Add MariaDB

SURFscz · Nov 2, 2023 · a773e96 · a773e96
1 parent 98f3357
commit a773e96
Show file tree

Hide file tree

Showing 6 changed files with 234 additions and 6 deletions.
diff --git a/provision.yml b/provision.yml
@@ -97,6 +97,7 @@
     - { role: docker_metadata,              tags: ['meta', 'docker_metadata'] }
     - { role: docker_ldap,                  tags: ['ldap', 'docker_ldap'] }
     - { role: docker_plsc,                  tags: ['plsc', 'docker_plsc'] }
+    - { role: docker_db,                    tags: ['db', 'docker_db'] }
 
 - name: "lb"
   hosts: lb
@@ -108,12 +109,12 @@
     - { role: tls_fixed_cert,  tags: ['lb','tls_fixedcert'],   when: use_fixed_cert     }
     - { role: lb_haproxy,      tags: ['lb','haproxy']                                   }
 
-- name: "database"
-  hosts: db
-  tasks:
-    - { import_tasks: "tasks/versions.yml", tags: ['common'] }
-  roles:
-    - { role: db_server,        tags: ['db', 'db-server'] }
+# - name: "database"
+#   hosts: db
+#   tasks:
+#     - { import_tasks: "tasks/versions.yml", tags: ['common'] }
+#   roles:
+#     - { role: db_server,        tags: ['db', 'db-server'] }
 
 - name: "sbs"
   hosts: sbs

diff --git a/roles/docker_db/defaults/main.yml b/roles/docker_db/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+mariadb_dir: "/opt/mariadb"
+mariadb_conf_dir: "{{mariadb_dir}}/conf.d"
+mariadb_cert_dir: "{{mariadb_dir}}/cert"
+mariadb_data_dir: "{{mariadb_dir}}/data"
diff --git a/roles/docker_db/files/type.conf b/roles/docker_db/files/type.conf
@@ -0,0 +1,2 @@
+[Service]
+Type=exec
diff --git a/roles/docker_db/handlers/main.yml b/roles/docker_db/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart MariaDB
+  systemd:
+    daemon_reload: true
+    name: "mariadb"
+    state: "restarted"
+    enabled: true
diff --git a/roles/docker_db/tasks/main.yml b/roles/docker_db/tasks/main.yml
@@ -0,0 +1,207 @@
+# ---
+# - name: Install mariadb repo key
+#   apt_key:
+#     data: |
+#       -----BEGIN PGP PUBLIC KEY BLOCK-----
+#
+#       xsFNBFb8EKsBEADwGmleOSVThrbCyCVUdCreMTKpmD5p5aPz/0jc66050MAb71Hv
+#       TVcfuMqHYO8O66qXLpEdqZpuk4D+rw1oKyC+d8uPD2PSHRqBXnR0Qf+LVTZvtO92
+#       3R7pYnC2x6V6iVGpKQYFP8cwh2B1qgIa+9y/N8cQIqfD+0ghyiUjjTYek3YFBnqa
+#       L/2h2V0Mt0DkBrDK80LqEY10PAFDfJjINAW9XNHZzi2KqUx5w1z8rItokXV6fYE5
+#       ItyGMR6WVajJg5D4VCiZd0ymuQP2bGkrRbl6FH5vofVSkahKMJeHs2lbvMvNyS3c
+#       n8vxoBvbbcwSAV1gvB1uzXXxv0kdkFZjhU1Tss4+Dak8qeEmIrC5qYycLxIdVEhT
