From c4a7f1144583a6e4a85d6bc3b274a5b539eb15e2 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Sat, 19 Mar 2022 19:00:07 +0100
Subject: [PATCH] Update to 2022-03-19 19:00
---
 roles/lemonldap_ng/defaults/main.yml | 3 +++
 .../templates/lemonldap-ng.ini.j2 | 4 ++--
 roles/letsencrypt/templates/domains.txt.j2 | 3 +++
 roles/mysql_server/defaults/main.yml | 9 +++++++++
 roles/mysql_server/tasks/main.yml | 17 ++++++++++++++++
 .../mysql_server/templates/dehydrated_hook.j2 | 20 +++++++++++++++++++
 roles/mysql_server/templates/my.cnf.j2 | 6 ++++++
 roles/phpmyadmin/templates/config.inc.php.j2 | 9 +++++++++
 8 files changed, 69 insertions(+), 2 deletions(-)
 create mode 100644 roles/mysql_server/templates/dehydrated_hook.j2
diff --git a/roles/lemonldap_ng/defaults/main.yml b/roles/lemonldap_ng/defaults/main.yml
index 6fbfe9d..5b447c1 100644
--- a/roles/lemonldap_ng/defaults/main.yml
+++ b/roles/lemonldap_ng/defaults/main.yml
@@ -66,6 +66,9 @@ llng_db_user: lemonldapng
 llng_handler_db_user: lemonldapnghandler
 # llng_db_pass: s3cr3t.
 # llng_handler_db_pass
+# Should database connections use SSL
+llng_db_ssl: False
+llng_db_ssl_ca: /etc/pki/tls/cert.pem
 # Number of llng-fastcgi-server or uwsgi workers. The upstream default is 7 but you might need to adjust to your load
 llng_workers: 6
diff --git a/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2 b/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2
index 58b13cc..f4b53f3 100644
--- a/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2
+++ b/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2
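Review bot: `llng_db_ssl_ca` needs a comment stating what it is checked against: the ini template in this same commit sets `mysql_ssl_verify_server_cert=1`, so this file must contain the issuing CA (or the certificate itself) of the database server, and the system-bundle default only works when the server presents a publicly trusted certificate such as a Let's Encrypt one. With the self-signed certificate the mysql_server role now generates by default, verification fails and the connection is refused rather than falling back to an unverified one. Suggested comment above the two keys: `# CA file used to verify the DB server certificate (verification is enforced); point it at the server's own cert or its issuing CA when the server does not use a publicly trusted cert`. The term in the first comment is TLS in practice, but the variable names are fine as they are.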
@@ -24,7 +24,7 @@ localSessionStorageOptions = { \
 {% for type in llng_session_tables.keys() | list %}
 {{ type }}Storage = Apache::Session::Browseable::MySQL
 {{ type }}StorageOptions = { \
- 'DataSource' => 'DBI:mysql:database={{ llng_db_name }};host={{ llng_db_server }};mysql_enable_utf8=1', \
+ 'DataSource' => 'DBI:mysql:database={{ llng_db_name }};host={{ llng_db_server }};mysql_enable_utf8=1{% if llng_db_ssl %};mysql_ssl=1;mysql_ssl_ca_file={{ llng_db_ssl_ca }};mysql_ssl_verify_server_cert=1{% endif +%}', \
 'UserName' => '{{ llng_handler_db_user }}', \
 'Password' => '{{ llng_handler_db_pass }}', \
 'TableName' => '{{ llng_session_tables[type].name }}', \
@@ -50,7 +50,7 @@ Password = {{ llng_api_pass }}
 proxyOptions = { timeout => 5 }
 {% elif llng_conf_backend == 'mysql' %}
 type = CDBI
-dbiChain = DBI:mysql:database={{ llng_db_name }};host={{ llng_db_server }}
+dbiChain = DBI:mysql:database={{ llng_db_name }};host={{ llng_db_server }};mysql_enable_utf8=1{% if llng_db_ssl %};mysql_ssl=1;mysql_ssl_ca_file={{ llng_db_ssl_ca }};mysql_ssl_verify_server_cert=1{% endif +%}
 dbiUser = {{ (llng_manager or llng_portal) | ternary(llng_db_user,llng_handler_db_user) }}
 dbiPassword = {{ (llng_manager or llng_portal) | ternary(llng_db_pass,llng_handler_db_pass) }}
 {% endif %}
diff --git a/roles/letsencrypt/templates/domains.txt.j2 b/roles/letsencrypt/templates/domains.txt.j2
index dd5aadc..fec70e7 100644
--- a/roles/letsencrypt/templates/domains.txt.j2
+++ b/roles/letsencrypt/templates/domains.txt.j2
@@ -52,3 +52,6 @@
 {% if pg_letsencrypt_cert is defined and pg_letsencrypt_cert is string and pg_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
 {{ pg_letsencrypt_cert }}
 {% endif %}
+{% if mysql_letsencrypt_cert is defined and mysql_letsencrypt_cert is string and mysql_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ mysql_letsencrypt_cert }}
+{% endif %}
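Review bot: The TLS fragment `{% if llng_db_ssl %};mysql_ssl=1;mysql_ssl_ca_file={{ llng_db_ssl_ca }};mysql_ssl_verify_server_cert=1{% endif +%}` is written out twice, in this hunk's `DataSource` and again in the `dbiChain` hunk below, so the two DSNs can drift and a later edit can drop the verify flag from one copy without noticing. Building it once near the top of the template, `{% set llng_db_ssl_dsn = ';mysql_ssl=1;mysql_ssl_ca_file=' ~ llng_db_ssl_ca ~ ';mysql_ssl_verify_server_cert=1' if llng_db_ssl else '' %}`, and appending `{{ llng_db_ssl_dsn }}` in both places keeps the security-relevant part of the DSN in a single line. The `{% for %}` block this line sits in starts before the hunk.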
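Review bot: The new `dbiChain` line adds `mysql_enable_utf8=1` unconditionally, which changes how the configuration backend handles character data and is not governed by `llng_db_ssl`; the commit title does not mention it. If it is intended (it matches the session `DataSource` in the hunk above), a template comment such as `{# mysql_enable_utf8=1 is always on here, matching the session storage DSN #}` would stop the next reader from taking it for part of the TLS switch; if it is not, it should come off this line and go in a separate change. The `{% elif %}` branch containing this line opens within the hunk but the enclosing `{% if %}` starts before it.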
diff --git a/roles/mysql_server/defaults/main.yml b/roles/mysql_server/defaults/main.yml
index 4659455..c1c2a82 100644
--- a/roles/mysql_server/defaults/main.yml
+++ b/roles/mysql_server/defaults/main.yml
@@ -13,6 +13,15 @@ mysql_open_files_limit: 8192
 mysql_max_allowed_packet: 32M
 mysql_max_connections: 300
+# If mysql_letsencrypt_cert is defined, it'll turn SSL on and configure cert to use
+# mysql_letsencrypt_cert: mysql.example.org
+
+# ELse, it's possible to configure SSL manually
+mysql_ssl: "{{ (mysql_letsencrypt_cert is defined) | ternary(True, False) }}"
+mysql_ssl_cert: /etc/my.ssl/server.crt
+mysql_ssl_key: /etc/my.ssl/server.key
+mysql_ssl_ca: /etc/pki/tls/cert.pem
+
 # Engine can be either mariadb or mysql
 mysql_engine: mariadb
diff --git a/roles/mysql_server/tasks/main.yml b/roles/mysql_server/tasks/main.yml
index b6837f7..647354f 100644
--- a/roles/mysql_server/tasks/main.yml
+++ b/roles/mysql_server/tasks/main.yml
@@ -21,6 +21,23 @@
 package: name={{ mysql_server_packages }}
 tags: mysql
+- name: Create ssl directory
+ file: path=/etc/my.ssl state=directory owner=root group=mysql mode=750
+ tags: mysql
+
+- name: Create default self-signed cert
+ import_tasks: ../includes/create_selfsigned_cert.yml
+ vars:
+ - cert_path: /etc/my.ssl/server.crt
+ - cert_key_path: /etc/my.ssl/server.key
+ - cert_key_group: mysql
+ - cert_key_mode: '640'
+ tags: mysql
+
+- name: Deploy dehydrated hook
+ template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/mysql mode=755
+ tags: mysql
+
 - name: Deploy backup scripts
+ template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mysql mode=755
+ loop:
diff --git a/roles/mysql_server/templates/dehydrated_hook.j2 b/roles/mysql_server/templates/dehydrated_hook.j2
new file mode 100644
index 0000000..3b7c574
--- /dev/null
+++ b/roles/mysql_server/templates/dehydrated_hook.j2
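Review bot: `mysql_ssl: "{{ (mysql_letsencrypt_cert is defined) | ternary(True, False) }}"` runs a boolean through `ternary(True, False)`, which hands back the same boolean; `mysql_ssl: "{{ mysql_letsencrypt_cert is defined }}"` says the same thing without the detour. The comment block should also state what the switch does and does not do: `mysql_ssl` makes the server offer TLS but nothing in this role requires clients to use it (per-account `REQUIRE SSL` or `require_secure_transport` is left to the operator), and `mysql_ssl_ca`, as I read the MariaDB/MySQL server options, is the file the server validates client certificates against, not the CA of its own certificate, so the system bundle default is only meaningful if client-certificate accounts are in use. Suggested wording for the first comment: `# If mysql_letsencrypt_cert is defined, TLS is turned on and the Let's Encrypt cert is deployed by the dehydrated hook; otherwise the self-signed cert below is used unless you override the paths`. The `ELse` typo can go in the same edit.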
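Review bot: `Deploy dehydrated hook` writes into `/etc/dehydrated/hooks_deploy_cert.d/` whether or not `mysql_letsencrypt_cert` is defined; that directory is not created by this role (presumably the letsencrypt role owns it), so on a host where dehydrated is not installed the template task fails instead of doing nothing, even though the hook itself handles the undefined case. Gating the task with `when: mysql_letsencrypt_cert is defined` matches the rest of the hunk, where the Let's Encrypt path is optional. In `Create default self-signed cert`, `vars:` is given as a list of one-key mappings (`- cert_path: …`); a plain mapping is the documented form and, I believe, newer ansible-core deprecates the list form, so the four leading dashes should go. The `0750 root:mysql` directory and `640` key mode are the right shape for a private key the server reads as the mysql group.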
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+{% if mysql_letsencrypt_cert is defined %}
+
+if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then
+ cp /var/lib/dehydrated/certificates/certs/{{ mysql_letsencrypt_cert }}/fullchain.pem /etc/my.ssl/server.crt
+ cp /var/lib/dehydrated/certificates/certs/{{ mysql_letsencrypt_cert }}/privkey.pem /etc/my.ssl/server.key
+ chown root:mysql /etc/my.ssl/server.key
+ chown root:root /etc/my.ssl/server.crt
+ chmod 640 /etc/my.ssl/server.key
+ chmod 644 /etc/my.ssl/server.crt
+ mysql -e 'FLUSH SSL;'
+fi
+
+{% else %}
+
+# No Let's Encrypt cert configured, nothing to do
+exit 0
+
+{% endif %}
diff --git a/roles/mysql_server/templates/my.cnf.j2 b/roles/mysql_server/templates/my.cnf.j2
index 98e0393..abf759c 100644
--- a/roles/mysql_server/templates/my.cnf.j2
+++ b/roles/mysql_server/templates/my.cnf.j2
@@ -35,6 +35,12 @@ max_allowed_packet={{ mysql_max_allowed_packet | default('16M') }}
 open_files_limit={{ mysql_open_files_limit | default('8192') }}
 max_connections={{ mysql_max_connections | default('300') }}
+{% if mysql_ssl %}
+ssl_cert={{ mysql_ssl_cert }}
+ssl_key={{ mysql_ssl_key }}
+ssl_ca={{ mysql_ssl_ca }}
+{% endif %}
+
 [mysqld_safe]
 {% if mysql_engine == 'mysql' %}
 log-error=/var/log/mysql/mysqld.log
diff --git a/roles/phpmyadmin/templates/config.inc.php.j2 b/roles/phpmyadmin/templates/config.inc.php.j2
index 678cb09..5e72b4b 100644
--- a/roles/phpmyadmin/templates/config.inc.php.j2
+++ b/roles/phpmyadmin/templates/config.inc.php.j2
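Review bot: The guard `if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then` compares against the PostgreSQL variable, so the copy never runs for the MySQL certificate (and the template fails to render at all when `pg_letsencrypt_cert` is undefined); it should read `if [ "$1" = "{{ mysql_letsencrypt_cert }}" ]; then`, which also drops the non-POSIX `==` under `#!/bin/sh` and quotes `$1`. The `cp` of `privkey.pem` is followed by separate `chown`/`chmod` calls, so when `/etc/my.ssl/server.key` does not already exist the key briefly carries the umask mode; `install -o root -g mysql -m 640 /var/lib/dehydrated/certificates/certs/{{ mysql_letsencrypt_cert }}/privkey.pem /etc/my.ssl/server.key` (and the `-o root -g root -m 644` equivalent for `fullchain.pem`) sets owner and mode in one step and replaces six lines with two. `FLUSH SSL` is MariaDB syntax; with `mysql_engine: mysql` the equivalent is, I believe, `ALTER INSTANCE RELOAD TLS`, so the reload should branch on `mysql_engine` or the limitation should be stated in a comment.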
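Review bot: `ssl_ca={{ mysql_ssl_ca }}` defaults to the system CA bundle, and on the server side `ssl_ca` is, as I read the MariaDB/MySQL docs, the trust anchor for client certificates (accounts created with `REQUIRE X509`, `ISSUER` or `SUBJECT`), not for the server's own certificate; with the public bundle in place, a certificate from any public CA would satisfy such an account's X509 requirement. If client-certificate authentication is not intended, a template comment should say so, e.g. `# ssl_ca: CA used to validate client certificates; only relevant for REQUIRE X509 accounts`, and if it is, the default should be a private CA rather than the public bundle. The block also only offers TLS; connections stay opportunistic unless `require_secure_transport` (or per-account `REQUIRE SSL`) is set, which is worth stating in the same comment.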
@@ -22,6 +22,15 @@ $cfg['Servers'][$i]['port'] = '{{ server.port }}';
 {% endif %}
 $cfg['Servers'][$i]['compress'] = false;
 $cfg['Servers'][$i]['AllowNoPassword'] = false;
+{% if server.ssl | default(False) %}
+$cfg['Servers'][$i]['ssl'] = true;
+{% if server.ssl_ca | default('/etc/pki/tls/cert.pem') != False %}
+$cfg['Servers'][$i]['ssl_ca'] = '{{ server.ssl_ca | default('/etc/pki/tls/cert.pem') }}';
+{% endif %}
+{% if server.ssl_verify | default(True) == False %}
+$cfg['Servers'][$i]['ssl_verify'] = false;
+{% endif %}
+{% endif %}
 {% endfor %}
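Review bot: The `ssl_verify` branch is a downgrade-only switch: phpMyAdmin verifies the server certificate by default, I believe, so the only line this template can emit is `$cfg['Servers'][$i]['ssl_verify'] = false;`, which accepts any certificate the server presents. A template comment should make that explicit, e.g. `{# ssl_verify: False accepts any server certificate; prefer pointing ssl_ca at the server's issuing CA instead #}`, so a per-server override is a deliberate choice. As a point of style, `{% if server.ssl_verify | default(True) == False %}` reads more naturally as `{% if not (server.ssl_verify | default(True)) %}`, and the `ssl_ca` guard's `!= False` could follow the same form. The `{% for %}` over servers that encloses this hunk starts before it.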