From a773e96b99a3b30b015d7d7df954fa80cb3c4838 Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Thu, 2 Nov 2023 12:04:14 +0100 Subject: [PATCH] Add MariaDB --- provision.yml | 13 +- roles/docker_db/defaults/main.yml | 5 + roles/docker_db/files/type.conf | 2 + roles/docker_db/handlers/main.yml | 7 + roles/docker_db/tasks/main.yml | 207 +++++++++++++++++++++++ roles/docker_db/templates/60-sram.cnf.j2 | 6 + 6 files changed, 234 insertions(+), 6 deletions(-) create mode 100644 roles/docker_db/defaults/main.yml create mode 100644 roles/docker_db/files/type.conf create mode 100644 roles/docker_db/handlers/main.yml create mode 100644 roles/docker_db/tasks/main.yml create mode 100644 roles/docker_db/templates/60-sram.cnf.j2 diff --git a/provision.yml b/provision.yml index 0b4f87111..b4c7186c8 100644 --- a/provision.yml +++ b/provision.yml @@ -97,6 +97,7 @@ - { role: docker_metadata, tags: ['meta', 'docker_metadata'] } - { role: docker_ldap, tags: ['ldap', 'docker_ldap'] } - { role: docker_plsc, tags: ['plsc', 'docker_plsc'] } + - { role: docker_db, tags: ['db', 'docker_db'] } - name: "lb" hosts: lb @@ -108,12 +109,12 @@ - { role: tls_fixed_cert, tags: ['lb','tls_fixedcert'], when: use_fixed_cert } - { role: lb_haproxy, tags: ['lb','haproxy'] } -- name: "database" - hosts: db - tasks: - - { import_tasks: "tasks/versions.yml", tags: ['common'] } - roles: - - { role: db_server, tags: ['db', 'db-server'] } +# - name: "database" +# hosts: db +# tasks: +# - { import_tasks: "tasks/versions.yml", tags: ['common'] } +# roles: +# - { role: db_server, tags: ['db', 'db-server'] } - name: "sbs" hosts: sbs diff --git a/roles/docker_db/defaults/main.yml b/roles/docker_db/defaults/main.yml new file mode 100644 index 000000000..81d5e2b27 --- /dev/null +++ b/roles/docker_db/defaults/main.yml @@ -0,0 +1,5 @@ +--- +mariadb_dir: "/opt/mariadb" +mariadb_conf_dir: "{{mariadb_dir}}/conf.d" +mariadb_cert_dir: "{{mariadb_dir}}/cert" +mariadb_data_dir: "{{mariadb_dir}}/data" 
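Review bot: The `database` play in the second provision.yml hunk is commented out rather than deleted, leaving a six-line dead block that will drift from the `db_server` role it still references; version control keeps the history, so the lines can simply go. The first hunk moves the `db` tag onto the new `docker_db` role, so `--tags db` now selects a different play (the one this role is appended to, whose `hosts` line is outside the hunk) than it did before; that is worth a sentence in the commit description.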
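Review bot: `mariadb_data_dir` is declared here but no task in roles/docker_db/tasks/main.yml creates it; the directory task there covers only `mariadb_conf_dir` and `mariadb_cert_dir`, so the `/var/lib/mysql` bind mount relies on the container runtime creating the source directory with whatever owner and mode it picks. Adding `- { path: "{{ mariadb_data_dir }}", mode: "0750" }` to that task makes the permissions deliberate — confirm the uid mysqld runs as inside the `mariadb:11` image can still write it. Style: the expressions here are written `{{mariadb_dir}}` without inner spaces while the tasks file writes `{{ item.path }}`; `mariadb_conf_dir: "{{ mariadb_dir }}/conf.d"` matches the rest of the role and ansible-lint's jinja spacing rule.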
diff --git a/roles/docker_db/files/type.conf b/roles/docker_db/files/type.conf new file mode 100644 index 000000000..633f6345c --- /dev/null +++ b/roles/docker_db/files/type.conf @@ -0,0 +1,2 @@ +[Service] +Type=exec diff --git a/roles/docker_db/handlers/main.yml b/roles/docker_db/handlers/main.yml new file mode 100644 index 000000000..6ee8b73f1 --- /dev/null +++ b/roles/docker_db/handlers/main.yml @@ -0,0 +1,7 @@ +--- +- name: restart MariaDB + systemd: + daemon_reload: true + name: "mariadb" + state: "restarted" + enabled: true diff --git a/roles/docker_db/tasks/main.yml b/roles/docker_db/tasks/main.yml new file mode 100644 index 000000000..03985226b --- /dev/null +++ b/roles/docker_db/tasks/main.yml 
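Review bot: type.conf has no consumer in this commit: the only task that deploys it (`Set mysql systemd Type=exec` in roles/docker_db/tasks/main.yml) is commented out, and MariaDB now runs as a container rather than a host systemd unit. Either drop the file or keep the task that installs it; a dead drop-in is easy to mistake for active configuration later.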
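Review bot: The `restart MariaDB` handler restarts a host-level `mariadb` systemd unit, but the role no longer installs mariadb-server on the host (that apt task is commented out in tasks/main.yml) and the only `notify: restart MariaDB`, on the config-template task, is commented out as well, so the handler is unreachable today and would fail on a missing unit if it were re-enabled. Unless a host unit is still expected (nothing in this commit shows one), point the handler at the container instead — a `docker_container` task with `name: db` and `restart: true` — and restore the `notify` on the template task so a changed `sram.cnf` actually reaches the running server.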
@@ -0,0 +1,207 @@ +# --- +# - name: Install mariadb repo key +# apt_key: +# data: | +# -----BEGIN PGP PUBLIC KEY BLOCK----- +# +# xsFNBFb8EKsBEADwGmleOSVThrbCyCVUdCreMTKpmD5p5aPz/0jc66050MAb71Hv +# TVcfuMqHYO8O66qXLpEdqZpuk4D+rw1oKyC+d8uPD2PSHRqBXnR0Qf+LVTZvtO92 +# 3R7pYnC2x6V6iVGpKQYFP8cwh2B1qgIa+9y/N8cQIqfD+0ghyiUjjTYek3YFBnqa +# L/2h2V0Mt0DkBrDK80LqEY10PAFDfJjINAW9XNHZzi2KqUx5w1z8rItokXV6fYE5 +# ItyGMR6WVajJg5D4VCiZd0ymuQP2bGkrRbl6FH5vofVSkahKMJeHs2lbvMvNyS3c +# n8vxoBvbbcwSAV1gvB1uzXXxv0kdkFZjhU1Tss4+Dak8qeEmIrC5qYycLxIdVEhT +# Z8N8+P7Dll+QGOZKu9+OzhQ+byzpLFhUHKys53eXo/HrfWtw3DdP21yyb5P3QcgF +# scxfZHzZtFNUL6XaVnauZM2lqquUW+lMNdKKGCBJ6co4QxjocsxfISyarcFj6ZR0 +# 5Hf6VU3Y7AyuFZdL0SQWPv9BSu/swBOimrSiiVHbtE49Nx1x/d1wn1peYl07WRUv +# C10eF36ZoqEuSGmDz59mWlwB3daIYAsAAiBwgcmN7aSB8XD4ZPUVSEZvwSm/IwuS +# Rkpde+kIhTLjyv5bRGqU2P/Mi56dB4VFmMJaF26CiRXatxhXOAIAF9dXCwARAQAB +# zS1NYXJpYURCIFNpZ25pbmcgS2V5IDxzaWduaW5nLWtleUBtYXJpYWRiLm9yZz7C +# wXgEEwEIACIFAlb8EKsCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPFl +# byTHTNHYJZ0P/2Z2RURRkSTHLKZ/GqSvPReReeB7AI+ZrDapkpG/26xp1Yw1isCO +# y99pvQ7hjTFhdZQ7xSRUiT/e27wJxR7s4G/ck5VOVjuJzGnByNLmwMjdN1ONIO9P +# hQAs2iF3uoIbVTxzXof2F8C0WSbKgEWbtqlCWlaapDpN8jKAWdsQsNMdXcdpJ2os +# WiacQRxLREBGjVRkAiqdjYkegQ4BZ0GtPULKjZWCUNkaat51b7O7V19nSy/T7MM7 +# n+kqYQLMIHCF8LGd3QQsNppRnolWVRzXMdtR2+9iI21qv6gtHcMiAg6QcKA7halL +# kCdIS2nWR8g7nZeZjq5XhckeNGrGX/3w/m/lwczYjMUer+qs2ww5expZJ7qhtSta +# lE3EtL/l7zE4RlknqwDZ0IXtxCNPu2UovCzZmdZm8UWfMSKk/3VgL8HgzYRr8fo0 +# yj0XkckJ7snXvuhoviW2tjm46PyHPWRKgW4iEzUrB+hiXpy3ikt4rLRg/iMqKjyf +# mvcE/VdmFVtsfbfRVvlaWiIWCndRTVBkAaTu8DwrGyugQsbjEcK+4E25/SaKIJIw +# qfxpyBVhru21ypgEMAw1Y8KC7KntB7jzpFotE4wpv1jZKUZuy71ofr7g3/2O+7nW +# LrR1mncbuT6yXo316r56dfKzOxQJBnYFwTjXfa65yBArjQBUCPNYOKr0wkYEEhEI +# AAYFAlb8JFYACgkQy8sIKhu5Q9snYACgh3id41CYTHELOQ/ymj4tiuFt1lcAn3JU +# 9wH3pihM9ISvoeuGnwwHhcKnwsFcBBIBCAAGBQJW/CSEAAoJEJFxGJmV5Fqe11cP +# /A3QhvqleuRaXoS5apIY3lrDL79Wo0bkydM3u2Ft9EqVVG5zZvlmWaXbw5wkPhza +# 
7YUjrD7ylaE754lHI48jJp3KY7RosClY/Kuk56GJI/SoMKx4v518pAboZ4hjY9MY +# gmiAuZEYx5Ibv1pj0+hkzRI78+f6+d5QTQ6y/35ZjSSJcBgCMAr/JRsmOkHu6cY6 +# qOpq4g8mvRAX5ivRm4UxE2gnxZyd2LjY2/S2kCZvHWVaZuiTD0EU1jYPoOo6fhc8 +# zjs5FWS56C1vp7aFOGBvsH3lwYAYi1K2S+/B4nqpitYJz/T0zFzzyYe7ZG77DXKD +# /XajD22IzRGKjoeVPFBx+2V0YCCpWZkqkfZ2Dt3QVW//QIpVsOJnmaqolDg1sxoa +# BEYBtCtovU0wh1pXWwfn7IgjIkPNl0AU8mW8Ll91WF+Lss/oMrUJMKVDenTJ6/ZO +# 06c+JFlP7dS3YGMsifwgy5abA4Xy4GWpAsyEM68mqsJUc7ZANZcQAKr6+DryzSfI +# Olsn3kJzOtb/c3JhVmblEO6XzdfZJK/axPOp3mF1oEBoJ56fGwO2usgVwQDyLt3J +# iluJrCvMSBL9KtBZWrTZH5t3rTMN0NUALy4Etd6Y8V94i8c5NixMDyjRU7aKJAAw +# tUvxLd12dqtaXsuvGyzLbR4EDT/Q5DfLC1DZWpgtUtCVwsFcBBIBCAAGBQJW/CS2 +# AAoJEEHdwLQNpW8iMUoP/AjFKyZ+inQTI2jJJBBtrLjxaxZSG5ggCovowWn8NWv6 +# bQBm2VurYVKhvY1xUyxoLY8KN+MvoeTdpB3u7z+M6x+CdfoTGqWQ2yapOC0eEJBF +# O+GFho2WE0msiO0IaVJrzdFTPE0EYR2BHziLu0DDSZADe1WYEqkkrZsCNgi6EMng +# mX2h+DK2GlC3W2tY9sc63DsgzjcMBO9uYmpHj6nizsIrETqouVNUCLT0t8iETa25 +# Mehq/I92I70Qfebv7R4eMrs+tWXKyPU0OjV+8b8saZsv1xn98UkeXwYx4JI04OTw +# nBeJG8yPrGDBO5iucmtaCvwGQ3c76qBivrA8eFz3azRxQYWWiFrkElTg+C/E83JQ +# WgqPvPZkI5UHvBwBqcoIXG15AJoXA/ZWIB8nPKWKaV5KDnY3DBuA4rh5Mhy3xwcC +# /22E/CmZMXjUUvDnlPgXCYAYU0FBbGk7JpSYawtNfdAN2XBRPq5sDKLLxftx7D8u +# ESJXXAlPxoRh7x1ArdGM+EowlJJ0xpINBaT0Z/Hk0jxNIFEak796/WeGqewdOIki +# dAs4tppUfzosla5K+qXfWwmhcKmpwA4oynE8wIaoXptoi8+rxaw4N6wAXlSrVxeC +# VTnb7+UY/BT2Wx6IQ10C9jrsj6XIffMvngIinCD9Czvadmr7BEIxKt1LP+gGA8Zg +# wsFcBBIBCgAGBQJYE6oDAAoJEL7YRJ/O6NqIJ24P+QFNa2O+Q1rLKrQiuPw4Q73o +# 7/blUpFNudZfeCDpDbUgJ01u1RHnWOyLcyknartAosFDJIpgcXY5I8jsBIO5IZPR +# C/UKxZB3RYOhj49bySD9RNapHyq+Y56j9JUoz6tkKFBd+6g85Ej8d924xM1UnRCS +# 9cfI9W0fSunbCi2CXLbXFF7V+m3Ou1SVYGIAxpMn4RXyYfuqeB5wROR2GA5Ef6T3 +# S5byh1dRSEgnrBToENtp5n7Jwsc9pDofjtaUkO854l45IqFarGjCHZwtNRKd2lcK +# FMnd1jS0nfGkUbn3qNJam1qaGWx4gXaT845VsYYVTbxtkKi+qPUIoOyYx4NEm6fC +# ZywH72oP+fmUT/fbfSHa5j137dRqokkR6RFjnEMBl6WHwgqqUqeIT6t9uV6WWzX9 +# lNroZFAFL/de7H31iIRuZcm38DUZOfjVf9glweu4yFvuJ7cQtyQydFQJV4LGDT/C +# 
8e9TWrV1/gWMyMGQlZsRWa+h+FfFUccQtfSdXpvSxtXfop+fVQmJgUUl92jh4K9j +# c9a6rIp5v1Q1yEgs2iS50/V/NMSmEcE1XMOxFt9fX9T+XmKAWZ8L25lpILsHT3mB +# VWrpHdbawUaiBp9elxhn6tFiTFR7qA7dlUyWrI+MMlINwSZ2AAXvmA2IajH/UIlh +# xotxmSNiZYIQ6UbD3fk4wsFzBBABCgAdFiEEmy/52H2krRdju+d2+GQcuhDvLUgF +# Ally44wACgkQ+GQcuhDvLUgkjQ//c3mBxfJm6yLAJD4s4OgsPv4pcp/EKmPcdztm +# W0/glwopUZmq9oNo3VMMCGtusrQgpACzfUlesu9NWlPCB3olZkeGugygo0zuQBKs +# 55eG7bPzMLyfSqLKyogYocaGc4lpf4lbvlvxy37YGVrGpwT9i8t2REtM6iPKDcMM +# sgVtNlqFdq3Fs2Haqt0m1EksX6/GSIrjK4LZEcPklrGPvUS3S+qkwuaGE/jXxncE +# 4jFQR9SYH6AHr6Vkt1CG9Dgpr+Ph0I9n0JRknBYoUZ1q51WdF946NplXkCskdzWG +# RHgMUCz3ZehF1FzpKgfO9Zd0YZsmivV/g6frUw/TayP9gxKPt7z2Lsxzyh8X7cg6 +# TAvdG9JbG0PyPJT1TZ8qpjP/PtqPclHsHQQIbGSDFWzRM5znhS+5sgyw8FWInjw8 +# JjxoOWMa50464EfGeb2jZfwtRimJAJLWEf/JnvO779nXf5YbvUZgfXaX7k/cvCVk +# U8M7oC7x8o6F0P2Lh6FgonklKEeIRtZBUNZ0Lk9OShVqlU9/v16MHq/Eyu/Mbs0D +# en3vYgiYxOBR8czD1Wh4vsKiGfOzQ6oWti/DCURV+iTYhJc7mSWM6STzUFr0nCnF +# x6W0j/zH6ZgiFAGOyIXW2DwfjFvYRcBL1RWAEKsiFwYrNV+MDonjKXjpVB1Ra90o +# lLrZXAXCwHMEEgEKAB0WIQRMRw//78TT3Fl3hlXOGj3V48lPSQUCXAAgOgAKCRDO +# Gj3V48lPSQxAB/43qoWteVZEiN3JW4FnHg+S60TnHSP69FKV+363XYKDa23pNpv4 +# tiJumo9Kvb4UoDft766/URHm5RKyPtrxy+wqotamrkGJUTtP2a68h7C31VX+pf6i +# iQKmxRQz4zmW0pA5X01+AgpvcDH++Fv5NLBpnjqPdTh5b0gvr89E0zMNldNYOZu1 +# 0H/mukrnGlFDu/osBuy+XJtP2MeasazVMLvjKs+hr//E+iLI9DZOwFBK6AX5gkkI +# UEHkSeb4//AHwvanUMin9un9+F9iR+qDuDEKxuevYzM0owuoVcK5pAsRnRQJlnHW +# /0BQ6FtNGpmljhvUk8a/l3xFf3z/uJG5vVKVzsFNBFb8EKsBEADDfCMsu2U1CdJh +# r4xp6z4J89/tMnpCQASC8DQhtZ6bWG/ksyKt2DnDQ050XBEng+7epzHWA2UgT0li +# Y05zZmFs1X7QeZr16B7JANq6fnHOdZB0ThS7JEYbProkMxcqAFLAZJCpZT534Gpz +# W7qHwzjV+d13IziCHdi6+DD5eavYzBqY8QzjlOXbmIlY7dJUCwXTECUfirc6kH86 +# CS8fXZTke4QYZ55VnrOomB4QGqP371kwBETnhlhi74+pvi3jW05Z5x1tVMwuugyz +# zkseZp1VYmJq5SHNFZ/pnAQLE9gUDTb6UWcPBwQh9Sw+7ahSK74lJKYm3wktyvZh +# zAxbNyzs1M56yeFP6uFwJTBfNByyMAa6TGUhNkxlLcYjxKbVmoAnKCVM8t41TlLv +# /a0ki8iQxqvphVLufksR9IpN6d3F15j6GeyVtxBEv04iv4vbuKthWytb+gjX4bI8 +# 
CAo9jGHevmtdiw/SbeKx2YBM1MF6eua37rFMooOBj4X7VfQCyS+crNsOQn8nJGah +# YbzUDCCgnX+pqN9iZvXisMS79wVyD5DyISFDvT/5jY7IXxPibxr10P/8lfW1d72u +# xyI2UiZKZpyHCt4k47yMq4KQGLGuhxJ6q6O3bi2aXRuz8bLqTBLca9dmx9wZFvRh +# 6jS/SKEg7eFcY0xbb6RVIv1UwGDYfQARAQABwsFfBBgBCAAJBQJW/BCrAhsMAAoJ +# EPFlbyTHTNHYEBIQAJhFTh1u34Q+5bnfiM2dAdCr6T6w4Y1v9ePiIYdSImeseJS2 +# yRglpLcMjW0uEA9KXiRtC/Nm/ClnqYJzCKeIaweHqH6dIgJKaXZFt1Uaia7X9tDD +# wqALGu97irUrrV1Kh9IkM0J29Vid5amakrdS4mwt2uEISSnCi7pfVoEro+S7tYQ9 +# iH6APVIwqWvcaty3cANdwKWfUQZ6a9IQ08xqzaMhMp2VzhVrWkq3B0j2aRoZR7BN +# LH2I7Z0giIM8ARjZs99aTRL+SfMEQ3sUxNLb3KWP/n1lSFbrk4HGzqUBBfczESlN +# c0970C6znK0H0HD11/3BTkMuPqww+Tzex4dpMQllMEKZ3wEyd9v6ba+nj/P1FHSE +# y/VN6IXzd82s1lYOonKTdmXAIROcHnb0QUzwsd/mhB3jKhEDOV2ZcBTD3yHv8m7C +# 9G9y4hV+7yQlnPlSg3DjBp3SS5r+sOObCIy2Ad32upoXkilWa9g7GZSuhY9kyKqe +# Eba1lgXXaQykEeqx0pexkWavNnb9JaPrAZHDjUGcXrREmjEyXyElRoD4CrWXySe4 +# 6jCuNhVVlkLGo7osefynXa/+PNjQjURtx8en7M9A1FkQuRAxE8KIZgZzYxkGl5o5 +# POSFCA4JUoRPDcrl/sI3fuq2dIOE/BJ2r8dV+LddiR+iukhXRwJXH8RVVEUS +# =mCOI +# -----END PGP PUBLIC KEY BLOCK----- +# +# - name: Install mariadb repo +# apt_repository: +# filename: "mariadb" +# repo: "deb https://mirror.rackspace.com/mariadb/repo/10.5/debian bullseye main" +# update_cache: true +# +# - name: Create mariadb.service.d directory +# file: +# path: /etc/systemd/system/mariadb.service.d +# state: directory +# mode: '0755' +# +# - name: Set mysql systemd Type=exec +# copy: +# src: type.conf +# dest: /etc/systemd/system/mariadb.service.d/type.conf +# +# - name: Ensure that packages are installed +# apt: +# name: +# - mariadb-server +# - python3-pymysql +# state: present + +- name: Ensure that a number of directories exist + file: + path: "{{ item.path }}" + state: "directory" + # owner: "{{ ldap_user }}" + # group: "{{ ldap_group }}" + mode: "{{ item.mode }}" + # tags: "ldap" + with_items: + - { path: "{{mariadb_conf_dir}}", mode: "0755" } + - { path: "{{mariadb_cert_dir}}", mode: "0755" } + +- name: Create wildcard backend key 
+ copy: + content: "{{wildcard_backend_cert.priv}}" + dest: "{{mariadb_cert_dir}}/backend.key" + owner: "root" + group: "ssl-cert" + mode: 0644 + no_log: "{{sram_ansible_nolog}}" + +- name: Create wildcard backend cert + copy: + content: "{{wildcard_backend_cert.pub}}" + dest: "{{mariadb_cert_dir}}/backend.crt" + owner: "root" + group: "root" + mode: 0644 + +- name: Install mariadb config + template: + src: 60-sram.cnf.j2 + # dest: /etc/mysql/mariadb.conf.d/60-scz.cnf + dest: "{{mariadb_conf_dir}}/sram.cnf" + # notify: restart MariaDB + +# - name: add mysql user to ssl-cert group +# user: +# name: mysql +# groups: ssl-cert +# append: yes + +# - name: Add admin user +# mysql_user: +# name: '{{ db_admin_user }}' +# host: '%' +# password: '{{ db_admin_password }}' +# priv: '*.*:ALL,GRANT' +# state: present +# login_unix_socket: /var/run/mysqld/mysqld.sock +# check_implicit_admin: yes + +- name: Create the database container + docker_container: + name: db + image: mariadb:11 + # restart_policy: "always" + # restart: true + state: started + # pull: true + ports: + - 3306:3306 + env: + MARIADB_ROOT_PASSWORD: "{{ db_admin_password }}" + MYSQL_ROOT_HOST: "%" + mounts: + - type: bind + source: "{{ mariadb_conf_dir }}/sram.cnf" + target: "/etc/mysql/conf.d/60-sram.cnf" + volumes: + - "{{ mariadb_cert_dir }}:{{ mariadb_cert_dir }}" + - "{{ mariadb_data_dir }}:/var/lib/mysql:Z" + networks: + - name: "traefik" diff --git a/roles/docker_db/templates/60-sram.cnf.j2 b/roles/docker_db/templates/60-sram.cnf.j2 new file mode 100644 index 000000000..660ebc0eb --- /dev/null +++ b/roles/docker_db/templates/60-sram.cnf.j2 @@ -0,0 +1,6 @@ +[mysqld] +bind-address = 0.0.0.0 + +ssl-cert = {{ mariadb_cert_dir }}/backend.crt +ssl-key = {{ mariadb_cert_dir }}/backend.key +require_secure_transport = ON
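Review bot: `Create wildcard backend key` writes the private key `backend.key` with `mode: 0644`, so it is world-readable on the host and the `group: "ssl-cert"` setting buys nothing; `mode: "0640"` (quoted, so the octal is not reinterpreted by the YAML loader) keeps it group-readable, provided the uid mysqld runs as inside the `mariadb:11` image can still read it — confirm that, since the host `ssl-cert` gid is not necessarily the one the container uses. The `Create the database container` task carries `db_admin_password` in `env` but, unlike the key task, has no `no_log: "{{sram_ansible_nolog}}"`, so the root password can surface in verbose or failed-task output. `ports: - 3306:3306` publishes the server on every host interface while `MYSQL_ROOT_HOST: "%"` accepts root logins from any source; if clients only reach it over the `traefik` network the publication can go, otherwise bind it to loopback with `- "127.0.0.1:3306:3306"`. The roughly 150 lines of commented-out apt-key and apt-repository tasks at the top of the file belong in history rather than the role, and `restart_policy` being commented out means the container does not come back after a host reboot.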
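Review bot: The `ssl-cert` and `ssl-key` values resolve to host paths under `{{ mariadb_cert_dir }}`, which only work inside the container because tasks/main.yml mounts that directory at the identical path (`"{{ mariadb_cert_dir }}:{{ mariadb_cert_dir }}"`); nothing in the template records that coupling. A header comment such as `# {{ mariadb_cert_dir }} is bind-mounted into the container at the same host path; keep the volume entry in tasks/main.yml in sync` saves the next reader a detour. `bind-address = 0.0.0.0` is what the container namespace needs, but the published port in the container task, not this line, is what decides reachability from outside the host — worth stating in the same comment so nobody tightens this line expecting it to limit exposure.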