+#       Z8N8+P7Dll+QGOZKu9+OzhQ+byzpLFhUHKys53eXo/HrfWtw3DdP21yyb5P3QcgF
+#       scxfZHzZtFNUL6XaVnauZM2lqquUW+lMNdKKGCBJ6co4QxjocsxfISyarcFj6ZR0
+#       5Hf6VU3Y7AyuFZdL0SQWPv9BSu/swBOimrSiiVHbtE49Nx1x/d1wn1peYl07WRUv
+#       C10eF36ZoqEuSGmDz59mWlwB3daIYAsAAiBwgcmN7aSB8XD4ZPUVSEZvwSm/IwuS
+#       Rkpde+kIhTLjyv5bRGqU2P/Mi56dB4VFmMJaF26CiRXatxhXOAIAF9dXCwARAQAB
+#       zS1NYXJpYURCIFNpZ25pbmcgS2V5IDxzaWduaW5nLWtleUBtYXJpYWRiLm9yZz7C
+#       wXgEEwEIACIFAlb8EKsCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPFl
+#       byTHTNHYJZ0P/2Z2RURRkSTHLKZ/GqSvPReReeB7AI+ZrDapkpG/26xp1Yw1isCO
+#       y99pvQ7hjTFhdZQ7xSRUiT/e27wJxR7s4G/ck5VOVjuJzGnByNLmwMjdN1ONIO9P
+#       hQAs2iF3uoIbVTxzXof2F8C0WSbKgEWbtqlCWlaapDpN8jKAWdsQsNMdXcdpJ2os
+#       WiacQRxLREBGjVRkAiqdjYkegQ4BZ0GtPULKjZWCUNkaat51b7O7V19nSy/T7MM7
+#       n+kqYQLMIHCF8LGd3QQsNppRnolWVRzXMdtR2+9iI21qv6gtHcMiAg6QcKA7halL
+#       kCdIS2nWR8g7nZeZjq5XhckeNGrGX/3w/m/lwczYjMUer+qs2ww5expZJ7qhtSta
+#       lE3EtL/l7zE4RlknqwDZ0IXtxCNPu2UovCzZmdZm8UWfMSKk/3VgL8HgzYRr8fo0
+#       yj0XkckJ7snXvuhoviW2tjm46PyHPWRKgW4iEzUrB+hiXpy3ikt4rLRg/iMqKjyf
+#       mvcE/VdmFVtsfbfRVvlaWiIWCndRTVBkAaTu8DwrGyugQsbjEcK+4E25/SaKIJIw
+#       qfxpyBVhru21ypgEMAw1Y8KC7KntB7jzpFotE4wpv1jZKUZuy71ofr7g3/2O+7nW
+#       LrR1mncbuT6yXo316r56dfKzOxQJBnYFwTjXfa65yBArjQBUCPNYOKr0wkYEEhEI
+#       AAYFAlb8JFYACgkQy8sIKhu5Q9snYACgh3id41CYTHELOQ/ymj4tiuFt1lcAn3JU
+#       9wH3pihM9ISvoeuGnwwHhcKnwsFcBBIBCAAGBQJW/CSEAAoJEJFxGJmV5Fqe11cP
+#       /A3QhvqleuRaXoS5apIY3lrDL79Wo0bkydM3u2Ft9EqVVG5zZvlmWaXbw5wkPhza
+#       7YUjrD7ylaE754lHI48jJp3KY7RosClY/Kuk56GJI/SoMKx4v518pAboZ4hjY9MY
+#       gmiAuZEYx5Ibv1pj0+hkzRI78+f6+d5QTQ6y/35ZjSSJcBgCMAr/JRsmOkHu6cY6
+#       qOpq4g8mvRAX5ivRm4UxE2gnxZyd2LjY2/S2kCZvHWVaZuiTD0EU1jYPoOo6fhc8
+#       zjs5FWS56C1vp7aFOGBvsH3lwYAYi1K2S+/B4nqpitYJz/T0zFzzyYe7ZG77DXKD
+#       /XajD22IzRGKjoeVPFBx+2V0YCCpWZkqkfZ2Dt3QVW//QIpVsOJnmaqolDg1sxoa
+#       BEYBtCtovU0wh1pXWwfn7IgjIkPNl0AU8mW8Ll91WF+Lss/oMrUJMKVDenTJ6/ZO
+#       06c+JFlP7dS3YGMsifwgy5abA4Xy4GWpAsyEM68mqsJUc7ZANZcQAKr6+DryzSfI
+#       Olsn3kJzOtb/c3JhVmblEO6XzdfZJK/axPOp3mF1oEBoJ56fGwO2usgVwQDyLt3J
+#       iluJrCvMSBL9KtBZWrTZH5t3rTMN0NUALy4Etd6Y8V94i8c5NixMDyjRU7aKJAAw
+#       tUvxLd12dqtaXsuvGyzLbR4EDT/Q5DfLC1DZWpgtUtCVwsFcBBIBCAAGBQJW/CS2
+#       AAoJEEHdwLQNpW8iMUoP/AjFKyZ+inQTI2jJJBBtrLjxaxZSG5ggCovowWn8NWv6
+#       bQBm2VurYVKhvY1xUyxoLY8KN+MvoeTdpB3u7z+M6x+CdfoTGqWQ2yapOC0eEJBF
