import { exec, spawn } from 'node:child_process'
import { createHash } from 'node:crypto'
import { appendFile, chmod, mkdir, readFile } from 'node:fs/promises'
import os from 'node:os'
import util from 'util'

import chalk from 'chalk'

const log = console.log
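const command = util.promisify(exec)

// ---------------------------------------------------------------------------
// MariaDB provisioning with TLS (Debian/Ubuntu, run as root).
//
// Installs the vendor APT repository, installs mariadb-server, runs the
// interactive hardening wizard, mints a private CA plus a server and a client
// certificate under /etc/mysql/ssl, points my.cnf at them, restarts the
// service and opens the firewall.  Tunables are read from the environment;
// every default reproduces the value this script used to hard-code.
//
// Fixes over the previous revision:
//   * `hostname` was captured with exec(), whose promise resolves to an
//     { stdout, stderr } object, so every CN was "/CN=[object Object]-...".
//   * apt and mariadb-secure-installation ran under exec() with a piped,
//     never-written stdin, so their prompts blocked forever.
//   * the downloaded repo-setup script was executed without any integrity
//     check and curl did not fail on HTTP errors (-f), so an error page could
//     have been handed to bash.
//   * private keys ended up world-readable (chmod 644) and the CA key was
//     owned by the mysql user.
//   * server and client certificates shared serial 01 and the same CN.
//   * arguments were spliced into shell strings; spawn() with an argv array
//     is used instead so nothing is re-parsed by a shell.
// ---------------------------------------------------------------------------

const SSL_DIR = '/etc/mysql/ssl'
const MY_CNF = '/etc/mysql/my.cnf'
const REPO_SETUP_URL = 'https://downloads.mariadb.com/MariaDB/mariadb_repo_setup'
const REPO_SETUP_FILE = 'mariadb_repo_setup'
// Lifetime of every certificate in days (~1000 years, as before).  There is no
// rotation step in this script, so shorten this if the host outlives the keys.
const CERT_DAYS = 365000
const MARIADB_SERVER_VERSION = process.env.MARIADB_SERVER_VERSION ?? '10.6'
// SHA-256 that MariaDB publishes next to mariadb_repo_setup.  When set, the
// download is verified before it is executed; when unset we only warn, which
// is the (unverified) behaviour this script always had.
const REPO_SETUP_SHA256 = process.env.MARIADB_REPO_SETUP_SHA256
// Address mariadbd listens on.  The default exposes it on every interface.
const BIND_ADDRESS = process.env.MARIADB_BIND_ADDRESS ?? '0.0.0.0'
// Optional source address/CIDR for the ufw rule; unset opens 3306 to everyone.
const ALLOW_FROM = process.env.MARIADB_ALLOW_FROM
// Marker written into my.cnf so a re-run does not append the sections twice.
const CNF_MARKER = '# TLS settings added by the MariaDB provisioning script'

const hostname = os.hostname()

const caKey = `${SSL_DIR}/ca-key.pem`
const caCert = `${SSL_DIR}/ca-cert.pem`

/**
 * Run `cmd` with `args` in the foreground.  No shell is involved, so argument
 * values (hostname, paths, env-supplied addresses) are never re-parsed, and
 * stdio is inherited so interactive programs (mariadb-secure-installation,
 * apt prompts) reach the terminal and long output is not capped by exec()'s
 * maxBuffer.
 * @param {string} cmd  program to execute (resolved via PATH)
 * @param {string[]} [args]  argv, one element per argument
 * @returns {Promise<void>} resolves on exit status 0, rejects otherwise
 */
function run(cmd, args = []) {
  return new Promise((resolve, reject) => {
    const child = spawn(cmd, args, { stdio: 'inherit' })
    child.once('error', reject)
    child.once('close', (code, signal) => {
      if (code === 0) {
        resolve()
      } else {
        const reason = signal ? `killed by ${signal}` : `exit code ${code}`
        reject(new Error(`${[cmd, ...args].join(' ')} failed: ${reason}`))
      }
    })
  })
}

/**
 * Compare the SHA-256 of a downloaded file with the expected digest.
 * Skips (with a loud warning) when no expected digest was configured.
 * @param {string} path  file to hash
 * @param {string | undefined} expectedHex  expected SHA-256, hex encoded
 * @throws {Error} when the digest does not match
 */
async function verifyDownload(path, expectedHex) {
  if (!expectedHex) {
    log(chalk.yellow(
      `MARIADB_REPO_SETUP_SHA256 is not set: executing ${path} without verifying its checksum`,
    ))
    return
  }
  const actual = createHash('sha256').update(await readFile(path)).digest('hex')
  if (actual !== expectedHex.trim().toLowerCase()) {
    throw new Error(`${path}: SHA-256 mismatch (expected ${expectedHex}, got ${actual})`)
  }
}

/**
 * Issue a 4096-bit RSA key and a CA-signed certificate for one role.
 * @param {string} role  file-name stem and CN suffix, e.g. 'server' or 'client'
 * @param {string} serial  certificate serial; must differ per certificate
 *   issued by the same CA (RFC 5280), the old script reused 01 for both
 * @returns {Promise<{ key: string, cert: string }>} paths of the key and cert
 */
async function issueCert(role, serial) {
  const key = `${SSL_DIR}/${role}-key.pem`
  const req = `${SSL_DIR}/${role}-req.pem`
  const cert = `${SSL_DIR}/${role}-cert.pem`
  // NOTE(review): the CN is `<host>-mysql-<role>`, not the host name, so a
  // client running with --ssl-verify-server-cert would not accept it; no SAN
  // is set either.  Kept from the original naming scheme.
  await run('openssl', [
    'req', '-newkey', 'rsa:4096', '-nodes',
    '-keyout', key, '-out', req,
    '-subj', `/CN=${hostname}-mysql-${role}`,
  ])
  // Re-encode the key in place as the original did.  On OpenSSL 1.x this
  // yields the PKCS#1 "RSA PRIVATE KEY" form some older clients expect; on
  // OpenSSL 3 the output stays PKCS#8 unless -traditional is added.
  await run('openssl', ['rsa', '-in', key, '-out', key])
  await run('openssl', [
    'x509', '-req', '-in', req, '-days', String(CERT_DAYS),
    '-CA', caCert, '-CAkey', caKey, '-set_serial', serial, '-out', cert,
  ])
  return { key, cert }
}

try {
  log(chalk.green('Installing MariaDB repository'))
  // -f: fail on HTTP errors instead of saving the error page and executing it.
  await run('curl', ['-fLsS', '-o', REPO_SETUP_FILE, REPO_SETUP_URL])
  await verifyDownload(REPO_SETUP_FILE, REPO_SETUP_SHA256)
  await run('bash', [REPO_SETUP_FILE, `--mariadb-server-version=${MARIADB_SERVER_VERSION}`])

  log(chalk.green('Installing MariaDB server'))
  await run('apt-get', ['update'])
  // -y: the old `apt install` (no -y) waited on a prompt nobody could answer.
  await run('apt-get', ['install', '-y', 'mariadb-server'])
  // Interactive wizard; needs the inherited stdin that run() provides.
  await run('mariadb-secure-installation')

  await mkdir(SSL_DIR, { recursive: true })
  // From here on every file we create (the private keys) is born 0600 instead
  // of umask-default 0644; the final chmod below sets the intended modes.
  process.umask(0o077)

  log(chalk.green('Generating CA'))
  await run('openssl', ['genrsa', '-out', caKey, '4096'])
  await run('openssl', [
    'req', '-new', '-x509', '-nodes', '-days', String(CERT_DAYS),
    '-key', caKey, '-out', caCert,
    '-subj', `/CN=${hostname}-mysql-ca`,
  ])

  log(chalk.green('Generating Server Certificate'))
  const server = await issueCert('server', '01')

  log(chalk.green('Generating Client Certificate'))
  const client = await issueCert('client', '02')

  // Paths are fixed constants, so the shell form is safe here; capture the
  // per-file verdicts for the operator.
  const { stdout: verdict } = await command(
    `openssl verify -CAfile ${caCert} ${server.cert} ${client.cert}`,
  )
  log(verdict.trim())

  log(chalk.green('Updating my.cnf'))
  let existingCnf = ''
  try {
    existingCnf = await readFile(MY_CNF, 'utf8')
  } catch (err) {
    if (err.code !== 'ENOENT') throw err
  }
  if (existingCnf.includes(CNF_MARKER)) {
    log(chalk.yellow(`${MY_CNF} already contains the TLS settings, not appending again`))
  } else {
    await appendFile(MY_CNF, [
      '',
      CNF_MARKER,
      '[mysqld]',
      `bind-address = ${BIND_ADDRESS}`,
      '',
      `ssl-ca=${caCert}`,
      `ssl-cert=${server.cert}`,
      `ssl-key=${server.key}`,
      // Listening on all interfaces with the port open would otherwise still
      // accept plaintext TCP logins; TLS and the unix socket remain allowed.
      'require_secure_transport = ON',
      '',
      '[client]',
      `ssl-ca=${caCert}`,
      `ssl-cert=${client.cert}`,
      `ssl-key=${client.key}`,
      '',
    ].join('\n'))
  }

  // Ownership and modes.  Certificates are public (0644).  The CA key stays
  // root-only: mariadbd never needs it, and a compromised server process must
  // not be able to mint new client certificates.  The server key is
  // root:mysql 0640 so only the daemon can read it.  The client key is
  // root-only; copy it to the connecting user with its own permissions.
  await run('chown', ['-R', 'root:root', SSL_DIR])
  await run('chown', ['root:mysql', server.key])
  await chmod(SSL_DIR, 0o755)
  for (const cert of [caCert, server.cert, client.cert]) await chmod(cert, 0o644)
  for (const key of [caKey, client.key]) await chmod(key, 0o600)
  await chmod(server.key, 0o640)

  await run('systemctl', ['restart', 'mariadb'])

  if (ALLOW_FROM) {
    await run('ufw', ['allow', 'from', ALLOW_FROM, 'to', 'any', 'port', '3306', 'proto', 'tcp'])
  } else {
    log(chalk.yellow('MARIADB_ALLOW_FROM not set: opening 3306 to every source address'))
    await run('ufw', ['allow', 'mysql'])
  }
} catch (err) {
  console.error(chalk.red(err.message))
  process.exit(1)
}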