diff --git a/lets-encrypt.js b/lets-encrypt.js index d778fd1..aebdef0 100644 --- a/lets-encrypt.js +++ b/lets-encrypt.js @@ -1,5 +1,3 @@ sudo apt install letsencrypt sudo systemctl status certbot.timer -sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d domain-name.com - -sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d system-test.die-logistik24.de \ No newline at end of file +sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d domain-name.com \ No newline at end of file diff --git a/mariadb-create.js b/mariadb-create.js index 2393f84..20b8fd6 100755 --- a/mariadb-create.js +++ b/mariadb-create.js @@ -10,6 +10,7 @@ const log = console.log program .option('-u, --user ', 'User') + .option('--ssl', 'ssl') program.parse(process.argv) @@ -81,6 +82,11 @@ await connection.query('CREATE DATABASE ' + database.name + ' DEFAULT CHARACTER await connection.query("CREATE USER " + database.user + "@'localhost' IDENTIFIED BY '" + database.password + "'") await connection.query("CREATE USER " + database.user + "@'%' IDENTIFIED BY '" + database.password + "'") await connection.query("GRANT ALL PRIVILEGES ON " + database.name + ".* TO " + database.user + "@localhost") + +if (options.ssl) { + await connection.query("GRANT ALL PRIVILEGES ON " + database.name + ".* TO " + database.user + " require SSL") +} + await connection.query("FLUSH PRIVILEGES") connection.destroy() diff --git a/mariadb.js b/mariadb.js index db567b0..754a4b9 100644 --- a/mariadb.js +++ b/mariadb.js 
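Review bot: The new `GRANT ALL PRIVILEGES ON … TO " + database.user + " require SSL"` omits the host part, so it applies to `user@'%'`, which the preceding lines create but never grant anything — passing `--ssl` therefore silently enables remote access for the account rather than merely tightening the existing `@localhost` grant. If that is the intent, state it explicitly in the SQL (`" + database.user + "@'%' REQUIRE SSL"`) and in the option text, e.g. `.option('--ssl', 'grant remote access to the user (at %) and require a TLS connection')`; if not, the `REQUIRE SSL` belongs on the `@localhost` grant. Note that `REQUIRE SSL` only demands an encrypted channel, not a client certificate; since the accompanying mariadb.js hunk issues a client certificate, `REQUIRE X509` (or `REQUIRE SUBJECT`) is what would actually make use of it. The statements around the new line still splice `database.name`, `database.user` and `database.password` straight into SQL, which the commit continues rather than fixes; where these come from command-line or config input they should go through the driver's identifier and value escaping helpers. `options` is defined outside the hunk — presumably `program.opts()` — so the `.option('--ssl', …)` registration must run before it is read.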
@@ -1,10 +1,54 @@ -//curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup -//sudo bash mariadb_repo_setup --mariadb-server-version=10.6 +import chalk from 'chalk' -//apt update -//apt install mariadb-server +const log = console.log -//mariadb-secure-installation +import { exec } from 'node:child_process' +import util from 'util' -//systemctl start mariadb -//systemctl enable mariadb \ No newline at end of file +const command = util.promisify(exec) + +await command('curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup') +await command('bash mariadb_repo_setup --mariadb-server-version=10.6') + +await command('apt update') +await command('apt install mariadb-server') +await command('mariadb-secure-installation') + +await command('mkdir -p /etc/mysql/ssl') +const hostname = await command('hostname') + +log(chalk.green('Generating CA')) +await command('openssl genrsa 4096 > /etc/mysql/ssl/ca-key.pem') +await command('openssl req -new -x509 -nodes -days 365000 -key /etc/mysql/ssl/ca-key.pem -out /etc/mysql/ssl/ca-cert.pem -subj "/CN=' + hostname + '-mysql-ca"') + +log(chalk.green('Generating Server Certificate')) +await command('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-req.pem -subj "/CN=' + hostname + '-mysql-server"') +await command('openssl rsa -in /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-key.pem'); +await command('openssl x509 -req -in /etc/mysql/ssl/server-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 01 -out /etc/mysql/ssl/server-cert.pem') + +log(chalk.green('Generating Client Certificate')) +await command('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-req.pem -subj "/CN=' + hostname + '-mysql-server"') +await command('openssl rsa -in /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-key.pem') +await command('openssl 
x509 -req -in /etc/mysql/ssl/client-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 01 -out /etc/mysql/ssl/client-cert.pem') + +await command('openssl verify -CAfile /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/server-cert.pem /etc/mysql/ssl/client-cert.pem') + +await command('cat >> /etc/mysql/my.cnf << EOF +[mysqld] +bind-address = 0.0.0.0 + +ssl-ca=/etc/mysql/ssl/ca-cert.pem +ssl-cert=/etc/mysql/ssl/server-cert.pem +ssl-key=/etc/mysql/ssl/server-key.pem + +[client] +ssl-ca=/etc/mysql/ssl/ca-cert.pem +ssl-cert=/etc/mysql/ssl/client-cert.pem +ssl-key=/etc/mysql/ssl/client-key.pem') + +await command('chown -R mysql:mysql /etc/mysql/ssl') +await command('chmod 644 /etc/mysql/ssl/*cert*') +await command('chmod 644 /etc/mysql/ssl/*key*') + +await command('systemctl restart mariadb') +await command('ufw allow mysql') \ No newline at end of file
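Review bot: `chmod 644 /etc/mysql/ssl/*key*` near the end of the hunk leaves the server key, the client key and the CA signing key readable by every local account, which defeats the TLS setup on a host the same hunk binds to `0.0.0.0` and opens with `ufw allow mysql` to any source; the keys should be `chmod 600` (certificates can stay `644`), and the CA key ideally should not remain on the database host once the leaf certificates are issued. Separately, `util.promisify(exec)` resolves to a `{ stdout, stderr }` object, so every `-subj "/CN=' + hostname + …"` embeds `[object Object]`, and even `.stdout` would carry a trailing newline — take `(await command('hostname')).stdout.trim()`. Both leaf certificates are issued with `-set_serial 01` and the client request reuses the `-mysql-server` CN; a CA must not issue two certificates with the same serial, so give the client its own serial and CN. The `cat >> /etc/mysql/my.cnf << EOF` command is written as a single-quoted string that spans several source lines and has no terminating `EOF`, which as shown would not parse as JavaScript; use a template literal and close the heredoc. Finally, `ufw allow mysql` admits 3306 from everywhere — restrict it to the client hosts, e.g. `ufw allow from <app-ip> to any port 3306 proto tcp`.
```javascript
// … unchanged: repo setup, apt install, mkdir -p /etc/mysql/ssl …
const { stdout } = await command('hostname')
const hostname = stdout.trim()
// … unchanged: CA and server certificate generation …
await command('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-req.pem -subj "/CN=' + hostname + '-mysql-client"')
await command('openssl x509 -req -in /etc/mysql/ssl/client-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 02 -out /etc/mysql/ssl/client-cert.pem')
// … unchanged: openssl verify …
await command(`cat >> /etc/mysql/my.cnf << EOF
[mysqld]
bind-address = 0.0.0.0

ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

[client]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
EOF`)
await command('chown -R mysql:mysql /etc/mysql/ssl')
await command('chmod 644 /etc/mysql/ssl/*cert*')
// private keys must not be world-readable
await command('chmod 600 /etc/mysql/ssl/*key*')
// … unchanged: systemctl restart mariadb, firewall rule …
```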