From 25224177e4f8c2984cb91586991989ba7c379412 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 27 Apr 2025 12:38:38 -0500 Subject: [PATCH] Fedora 42 
Signed-off-by: Jason Rothstein --- .../42/etc/httpd/conf.d/phpMyAdmin.conf | 46 ++++++ templates/Fedora/42/etc/my.cnf | 11 ++ .../Fedora/42/etc/my.cnf.d/auth_gssapi.cnf | 2 + templates/Fedora/42/etc/my.cnf.d/client.cnf | 14 ++ .../etc/my.cnf.d/cracklib_password_check.cnf | 2 + .../42/etc/my.cnf.d/enable_encryption.preset | 20 +++ .../etc/my.cnf.d/hashicorp_key_management.cnf | 117 ++++++++++++++ .../Fedora/42/etc/my.cnf.d/mariadb-server.cnf | 59 +++++++ .../Fedora/42/etc/my.cnf.d/mysql-clients.cnf | 23 +++ .../Fedora/42/etc/my.cnf.d/provider_bzip2.cnf | 3 + .../Fedora/42/etc/my.cnf.d/provider_lz4.cnf | 3 + .../Fedora/42/etc/my.cnf.d/provider_lzma.cnf | 3 + .../Fedora/42/etc/my.cnf.d/provider_lzo.cnf | 3 + .../42/etc/my.cnf.d/provider_snappy.cnf | 3 + templates/Fedora/42/etc/my.cnf.d/spider.cnf | 7 + .../Fedora/42/etc/phpMyAdmin/config.inc.php | 153 ++++++++++++++++++ .../systemd/system/mariadb-copytls.service | 11 ++ .../lib/systemd/system/mariadb-copytls.timer | 8 + .../42/usr/lib/systemd/system/mariadb.service | 64 ++++++++ .../usr/lib/systemd/system/mariadb@.service | 85 ++++++++++ vars/Fedora-42-default.yml | 130 +++++++++++++++ 21 files changed, 767 insertions(+) create mode 100644 templates/Fedora/42/etc/httpd/conf.d/phpMyAdmin.conf create mode 100644 templates/Fedora/42/etc/my.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/auth_gssapi.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/client.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/cracklib_password_check.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/enable_encryption.preset create mode 100644 templates/Fedora/42/etc/my.cnf.d/hashicorp_key_management.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/mariadb-server.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/mysql-clients.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/provider_bzip2.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/provider_lz4.cnf create mode 100644 
templates/Fedora/42/etc/my.cnf.d/provider_lzma.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/provider_lzo.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/provider_snappy.cnf create mode 100644 templates/Fedora/42/etc/my.cnf.d/spider.cnf create mode 100644 templates/Fedora/42/etc/phpMyAdmin/config.inc.php create mode 100644 templates/Fedora/42/usr/lib/systemd/system/mariadb-copytls.service create mode 100644 templates/Fedora/42/usr/lib/systemd/system/mariadb-copytls.timer create mode 100644 templates/Fedora/42/usr/lib/systemd/system/mariadb.service create mode 100644 templates/Fedora/42/usr/lib/systemd/system/mariadb@.service create mode 100644 vars/Fedora-42-default.yml diff --git a/templates/Fedora/42/etc/httpd/conf.d/phpMyAdmin.conf b/templates/Fedora/42/etc/httpd/conf.d/phpMyAdmin.conf new file mode 100644 index 0000000..98738c7 --- /dev/null +++ b/templates/Fedora/42/etc/httpd/conf.d/phpMyAdmin.conf @@ -0,0 +1,46 @@ +# phpMyAdmin - Web based MySQL browser written in php +# +# Allows only localhost by default +# +# But allowing phpMyAdmin to anyone other than localhost should be considered +# dangerous unless properly secured by SSL + +Alias /phpMyAdmin /usr/share/phpMyAdmin +Alias /phpmyadmin /usr/share/phpMyAdmin + + + AddDefaultCharset UTF-8 + Require ssl + + + + Require local + + +# These directories do not require access over HTTP - taken from the original +# phpMyAdmin upstream tarball +# + + Require all denied + + + + Require all denied + + + + Require all denied + + + + Require all denied + + +# This configuration prevents mod_security at phpMyAdmin directories from +# filtering SQL etc. This may break your mod_security implementation. +# +# +# +# SecRuleInheritance Off +# +# diff --git a/templates/Fedora/42/etc/my.cnf b/templates/Fedora/42/etc/my.cnf new file mode 100644 index 0000000..913b88f --- /dev/null +++ b/templates/Fedora/42/etc/my.cnf 
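Review bot: The header comment `# Allows only localhost by default` no longer matches the first access block, which carries `Require ssl` and no locality restriction, so any client that reaches the vhost over TLS gets the phpMyAdmin login page. The section tags are not visible in this rendering, so which directory each block covers is inferred; `Require local` appears to remain only on the second block. If remote access is intended, the comment should say so, e.g. `# Allows any client over TLS; only the second block is limited to localhost`. If it is not intended, put both conditions in one `<RequireAll>` block holding `Require ssl` and `Require local`.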
@@ -0,0 +1,11 @@
+#
+# This group is read both both by the client and the server
+# use it for options that affect everything
+#
+[client-server]
+
+#
+# include all files from the config directory
+#
+!includedir /etc/my.cnf.d
+
diff --git a/templates/Fedora/42/etc/my.cnf.d/auth_gssapi.cnf b/templates/Fedora/42/etc/my.cnf.d/auth_gssapi.cnf
new file mode 100644
index 0000000..c7cbc78
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/auth_gssapi.cnf
@@ -0,0 +1,2 @@
+[mariadb]
+#plugin-load-add=auth_gssapi.so
diff --git a/templates/Fedora/42/etc/my.cnf.d/client.cnf b/templates/Fedora/42/etc/my.cnf.d/client.cnf
new file mode 100644
index 0000000..05442bf
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/client.cnf
@@ -0,0 +1,14 @@
+#
+# These two groups are read by the client library
+# Use it for options that affect all clients, but not the server
+#
+[client]
+default-character-set = utf8mb4
+
+# This group is not read by mysql client library,
+# If you use the same .cnf file for MySQL and MariaDB,
+# use it for MariaDB-only client options
+[client-mariadb]
+ssl
+ssl-verify-server-cert
+
diff --git a/templates/Fedora/42/etc/my.cnf.d/cracklib_password_check.cnf b/templates/Fedora/42/etc/my.cnf.d/cracklib_password_check.cnf
new file mode 100644
index 0000000..72cbcb1
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/cracklib_password_check.cnf
@@ -0,0 +1,2 @@
+[mariadb]
+#plugin-load-add=cracklib_password_check.so
diff --git a/templates/Fedora/42/etc/my.cnf.d/enable_encryption.preset b/templates/Fedora/42/etc/my.cnf.d/enable_encryption.preset
new file mode 100644
index 0000000..722db7e
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/enable_encryption.preset
@@ -0,0 +1,20 @@
+#
+# !include this file into your my.cnf (or any of *.cnf files in /etc/my.cnf.d)
+# and it will enable data at rest encryption. This is a simple way to
+# ensure that everything that can be encrypted will be and your
+# data will not leak unencrypted.
+#
+# DO NOT EDIT THIS FILE! On MariaDB upgrades it might be replaced with a
+# newer version and your edits will be lost. Instead, add your edits
+# to the .cnf file after the !include directive.
+#
+# NOTE that you also need to install an encryption plugin for the encryption
+# to work. See https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#encryption-key-management
+#
+[mariadb]
+aria-encrypt-tables
+encrypt-binlog
+encrypt-tmp-disk-tables
+encrypt-tmp-files
+loose-innodb-encrypt-log
+loose-innodb-encrypt-tables
diff --git a/templates/Fedora/42/etc/my.cnf.d/hashicorp_key_management.cnf b/templates/Fedora/42/etc/my.cnf.d/hashicorp_key_management.cnf
new file mode 100644
index 0000000..275626a
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/hashicorp_key_management.cnf
@@ -0,0 +1,117 @@ +# Copyright (C) 2019-2022 MariaDB Corporation +# +# This is a default configuration for the Hashicorp Vault plugin. +# You can read more about the parameters of this plugin in the +# hashicorp_key_management.txt file. +# +# NOTE THAT YOU MUST MANUALLY UNCOMMENT THE "plugin-load-add" +# LINE AND ALL THE NECESSARY PARAMETERS BELOW, SETTING THEM +# TO APPROPRIATE VALUES! +# +[mariadb] + +# +# To use Hashicorp Vault KMS, the plugin must be preloaded and +# activated on the server: +# +#plugin-load-add=hashicorp_key_management.so + +# Most of its parameters should not be changed during plugin +# operation and therefore must be preconfigured as part of +# the server configuration: + +# +# HTTP[s] URL that is used to connect to the Hashicorp Vault server. +# It must include the name of the scheme ("https://" for a secure +# connection) and, according to the API rules for storages of the +# key-value type in Hashicorp Vault, after the server address, the +# path must begin with the "/v1/" string (as prefix), for example: +# "https://127.0.0.1:8200/v1/my_secrets" +# +#hashicorp-key-management-vault-url="" + +# +# Authentication token that passed to the Hashicorp Vault +# in the request header: +# +#hashicorp-key-management-token="" + +# +# Optional path to the Certificate Authority (CA) bundle +# (is a file that contains root and intermediate certificates): +# +#hashicorp-key-management-vault-ca="" + +# +# Set the duration (in seconds) for the Hashicorp Vault server +# connection timeout. The allowed range is from 1 to 86400 seconds. 
+# The user can also specify a zero value, which means the default +# timeout value set by the libcurl library (currently 300 seconds): +# +#hashicorp-key-management-timeout=15 + +# +# Number of server request retries in case of timeout: +# +#hashicorp-key-management-retries=3 + +# +# Enable key caching (storing key values received from +# the Hashicorp Vault server in the local memory): +# +#hashicorp-key-management-caching-enabled="on" + +# +# This parameter instructs the plugin to use the key values +# or version numbers taken from the cache in the event of a +# timeout when accessing the vault server. By default this +# option is disabled. +# +# Please note that key values or version numbers will be read +# from the cache when the timeout expires only after the number +# of attempts to read them from the storage server that specified +# by the hashicorp-key-management-retries parameter has been +# exhausted: +# +#hashicorp-key-management-use-cache-on-timeout="off" + +# +# The time (in milliseconds) after which the value of the key +# stored in the cache becomes invalid and an attempt to read this +# data causes a new request send to the vault server. By default, +# cache entries become invalid after 60,000 milliseconds (after +# one minute). +# +# If the value of this parameter is zero, then the keys will always +# be considered invalid, but they still can be used if the vault +# server is unavailable and the corresponding cache operating mode +# (--[loose-]hashicorp-key-management-use-cache-on-timeout="on") +# is enabled. +# +#hashicorp-key-management-cache-timeout=0 + +# +# The time (in milliseconds) after which the information about +# latest version number of the key (which stored in the cache) +# becomes invalid and an attempt to read this information causes +# a new request send to the vault server. 
+# +# If the value of this parameter is zero, then information abount +# latest key version numbers always considered invalid, unless +# there is no communication with the vault server and use of the +# cache is allowed when the server is unavailable. +# +# By default, this parameter is zero, that is, the latest version +# numbers for the keys stored in the cache are considered always +# invalid, except when the vault server is unavailable and use +# of the cache is allowed on server failures. +# +#hashicorp-key-management-cache-version-timeout=0 + +# +# This parameter enables ("on", this is the default value) or disables +# ("off") checking the kv storage version during plugin initialization. +# The plugin requires storage to be version 2 or older in order for it +# to work properly. +# +#hashicorp-key-management-check-kv-version=on diff --git a/templates/Fedora/42/etc/my.cnf.d/mariadb-server.cnf b/templates/Fedora/42/etc/my.cnf.d/mariadb-server.cnf new file mode 100644 index 0000000..3ae4a70 --- /dev/null +++ b/templates/Fedora/42/etc/my.cnf.d/mariadb-server.cnf 
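Review bot: The `#hashicorp-key-management-token=""` placeholder invites putting a Vault token into a file that vars/Fedora-42-default.yml installs as root:root with `mode: '0644'`, which would leave the token readable by every local account once it is filled in. Deploy this one file with `mode: '0640'` and `group: 'mysql'` (the server runs as `User=mysql` per the unit file in this patch), or keep the token in a separate, tighter-scoped include. A comment next to the placeholder, such as `# Do not set a token here unless this file is mode 0640 or stricter`, would make the constraint visible to whoever uncomments it.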
@@ -0,0 +1,59 @@
+#
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+#
+# See the examples of server my.cnf files in /usr/share/mysql/
+#
+
+# this is read by the standalone daemon and embedded servers
+[server]
+
+# this is only for the mysqld standalone daemon
+# Settings user and group are ignored when systemd is used.
+# If you need to run mysqld under a different user or group,
+# customize your systemd unit file for mysqld/mariadb according to the
+# instructions in http://fedoraproject.org/wiki/Systemd
+[mysqld]
+datadir=/var/lib/mysql
+socket=/var/lib/mysql/mysql.sock
+log-error=/var/log/mariadb/mariadb.log
+pid-file=/run/mariadb/mariadb.pid
+character-set-server = utf8mb4
+ssl-cert=/etc/my.cnf.d/certificates/pubcert.epm
+ssl-key=/etc/my.cnf.d/certificates/privkey.epm
+tls-version=TLSv1.2,TLSv1.3
+
+
+#
+# * Galera-related settings
+#
+[galera]
+# Mandatory settings
+#wsrep_on=ON
+#wsrep_provider=
+#wsrep_cluster_address=
+#binlog_format=row
+#default_storage_engine=InnoDB
+#innodb_autoinc_lock_mode=2
+#
+# Allow server to accept connections on all interfaces.
+#
+#bind-address=0.0.0.0
+#
+# Optional setting
+#wsrep_slave_threads=1
+#innodb_flush_log_at_trx_commit=0
+
+# this is only for embedded server
+[embedded]
+
+# This group is only read by MariaDB servers, not by MySQL.
+# If you use the same .cnf file for MySQL and MariaDB,
+# you can put MariaDB-only options here
+[mariadb]
+
+# This group is only read by MariaDB-10.11 servers.
+# If you use the same .cnf file for MariaDB of different versions,
+# use this group for options that older servers don't understand
+[mariadb-10.11]
+
diff --git a/templates/Fedora/42/etc/my.cnf.d/mysql-clients.cnf b/templates/Fedora/42/etc/my.cnf.d/mysql-clients.cnf
new file mode 100644
index 0000000..3df9b7b
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/mysql-clients.cnf
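Review bot: `ssl-cert` and `ssl-key` under `[mysqld]` point at `pubcert.epm` and `privkey.epm`, but mariadb-copytls.service in this same patch copies `*.pem` into /etc/my.cnf.d/certificates, so the extension looks transposed and the server will not find its certificate or key. The lines should read `ssl-cert=/etc/my.cnf.d/certificates/pubcert.pem` and `ssl-key=/etc/my.cnf.d/certificates/privkey.pem`, assuming those are the file names in the md domain directory. Because vars/Fedora-42-default.yml also opens the `mysql` firewall service, consider adding `require_secure_transport=ON` here so remote clients cannot connect without TLS.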
@@ -0,0 +1,23 @@
+#
+# These groups are read by MariaDB command-line tools
+# Use it for options that affect only one utility
+#
+
+[mysql]
+
+[mysql_upgrade]
+
+[mysqladmin]
+
+[mysqlbinlog]
+
+[mysqlcheck]
+
+[mysqldump]
+
+[mysqlimport]
+
+[mysqlshow]
+
+[mysqlslap]
+
diff --git a/templates/Fedora/42/etc/my.cnf.d/provider_bzip2.cnf b/templates/Fedora/42/etc/my.cnf.d/provider_bzip2.cnf
new file mode 100644
index 0000000..9b855e8
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/provider_bzip2.cnf
@@ -0,0 +1,3 @@
+[server]
+plugin_load_add=provider_bzip2
+provider_bzip2=force_plus_permanent
diff --git a/templates/Fedora/42/etc/my.cnf.d/provider_lz4.cnf b/templates/Fedora/42/etc/my.cnf.d/provider_lz4.cnf
new file mode 100644
index 0000000..0b8a3ec
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/provider_lz4.cnf
@@ -0,0 +1,3 @@
+[server]
+plugin_load_add=provider_lz4
+provider_lz4=force_plus_permanent
diff --git a/templates/Fedora/42/etc/my.cnf.d/provider_lzma.cnf b/templates/Fedora/42/etc/my.cnf.d/provider_lzma.cnf
new file mode 100644
index 0000000..3a05a35
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/provider_lzma.cnf
@@ -0,0 +1,3 @@
+[server]
+plugin_load_add=provider_lzma
+provider_lzma=force_plus_permanent
diff --git a/templates/Fedora/42/etc/my.cnf.d/provider_lzo.cnf b/templates/Fedora/42/etc/my.cnf.d/provider_lzo.cnf
new file mode 100644
index 0000000..6580198
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/provider_lzo.cnf
@@ -0,0 +1,3 @@
+[server]
+plugin_load_add=provider_lzo
+provider_lzo=force_plus_permanent
diff --git a/templates/Fedora/42/etc/my.cnf.d/provider_snappy.cnf b/templates/Fedora/42/etc/my.cnf.d/provider_snappy.cnf
new file mode 100644
index 0000000..da78207
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/provider_snappy.cnf
@@ -0,0 +1,3 @@
+[server]
+plugin_load_add=provider_snappy
+provider_snappy=force_plus_permanent
diff --git a/templates/Fedora/42/etc/my.cnf.d/spider.cnf b/templates/Fedora/42/etc/my.cnf.d/spider.cnf
new file mode 100644
index 0000000..ebc9968
--- /dev/null
+++ b/templates/Fedora/42/etc/my.cnf.d/spider.cnf
@@ -0,0 +1,7 @@
+[mariadb]
+#
+# Uncomment line to enable
+#
+#plugin-load-add = ha_spider
+
+# Read more at https://mariadb.com/kb/en/spider/
diff --git a/templates/Fedora/42/etc/phpMyAdmin/config.inc.php b/templates/Fedora/42/etc/phpMyAdmin/config.inc.php
new file mode 100644
index 0000000..b973a14
--- /dev/null
+++ b/templates/Fedora/42/etc/phpMyAdmin/config.inc.php
@@ -0,0 +1,153 @@ +. + */ + +declare(strict_types=1); + +/** + * This is needed for cookie based authentication to encrypt password in + * cookie. Needs to be 32 chars long. + */ +$cfg['blowfish_secret'] = '22ba7cd24c092bec00a83751012d0082'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */ + +/** + * Servers configuration + */ +$i = 0; + +/** + * First server + */ +$i++; +/* Authentication type */ +$cfg['Servers'][$i]['auth_type'] = 'cookie'; +/* Server parameters */ +$cfg['Servers'][$i]['host'] = 'localhost'; +$cfg['Servers'][$i]['compress'] = false; +$cfg['Servers'][$i]['AllowNoPassword'] = false; + +/** + * phpMyAdmin configuration storage settings. + */ + +/* User used to manipulate with storage */ +// $cfg['Servers'][$i]['controlhost'] = ''; +// $cfg['Servers'][$i]['controlport'] = ''; +// $cfg['Servers'][$i]['controluser'] = 'pma'; +// $cfg['Servers'][$i]['controlpass'] = 'pmapass'; + +/* Storage database and tables */ +// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin'; +// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark'; +// $cfg['Servers'][$i]['relation'] = 'pma__relation'; +// $cfg['Servers'][$i]['table_info'] = 'pma__table_info'; +// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords'; +// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages'; +// $cfg['Servers'][$i]['column_info'] = 'pma__column_info'; +// $cfg['Servers'][$i]['history'] = 'pma__history'; +// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs'; +// $cfg['Servers'][$i]['tracking'] = 'pma__tracking'; +// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig'; +// $cfg['Servers'][$i]['recent'] = 'pma__recent'; +// $cfg['Servers'][$i]['favorite'] = 'pma__favorite'; +// $cfg['Servers'][$i]['users'] = 'pma__users'; +// $cfg['Servers'][$i]['usergroups'] = 'pma__usergroups'; +// $cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding'; +// $cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches'; +// $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns'; +// 
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings'; +// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates'; + +/** + * End of servers configuration + */ + +/** + * Directories for saving/loading files from server + */ +$cfg['UploadDir'] = '/var/lib/phpMyAdmin/upload'; +$cfg['SaveDir'] = '/var/lib/phpMyAdmin/save'; + +/** + * Whether to display icons or text or both icons and text in table row + * action segment. Value can be either of 'icons', 'text' or 'both'. + * default = 'both' + */ +//$cfg['RowActionType'] = 'icons'; + +/** + * Defines whether a user should be displayed a "show all (records)" + * button in browse mode or not. + * default = false + */ +//$cfg['ShowAll'] = true; + +/** + * Number of rows displayed when browsing a result set. If the result + * set contains more rows, "Previous" and "Next". + * Possible values: 25, 50, 100, 250, 500 + * default = 25 + */ +//$cfg['MaxRows'] = 50; + +/** + * Disallow editing of binary fields + * valid values are: + * false allow editing + * 'blob' allow editing except for BLOB fields + * 'noblob' disallow editing except for BLOB fields + * 'all' disallow editing + * default = 'blob' + */ +//$cfg['ProtectBinary'] = false; + +/** + * Default language to use, if not browser-defined or user-defined + * (you find all languages in the locale folder) + * uncomment the desired line: + * default = 'en' + */ +//$cfg['DefaultLang'] = 'en'; +//$cfg['DefaultLang'] = 'de'; + +/** + * How many columns should be used for table display of a database? + * (a value larger than 1 results in some information being hidden) + * default = 1 + */ +//$cfg['PropertiesNumColumns'] = 2; + +/** + * Set to true if you want DB-based query history.If false, this utilizes + * JS-routines to display query history (lost by window close) + * + * This requires configuration storage enabled, see above. 
+ * default = false
+ */
+//$cfg['QueryHistoryDB'] = true;
+
+/**
+ * When using DB-based query history, how many entries should be kept?
+ * default = 25
+ */
+//$cfg['QueryHistoryMax'] = 100;
+
+/**
+ * Whether or not to query the user before sending the error report to
+ * the phpMyAdmin team when a JavaScript error occurs
+ *
+ * Available options
+ * ('ask' | 'always' | 'never')
+ * default = 'ask'
+ */
+//$cfg['SendErrorReports'] = 'always';
+
+/**
+ * You can find more configuration options in the documentation
+ * in the doc/ folder or at .
+ */
diff --git a/templates/Fedora/42/usr/lib/systemd/system/mariadb-copytls.service b/templates/Fedora/42/usr/lib/systemd/system/mariadb-copytls.service
new file mode 100644
index 0000000..3f63078
--- /dev/null
+++ b/templates/Fedora/42/usr/lib/systemd/system/mariadb-copytls.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Copy TLS Certificates for Mariadb
+
+[Service]
+Type=oneshot
+ExecStartPre=mkdir -p /etc/my.cnf.d/certificates
+ExecStart=/bin/bash -lc 'cp /etc/httpd/md/domains/{{ mariadb_vhost }}/*.pem /etc/my.cnf.d/certificates/'
+ExecStartPost=chown -R mysql:mysql /etc/my.cnf.d/certificates
+
+[Install]
+WantedBy=mariadb.service
diff --git a/templates/Fedora/42/usr/lib/systemd/system/mariadb-copytls.timer b/templates/Fedora/42/usr/lib/systemd/system/mariadb-copytls.timer
new file mode 100644
index 0000000..8e5ad7b
--- /dev/null
+++ b/templates/Fedora/42/usr/lib/systemd/system/mariadb-copytls.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Copy TLS Certificates for Mariadb
+
+[Timer]
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=mariadb.service
diff --git a/templates/Fedora/42/usr/lib/systemd/system/mariadb.service b/templates/Fedora/42/usr/lib/systemd/system/mariadb.service
new file mode 100644
index 0000000..e1236bb
--- /dev/null
+++ b/templates/Fedora/42/usr/lib/systemd/system/mariadb.service
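Review bot: `$cfg['blowfish_secret']` in config.inc.php is a literal value committed in the template, so every host built from this role shares one cookie-encryption key and anyone who can read the repository knows it. Render it from a per-host secret instead, e.g. `$cfg['blowfish_secret'] = '{{ phpmyadmin_blowfish_secret }}';`, with the variable kept in Ansible Vault; the variable name is a suggestion and is not defined anywhere in this patch. The value shown here should be treated as disclosed and replaced on any host that already received it.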
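Review bot: mariadb-copytls.service copies the TLS private key with a plain `cp` into a directory made by a bare `mkdir -p`, so the directory and key modes depend on the source files and the default umask instead of being pinned. Prefer `ExecStartPre=/usr/bin/install -d -m 0700 -o mysql -g mysql /etc/my.cnf.d/certificates` and copy with `install -m 0600 -o mysql -g mysql`, which also makes the `chown -R` step unnecessary. The unit is `WantedBy=mariadb.service` but has no `Before=mariadb.service`, so on a first start the server may come up before the certificates exist. The login shell in `/bin/bash -lc` sources root's profile files for no visible reason; `/bin/sh -c` is enough for the glob.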
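Review bot: mariadb-copytls.timer sets only `OnUnitActiveSec=5min` and installs under `WantedBy=mariadb.service`, and vars/Fedora-42-default.yml lists `mariadb-copytls.service` but not the timer in `service_list`, so as far as this patch shows nothing enables or starts the timer. Renewed certificates would then never be re-copied and the server would keep serving the old one until it expires. Use `WantedBy=timers.target`, add an `OnBootSec=` or `OnActiveSec=` line so the first run does not depend on an earlier activation, and add `mariadb-copytls.timer` to `service_list`.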
@@ -0,0 +1,64 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during package upgrades. If you want to customize, the
+# best way is to:
+#
+# root> systemctl edit mariadb.service
+#
+# Then add additonal directives under a section (probably [Service]).
+#
+# For more info about custom unit files, see systemd.unit(5) or
+# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
+#
+# For example, if you want to increase MariaDB's open-files-limit to 10000,
+# you need to increase systemd's LimitNOFILE setting, use the contents below:
+#
+# [Service]
+# LimitNOFILE=10000
+#
+
+[Unit]
+Description=MariaDB 10.11 database server
+Documentation=man:mariadbd(8)
+Documentation=https://mariadb.com/kb/en/library/systemd/
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+Alias=mysql.service
+Alias=mysqld.service
+
+[Service]
+Type=notify
+User=mysql
+Group=mysql
+
+ExecStartPre=/usr/libexec/mariadb-check-socket
+# '%n' expands to 'Full unit name'; man systemd.unit
+ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n
+# MYSQLD_OPTS here is for users to set in /etc/systemd/system/mariadb@.service.d/MY_SPECIAL.conf
+# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
+# per bug #547485
+ExecStart=/usr/libexec/mariadbd --basedir=/usr $MYSQLD_OPTS $_WSREP_NEW_CLUSTER
+ExecStartPost=/usr/libexec/mariadb-check-upgrade
+
+# Setting this to true can break replication and the Type=notify settings
+# See also bind-address MariaDB option.
+PrivateNetwork=false
+
+KillSignal=SIGTERM
+
+# Don't want to see an automated SIGKILL ever
+SendSIGKILL=no
+
+# Restart crashed server only, on-failure would also restart, for example, when
+# my.cnf contains unknown option
+Restart=on-abort
+RestartSec=5s
+
+UMask=007
+
+# Give a reasonable amount of time for the server to start up/shut down
+TimeoutSec=300
+
+# Place temp files in a secure directory, not /tmp
+PrivateTmp=true
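Review bot: The role installs this unit to /usr/lib/systemd/system/mariadb.service (see `template_list` in vars/Fedora-42-default.yml), the location the file's own first comment says is overwritten on package upgrades, so anything customised here can be reverted silently by the next update. Ship local changes as a drop-in under /etc/systemd/system/mariadb.service.d/ instead; the same applies to mariadb@.service later in this patch. The `[Service]` section sets `PrivateTmp=true` but no other sandboxing, and a drop-in is a good place for `NoNewPrivileges=true`, `ProtectSystem=full` and `ProtectHome=true`, after checking that the data directory, log and socket paths still work.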
diff --git a/templates/Fedora/42/usr/lib/systemd/system/mariadb@.service b/templates/Fedora/42/usr/lib/systemd/system/mariadb@.service new file mode 100644 index 0000000..ef60ec1 --- /dev/null +++ b/templates/Fedora/42/usr/lib/systemd/system/mariadb@.service 
@@ -0,0 +1,85 @@ +# Multi instance version of MariaDB. For if you run mutiple verions at once. +# Also used for mariadb@bootstrap to bootstrap Galera. +# +# To use multi instance variant, use [mariadbd.INSTANCENAME] as sections in +# /etc/@my.cnf to change per instance settings. A minimumal necessary +# configuration items to change to avoid conflicts between instances is: +# +# [mariadbd.instancename] +# # TCP port to make available for clients +# port=3306 +# # Socket to make available for clients +# socket=/tmp/mariadb-instancename.sock +# # Where MariaDB should store all its data +# datadir=/usr/local/mariadb-instancename/data +# +# and start the service via: +# +# root> systemctl start mariadb@{instancename}.server +# +# It's not recommended to modify this file in-place, because it will be +# overwritten during package upgrades. If you want to customize, for +# all instances, the best way is: +# +# root> systemctl edit mariadb@.service +# +# Then add additonal directives under a section (probably [Service]). 
+# +# If you only want to change a specific instance: +# +# root> systemctl edit mariadb@{instancename}.server +# +# For more info about custom unit files, see systemd.unit(5) or +# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F +# +# For example, if you want to increase MariaDB's open-files-limit to 10000, +# you need to increase systemd's LimitNOFILE setting, use the contents below: +# +# [Service] +# LimitNOFILE=10000 + +[Unit] +Description=MariaDB 10.11 database server +Documentation=man:mariadbd(8) +Documentation=https://mariadb.com/kb/en/library/systemd/ +After=network.target + +[Install] +WantedBy=multi-user.target +Alias=mysql.service +Alias=mysqld.service + +[Service] +Type=notify +User=mysql +Group=mysql + +ExecStartPre=/usr/libexec/mariadb-check-socket --defaults-group-suffix=.%I +ExecStartPre=/usr/libexec/mariadb-prepare-db-dir --defaults-group-suffix=.%I %n +# MYSQLD_OPTS here is for users to set in /etc/systemd/system/mariadb@.service.d/MY_SPECIAL.conf +# Note: we set --basedir to prevent probes that might trigger SELinux alarms, +# per bug #547485 +ExecStart=/usr/libexec/mariadbd --defaults-group-suffix=.%I --basedir=/usr $MYSQLD_OPTS $_WSREP_NEW_CLUSTER +ExecStartPost=/usr/libexec/mariadb-check-upgrade --defaults-group-suffix=.%I + +# Setting this to true can break replication and the Type=notify settings +# See also bind-address MariaDB option. +PrivateNetwork=false + +KillSignal=SIGTERM + +# Don't want to see an automated SIGKILL ever +SendSIGKILL=no + +# Restart crashed server only, on-failure would also restart, for example, when +# my.cnf contains unknown option +Restart=on-abort +RestartSec=5s + +UMask=007 + +# Give a reasonable amount of time for the server to start up/shut down +TimeoutSec=300 + +# Place temp files in a secure directory, not /tmp +PrivateTmp=true diff --git a/vars/Fedora-42-default.yml b/vars/Fedora-42-default.yml new file mode 100644 index 0000000..76c03d0 --- /dev/null 
+++ b/vars/Fedora-42-default.yml 
@@ -0,0 +1,130 @@ +--- +# vars file for ensure_mariadb +package_list: + - name: 'mariadb' + state: 'present' + - name: 'mariadb-server' + state: 'present' + - name: 'phpMyAdmin' + state: 'present' +firewall_list: + - permanent: 'yes' + service: 'mysql' + state: 'enabled' +service_list: + - name: 'httpd.service' + state: 'started' + enabled: 'yes' + - name: 'httpd-reload.timer' + state: 'started' + enabled: 'yes' + - name: 'php-fpm.service' + state: 'started' + enabled: 'yes' + - name: 'mariadb-copytls.service' + state: 'started' + enabled: 'yes' + - name: 'mariadb.service' + state: 'started' + enabled: 'yes' +template_list: + - dest: '/etc/my.cnf.d/client.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/client.cnf' + - dest: '/etc/my.cnf.d/mariadb-server.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/mariadb-server.cnf' + - dest: '/etc/my.cnf.d/mysql-clients.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/mysql-clients.cnf' + - dest: '/etc/my.cnf.d/spider.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/spider.cnf' + - dest: '/etc/my.cnf.d/enable_encryption.preset' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/enable_encryption.preset' + - dest: '/etc/my.cnf.d/cracklib_password_check.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/cracklib_password_check.cnf' + - dest: '/etc/my.cnf.d/auth_gssapi.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version 
}}/etc/my.cnf.d/auth_gssapi.cnf' + - dest: '/etc/my.cnf.d/hashicorp_key_management.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/hashicorp_key_management.cnf' + - dest: '/etc/my.cnf.d/provider_bzip2.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/provider_bzip2.cnf' + - dest: '/etc/my.cnf.d/provider_lz4.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/provider_lz4.cnf' + - dest: '/etc/my.cnf.d/provider_lzma.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/provider_lzma.cnf' + - dest: '/etc/my.cnf.d/provider_lzo.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/provider_lzo.cnf' + - dest: '/etc/my.cnf.d/provider_snappy.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/provider_snappy.cnf' + - dest: '/etc/phpMyAdmin/config.inc.php' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/phpMyAdmin/config.inc.php' + - dest: '/etc/my.cnf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf' + - dest: '/etc/httpd/conf.d/phpMyAdmin.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/httpd/conf.d/phpMyAdmin.conf' + - dest: '/usr/lib/systemd/system/mariadb.service' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version 
}}/usr/lib/systemd/system/mariadb.service' + - dest: '/usr/lib/systemd/system/mariadb@.service' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/mariadb@.service' + - dest: '/usr/lib/systemd/system/mariadb-copytls.timer' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/mariadb-copytls.timer' + - dest: '/usr/lib/systemd/system/mariadb-copytls.service' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/mariadb-copytls.service'
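Review bot: The `template_list` entry for `/etc/phpMyAdmin/config.inc.php` uses `mode: '0644'` with root:root, yet that file holds `blowfish_secret` and would hold `controlpass` if configuration storage is enabled, so any local account can read it. Use `mode: '0640'` with the group the PHP process runs as, presumably `group: 'apache'` on Fedora; confirm against the php-fpm pool configuration. Separately, `firewall_list` enables the `mysql` service permanently with no zone or source restriction visible here; if only the local phpMyAdmin needs the database, that entry can be dropped.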