diff --git a/salt/modules/_modules/mysql.py b/salt/modules/_modules/mysql.py index 678b63b..9205eaa 100644 --- a/salt/modules/_modules/mysql.py +++ b/salt/modules/_modules/mysql.py @@ -56,8 +56,7 @@ def check_credentials(username, password, host="127.0.0.1", port="3306"): salt '*' mysql.check_credentials root secret """ - cmd = f"mysql --host={host} --port={port} --user={username} --password={password} --execute=;" - return _execute(cmd)["result"] + return execute(username, password, ";" , host=host, port=port)["result"] def set_root_password(password): 
@@ -70,6 +69,65 @@ def set_root_password(password): salt '*' mysql.set_root_password secret """ + ret= {} cmd = f"mysqladmin password {password}" - return _execute(cmd) + LOG.debug(f"Executing: {cmd}") + process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = process.communicate() + if stdout: + ret["out"] = stdout + if stderr: + ret["err"] = stderr + LOG.debug(f"Exit code: { process.returncode }") + if process.returncode == 0: + ret["result"] = True + else: + ret["result"] = False + return ret + + + +def execute(user, password, sql, host='127.0.0.1', port='3306'): + """ + Execute an SQL statement + + :param str user: The user to connect with + + :param str password: The user password + + :param str host: the mysql server address + + :param str sql: The SQL statement to be executed + + :param str port: the mysql server port + + CLI Example + + salt '*' mysql.execute root secret "SHOW DATABASES;" + """ + + ret = {} + cmd = [ "mysql", + "--skip-column-names", + "--silent", + f"--user={user}", + f"--password={password}", + f"--host={host}", + f"--port={port}", + f"--execute={sql}" + ] + + LOG.debug(f"Executing: {' '.join(cmd)}") + process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = process.communicate() + if stdout: + ret["out"] = stdout + if stderr: + ret["err"] = stderr + LOG.debug(f"Exit code: { process.returncode }") + if process.returncode == 0: + ret["result"] = True + else: + ret["result"] = False + return ret diff --git a/salt/modules/_states/mysql.py b/salt/modules/_states/mysql.py index 848e43f..5d63df8 100644 --- a/salt/modules/_states/mysql.py +++ b/salt/modules/_states/mysql.py 
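Review bot: Both new runners log the secret they receive: `LOG.debug(f"Executing: {cmd}")` in set_root_password writes the new root password into the minion log, and `LOG.debug(f"Executing: {' '.join(cmd)}")` in execute writes the `--password=` argument, so enabling debug logging alone discloses database credentials. The password is also visible in the process argument list for as long as the client runs, as it was on the old `_execute` path; `--defaults-extra-file` avoids that, and `cmd.split()` in set_root_password additionally breaks on passwords containing whitespace, so the argv should be built as a list. Both functions repeat the Popen/return-dict logic and return `stdout`/`stderr` as bytes, which the state module later copies straight into `ret["comment"]`; the helper below redacts the logged command, decodes output (`text=True`, a change callers reading `out`/`err` should expect), and replaces the two copies. set_root_password's signature and docstring lie outside the hunk.
```python
def _run(cmd, log_cmd):
    """Run *cmd* (an argv list) and return {"result", "out", "err"}.

    *log_cmd* is the redacted rendering used for logging; the real
    secret must never appear in it.
    """
    LOG.debug("Executing: %s", log_cmd)
    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    stdout, stderr = process.communicate()
    ret = {"result": process.returncode == 0}
    if stdout:
        ret["out"] = stdout
    if stderr:
        ret["err"] = stderr
    LOG.debug("Exit code: %s", process.returncode)
    return ret


def set_root_password(password):
    # … unchanged: docstring …
    return _run(["mysqladmin", "password", password], "mysqladmin password ***")


def execute(user, password, sql, host='127.0.0.1', port='3306'):
    # … unchanged: docstring …
    cmd = [
        "mysql",
        "--skip-column-names",
        "--silent",
        f"--user={user}",
        f"--password={password}",
        f"--host={host}",
        f"--port={port}",
        f"--execute={sql}",
    ]
    # Log with the credential masked; the real argv goes only to Popen.
    return _run(cmd, " ".join("--password=***" if a.startswith("--password=") else a for a in cmd))
```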
@@ -27,3 +27,45 @@ def root_password(name, password):
 ret["changes"].update({"root password": {"old": "######", "new": "******"}})
 ret["result"]=True
 return ret
+
+
+def user(name, host, password):
+ """
+ Set the mysql/mariadb root password
+
+ password
+ the password to user for root
+ """
+ ret = {
+ "name": name,
+ "changes": {},
+ "result": False,
+ "comment": ""
+ }
+
+ #check if user@host exists
+ result = __salt__["mysql.execute"]("root", __pillar__['mysql']['root_password'],f'SELECT User, Host FROM mysql.user WHERE User="{name}" AND Host="{host}";')
+ if not result["result"]:
+ ret["comment"] = result["err"]
+ return ret
+ if "out" in result:
+ #User exists check password
+ if __salt__["mysql.check_credentials"](name, password):
+ ret["comment"]=f"{name}@{host} is in correct state"
+ ret["result"] = True
+ return ret
+ result = __salt__["mysql.execute"]("root", __pillar__['mysql']['root_password'],f'ALTER USER "{name}"@"{host}" IDENTIFIED BY "{password}";')
+ if not result["result"]:
+ ret["comment"] = result["err"]
+ return ret
+ ret["changes"].update({"Password Updated": f"{name}@{host}"})
+ ret["result"]=True
+ return ret
+ #Create user
+ result = __salt__["mysql.execute"]("root", __pillar__['mysql']['root_password'],f'CREATE USER "{name}"@"{host}" IDENTIFIED BY "{password}";')
+ if not result["result"]:
+ ret["comment"] = result["err"]
+ return ret
+ ret["changes"].update({"Created user": f"{name}@{host}"})
+ ret["result"]=True
+ return ret
diff --git a/salt/pillars/mariadb.sls b/salt/pillars/mysql.sls
similarity index 71%
rename from salt/pillars/mariadb.sls
rename to salt/pillars/mysql.sls
index f92aa4a..3fd348a 100644
--- a/salt/pillars/mariadb.sls
+++ b/salt/pillars/mysql.sls
@@ -1,2 +1,2 @@
-mariadb:
+mysql:
 root_password: linux
diff --git a/salt/pillars/rmt.sls b/salt/pillars/rmt.sls
new file mode 100644
index 0000000..00ef999
--- /dev/null
+++ b/salt/pillars/rmt.sls
@@ -0,0 +1,2 @@
+rmt:
+ ca_passphrase: linux
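Review bot: The three SQL statements in user() are built by interpolating the state's `name`, `host` and `password` arguments straight into the statement text, so a value containing a double quote, a backslash or a semicolon changes the statement rather than being treated as data — an injection path as well as a breakage for ordinary passwords using those characters. The mysql CLI offers no parameter binding, so either validate `name` and `host` against a strict identifier pattern and reject passwords containing `"` or `\` before calling `mysql.execute`, or move the module onto a Python driver with parameter binding as the stock Salt mysql module does. `ret["comment"] = result["err"]` raises KeyError when the command fails without writing to stderr, since execute only sets that key when stderr is non-empty; use `result.get("err", "")`. The docstring is copied from root_password and describes the wrong state; it should read `Ensure the MySQL/MariaDB account name@host exists with the given password` and document the `host` and `password` parameters. Any failure of `mysql.check_credentials` — a connection problem as much as a wrong password — also triggers `ALTER USER` and reports a change, so the state is not idempotent under transient errors.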
diff --git a/salt/pillars/top.sls b/salt/pillars/top.sls
index 1b4869a..473a944 100644
--- a/salt/pillars/top.sls
+++ b/salt/pillars/top.sls
@@ -2,7 +2,8 @@ base:
 '*':
 - network
 - chrony
- - mariadb
+ - mysql
+ - rmt
 {% if salt['pillar.file_exists']('local.sls') %}
 - local
 {% endif %}
diff --git a/salt/states/mariadb/init.sls b/salt/states/mariadb/init.sls
index 02b4ac8..fff3093 100644
--- a/salt/states/mariadb/init.sls
+++ b/salt/states/mariadb/init.sls
@@ -10,4 +10,4 @@ Start mariadb:
 Check Root password:
 mysql.root_password:
 - name: root
- - password: {{ pillar['mariadb']['root_password'] }}
+ - password: {{ pillar['mysql']['root_password'] }}
diff --git a/salt/states/rmt/certs.sls b/salt/states/rmt/certs.sls
new file mode 100644
index 0000000..fbfe3b0
--- /dev/null
+++ b/salt/states/rmt/certs.sls
@@ -0,0 +1,87 @@
+Create the ca cnf file:
+ file.managed:
+ - name: /etc/rmt/ssl/rmt-ca.cnf
+ - source: salt://rmt/files/rmt-ca.cnf
+ - user: root
+ - group: root
+ - mode: "0600"
+
+
+Create rmt CA key:
+ x509.private_key_managed:
+ - name: /etc/rmt/ssl/rmt-ca.key
+ - passphrase: {{ pillar['rmt']['ca_passphrase'] }}
+ - bits: 2048
+ - owner: root
+ - group: root
+ - mode: "0600"
+
+Create rmt CA certificate:
+ cmd.run:
+ - name: openssl req -config rmt-ca.cnf -key rmt-ca.key -new -x509 -days 3650 -sha256 -out rmt-ca.crt -passin pass:{{ pillar['rmt']['ca_passphrase'] }}
+ - cwd: /etc/rmt/ssl
+ - onchanges:
+ - file: Create the ca cnf file
+
+Set permission on CA Certificate:
+ file.managed:
+ - name: /etc/rmt/ssl/rmt-ca.crt
+ - replace: False
+ - user: root
+ - group: nginx
+ - mode: "0640"
+
+Create rmt-server key:
+ x509.private_key_managed:
+ - name: /etc/rmt/ssl/rmt-server.key
+ - bits: 2048
+ - owner: root
+ - group: root
+ - mode: "0600"
+
+Create the server cnf file:
+ file.managed:
+ - name: /etc/rmt/ssl/rmt-server.cnf
+ - source: salt://rmt/files/rmt-server.cnf.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: "0600"
+
+Create the rmt-server signing request:
+ cmd.run:
+ - name: openssl req -new -key rmt-server.key -config rmt-server.cnf -out rmt-server.csr
+ - cwd: /etc/rmt/ssl
+ - onchanges:
+ - file: Create the server cnf file
+
+Set permission on rmt-server singing request:
+ file.managed:
+ - name: /etc/rmt/ssl/rmt-server.csr
+ - replace: False
+ - user: root
+ - group: root
+ - mode: "0600"
+
+Create the rmt-server certificate:
+ cmd.run:
+ - name: openssl x509 -req -in rmt-server.csr -CA rmt-ca.crt -CAkey rmt-ca.key -CAcreateserial -out rmt-server.crt -days 3650 -sha256 -passin pass:{{ pillar['rmt']['ca_passphrase'] }}
+ - cwd: /etc/rmt/ssl
+ - onchanges:
+ - cmd: Create the rmt-server signing request
+
+Set permission on rmt-server certificate:
+ file.managed:
+ - name: /etc/rmt/ssl/rmt-server.crt
+ - replace: False
+ - user: root
+ - group: root
+ - mode: "0600"
+
+Set permission on rmt CA serial:
+ file.managed:
+ - name: /etc/rmt/ssl/rmt-ca.srl
+ - replace: False
+ - user: root
+ - group: root
+ - mode: "0600"
diff --git a/salt/states/rmt/files/rmt-ca.cnf b/salt/states/rmt/files/rmt-ca.cnf
new file mode 100644
index 0000000..b3ff743
--- /dev/null
+++ b/salt/states/rmt/files/rmt-ca.cnf
@@ -0,0 +1,41 @@
+[ca]
+default_ca = CA_default
+
+[CA_default]
+default_bits = 2048
+x509_extensions = v3_ca
+default_days = 3650
+default_md = default
+policy = policy_optional
+copy_extensions = copy
+unique_subject = no
+
+[policy_optional]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+###############################################
+
+[req]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+string_mask = utf8only
+prompt = no
+
+[v3_ca]
+basicConstraints = critical, CA:true
+nsComment = "RMT Generated CA Certificate"
+nsCertType = sslCA
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+
+###############################################
+[ req_distinguished_name ]
+CN = RMT Certificate Authority
diff --git a/salt/states/rmt/files/rmt-server.cnf.jinja b/salt/states/rmt/files/rmt-server.cnf.jinja
new file mode 100644
index 0000000..2b17cc2
--- /dev/null
+++ b/salt/states/rmt/files/rmt-server.cnf.jinja
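Review bot: `Create the rmt-server certificate` signs with `openssl x509 -req` but passes no `-extfile`/`-extensions`, and `openssl x509 -req` does not carry extensions over from the CSR (OpenSSL 3.2 added an opt-in `-copy_extensions` for that), so the issued server certificate has no subjectAltName, keyUsage or extendedKeyUsage, the `v3_server_sign`/`v3_req` sections of rmt-server.cnf.jinja are never applied, and most current TLS clients will fail hostname verification because they ignore the CN. Add `-extfile rmt-server.cnf -extensions v3_server_sign` to that command. Both `cmd.run` names also embed `pass:{{ pillar['rmt']['ca_passphrase'] }}`, which puts the CA passphrase into the process argument list and into the state's recorded `name` in job returns and logs; pass it through the environment instead, with `- env: - CA_PASS: {{ pillar['rmt']['ca_passphrase'] }}` on each state and `-passin env:CA_PASS` in the command. The CA certificate is only regenerated `onchanges` of its cnf file, so a regenerated `rmt-ca.key` would leave a certificate bound to a stale key; adding the key state to `onchanges`, or using `x509.certificate_managed` which tracks the key, closes that gap.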
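Review bot: The `[ca]`, `[CA_default]` and `[policy_optional]` sections are read only by `openssl ca`, which certs.sls never invokes — the CA certificate is self-signed with `openssl req -x509` and the server certificate issued with `openssl x509 -req` — so `copy_extensions = copy`, `policy`, `default_days` and `unique_subject` have no effect here and invite the false assumption that CSR extensions are being copied. Either drop those sections or switch the signing step to `openssl ca` so they apply. A header comment such as `# Only [req], [v3_ca] and [req_distinguished_name] are used; signing is done with openssl x509 -req in rmt/certs.sls` would make the live configuration clear. `nsComment` and `nsCertType` are legacy Netscape extensions that current verifiers generally ignore; harmless, but removable.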
@@ -0,0 +1,33 @@
+[req]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+x509_extensions = v3_server_sign
+string_mask = utf8only
+prompt = no
+req_extensions = v3_req
+
+[v3_server_sign]
+basicConstraints = CA:false
+nsComment = "RMT Generated Server Certificate"
+nsCertType = server
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth, clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+subjectAltName = @alt_names
+
+[v3_req]
+basicConstraints = CA:false
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectAltName = @alt_names
+
+[req_distinguished_name]
+CN = localhost
+
+[alt_names]
+DNS.0 = localhost
+DNS.1 = rmt.{{ pillar['network']['domain'] }}
+IP.0 = {{ pillar['network']['ip'] }}
+{% for vlan in pillar['network']['vlan'] -%}
+IP.{{ loop.index }} = {{ vlan['address'] }}
+{% endfor -%}
diff --git a/salt/states/rmt/init.sls b/salt/states/rmt/init.sls
new file mode 100644
index 0000000..a2a7062
--- /dev/null
+++ b/salt/states/rmt/init.sls
@@ -0,0 +1,12 @@
+Install rmt:
+ pkg.installed:
+ - name: rmt-server
+
+include:
+ - rmt.certs
+
+Create rmt MariaDB user:
+ mysql.user:
+ - name: rmt
+ - host: localhost
+ - password: {{ pillar['rmt']['mysql_password'] }}
diff --git a/salt/states/top.sls b/salt/states/top.sls
index f2d831c..0401ada 100644
--- a/salt/states/top.sls
+++ b/salt/states/top.sls
@@ -7,3 +7,4 @@ base:
 - dnsmasq
 - nginx
 - mariadb
+ - rmt
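Review bot: `extendedKeyUsage = serverAuth, clientAuth` grants the server certificate a client-authentication purpose that nothing in this change uses; trim it to `extendedKeyUsage = serverAuth` unless RMT presents this certificate as a TLS client to another service, in which case a comment should say so. `{% for vlan in pillar['network']['vlan'] -%}` makes rendering fail with an undefined-variable error on a minion whose network pillar has no `vlan` key; `{% for vlan in salt['pillar.get']('network:vlan', []) -%}` degrades to no extra IP entries instead. A one-line comment above `[alt_names]` noting that `IP.0` is the primary address and the loop fills `IP.1`… from the VLAN list would help the next reader see that the indices cannot collide.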
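Review bot: `Create rmt MariaDB user` reads `pillar['rmt']['mysql_password']`, but the new `salt/pillars/rmt.sls` in this commit defines only `rmt:ca_passphrase`, so rendering this state fails with an undefined pillar key unless a local override supplies it; add `mysql_password` next to `ca_passphrase` in rmt.sls or document that local.sls must provide it. The `mysql.user` state has no requisite on the MariaDB service and relies on top-file ordering to run after `mariadb`; `- require: - sls: mariadb` makes that dependency explicit. The default secret values committed in the pillar files (`linux`) are presumably placeholders for the local override; a comment at the top of rmt.sls saying so would keep them from being mistaken for production values.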