diff --git a/templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf b/templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf
index 82d4c5a..18ab50a 100644
--- a/templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf
+++ b/templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf
@@ -20,16 +20,8 @@ log-error=/var/log/mariadb/mariadb.log
 pid-file=/run/mariadb/mariadb.pid
 character-set-server = utf8mb4
 ssl-ca=/etc/pki/tls/certs/ca-bundle.crt
-{% for certificate in certificates.files %}
-{% if certificate.path is regex('/pubcert.pem$') %}
-ssl-cert={{ certificate.path }}
-{% endif %}
-{% endfor %}
-{% for certificate in certificates.files %}
-{% if certificate.path is regex('/privkey.pem$') %}
-ssl-key={{ certificate.path }}
-{% endif %}
-{% endfor %}
+ssl-cert=/etc/my.cnf.d/certificates/pubcert.epm
+ssl-key=/etc/my.cnf.d/certificates/privkey.epm
 tls-version=TLSv1.2,TLSv1.3
diff --git a/templates/Fedora/34/usr/lib/system/mariadb-copytls.service b/templates/Fedora/34/usr/lib/system/mariadb-copytls.service
new file mode 100644
index 0000000..2c02394
--- /dev/null
+++ b/templates/Fedora/34/usr/lib/system/mariadb-copytls.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Copy TLS Certificates for Mariadb
+
+[Service]
+Type=oneshot
+ExecStartPre=mkdir -p /etc/my.cnf.d/certificates
+ExecStart=cp /etc/httpd/md/domains/*/*.pem /etc/my.cnf.d/certificates/
+ExecStartPost=chown -R mysql:mysql /etc/my.cnf.d/certificates
+
+[Install]
+WantedBy=mariadb.service
diff --git a/templates/Fedora/34/usr/lib/system/mariadb-copytls.timer b/templates/Fedora/34/usr/lib/system/mariadb-copytls.timer
new file mode 100644
index 0000000..8e5ad7b
--- /dev/null
+++ b/templates/Fedora/34/usr/lib/system/mariadb-copytls.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Copy TLS Certificates for Mariadb
+
+[Timer]
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=mariadb.service
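Review bot: The two new paths end in `.epm`, but the copy unit on this page only ever places `*.pem` files into `/etc/my.cnf.d/certificates/`, so `ssl-cert` and `ssl-key` point at files that will never exist; they should read `ssl-cert=/etc/my.cnf.d/certificates/pubcert.pem` and `ssl-key=/etc/my.cnf.d/certificates/privkey.pem`. Depending on the server version a missing certificate file either aborts startup or leaves mariadbd listening without TLS, and the second outcome is exactly what this config is meant to rule out; note that `ssl-cert`/`ssl-key` alone do not make TLS mandatory for clients, so `require-secure-transport=ON` is worth adding if that is the intent. The removed Jinja loop derived the paths from the discovered certificate files; the hard-coded replacement silently assumes a single domain under `/etc/httpd/md/domains/`, which deserves a comment above `ssl-cert`.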
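Review bot: `ExecStart=cp /etc/httpd/md/domains/*/*.pem …` cannot work as written, because systemd runs Exec*= commands without a shell and performs no glob expansion, so cp receives the literal string `/etc/httpd/md/domains/*/*.pem` and fails. The unit also has no `Before=mariadb.service`; `WantedBy=` in [Install] only adds a dependency, not an ordering, so the database can start before the copy has happened. The private key is created with cp's default mode and only afterwards chown'd recursively; install(1) sets owner and mode in one step so the key is never present with a looser mode than intended, and if more than one domain directory matches, the last one wins, which should be documented in the unit.
```ini
[Unit]
Description=Copy TLS Certificates for Mariadb
Before=mariadb.service

[Service]
Type=oneshot
# systemd does no glob expansion in Exec*= lines, so go through a shell;
# install(1) sets owner/mode atomically instead of cp followed by chown -R.
# With several domain directories the last match wins.
ExecStart=/bin/sh -c 'install -d -m 0750 -o mysql -g mysql /etc/my.cnf.d/certificates && install -m 0600 -o mysql -g mysql /etc/httpd/md/domains/*/*.pem /etc/my.cnf.d/certificates/'
# … unchanged: [Install] …
```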
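Review bot: `OnUnitActiveSec=5min` is measured from the last activation of mariadb-copytls.service, so on a host where nothing has started that service yet the timer never fires; add `OnBootSec=5min` beside it, and enable the timer via `WantedBy=timers.target` rather than `mariadb.service`, which is where systemd expects timers to hang. The larger problem is that re-copying a renewed certificate every five minutes does nothing for the running server: mariadbd loads `ssl-cert`/`ssl-key` at startup, and as far as I know a new file is only picked up after a restart or a `FLUSH SSL` (MariaDB 10.4 and later), so without a reload step in the service the renewal is silently ineffective until the next restart. A comment in the timer stating what "refresh" is expected to achieve would make that gap visible.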
diff --git a/templates/Fedora/34/usr/lib/system/mariadb.service b/templates/Fedora/34/usr/lib/system/mariadb.service
new file mode 100644
index 0000000..d61fd82
--- /dev/null
+++ b/templates/Fedora/34/usr/lib/system/mariadb.service
@@ -0,0 +1,64 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during package upgrades. If you want to customize, the
+# best way is to:
+#
+# root> systemctl edit mariadb.service
+#
+# Then add additonal directives under a section (probably [Service]).
+#
+# For more info about custom unit files, see systemd.unit(5) or
+# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
+#
+# For example, if you want to increase MariaDB's open-files-limit to 10000,
+# you need to increase systemd's LimitNOFILE setting, use the contents below:
+#
+# [Service]
+# LimitNOFILE=10000
+#
+
+[Unit]
+Description=MariaDB 10.5 database server
+Documentation=man:mariadbd(8)
+Documentation=https://mariadb.com/kb/en/library/systemd/
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+Alias=mysql.service
+Alias=mysqld.service
+
+[Service]
+Type=notify
+User=mysql
+Group=mysql
+
+ExecStartPre=/usr/libexec/mariadb-check-socket
+# '%n' expands to 'Full unit name'; man systemd.unit
+ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n
+# MYSQLD_OPTS here is for users to set in /etc/systemd/system/mariadb@.service.d/MY_SPECIAL.conf
+# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
+# per bug #547485
+ExecStart=/usr/libexec/mariadbd --basedir=/usr $MYSQLD_OPTS $_WSREP_NEW_CLUSTER
+ExecStartPost=/usr/libexec/mariadb-check-upgrade
+
+# Setting this to true can break replication and the Type=notify settings
+# See also bind-address MariaDB option.
+PrivateNetwork=false
+
+KillSignal=SIGTERM
+
+# Don't want to see an automated SIGKILL ever
+SendSIGKILL=no
+
+# Restart crashed server only, on-failure would also restart, for example, when
+# my.cnf contains unknown option
+Restart=on-abort
+RestartSec=5s
+
+UMask=007
+
+# Give a reasonable amount of time for the server to start up/shut down
+TimeoutSec=300
+
+# Place temp files in a secure directory, not /tmp
+PrivateTmp=true
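Review bot: This unit appears to be a copy of the packaged mariadb.service, and its own header (`# It's not recommended to modify this file in-place, because it will be overwritten during package upgrades`) explains why shipping a same-named copy is fragile; it also references nothing about mariadb-copytls.service, so the copy adds none of the ordering the TLS setup needs. The usual fix is a drop-in instead of a full unit: `/etc/systemd/system/mariadb.service.d/copytls.conf` containing `[Unit]`, `Wants=mariadb-copytls.service`, `After=mariadb-copytls.service`, leaving the vendor file untouched. I have not diffed this against the Fedora package, so if there is an intentional change from upstream it should be called out in a comment at the top of the file.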
diff --git a/templates/Fedora/34/usr/lib/system/mariadb@.service b/templates/Fedora/34/usr/lib/system/mariadb@.service
new file mode 100644
index 0000000..10ca8fd
--- /dev/null
+++ b/templates/Fedora/34/usr/lib/system/mariadb@.service
@@ -0,0 +1,85 @@
+# Multi instance version of MariaDB. For if you run mutiple verions at once.
+# Also used for mariadb@bootstrap to bootstrap Galera.
+#
+# To use multi instance variant, use [mariadbd.INSTANCENAME] as sections in
+# /etc/@my.cnf to change per instance settings. A minimumal necessary
+# configuration items to change to avoid conflicts between instances is:
+#
+# [mariadbd.instancename]
+# # TCP port to make available for clients
+# port=3306
+# # Socket to make available for clients
+# socket=/tmp/mariadb-instancename.sock
+# # Where MariaDB should store all its data
+# datadir=/usr/local/mariadb-instancename/data
+#
+# and start the service via:
+#
+# root> systemctl start mariadb@{instancename}.server
+#
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during package upgrades. If you want to customize, for
+# all instances, the best way is:
+#
+# root> systemctl edit mariadb@.service
+#
+# Then add additonal directives under a section (probably [Service]).
+#
+# If you only want to change a specific instance:
+#
+# root> systemctl edit mariadb@{instancename}.server
+#
+# For more info about custom unit files, see systemd.unit(5) or
+# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
+#
+# For example, if you want to increase MariaDB's open-files-limit to 10000,
+# you need to increase systemd's LimitNOFILE setting, use the contents below:
+#
+# [Service]
+# LimitNOFILE=10000
+
+[Unit]
+Description=MariaDB 10.5 database server
+Documentation=man:mariadbd(8)
+Documentation=https://mariadb.com/kb/en/library/systemd/
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+Alias=mysql.service
+Alias=mysqld.service
+
+[Service]
+Type=notify
+User=mysql
+Group=mysql
+
+ExecStartPre=/usr/libexec/mariadb-check-socket --defaults-group-suffix=.%I
+ExecStartPre=/usr/libexec/mariadb-prepare-db-dir --defaults-group-suffix=.%I %n
+# MYSQLD_OPTS here is for users to set in /etc/systemd/system/mariadb@.service.d/MY_SPECIAL.conf
+# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
+# per bug #547485
+ExecStart=/usr/libexec/mariadbd --defaults-group-suffix=.%I --basedir=/usr $MYSQLD_OPTS $_WSREP_NEW_CLUSTER
+ExecStartPost=/usr/libexec/mariadb-check-upgrade --defaults-group-suffix=.%I
+
+# Setting this to true can break replication and the Type=notify settings
+# See also bind-address MariaDB option.
+PrivateNetwork=false
+
+KillSignal=SIGTERM
+
+# Don't want to see an automated SIGKILL ever
+SendSIGKILL=no
+
+# Restart crashed server only, on-failure would also restart, for example, when
+# my.cnf contains unknown option
+Restart=on-abort
+RestartSec=5s
+
+UMask=007
+
+# Give a reasonable amount of time for the server to start up/shut down
+TimeoutSec=300
+
+# Place temp files in a secure directory, not /tmp
+PrivateTmp=true
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index e6f3a30..403d699
--- a/vars/Fedora-34-default.yml
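Review bot: Instances started from this template are driven by `--defaults-group-suffix=.%I`, which presumably layers a per-instance group on top of the shared `[mysqld]` settings, so they would also see the hard-coded `ssl-cert`/`ssl-key` from mariadb-server.cnf; yet mariadb-copytls.service is only pulled in by `mariadb.service`, so a `mariadb@foo.service` on a host where the plain unit is disabled starts without the copied files. If instances are meant to use TLS, express the dependency here as well, e.g. `Wants=mariadb-copytls.service` and `After=mariadb-copytls.service` under [Unit]. Minor: the carried-over comments `# root> systemctl start mariadb@{instancename}.server` and `# root> systemctl edit mariadb@{instancename}.server` should say `.service`.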
+++ b/vars/Fedora-34-default.yml
@@ -62,3 +62,23 @@ template_list:
 mode: '0644'
 owner: 'root'
 src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/httpd/conf.d/phpMyAdmin.conf'
+ - dest: '/usr/lib/system/mariadb.service'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/system/mariadb.service'
+ - dest: '/usr/lib/system/mariadb@.service'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/system/mariadb@.service'
+ - dest: '/usr/lib/system/mariadb-copytls.timer'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/system/mariadb-copytls.timer'
+ - dest: '/usr/lib/system/mariadb-copytls.service'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/system/mariadb-copytls.service'
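Review bot: Every `dest:` here points at `/usr/lib/system/…`, which is not a systemd unit search path — units are loaded from `/usr/lib/systemd/system/` (vendor) and `/etc/systemd/system/` (local) — so none of the four files will ever be seen by systemd, `mariadb-copytls.service` cannot be enabled, and MariaDB keeps running under the packaged unit. Site-managed units belong in `/etc/systemd/system/`, e.g. `dest: '/etc/systemd/system/mariadb-copytls.service'`, and the `src:` template directory should be renamed to match so the typo does not get copied again. Whether a `daemon-reload` and an enable step run after these templates are written is not visible in this hunk and is worth confirming.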