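---
# Deploys a MariaDB + phpMyAdmin pair (docker-compose) under
# /home/docker/mariadb.<inventory_hostname> on every host in the inventory.
#
# Flow per host:
#   1. create the deployment directory
#   2. write genpw.sh and run it once  -> env.db / env.phpmyadmin (root password)
#   3. write genssl.sh and run it once -> ssl/ (private CA, server + client cert)
#   4. write ssl.cnf (enables TLS in mariadbd) and docker-compose.yml
#   5. handler recreates the containers when the compose file changes
#
# Host prerequisites assumed by the generated scripts: bash, pwgen, openssl,
# docker-compose, and a 'docker' group. Generated files are owned root:docker.
- name: mariadb
  hosts: all
  tasks:
    - name: Create /home/docker/mariadb.{{inventory_hostname}} dir
      ansible.builtin.file:
        path: /home/docker/mariadb.{{inventory_hostname}}
        owner: root
        group: docker
        state: directory
        # Octal modes are passed as quoted strings so Ansible does the
        # conversion itself (an unquoted 0550 is parsed by YAML first).
        mode: '0550'

    # genpw.sh writes the env files only if they do not exist yet; the
    # password itself never appears in the playbook or in Ansible output.
    - name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh (generate Random PW)
      ansible.builtin.blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh
        create: true
        mode: '0550'
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          cd /home/docker/mariadb.{{inventory_hostname}}
          # pwgen -s yields [A-Za-z0-9] only, so the value is safe inside the sed below
          mysqlpassword=$(pwgen -s 32 1)
          [ -f env.db ] || printf 'MARIADB_ROOT_PASSWORD=!MYSQLPASSWORD!\n' >env.db
          [ -f env.phpmyadmin ] || printf 'PMA_USER=root\nPMA_PASSWORD=!MYSQLPASSWORD!\n' >env.phpmyadmin
          chmod 440 env.db env.phpmyadmin
          chown root:docker env.db env.phpmyadmin
          sed -i "s/\!MYSQLPASSWORD\!/$mysqlpassword/g" env.db env.phpmyadmin
        backup: true
        # Syntax-check the script before the new version is written.
        validate: /bin/bash -n %s

    - name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh shebang
      ansible.builtin.lineinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh
        insertbefore: BOF
        line: "#!/bin/bash -e"

    - name: Gen initial passwords if not exists
      ansible.builtin.shell: ./genpw.sh
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}
        # Idempotency: skipped once env.db has been generated.
        creates: /home/docker/mariadb.{{inventory_hostname}}/env.db

    # NOTE(review): -days 109500 (~300 years) means the CA and leaf
    # certificates are never rotated; the script is only re-run when
    # ssl/client-cert.pem is missing.
    - name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh (generate SSL-Certificate)
      ansible.builtin.blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh
        create: true
        mode: '0550'
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          cd /home/docker/mariadb.{{inventory_hostname}}
          [ -d ssl ] && rm -r ssl
          mkdir ssl
          cd ssl
          # Keys are created 0600 from the start instead of being world-readable
          # until the chmod at the end.
          umask 077
          openssl genrsa 4096 > ca-key.pem
          openssl req -new -x509 -nodes -days 109500 -key ca-key.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > ca-cert.pem
          openssl req -newkey rsa:4096 -days 109500 -nodes -keyout server-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > server-req.pem
          openssl rsa -in server-key-pkcs8.pem -out server-key.pem
          openssl x509 -req -in server-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
          openssl req -newkey rsa:4096 -days 109500 -nodes -keyout client-key-pkcs8.pem -subj "/C=MD/ST=mariadb/L=mariadb/O=DB/CN=mariadb.{{inventory_hostname}}" > client-req.pem
          openssl rsa -in client-key-pkcs8.pem -out client-key.pem
          # Serial numbers must be unique per issuing CA (RFC 5280); the server
          # certificate already uses 01.
          openssl x509 -req -in client-req.pem -days 109500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem
          chmod 400 *.pem
          # 999 is the uid mariadbd runs as inside the container.
          chown 999 *.pem
        backup: true
        validate: /bin/bash -n %s

    - name: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh shebang
      ansible.builtin.lineinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genssl.sh
        insertbefore: BOF
        line: "#!/bin/bash -e"

    - name: Gen initial SSL if not exists
      ansible.builtin.shell: ./genssl.sh
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}
        # client-cert.pem is the last file the script produces.
        creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/client-cert.pem

    # NOTE(review): the cert files are chowned to uid 999 above, but this
    # config is root:docker 0550 — confirm the container's mysql user can
    # actually read it, otherwise ssl=1 may silently not take effect.
    - name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (enable TLS in mariadbd)
      ansible.builtin.blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf
        create: true
        mode: '0550'
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          [mariadbd]
          ssl=1
          ssl-ca=/etc/mysql/ca-cert.pem
          ssl-cert=/etc/mysql/server-cert.pem
          ssl-key=/etc/mysql/server-key.pem
        backup: true
      # The file is bind-mounted into the container; a change only takes
      # effect after the container is recreated.
      notify: Restart mariadb

    # NOTE(review): mariadb:lts / phpmyadmin:latest are floating tags, so
    # --force-recreate may pull a different image each run.
    # Port 33306 is published on all host interfaces; access control for it
    # lives outside this playbook (host firewall / TLS client certs).
    - name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration
      ansible.builtin.blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml
        create: true
        mode: '0440'
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          services:
            mariadb.{{inventory_hostname}}:
              image: mariadb:lts
              cap_add:
                - SYS_NICE
              restart: unless-stopped
              networks:
                - mariadb.{{inventory_hostname}}--network
              volumes:
                - ./db-data:/var/lib/mysql
                - /etc/localtime:/etc/localtime:ro
                # config and key material are read-only for the container
                - /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf:ro
                - ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf:ro
                - ./ssl/ca-cert.pem:/etc/mysql/ca-cert.pem:ro
                - ./ssl/server-cert.pem:/etc/mysql/server-cert.pem:ro
                - ./ssl/server-key.pem:/etc/mysql/server-key.pem:ro
              env_file:
                - env.db
                - /home/docker/_defaults/mariadb/mariadb.env
              ports:
                - "0.0.0.0:33306:3306"
            mariadb.{{inventory_hostname}}--phpmyadmin:
              image: phpmyadmin:latest
              restart: unless-stopped
              env_file: env.phpmyadmin
              environment:
                - PMA_ARBITRARY=0
                - PMA_HOST=mariadb.{{inventory_hostname}}
              volumes:
                - /etc/localtime:/etc/localtime:ro
              networks:
                - mariadb.{{inventory_hostname}}--network
                - traefik
              labels:
                - traefik.enable=true
                # HTTPS
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.rule=Host(`mariadb.{{ ansible_facts['nodename'] }}`)
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.entrypoints=https
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls=true
                # Proxy to service-port
                - traefik.http.services.mariadb-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=80
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.service=mariadb-{{ ansible_facts['hostname'] }}
                # cert via letsencrypt
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt
                # Traefik network
                - traefik.docker.network=traefik
                # auth
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file,default-basic-auth@file
          networks:
            mariadb.{{inventory_hostname}}--network:
              driver: bridge
              driver_opts:
                com.docker.network.bridge.name: br-mariadb
            traefik:
              external: true
        backup: true
      notify: Restart mariadb

    # - name: Start mariadb
    #   ansible.builtin.shell: docker-compose up -d
    #   args:
    #     chdir: /home/docker/mariadb.{{inventory_hostname}}
    #     creates: /home/docker/mariadb.{{inventory_hostname}}/db-data/ibdata1
    #
    # - name: Wait until mariadb install is finished
    #   ansible.builtin.wait_for:
    #     path: /home/docker/mariadb.{{inventory_hostname}}/db-data/ibdata1

  handlers:
    # Recreates both containers so a changed compose file / ssl.cnf is applied.
    - name: Restart mariadb
      ansible.builtin.shell: docker-compose up -d --force-recreate
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}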