adding

lets-encrypt.js

@@ -1,5 +1,3 @@
 sudo apt install letsencrypt
 sudo systemctl status certbot.timer
-sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d domain-name.com
+sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d domain-name.com
-
-sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d system-test.die-logistik24.de

mariadb-create.js

@@ -10,6 +10,7 @@ const log = console.log
 
 program
     .option('-u, --user <name>', 'User')
+    .option('--ssl', 'ssl')
 
 program.parse(process.argv)
 
@@ -81,6 +82,11 @@ await connection.query('CREATE DATABASE ' + database.name + ' DEFAULT CHARACTER
 await connection.query("CREATE USER " + database.user + "@'localhost' IDENTIFIED BY '" + database.password + "'")
 await connection.query("CREATE USER " + database.user + "@'%' IDENTIFIED BY '" + database.password + "'")
 await connection.query("GRANT ALL PRIVILEGES ON " + database.name + ".* TO " + database.user + "@localhost")
+
+if (options.ssl) {
+    await connection.query("GRANT ALL PRIVILEGES ON " + database.name + ".* TO " + database.user + " require SSL")
+}
+
 await connection.query("FLUSH PRIVILEGES")
 
 connection.destroy()

mariadb.js

@@ -1,10 +1,54 @@
-//curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
+import chalk from 'chalk'
-//sudo bash mariadb_repo_setup --mariadb-server-version=10.6
 
-//apt update
+const log = console.log
-//apt install mariadb-server
 
-//mariadb-secure-installation
+import { exec } from 'node:child_process'
+import util from 'util'
 
-//systemctl start mariadb
+const command = util.promisify(exec)
-//systemctl enable mariadb
+
+await command('curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup')
+await command('bash mariadb_repo_setup --mariadb-server-version=10.6')
+
+await command('apt update')
+await command('apt install mariadb-server')
+await command('mariadb-secure-installation')
+
+await command('mkdir -p /etc/mysql/ssl')
+const hostname = await command('hostname')
+
+log(chalk.green('Generating CA'))
+await command('openssl genrsa 4096 > /etc/mysql/ssl/ca-key.pem')
+await command('openssl req -new -x509 -nodes -days 365000 -key /etc/mysql/ssl/ca-key.pem -out /etc/mysql/ssl/ca-cert.pem -subj "/CN=' + hostname + '-mysql-ca"')
+
+log(chalk.green('Generating Server Certificate'))
+await command('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-req.pem -subj "/CN=' + hostname + '-mysql-server"')
+await command('openssl rsa -in /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-key.pem');
+await command('openssl x509 -req -in /etc/mysql/ssl/server-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 01 -out /etc/mysql/ssl/server-cert.pem')
+
+log(chalk.green('Generating Client Certificate'))
+await command('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-req.pem -subj "/CN=' + hostname + '-mysql-server"')
+await command('openssl rsa -in /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-key.pem')
+await command('openssl x509 -req -in /etc/mysql/ssl/client-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 01 -out /etc/mysql/ssl/client-cert.pem')
+
+await command('openssl verify -CAfile /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/server-cert.pem /etc/mysql/ssl/client-cert.pem')
+
+await command('cat >> /etc/mysql/my.cnf << EOF
+[mysqld]
+bind-address = 0.0.0.0
+
+ssl-ca=/etc/mysql/ssl/ca-cert.pem
+ssl-cert=/etc/mysql/ssl/server-cert.pem
+ssl-key=/etc/mysql/ssl/server-key.pem
+
+[client]
+ssl-ca=/etc/mysql/ssl/ca-cert.pem
+ssl-cert=/etc/mysql/ssl/client-cert.pem
+ssl-key=/etc/mysql/ssl/client-key.pem')
+
+await command('chown -R mysql:mysql /etc/mysql/ssl')
+await command('chmod 644 /etc/mysql/ssl/*cert*')
+await command('chmod 644 /etc/mysql/ssl/*key*')
+
+await command('systemctl restart mariadb')
+await command('ufw allow mysql')