Enable /phpMyAdmin if SSL, Use UTF8 char set, Try to auto use TLS in mariadb

templates/Fedora/34/etc/httpd/conf.d/phpMyAdmin.conf

@@ -0,0 +1,46 @@
+# phpMyAdmin - Web based MySQL browser written in php
+# 
+# Allows only localhost by default
+#
+# But allowing phpMyAdmin to anyone other than localhost should be considered
+# dangerous unless properly secured by SSL
+
+Alias /phpMyAdmin /usr/share/phpMyAdmin
+Alias /phpmyadmin /usr/share/phpMyAdmin
+
+<Directory /usr/share/phpMyAdmin/>
+   AddDefaultCharset UTF-8
+   Require ssl
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/setup/>
+   Require local
+</Directory>
+
+# These directories do not require access over HTTP - taken from the original
+# phpMyAdmin upstream tarball
+#
+<Directory /usr/share/phpMyAdmin/libraries/>
+    Require all denied
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/templates/>
+    Require all denied
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/setup/lib/>
+    Require all denied
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/setup/frames/>
+    Require all denied
+</Directory>
+
+# This configuration prevents mod_security at phpMyAdmin directories from
+# filtering SQL etc.  This may break your mod_security implementation.
+#
+#<IfModule mod_security.c>
+#    <Directory /usr/share/phpMyAdmin/>
+#        SecRuleInheritance Off
+#    </Directory>
+#</IfModule>

templates/Fedora/34/etc/my.cnf

@@ -0,0 +1,11 @@
+#
+# This group is read both both by the client and the server
+# use it for options that affect everything
+#
+[client-server]
+
+#
+# include all files from the config directory
+#
+!includedir /etc/my.cnf.d
+

templates/Fedora/34/etc/my.cnf.d/auth_gssapi.cnf

@@ -0,0 +1,2 @@
+[mariadb]
+#plugin-load-add=auth_gssapi.so

templates/Fedora/34/etc/my.cnf.d/client.cnf

@@ -0,0 +1,12 @@
+#
+# These two groups are read by the client library
+# Use it for options that affect all clients, but not the server
+#
+[client]
+default-character-set = utf8mb4
+
+# This group is not read by mysql client library,
+# If you use the same .cnf file for MySQL and MariaDB,
+# use it for MariaDB-only client options
+[client-mariadb]
+

templates/Fedora/34/etc/my.cnf.d/cracklib_password_check.cnf

@@ -0,0 +1,2 @@
+[mariadb]
+#plugin-load-add=cracklib_password_check.so

templates/Fedora/34/etc/my.cnf.d/enable_encryption.preset

@@ -0,0 +1,20 @@
+#
+# !include this file into your my.cnf (or any of *.cnf files in /etc/my.cnf.d)
+# and it will enable data at rest encryption. This is a simple way to
+# ensure that everything that can be encrypted will be and your
+# data will not leak unencrypted.
+#
+# DO NOT EDIT THIS FILE! On MariaDB upgrades it might be replaced with a
+# newer version and your edits will be lost. Instead, add your edits
+# to the .cnf file after the !include directive.
+#
+# NOTE that you also need to install an encryption plugin for the encryption
+# to work. See https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#encryption-key-management
+#
+[mariadb]
+aria-encrypt-tables
+encrypt-binlog
+encrypt-tmp-disk-tables
+encrypt-tmp-files
+loose-innodb-encrypt-log
+loose-innodb-encrypt-tables

templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf

@@ -0,0 +1,59 @@
+#
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+#
+# See the examples of server my.cnf files in /usr/share/mysql/
+#
+
+# this is read by the standalone daemon and embedded servers
+[server]
+
+# this is only for the mysqld standalone daemon
+# Settings user and group are ignored when systemd is used.
+# If you need to run mysqld under a different user or group,
+# customize your systemd unit file for mysqld/mariadb according to the
+# instructions in http://fedoraproject.org/wiki/Systemd
+[mysqld]
+datadir=/var/lib/mysql
+socket=/var/lib/mysql/mysql.sock
+log-error=/var/log/mariadb/mariadb.log
+pid-file=/run/mariadb/mariadb.pid
+character-set-server = utf8mb4
+ssl-ca=/etc/pki/tls/certs/ca-bundle.crt
+ssl-cert=/etc/httpd/md/domains/*/pubcert.pem
+ssl-key=/etc/httpd/md/domains/*/privkey.pem
+
+
+#
+# * Galera-related settings
+#
+[galera]
+# Mandatory settings
+#wsrep_on=ON
+#wsrep_provider=
+#wsrep_cluster_address=
+#binlog_format=row
+#default_storage_engine=InnoDB
+#innodb_autoinc_lock_mode=2
+#
+# Allow server to accept connections on all interfaces.
+#
+#bind-address=0.0.0.0
+#
+# Optional setting
+#wsrep_slave_threads=1
+#innodb_flush_log_at_trx_commit=0
+
+# this is only for embedded server
+[embedded]
+
+# This group is only read by MariaDB servers, not by MySQL.
+# If you use the same .cnf file for MySQL and MariaDB,
+# you can put MariaDB-only options here
+[mariadb]
+
+# This group is only read by MariaDB-10.5 servers.
+# If you use the same .cnf file for MariaDB of different versions,
+# use this group for options that older servers don't understand
+[mariadb-10.5]
+

templates/Fedora/34/etc/my.cnf.d/mysql-clients.cnf

@@ -0,0 +1,23 @@
+#
+# These groups are read by MariaDB command-line tools
+# Use it for options that affect only one utility
+#
+
+[mysql]
+
+[mysql_upgrade]
+
+[mysqladmin]
+
+[mysqlbinlog]
+
+[mysqlcheck]
+
+[mysqldump]
+
+[mysqlimport]
+
+[mysqlshow]
+
+[mysqlslap]
+

templates/Fedora/34/etc/my.cnf.d/spider.cnf

@@ -0,0 +1,7 @@
+[mariadb]
+#
+# Uncomment line to enable
+#
+#plugin-load-add = ha_spider
+
+# Read more at https://mariadb.com/kb/en/spider/