+#       O+GFho2WE0msiO0IaVJrzdFTPE0EYR2BHziLu0DDSZADe1WYEqkkrZsCNgi6EMng
+#       mX2h+DK2GlC3W2tY9sc63DsgzjcMBO9uYmpHj6nizsIrETqouVNUCLT0t8iETa25
+#       Mehq/I92I70Qfebv7R4eMrs+tWXKyPU0OjV+8b8saZsv1xn98UkeXwYx4JI04OTw
+#       nBeJG8yPrGDBO5iucmtaCvwGQ3c76qBivrA8eFz3azRxQYWWiFrkElTg+C/E83JQ
+#       WgqPvPZkI5UHvBwBqcoIXG15AJoXA/ZWIB8nPKWKaV5KDnY3DBuA4rh5Mhy3xwcC
+#       /22E/CmZMXjUUvDnlPgXCYAYU0FBbGk7JpSYawtNfdAN2XBRPq5sDKLLxftx7D8u
+#       ESJXXAlPxoRh7x1ArdGM+EowlJJ0xpINBaT0Z/Hk0jxNIFEak796/WeGqewdOIki
+#       dAs4tppUfzosla5K+qXfWwmhcKmpwA4oynE8wIaoXptoi8+rxaw4N6wAXlSrVxeC
+#       VTnb7+UY/BT2Wx6IQ10C9jrsj6XIffMvngIinCD9Czvadmr7BEIxKt1LP+gGA8Zg
+#       wsFcBBIBCgAGBQJYE6oDAAoJEL7YRJ/O6NqIJ24P+QFNa2O+Q1rLKrQiuPw4Q73o
+#       7/blUpFNudZfeCDpDbUgJ01u1RHnWOyLcyknartAosFDJIpgcXY5I8jsBIO5IZPR
+#       C/UKxZB3RYOhj49bySD9RNapHyq+Y56j9JUoz6tkKFBd+6g85Ej8d924xM1UnRCS
+#       9cfI9W0fSunbCi2CXLbXFF7V+m3Ou1SVYGIAxpMn4RXyYfuqeB5wROR2GA5Ef6T3
+#       S5byh1dRSEgnrBToENtp5n7Jwsc9pDofjtaUkO854l45IqFarGjCHZwtNRKd2lcK
+#       FMnd1jS0nfGkUbn3qNJam1qaGWx4gXaT845VsYYVTbxtkKi+qPUIoOyYx4NEm6fC
+#       ZywH72oP+fmUT/fbfSHa5j137dRqokkR6RFjnEMBl6WHwgqqUqeIT6t9uV6WWzX9
+#       lNroZFAFL/de7H31iIRuZcm38DUZOfjVf9glweu4yFvuJ7cQtyQydFQJV4LGDT/C
+#       8e9TWrV1/gWMyMGQlZsRWa+h+FfFUccQtfSdXpvSxtXfop+fVQmJgUUl92jh4K9j
+#       c9a6rIp5v1Q1yEgs2iS50/V/NMSmEcE1XMOxFt9fX9T+XmKAWZ8L25lpILsHT3mB
+#       VWrpHdbawUaiBp9elxhn6tFiTFR7qA7dlUyWrI+MMlINwSZ2AAXvmA2IajH/UIlh
+#       xotxmSNiZYIQ6UbD3fk4wsFzBBABCgAdFiEEmy/52H2krRdju+d2+GQcuhDvLUgF
+#       Ally44wACgkQ+GQcuhDvLUgkjQ//c3mBxfJm6yLAJD4s4OgsPv4pcp/EKmPcdztm
+#       W0/glwopUZmq9oNo3VMMCGtusrQgpACzfUlesu9NWlPCB3olZkeGugygo0zuQBKs
+#       55eG7bPzMLyfSqLKyogYocaGc4lpf4lbvlvxy37YGVrGpwT9i8t2REtM6iPKDcMM
+#       sgVtNlqFdq3Fs2Haqt0m1EksX6/GSIrjK4LZEcPklrGPvUS3S+qkwuaGE/jXxncE
+#       4jFQR9SYH6AHr6Vkt1CG9Dgpr+Ph0I9n0JRknBYoUZ1q51WdF946NplXkCskdzWG
+#       RHgMUCz3ZehF1FzpKgfO9Zd0YZsmivV/g6frUw/TayP9gxKPt7z2Lsxzyh8X7cg6
+#       TAvdG9JbG0PyPJT1TZ8qpjP/PtqPclHsHQQIbGSDFWzRM5znhS+5sgyw8FWInjw8
+#       JjxoOWMa50464EfGeb2jZfwtRimJAJLWEf/JnvO779nXf5YbvUZgfXaX7k/cvCVk
+#       U8M7oC7x8o6F0P2Lh6FgonklKEeIRtZBUNZ0Lk9OShVqlU9/v16MHq/Eyu/Mbs0D
+#       en3vYgiYxOBR8czD1Wh4vsKiGfOzQ6oWti/DCURV+iTYhJc7mSWM6STzUFr0nCnF
+#       x6W0j/zH6ZgiFAGOyIXW2DwfjFvYRcBL1RWAEKsiFwYrNV+MDonjKXjpVB1Ra90o
+#       lLrZXAXCwHMEEgEKAB0WIQRMRw//78TT3Fl3hlXOGj3V48lPSQUCXAAgOgAKCRDO
+#       Gj3V48lPSQxAB/43qoWteVZEiN3JW4FnHg+S60TnHSP69FKV+363XYKDa23pNpv4
