From 1047752534b01fe7aa66a6a4988167c4e467d07f Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Sun, 31 Oct 2021 01:29:43 -0500
Subject: [PATCH] Find certificates and include them by direct name
---
 tasks/main.yml | 15 +++++++++++++++
 templates/Fedora/34/etc/my.cnf.d/client.cnf | 2 ++
 .../Fedora/34/etc/my.cnf.d/mariadb-server.cnf | 13 +++++++++++--
 3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 5faf5d2..a0bdd60 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -74,6 +74,21 @@
 loop: '{{ ensure_mariadb.seboolean_list }}'
 loop_control:
 label: '{{ item.name }} will be {{ item.state }}'
+- name: 'find certificates'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_mariadb is defined
+ - ensure_mariadb.template_list is defined
+ - ensure_mariadb.template_list is iterable
+ ansible.builtin.find:
+ file_type: 'file'
+ paths:
+ - '/etc/httpd/md/domains/'
+ patterns:
+ - 'pubcert.pem'
+ - 'privkey.pem'
+ recursive: 'yes'
+ register: 'certificates'
 - name: 'ensure configurations'
 when:
 - ansible_system == 'Linux'
diff --git a/templates/Fedora/34/etc/my.cnf.d/client.cnf b/templates/Fedora/34/etc/my.cnf.d/client.cnf
index 2d4114c..05442bf 100644
--- a/templates/Fedora/34/etc/my.cnf.d/client.cnf
+++ b/templates/Fedora/34/etc/my.cnf.d/client.cnf
@@ -9,4 +9,6 @@
 default-character-set = utf8mb4
 # If you use the same .cnf file for MySQL and MariaDB,
 # use it for MariaDB-only client options
 [client-mariadb]
+ssl
+ssl-verify-server-cert
diff --git a/templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf b/templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf
index 18d1a69..5bed3ee 100644
--- a/templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf
+++ b/templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf
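Review bot: The `find` walks every directory under `/etc/httpd/md/domains/` and nothing limits it to one domain, so `certificates.files` holds a `pubcert.pem`/`privkey.pem` pair per mod_md domain and the mariadb-server.cnf template in the third hunk emits one `ssl-cert=`/`ssl-key=` line per match; with two or more domains the pair MariaDB ends up loading may be mismatched, and I have not verified how it resolves a repeated option. An `ansible.builtin.assert` on `certificates.matched == 2` right after this task, or at least a comment stating the single-domain assumption, would make the intent explicit. Separately, `{% certificate.path %}` in that template is a Jinja statement tag rather than an expression and will not render; it needs `{{ certificate.path }}`. Style-wise, `recursive: 'yes'` and `register: 'certificates'` quote values that should be the boolean `true` and a plain variable name. Nothing in the patch makes `privkey.pem` readable by the account MariaDB runs as, and as far as I know mod_md keeps its store root-only by default, so the server may fail to start once the key path is configured.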
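Review bot: `ssl-verify-server-cert` is turned on with no `ssl-ca` in the client section, so the clients reading `[client-mariadb]` have nothing to validate the server certificate against and, as far as I know for the 10.x client, verification fails rather than falling back to a system trust store; adding `ssl-ca = /etc/pki/tls/certs/ca-bundle.crt` (the bundle the server template already references in the third hunk) next to the two new lines would make the check effective. Since the server certificate is presumably the mod_md one, its name matches the web domain, so verification only passes when clients connect by that hostname rather than `localhost`; that deserves a comment above the options, e.g. `# require TLS and verify the server certificate; connect by the certificate's hostname`. As the comment above the group already says, `[client-mariadb]` is read only by MariaDB's own clients, so MySQL-built clients sharing this file are not covered by these two options.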
@@ -20,8 +20,17 @@ log-error=/var/log/mariadb/mariadb.log
 pid-file=/run/mariadb/mariadb.pid
 character-set-server = utf8mb4
 ssl-ca=/etc/pki/tls/certs/ca-bundle.crt
-ssl-cert=/etc/httpd/md/domains/*/pubcert.pem
-ssl-key=/etc/httpd/md/domains/*/privkey.pem
+{% for certificate in certificates.files %}
+{% if certificate.path is regex('/pubcert.pem$') %}
+ssl-cert={% certificate.path %}
+{% endif %}
+{% endfor %}
+{% for certificate in certificates.files %}
+{% if certificate.path is regex('/privkey.pem$') %}
+ssl-key={% certificate.path %}
+{% endif %}
+{% endfor %}
+tls-version=TLSv1.2,TLSv1.3
 #