/ca-cert.pem:/etc/mysql/ca-cert.pem:ro
|
- ./ssl/certificate.pem:/etc/mysql/certificate.pem:ro
|
||||||
- ./ssl/server-cert.pem:/etc/mysql/server-cert.pem:ro
|
- ./ssl/key.pem:/etc/mysql/key.pem:ro
|
||||||
- ./ssl/server-key.pem:/etc/mysql/server-key.pem:ro
|
|
||||||
env_file:
|
env_file:
|
||||||
- env.db
|
- env.db
|
||||||
- /home/docker/_defaults/mariadb/mariadb.env
|
- /home/docker/_defaults/mariadb/mariadb.env
|
||||||
@ -184,9 +180,6 @@
|
|||||||
volumes:
|
volumes:
|
||||||
- /etc/localtime:/etc/localtime:ro
|
- /etc/localtime:/etc/localtime:ro
|
||||||
- ./phpmyadmin-config.user.inc.php:/etc/phpmyadmin/config.user.inc.php:ro
|
- ./phpmyadmin-config.user.inc.php:/etc/phpmyadmin/config.user.inc.php:ro
|
||||||
#- ./ssl/ca-cert.pem:/etc/phpmyadmin/ca-cert.pem:ro
|
|
||||||
#- ./ssl/client-cert.pem:/etc/phpmyadmin/client-cert.pem:ro
|
|
||||||
#- ./ssl/client-key.pem:/etc/phpmyadmin/client-key.pem:ro
|
|
||||||
networks:
|
networks:
|
||||||
- mariadb.{{inventory_hostname}}--network
|
- mariadb.{{inventory_hostname}}--network
|
||||||
- traefik
|
- traefik
|
||||||
|
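Review bot: The change detection in the new `mariadb-ssl.update` loop never works as intended: `old=$(shasum ssl/${ssl}.pem)` and `new=$(shasum ssl/${ssl}.pem.new)` include the differing file names in their output, so the two strings are always unequal, and `new` also doubles as the flag initialised to `0` and tested with `[ -n "$new" ]` afterwards, so `docker compose down`/`up -d` runs on every invocation. `mv ssl/${ssl}.pem.new >shasum ssl/${ssl}.pem` additionally leaves a stray `shasum` file in the working directory from the mistyped redirection, and the `until [ -s ... ]` loop has no sleep, so it spins forever when jq finds no entry for `mail.{{inventory_hostname}}` in acme.json. The private key is written to `ssl/key.pem.new` under the default umask and only restricted by the `chmod 400` at the end, so a `umask 077` before the loop closes that window. The rewrite below hashes file contents only, keeps a separate `changed` flag, and skips a certificate that could not be extracted instead of looping; if a retry is wanted, bound it and add a sleep. Separately, the phpMyAdmin hunk now activates `$cfg['Servers'][$i]['ssl_verify'] = false;` while the CA mount is removed, so that connection is encrypted but not authenticated; since the certificate is a Let's Encrypt one, verification could stay on if the container trusts the public CAs and the host name it connects to (`mariadb.{{inventory_hostname}}` versus the certificate selected for `mail.{{inventory_hostname}}`) is actually covered by the certificate — worth confirming.
```yaml
    block: |
      cd /home/docker/mariadb.{{inventory_hostname}}
      umask 077
      mkdir -p ssl
      # take letsencrypt-certs from traefik and check for new ones
      changed=0
      for ssl in key certificate
      do
        touch ssl/${ssl}.pem
        jq -r ".letsencrypt.Certificates[] | select(.domain.main==\"mail.{{inventory_hostname}}\") | .${ssl}" /home/docker/traefik/letsencrypt/acme.json | base64 -d >ssl/${ssl}.pem.new
        if ! [ -s "ssl/${ssl}.pem.new" ]
        then
          rm -f ssl/${ssl}.pem.new
          continue
        fi
        old=$(shasum <ssl/${ssl}.pem)
        new=$(shasum <ssl/${ssl}.pem.new)
        if [ "$new" != "$old" ]
        then
          changed=1
          mv ssl/${ssl}.pem.new ssl/${ssl}.pem
        else
          rm ssl/${ssl}.pem.new
        fi
      done
      # … unchanged: chmod 400 / chown 999:33 …
      if [ "$changed" = 1 ]
      then
        # … unchanged: docker compose down / up -d …
      fi
```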