Enable Apache mod_md Lets Encrypt Certificates with MariaDB

templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf

@@ -20,16 +20,8 @@ log-error=/var/log/mariadb/mariadb.log
 pid-file=/run/mariadb/mariadb.pid
 character-set-server = utf8mb4
 ssl-ca=/etc/pki/tls/certs/ca-bundle.crt
-{% for certificate in certificates.files %}
+ssl-cert=/etc/my.cnf.d/certificates/pubcert.epm
-{% if certificate.path is regex('/pubcert.pem$') %}
+ssl-key=/etc/my.cnf.d/certificates/privkey.epm
-ssl-cert={{ certificate.path }}
-{% endif %}
-{% endfor %}
-{% for certificate in certificates.files %}
-{% if certificate.path is regex('/privkey.pem$') %}
-ssl-key={{ certificate.path }}
-{% endif %}
-{% endfor %}
 tls-version=TLSv1.2,TLSv1.3
 
 

templates/Fedora/34/usr/lib/system/mariadb-copytls.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Copy TLS Certificates for Mariadb
+
+[Service]
+Type=oneshot
+ExecStartPre=mkdir -p /etc/my.cnf.d/certificates
+ExecStart=cp /etc/httpd/md/domains/*/*.pem /etc/my.cnf.d/certificates/
+ExecStartPost=chown -R mysql:mysql /etc/my.cnf.d/certificates
+
+[Install]
+WantedBy=mariadb.service

templates/Fedora/34/usr/lib/system/mariadb-copytls.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Copy TLS Certificates for Mariadb
+
+[Timer]
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=mariadb.service

templates/Fedora/34/usr/lib/system/mariadb.service

@@ -0,0 +1,64 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during package upgrades.  If you want to customize, the
+# best way is to:
+#
+# root> systemctl edit mariadb.service
+#
+# Then add additonal directives under a section (probably [Service]).
+#
+# For more info about custom unit files, see systemd.unit(5) or
+# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
+#
+# For example, if you want to increase MariaDB's open-files-limit to 10000,
+# you need to increase systemd's LimitNOFILE setting, use the contents below:
+#
+#	[Service]
+#	LimitNOFILE=10000
+#
+
+[Unit]
+Description=MariaDB 10.5 database server
+Documentation=man:mariadbd(8)
+Documentation=https://mariadb.com/kb/en/library/systemd/
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+Alias=mysql.service
+Alias=mysqld.service
+
+[Service]
+Type=notify
+User=mysql
+Group=mysql
+
+ExecStartPre=/usr/libexec/mariadb-check-socket
+# '%n' expands to 'Full unit name'; man systemd.unit
+ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n
+# MYSQLD_OPTS here is for users to set in /etc/systemd/system/mariadb@.service.d/MY_SPECIAL.conf
+# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
+# per bug #547485
+ExecStart=/usr/libexec/mariadbd --basedir=/usr $MYSQLD_OPTS $_WSREP_NEW_CLUSTER
+ExecStartPost=/usr/libexec/mariadb-check-upgrade
+
+# Setting this to true can break replication and the Type=notify settings
+# See also bind-address MariaDB option.
+PrivateNetwork=false
+
+KillSignal=SIGTERM
+
+# Don't want to see an automated SIGKILL ever
+SendSIGKILL=no
+
+# Restart crashed server only, on-failure would also restart, for example, when
+# my.cnf contains unknown option
+Restart=on-abort
+RestartSec=5s
+
+UMask=007
+
+# Give a reasonable amount of time for the server to start up/shut down
+TimeoutSec=300
+
+# Place temp files in a secure directory, not /tmp
+PrivateTmp=true

templates/Fedora/34/usr/lib/system/mariadb@.service

@@ -0,0 +1,85 @@
+# Multi instance version of MariaDB. For if you run mutiple verions at once.
+# Also used for mariadb@bootstrap to bootstrap Galera.
+#
+# To use multi instance variant, use [mariadbd.INSTANCENAME] as sections in
+# /etc/@my.cnf  to change per instance settings. A minimumal necessary
+# configuration items to change to avoid conflicts between instances is:
+#
+#       [mariadbd.instancename]
+#       # TCP port to make available for clients
+#       port=3306
+#       # Socket to make available for clients
+#       socket=/tmp/mariadb-instancename.sock
+#       # Where MariaDB should store all its data
+#       datadir=/usr/local/mariadb-instancename/data
+#
+# and start the service via:
+#
+# root> systemctl start mariadb@{instancename}.server
+#
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during package upgrades.  If you want to customize, for
+# all instances, the best way is:
+#
+# root> systemctl edit mariadb@.service
+#
+# Then add additonal directives under a section (probably [Service]).
+#
+# If you only want to change a specific instance:
+#
+# root>	systemctl edit mariadb@{instancename}.server
+#
+# For more info about custom unit files, see systemd.unit(5) or
+# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
+#
+# For example, if you want to increase MariaDB's open-files-limit to 10000,
+# you need to increase systemd's LimitNOFILE setting, use the contents below:
+#
+#	[Service]
+#	LimitNOFILE=10000
+
+[Unit]
+Description=MariaDB 10.5 database server
+Documentation=man:mariadbd(8)
+Documentation=https://mariadb.com/kb/en/library/systemd/
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+Alias=mysql.service
+Alias=mysqld.service
+
+[Service]
+Type=notify
+User=mysql
+Group=mysql
+
+ExecStartPre=/usr/libexec/mariadb-check-socket --defaults-group-suffix=.%I
+ExecStartPre=/usr/libexec/mariadb-prepare-db-dir --defaults-group-suffix=.%I %n
+# MYSQLD_OPTS here is for users to set in /etc/systemd/system/mariadb@.service.d/MY_SPECIAL.conf
+# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
+# per bug #547485
+ExecStart=/usr/libexec/mariadbd --defaults-group-suffix=.%I --basedir=/usr $MYSQLD_OPTS $_WSREP_NEW_CLUSTER
+ExecStartPost=/usr/libexec/mariadb-check-upgrade --defaults-group-suffix=.%I
+
+# Setting this to true can break replication and the Type=notify settings
+# See also bind-address MariaDB option.
+PrivateNetwork=false
+
+KillSignal=SIGTERM
+
+# Don't want to see an automated SIGKILL ever
+SendSIGKILL=no
+
+# Restart crashed server only, on-failure would also restart, for example, when
+# my.cnf contains unknown option
+Restart=on-abort
+RestartSec=5s
+
+UMask=007
+
+# Give a reasonable amount of time for the server to start up/shut down
+TimeoutSec=300
+
+# Place temp files in a secure directory, not /tmp
+PrivateTmp=true

vars/Fedora-34-default.yml

@@ -62,3 +62,23 @@ template_list:
     mode: '0644'
     owner: 'root'
     src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/httpd/conf.d/phpMyAdmin.conf'
+  - dest: '/usr/lib/system/mariadb.service'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/system/mariadb.service'
+  - dest: '/usr/lib/system/mariadb@.service'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/system/mariadb@.service'
+  - dest: '/usr/lib/system/mariadb-copytls.timer'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/system/mariadb-copytls.timer'
+  - dest: '/usr/lib/system/mariadb-copytls.service'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/system/mariadb-copytls.service'