+#       tiJumo9Kvb4UoDft766/URHm5RKyPtrxy+wqotamrkGJUTtP2a68h7C31VX+pf6i
+#       iQKmxRQz4zmW0pA5X01+AgpvcDH++Fv5NLBpnjqPdTh5b0gvr89E0zMNldNYOZu1
+#       0H/mukrnGlFDu/osBuy+XJtP2MeasazVMLvjKs+hr//E+iLI9DZOwFBK6AX5gkkI
+#       UEHkSeb4//AHwvanUMin9un9+F9iR+qDuDEKxuevYzM0owuoVcK5pAsRnRQJlnHW
+#       /0BQ6FtNGpmljhvUk8a/l3xFf3z/uJG5vVKVzsFNBFb8EKsBEADDfCMsu2U1CdJh
+#       r4xp6z4J89/tMnpCQASC8DQhtZ6bWG/ksyKt2DnDQ050XBEng+7epzHWA2UgT0li
+#       Y05zZmFs1X7QeZr16B7JANq6fnHOdZB0ThS7JEYbProkMxcqAFLAZJCpZT534Gpz
+#       W7qHwzjV+d13IziCHdi6+DD5eavYzBqY8QzjlOXbmIlY7dJUCwXTECUfirc6kH86
+#       CS8fXZTke4QYZ55VnrOomB4QGqP371kwBETnhlhi74+pvi3jW05Z5x1tVMwuugyz
+#       zkseZp1VYmJq5SHNFZ/pnAQLE9gUDTb6UWcPBwQh9Sw+7ahSK74lJKYm3wktyvZh
+#       zAxbNyzs1M56yeFP6uFwJTBfNByyMAa6TGUhNkxlLcYjxKbVmoAnKCVM8t41TlLv
+#       /a0ki8iQxqvphVLufksR9IpN6d3F15j6GeyVtxBEv04iv4vbuKthWytb+gjX4bI8
+#       CAo9jGHevmtdiw/SbeKx2YBM1MF6eua37rFMooOBj4X7VfQCyS+crNsOQn8nJGah
+#       YbzUDCCgnX+pqN9iZvXisMS79wVyD5DyISFDvT/5jY7IXxPibxr10P/8lfW1d72u
+#       xyI2UiZKZpyHCt4k47yMq4KQGLGuhxJ6q6O3bi2aXRuz8bLqTBLca9dmx9wZFvRh
+#       6jS/SKEg7eFcY0xbb6RVIv1UwGDYfQARAQABwsFfBBgBCAAJBQJW/BCrAhsMAAoJ
+#       EPFlbyTHTNHYEBIQAJhFTh1u34Q+5bnfiM2dAdCr6T6w4Y1v9ePiIYdSImeseJS2
+#       yRglpLcMjW0uEA9KXiRtC/Nm/ClnqYJzCKeIaweHqH6dIgJKaXZFt1Uaia7X9tDD
+#       wqALGu97irUrrV1Kh9IkM0J29Vid5amakrdS4mwt2uEISSnCi7pfVoEro+S7tYQ9
+#       iH6APVIwqWvcaty3cANdwKWfUQZ6a9IQ08xqzaMhMp2VzhVrWkq3B0j2aRoZR7BN
+#       LH2I7Z0giIM8ARjZs99aTRL+SfMEQ3sUxNLb3KWP/n1lSFbrk4HGzqUBBfczESlN
+#       c0970C6znK0H0HD11/3BTkMuPqww+Tzex4dpMQllMEKZ3wEyd9v6ba+nj/P1FHSE
+#       y/VN6IXzd82s1lYOonKTdmXAIROcHnb0QUzwsd/mhB3jKhEDOV2ZcBTD3yHv8m7C
+#       9G9y4hV+7yQlnPlSg3DjBp3SS5r+sOObCIy2Ad32upoXkilWa9g7GZSuhY9kyKqe
+#       Eba1lgXXaQykEeqx0pexkWavNnb9JaPrAZHDjUGcXrREmjEyXyElRoD4CrWXySe4
+#       6jCuNhVVlkLGo7osefynXa/+PNjQjURtx8en7M9A1FkQuRAxE8KIZgZzYxkGl5o5
+#       POSFCA4JUoRPDcrl/sI3fuq2dIOE/BJ2r8dV+LddiR+iukhXRwJXH8RVVEUS
+#       =mCOI
+#       -----END PGP PUBLIC KEY BLOCK-----
+#
+# - name: Install mariadb repo
+#   apt_repository:
+#     filename: "mariadb"
+#     repo: "deb https://mirror.rackspace.com/mariadb/repo/10.5/debian bullseye main"
+#     update_cache: true
+#
+# - name: Create mariadb.service.d directory
+#   file:
+#     path: /etc/systemd/system/mariadb.service.d
+#     state: directory
+#     mode: '0755'
+#
+# - name: Set mysql systemd Type=exec
+#   copy:
+#     src: type.conf
