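---
# Deploys a per-host MariaDB + phpMyAdmin stack under
# /home/docker/mariadb.<inventory_hostname>: generates the initial root
# password once, installs a script that copies the Let's Encrypt
# certificate traefik obtained into the MariaDB container, and writes the
# docker-compose stack.
# NOTE(review): every task writes root-owned files and no `become` is set,
# so the play assumes it is already running as root — confirm in the
# inventory / ansible.cfg.
- name: mariadb
  hosts: all
  tasks:
    - name: Create /home/docker/mariadb.{{inventory_hostname}} dir
      ansible.builtin.file:
        path: /home/docker/mariadb.{{inventory_hostname}}
        owner: root
        group: docker
        state: directory
        mode: '0550'

    - name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh (generate Random PW)
      ansible.builtin.blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh
        create: true
        # Quoted on purpose: a bare 0550 is an octal integer (360) to a
        # YAML 1.1 parser, not the file mode that was meant.
        mode: '0550'
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          # Create env.db and env.phpmyadmin exactly once, sharing one random
          # root password. Existing files are never rewritten, so the two
          # files only agree if they were generated in the same run.
          umask 077  # no world-readable window between write and chmod
          cd /home/docker/mariadb.{{inventory_hostname}}
          mysqlpassword=$(pwgen -s 32 1)
          [ -f env.db ] || printf 'MARIADB_ROOT_PASSWORD=%s\n' "$mysqlpassword" >env.db
          [ -f env.phpmyadmin ] || printf 'PMA_USER=root\nPMA_PASSWORD=%s\n' "$mysqlpassword" >env.phpmyadmin
          chmod 440 env.db env.phpmyadmin
          chown root:docker env.db env.phpmyadmin
        backup: true
        validate: /bin/bash -n %s

    - name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh shebang
      ansible.builtin.lineinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh
        insertbefore: BOF
        line: "#!/bin/bash -e"

    - name: Gen initial passwords if not exists
      ansible.builtin.shell: ./genpw.sh
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}
        creates: /home/docker/mariadb.{{inventory_hostname}}/env.db

    - name: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
      ansible.builtin.blockinfile:
        path: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
        create: true
        mode: '0550'
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          cd /home/docker/mariadb.{{inventory_hostname}}
          mkdir -p ssl
          # take letsencrypt-certs from traefik and check for new ones
          # NOTE(review): the certificate for mail.<host> is reused here
          # while traefik publishes phpMyAdmin as mariadb.<host>; confirm
          # that clients verifying the server name expect mail.<host>.
          acme=/home/docker/traefik/letsencrypt/acme.json
          max_tries=60  # 60 x 5s: give traefik up to 5 minutes, then fail
          changed=0
          for ssl in key certificate
          do
            tries=0
            # Wait (bounded) until traefik has stored a non-empty value.
            until [ -s "ssl/${ssl}.pem.new" ]
            do
              if [ "$tries" -ge "$max_tries" ]
              then
                echo "timeout waiting for ${ssl} of mail.{{inventory_hostname}} in ${acme}" >&2
                # Leave no empty ssl/*.pem behind: an empty certificate.pem
                # would satisfy the Ansible `creates:` guard and the task
                # would never be retried.
                rm -f "ssl/${ssl}.pem.new"
                exit 1
              fi
              jq -r ".letsencrypt.Certificates[] | select(.domain.main==\"mail.{{inventory_hostname}}\") | .${ssl}" "$acme" | base64 -d >"ssl/${ssl}.pem.new"
              tries=$((tries + 1))
              sleep 5
            done
            # Hash via stdin so shasum prints "-" instead of the file name;
            # otherwise the two digests can never compare equal.
            if [ -f "ssl/${ssl}.pem" ]
            then
              old_sum=$(shasum <"ssl/${ssl}.pem")
            else
              old_sum=""
            fi
            new_sum=$(shasum <"ssl/${ssl}.pem.new")
            if [ "$new_sum" = "$old_sum" ]
            then
              rm "ssl/${ssl}.pem.new"
            else
              mv "ssl/${ssl}.pem.new" "ssl/${ssl}.pem"
              changed=1
            fi
          done
          chmod 400 ssl/*.pem
          chown 999:33 ssl/*.pem
          # Restart only when a PEM actually changed; the flag is separate
          # from the digest variables so it cannot be a non-empty digest.
          if [ "$changed" = 1 ]
          then
            docker compose down
            docker compose up -d
          fi
        backup: true
        validate: /bin/bash -n %s

    - name: /usr/local/sbin/autoupdate.d/mariadb-ssl.update shebang
      ansible.builtin.lineinfile:
        path: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
        insertbefore: BOF
        line: "#!/bin/bash -e"

    - name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (use ssl in mariadb)
      ansible.builtin.blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf
        create: true
        mode: '0444'
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          [mariadbd]
          ssl=1
          ssl-cert=/etc/mysql/certificate.pem
          ssl-key=/etc/mysql/key.pem
        backup: true

    - name: /home/docker/mariadb.{{inventory_hostname}}/config.user.inc.php (use ssl in phpmyadmin)
      ansible.builtin.blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/phpmyadmin-config.user.inc.php
        create: true
        mode: '0444'
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          // IP address / host of your instance
          $cfg['Servers'][$i]['host'] = 'mariadb.{{inventory_hostname}}';
          // Use SSL for connection
          $cfg['Servers'][$i]['ssl'] = true;
          // Disable SSL verification
          // NOTE(review): the server certificate is issued for mail.<host>
          // but phpMyAdmin connects to mariadb.<host>, so verification would
          // fail on the name; this trades name checking for a working
          // connection inside the private bridge network — confirm intent.
          $cfg['Servers'][$i]['ssl_verify'] = false;
        backup: true

    # Without an opening tag PHP emits the included file verbatim instead
    # of executing it; mirrors the shebang tasks above.
    - name: /home/docker/mariadb.{{inventory_hostname}}/config.user.inc.php opening tag
      ansible.builtin.lineinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/phpmyadmin-config.user.inc.php
        insertbefore: BOF
        line: "<?php"

    - name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration
      ansible.builtin.blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml
        create: true
        mode: '0440'
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          services:
            mariadb.{{inventory_hostname}}:
              # NOTE(review): floating tag; pin a digest if reproducible
              # deployments matter.
              image: mariadb:lts
              cap_add:
                - SYS_NICE
              restart: unless-stopped
              networks:
                - mariadb.{{inventory_hostname}}--network
              volumes:
                - ./db-data:/var/lib/mysql
                - /etc/localtime:/etc/localtime:ro
                - /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf:ro
                - ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf:ro
                - ./ssl/certificate.pem:/etc/mysql/certificate.pem:ro
                - ./ssl/key.pem:/etc/mysql/key.pem:ro
              env_file:
                - env.db
                - /home/docker/_defaults/mariadb/mariadb.env
              # Published on every interface of the host; restrict with a
              # host firewall or bind to a specific address if the database
              # is not meant to be reachable remotely.
              ports:
                - "0.0.0.0:33306:3306"
            mariadb.{{inventory_hostname}}--phpmyadmin:
              image: phpmyadmin:latest
              restart: unless-stopped
              env_file: env.phpmyadmin
              environment:
                - PMA_ARBITRARY=0
                - PMA_HOST=mariadb.{{inventory_hostname}}
              volumes:
                - /etc/localtime:/etc/localtime:ro
                - ./phpmyadmin-config.user.inc.php:/etc/phpmyadmin/config.user.inc.php:ro
              networks:
                - mariadb.{{inventory_hostname}}--network
                - traefik
              labels:
                - traefik.enable=true
                # HTTPS
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.rule=Host(`mariadb.{{ ansible_facts['nodename'] }}`)
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.entrypoints=https
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls=true
                # Proxy to service-port
                - traefik.http.services.mariadb-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=80
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.service=mariadb-{{ ansible_facts['hostname'] }}
                # cert via letsencrypt
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt
                # Traefik network
                - traefik.docker.network=traefik
                # auth
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file,default-basic-auth@file
          networks:
            mariadb.{{inventory_hostname}}--network:
              driver: bridge
              driver_opts:
                com.docker.network.bridge.name: br-mariadb
            traefik:
              external: true
        backup: true
      notify: Restart mariadb

    - name: Get letsencrypt cert from traefik
      ansible.builtin.shell: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}
        creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/certificate.pem

  handlers:
    - name: Restart mariadb
      # Same `docker compose` (v2) CLI the update script above relies on.
      ansible.builtin.shell: docker compose up -d --force-recreate
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}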