-rw-r--r-- | files/etc/pam.d/mysql.mysql_server | 2 | ||||
-rw-r--r-- | files/usr/local/etc/mysql/conf.d/server.cnf.mysql_server | 21 | ||||
-rw-r--r-- | files/usr/local/etc/poudriere.d/make.conf.pkg_repository | 2 | ||||
-rw-r--r-- | files/usr/local/etc/poudriere.d/pkglist.pkg_repository | 3 | ||||
-rw-r--r-- | hostclasses | 1 | ||||
-rw-r--r-- | scripts/hostclass/mysql_server | 65 | ||||
-rw-r--r-- | scripts/hostclass/pkg_repository | 4 | ||||
m--------- | site | 0 | ||||
-rw-r--r-- | vars/hostclass/mysql_server | 3 | ||||
-rw-r--r-- | vars/hostclass/postgres1 | 4 | ||||
-rw-r--r-- | vars/hostname/mysql1 | 3 | ||||
-rw-r--r-- | vars/os/freebsd | 1 |
12 files changed, 102 insertions, 7 deletions
diff --git a/files/etc/pam.d/mysql.mysql_server b/files/etc/pam.d/mysql.mysql_server
new file mode 100644
index 0000000..6c9014c
--- /dev/null
+++ b/files/etc/pam.d/mysql.mysql_server
@@ -0,0 +1,2 @@
+auth required /usr/local/lib/security/pam_krb5.so try_first_pass no_ccache ignore_k5login keytab=${mysql_keytab}
+account required pam_permit.so
diff --git a/files/usr/local/etc/mysql/conf.d/server.cnf.mysql_server b/files/usr/local/etc/mysql/conf.d/server.cnf.mysql_server
new file mode 100644
index 0000000..93a6975
--- /dev/null
+++ b/files/usr/local/etc/mysql/conf.d/server.cnf.mysql_server
@@ -0,0 +1,21 @@
+[mysqld]
+user = ${mysql_user}
+bind-address = 0.0.0.0
+basedir = /usr/local
+net_retry_count = 16384
+log_error = ${mysql_log_dir}/mysqld.err
+datadir = ${mysql_home}/data
+innodb_log_group_home_dir = ${mysql_home}/log
+log_bin = ${mysql_home}/log/mysql-bin
+relay_log = ${mysql_home}/log/relay-log
+innodb_doublewrite = 0
+innodb_flush_method = O_DSYNC
+plugin_load_add = auth_gssapi
+# The new sandboxed auth_pam does not seem to work.
+plugin_load_add = auth_pam_v1
+gssapi_keytab_path = ${mysql_keytab}
+pam_use_cleartext_plugin
+ssl_ca = ${site_cacert_path}
+ssl_cert = ${mysql_tls_cert}
+ssl_key = ${mysql_tls_key}
+require_secure_transport
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index dafd290..5d16ed4 100644
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -15,6 +15,7 @@ databases_akonadi_SET=MYSQL
databases_luadbi_SET=PGSQL
databases_postgresql${postgresql_version}-client_SET=PAM LDAP
databases_postgresql${postgresql_version}-server_SET=PAM LDAP
+databases_mariadb${mariadb_version}-server_UNSET=AWS_KEY_MGMT HASHIPCORP_VAULT CONNECT_EXTRA WSREP
devel_apr1_SET=LDAP
devel_gitolite_SET=GITUSER
devel_kio-extras_UNSET=AFC
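Review bot: The account stage of the new /etc/pam.d/mysql template is `account required pam_permit.so`, so once pam_krb5 accepts the password in the auth stage no further account-level check is applied; that is probably intended because database users have no local account, but the file does not say so. A comment above that line, `# DB users have no local account: the account stage is intentionally a no-op, authorization is done by MariaDB grants.`, would stop a later reader from treating it as an oversight. The auth line also depends on the password reaching the server in the clear, which is what `pam_use_cleartext_plugin` in the server.cnf template provides; a second comment naming that dependency would tie the two files together.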
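Review bot: `pam_use_cleartext_plugin` makes PAM-authenticated clients send their password unencrypted at the protocol level, and the only setting in this file that keeps that off the wire is `require_secure_transport` six lines later; with `bind-address = 0.0.0.0` here and `allowed_tcp_ports='ssh mysql'` in the new vars/hostclass/mysql_server the listener is reachable from outside, so that coupling deserves a comment such as `# Passwords travel in the clear to the PAM plugin; require_secure_transport below makes TLS mandatory.`. `innodb_doublewrite = 0` and `innodb_flush_method = O_DSYNC` also read as deliberate choices for the ZFS datasets the hostclass script creates (data on a 16k-recordsize dataset), but nothing records that reasoning; if that is the intent, a comment like `# Doublewrite is redundant on ZFS; datadir is a dedicated 16k-recordsize dataset.` would keep the next tuning pass from re-enabling it.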
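Review bot: The new `databases_mariadb${mariadb_version}-server_UNSET` key expands `${mariadb_version}` with its dot, while vars/os/freebsd sets `mariadb_version='11.4'` and both the pkglist hunk and the hostclass script strip the dot with `tr -d .` to form the port name; unless make.conf is templated differently from the pkglist, this line becomes `databases_mariadb11.4-server_UNSET`, which matches no port origin and is silently ignored. The same doubt applies to `HASHIPCORP_VAULT`, which looks like a misspelling of the vendor name and would likewise be ignored in an _UNSET list; please check the option name against the port's `make showconfig` output. Since the dot-stripping is now written out in three places, a single derived variable in vars/os/freebsd, e.g. `mariadb_pkg_version=$(echo "$mariadb_version" | tr -d .)`, used here and in the pkglist and script would remove the inconsistency.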
@@ -31,7 +32,6 @@ editors_vim_SET=CTAGS_EXUBERANT XTERM_SAVE
editors_vim_UNSET=CTAGS_BASE
emulators_wine_SET=CUPS
finance_gnucash_UNSET=AQBANKING
-graphics_digikam_SET=AUTOTAGS FACEDETECT
graphics_vips_UNSET=MATIO
irc_znc_SET=CYRUS
lang_lua53_SET=LIBEDIT_DL
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index b32fc95..3a52177 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -14,6 +14,8 @@ audio/virtual_oss
converters/php${php_version}-iconv
converters/php${php_version}-mbstring
databases/luadbi
+databases/mariadb$(echo "${mariadb_version}" | tr -d '.')-client
+databases/mariadb$(echo "${mariadb_version}" | tr -d '.')-server
databases/p5-DBD-Pg
databases/p5-DBI
databases/php${php_version}-pdo_pgsql
@@ -162,6 +164,7 @@ textproc/php${php_version}-xmlwriter
textproc/py-docutils
textproc/py-markdown
textproc/py-pygments
+www/authelia
www/chromium
www/element-web
www/fcgiwrap
diff --git a/hostclasses b/hostclasses
index ff8eb40..0db032b 100644
--- a/hostclasses
+++ b/hostclasses
@@ -26,3 +26,4 @@ nfs_server ^nfs[0-9]
turn_server ^turn[0-9]
icinga_server ^icinga[0-9]
matrix_server ^matrix[0-9]
+mysql_server ^mysql[0-9]
diff --git a/scripts/hostclass/mysql_server b/scripts/hostclass/mysql_server
new file mode 100644
index 0000000..115b591
--- /dev/null
+++ b/scripts/hostclass/mysql_server
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+mysql_user=mysql
+mysql_home=/var/db/mysql
+mysql_tls_cert="${mysql_home}/mysql.crt"
+mysql_tls_key="${mysql_home}/mysql.key"
+mysql_keytab="${keytab_dir}/mariadb.keytab"
+mysql_conf_dir=/usr/local/etc/mysql
+mysql_log_dir=/var/log/mysql
+
+# Install packages.
+pkg install -y "mariadb$(echo "$mariadb_version" | tr -d .)-server"
+
+# Create ZFS dataset for mysql data.
+create_dataset \
+ -o "mountpoint=${mysql_home}" \
+ -o primarycache=metadata \
+ -o atime=off \
+ "${state_dataset}/mysql"
+create_dataset \
+ -o "mountpoint=${mysql_home}/data" \
+ -o recordsize=16k \
+ "${state_dataset}/mysql/data"
+create_dataset \
+ -o "mountpoint=${mysql_home}/log" \
+ "${state_dataset}/mysql/log"
+
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ com.sun:auto-snapshot:monthly=true \
+ "${state_dataset}/mysql/data"
+
+install_directory -m 0755 -o "$mysql_user" -g "$mysql_user" "$mysql_home"
+install_directory -m 0770 -o "$mysql_user" -g "$mysql_user" "${mysql_home}/data" "${mysql_home}/log"
+
+# Create service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "mariadb/${fqdn}"
+
+ktadd -k "$mysql_keytab" "mariadb/${fqdn}"
+chgrp "$mysql_user" "$mysql_keytab"
+chmod 640 "$mysql_keytab"
+
+mysql_uid=$(id -u "$mysql_user")
+install_directory -o "$mysql_user" -m 0700 "/var/krb5/user/${mysql_uid}"
+ln -snfv "$mysql_keytab" "/var/krb5/user/${mysql_uid}/keytab"
+
+# Copy PAM configuration.
+install_template -m 0644 /etc/pam.d/mysql
+
+# Copy TLS certificate for mysql.
+install_certificate -m 0644 -o root -g "$mysql_user" mysql "$mysql_tls_cert"
+install_certificate_key -m 0640 -o root -g "$mysql_user" mysql "$mysql_tls_key"
+
+# Generate mysql configuration.
+install_template -m 0644 "${mysql_conf_dir}/conf.d/server.cnf"
+
+# Start mariadb.
+sysrc -v mysql_enable=YES
+service mysql-server restart
+
+cat <<EOF | mysql --batch
+CREATE USER IF NOT EXISTS '${boxconf_username}' IDENTIFIED VIA pam;
+GRANT ALL PRIVILEGES ON *.* to '${boxconf_username}' WITH GRANT OPTION;
+EOF
diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository
index 633f621..872320b 100644
--- a/scripts/hostclass/pkg_repository
+++ b/scripts/hostclass/pkg_repository
@@ -5,9 +5,9 @@ : ${poudriere_dataset:="${state_dataset:-zroot}"} : ${poudriere_make_jobs_number:='4'} : ${poudriere_priority_boost:='gcc* llvm* rust'}
-: ${poudriere_allow_make_jobs_packages:='ImageMagick* bitwarden-cli cargo-c *chromium* cmake cmake-core digikam eclipse electron* ffmpeg firefox thunderbird gcc* gnutls gtk3* icu libreoffice* llvm* mongodb* mysql*-client mysql*-server node* openjdk* openssl pkg plasma6-plasma-workspace postgresql* plasma*-kwin qt*-webengine qt*-declarative rust webkit* wine vaultwarden'}
+: ${poudriere_allow_make_jobs_packages:='ImageMagick* bitwarden-cli cargo-c *chromium* cmake cmake-core digikam eclipse electron* ffmpeg firefox thunderbird gcc* gnutls gtk3* icu libreoffice* llvm* mongodb* mariadb*-client mariadb*-server mysql*-client mysql*-server node* openjdk* openssl pkg plasma6-plasma-workspace postgresql* plasma*-kwin qt*-webengine qt*-declarative rust webkit* wine vaultwarden'} : ${poudriere_ccache_size:='50.0G'}
-: ${poudriere_default_versions:=''}
+: ${poudriere_default_versions:="mysql=${mariadb_version}m"} poudriere_https_cert="${nginx_conf_dir}/poudriere.crt" poudriere_https_key="${nginx_conf_dir}/poudriere.key"
diff --git a/site b/site
-Subproject 65d7a9ea1106997ba67abb2f3fdc7753fed9fac
+Subproject 42f2d448b6bb8b7f3a4c1be36b16684247739d3
diff --git a/vars/hostclass/mysql_server b/vars/hostclass/mysql_server
new file mode 100644
index 0000000..dff8cb8
--- /dev/null
+++ b/vars/hostclass/mysql_server
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+allowed_tcp_ports='ssh mysql'
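Review bot: `mysql_log_dir=/var/log/mysql` is defined at the top of the new hostclass script and consumed by the server.cnf template as `log_error`, but unlike `${mysql_home}/data` and `${mysql_home}/log` it is never created or chowned here; unless the mariadb package ships that directory owned by `${mysql_user}`, the daemon is likely to fail opening its error log on first start. An `install_directory -m 0750 -o "$mysql_user" -g "$mysql_user" "$mysql_log_dir"` beside the other install_directory calls would close that gap. At the end of the hunk, `cat <<EOF | mysql --batch` runs straight after `service mysql-server restart` with no readiness check, and `${boxconf_username}` is interpolated directly into the SQL text, which is fine for a repo-controlled value but should be stated, e.g. `# boxconf_username comes from site vars, not user input; mysql must be accepting connections by now.`. `IDENTIFIED VIA pam` without a USING clause relies on the plugin's default service name matching the /etc/pam.d/mysql file installed above, and the comment on that block should name that dependency.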
diff --git a/vars/hostclass/postgres1 b/vars/hostclass/postgres1
deleted file mode 100644
index a38ba94..0000000
--- a/vars/hostclass/postgres1
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-memsize=$(( 8 * 1024 * 1024 * 1024))
-cnames=postgres
diff --git a/vars/hostname/mysql1 b/vars/hostname/mysql1
new file mode 100644
index 0000000..24cd32c
--- /dev/null
+++ b/vars/hostname/mysql1
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cnames=mysql
diff --git a/vars/os/freebsd b/vars/os/freebsd
index ff597ff..37dc712 100644
--- a/vars/os/freebsd
+++ b/vars/os/freebsd
@@ -14,6 +14,7 @@ memsize=$(sysctl -n hw.physmem)
export ASSUME_ALWAYS_YES=yes
devfs_local_ruleset_name=localrules
keytab_dir=/var/db/keytabs
+mariadb_version='11.4'
nfscbd_port=7745
nginx_user=www
nginx_conf_dir=/usr/local/etc/nginx |