+#     dest: /etc/systemd/system/mariadb.service.d/type.conf
+#
+# - name: Ensure that packages are installed
+#   apt:
+#     name:
+#       - mariadb-server
+#       - python3-pymysql
+#     state: present
+
+- name: Ensure that a number of directories exist
+  file:
+    path: "{{ item.path }}"
+    state: "directory"
+    # owner: "{{ ldap_user }}"
+    # group: "{{ ldap_group }}"
+    mode: "{{ item.mode }}"
+  # tags: "ldap"
+  with_items:
+    - { path: "{{mariadb_conf_dir}}",  mode: "0755" }
+    - { path: "{{mariadb_cert_dir}}",  mode: "0755" }
+
+- name: Create wildcard backend key
+  copy:
+    content: "{{wildcard_backend_cert.priv}}"
+    dest: "{{mariadb_cert_dir}}/backend.key"
+    owner: "root"
+    group: "ssl-cert"
+    mode: 0644
+  no_log: "{{sram_ansible_nolog}}"
+
+- name: Create wildcard backend cert
+  copy:
+    content: "{{wildcard_backend_cert.pub}}"
+    dest: "{{mariadb_cert_dir}}/backend.crt"
+    owner: "root"
+    group: "root"
+    mode: 0644
+
+- name: Install mariadb config
+  template:
+    src: 60-sram.cnf.j2
+    # dest: /etc/mysql/mariadb.conf.d/60-scz.cnf
+    dest: "{{mariadb_conf_dir}}/sram.cnf"
+  # notify: restart MariaDB
+
+# - name: add mysql user to ssl-cert group
+#   user:
+#     name: mysql
+#     groups: ssl-cert
+#     append: yes
+
+# - name: Add admin user
+#   mysql_user:
+#     name: '{{ db_admin_user }}'
+#     host: '%'
+#     password: '{{ db_admin_password }}'
+#     priv: '*.*:ALL,GRANT'
+#     state: present
+#     login_unix_socket: /var/run/mysqld/mysqld.sock
+#     check_implicit_admin: yes
+
+- name: Create the database container
+  docker_container:
+    name: db
+    image: mariadb:11
+    # restart_policy: "always"
+    # restart: true
+    state: started
+    # pull: true
+    ports:
+      - 3306:3306
+    env:
+      MARIADB_ROOT_PASSWORD: "{{ db_admin_password }}"
+      MYSQL_ROOT_HOST: "%"
+    mounts:
+      - type: bind
+        source: "{{ mariadb_conf_dir }}/sram.cnf"
+        target: "/etc/mysql/conf.d/60-sram.cnf"
+    volumes:
+      - "{{ mariadb_cert_dir }}:{{ mariadb_cert_dir }}"
+      - "{{ mariadb_data_dir }}:/var/lib/mysql:Z"
+    networks:
+      - name: "traefik"
diff --git a/roles/docker_db/templates/60-sram.cnf.j2 b/roles/docker_db/templates/60-sram.cnf.j2
@@ -0,0 +1,6 @@
+[mysqld]
+bind-address            = 0.0.0.0
+
+ssl-cert = {{ mariadb_cert_dir }}/backend.crt
+ssl-key = {{ mariadb_cert_dir }}/backend.key
+require_secure_transport = ON