templates/Fedora/34/etc/phpMyAdmin/config.inc.php

@@ -0,0 +1,153 @@
+<?php
+/**
+ * phpMyAdmin sample configuration, you can use it as base for
+ * manual configuration. For easier setup you can use setup/
+ *
+ * All directives are explained in documentation in the doc/ folder
+ * or at <https://docs.phpmyadmin.net/>.
+ */
+
+declare(strict_types=1);
+
+/**
+ * This is needed for cookie based authentication to encrypt password in
+ * cookie. Needs to be 32 chars long.
+ */
+$cfg['blowfish_secret'] = '22ba7cd24c092bec00a83751012d0082'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
+
+/**
+ * Servers configuration
+ */
+$i = 0;
+
+/**
+ * First server
+ */
+$i++;
+/* Authentication type */
+$cfg['Servers'][$i]['auth_type'] = 'cookie';
+/* Server parameters */
+$cfg['Servers'][$i]['host'] = 'localhost';
+$cfg['Servers'][$i]['compress'] = false;
+$cfg['Servers'][$i]['AllowNoPassword'] = false;
+
+/**
+ * phpMyAdmin configuration storage settings.
+ */
+
+/* User used to manipulate with storage */
+// $cfg['Servers'][$i]['controlhost'] = '';
+// $cfg['Servers'][$i]['controlport'] = '';
+// $cfg['Servers'][$i]['controluser'] = 'pma';
+// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
+
+/* Storage database and tables */
+// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
+// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
+// $cfg['Servers'][$i]['relation'] = 'pma__relation';
+// $cfg['Servers'][$i]['table_info'] = 'pma__table_info';
+// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
+// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
+// $cfg['Servers'][$i]['column_info'] = 'pma__column_info';
+// $cfg['Servers'][$i]['history'] = 'pma__history';
+// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
+// $cfg['Servers'][$i]['tracking'] = 'pma__tracking';
+// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
+// $cfg['Servers'][$i]['recent'] = 'pma__recent';
+// $cfg['Servers'][$i]['favorite'] = 'pma__favorite';
+// $cfg['Servers'][$i]['users'] = 'pma__users';
+// $cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
+// $cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
+// $cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
+// $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
+// $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
+// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
+
+/**
+ * End of servers configuration
+ */
+
+/**
+ * Directories for saving/loading files from server
+ */
+$cfg['UploadDir'] = '/var/lib/phpMyAdmin/upload';
+$cfg['SaveDir'] = '/var/lib/phpMyAdmin/save';
+
+/**
+ * Whether to display icons or text or both icons and text in table row
+ * action segment. Value can be either of 'icons', 'text' or 'both'.
+ * default = 'both'
+ */
+//$cfg['RowActionType'] = 'icons';
+
+/**
+ * Defines whether a user should be displayed a "show all (records)"
+ * button in browse mode or not.
+ * default = false
+ */
+//$cfg['ShowAll'] = true;
+
+/**
+ * Number of rows displayed when browsing a result set. If the result
+ * set contains more rows, "Previous" and "Next".
+ * Possible values: 25, 50, 100, 250, 500
+ * default = 25
+ */
+//$cfg['MaxRows'] = 50;
+
+/**
+ * Disallow editing of binary fields
+ * valid values are:
+ *   false    allow editing
+ *   'blob'   allow editing except for BLOB fields
+ *   'noblob' disallow editing except for BLOB fields
+ *   'all'    disallow editing
+ * default = 'blob'
+ */
+//$cfg['ProtectBinary'] = false;
+
+/**
+ * Default language to use, if not browser-defined or user-defined
+ * (you find all languages in the locale folder)
+ * uncomment the desired line:
+ * default = 'en'
+ */
+//$cfg['DefaultLang'] = 'en';
+//$cfg['DefaultLang'] = 'de';
+
+/**
+ * How many columns should be used for table display of a database?
+ * (a value larger than 1 results in some information being hidden)
+ * default = 1
+ */
+//$cfg['PropertiesNumColumns'] = 2;
+
+/**
+ * Set to true if you want DB-based query history.If false, this utilizes
+ * JS-routines to display query history (lost by window close)
+ *
+ * This requires configuration storage enabled, see above.
+ * default = false
+ */
+//$cfg['QueryHistoryDB'] = true;
+
+/**
+ * When using DB-based query history, how many entries should be kept?
+ * default = 25
+ */
+//$cfg['QueryHistoryMax'] = 100;
+
+/**
+ * Whether or not to query the user before sending the error report to
+ * the phpMyAdmin team when a JavaScript error occurs
+ *
+ * Available options
+ * ('ask' | 'always' | 'never')
+ * default = 'ask'
+ */
+//$cfg['SendErrorReports'] = 'always';
+
+/**
+ * You can find more configuration options in the documentation
+ * in the doc/ folder or at <https://docs.phpmyadmin.net/>.
+ */

vars/Fedora-34-default.yml

@@ -11,3 +11,54 @@ firewall_list:
   - permanent: 'yes'
     service: 'mysql'
     state: 'enabled'
+template_list:
+  - dest: '/etc/my.cnf.d/client.cnf'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/client.cnf'
+  - dest: '/etc/my.cnf.d/mariadb-server.cnf'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/mariadb-server.cnf'
+  - dest: '/etc/my.cnf.d/mysql-clients.cnf'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/mysql-clients.cnf'
+  - dest: '/etc/my.cnf.d/spider.cnf'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/spider.cnf'
+  - dest: '/etc/my.cnf.d/enable_encryption.preset'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/enable_encryption.preset'
+  - dest: '/etc/my.cnf.d/cracklib_password_check.cnf'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/cracklib_password_check.cnf'
+  - dest: '/etc/my.cnf.d/auth_gssapi.cnf'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf.d/auth_gssapi.cnf'
+  - dest: '/etc/phpMyAdmin/config.inc.php'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/phpMyAdmin/config.inc.php'
+  - dest: '/etc/my.cnf'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/my.cnf'
+  - dest: '/templates/Fedora/34/etc/httpd/conf.d/phpMyAdmin.conf'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/templates/Fedora/34/etc/httpd/conf.d/phpMyAdmin.conf'