.

salt/modules/_modules/mysql.py

@@ -56,8 +56,7 @@ def check_credentials(username, password, host="127.0.0.1", port="3306"):
 
         salt '*' mysql.check_credentials root secret
     """
-    cmd = f"mysql --host={host} --port={port} --user={username} --password={password} --execute=;"
-    return _execute(cmd)["result"]
+    return execute(username, password, ";" , host=host, port=port)["result"]
 
 
 def set_root_password(password):
@@ -70,6 +69,65 @@ def set_root_password(password):
     
         salt '*' mysql.set_root_password secret
     """
+    ret= {}
     cmd = f"mysqladmin password {password}"
-    return _execute(cmd)
+    LOG.debug(f"Executing: {cmd}")
+    process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    stdout, stderr = process.communicate()
+    if stdout:
+        ret["out"] = stdout
+    if stderr:
+        ret["err"] = stderr
+    LOG.debug(f"Exit code: { process.returncode }")
+    if process.returncode == 0:
+        ret["result"] = True
+    else:
+        ret["result"] = False
+    return ret
+
+
+
+def execute(user, password, sql, host='127.0.0.1', port='3306'):
+    """
+    Execute an SQL statement
+    
+    :param str user: The user to connect with
+
+    :param str password: The user password
+
+    :param str host: the mysql server address 
+    
+    :param str sql: The SQL statement to be executed
+
+    :param str port: the mysql server port
+
+    CLI Example
+
+      salt '*' mysql.execute root secret "SHOW DATABASES;"
+    """
+
+    ret = {}
+    cmd = [ "mysql",
+            "--skip-column-names",
+            "--silent",
+            f"--user={user}",
+            f"--password={password}",
+            f"--host={host}",
+            f"--port={port}",
+            f"--execute={sql}"
+         ]
+            
+    LOG.debug(f"Executing: {' '.join(cmd)}")
+    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    stdout, stderr = process.communicate()
+    if stdout:
+        ret["out"] = stdout
+    if stderr:
+        ret["err"] = stderr
+    LOG.debug(f"Exit code: { process.returncode }")
+    if process.returncode == 0:
+        ret["result"] = True
+    else:
+        ret["result"] = False
+    return ret
 

salt/modules/_states/mysql.py

@@ -27,3 +27,45 @@ def root_password(name, password):
     ret["changes"].update({"root password": {"old": "######", "new": "******"}})
     ret["result"]=True
     return ret
+
+
+def user(name, host, password):
+    """
+    Set the mysql/mariadb root password
+
+        password
+        the password to user for root
+    """
+    ret = {
+            "name": name,
+            "changes": {},
+            "result": False,
+            "comment": ""
+        }
+
+    #check if user@host exists
+    result = __salt__["mysql.execute"]("root", __pillar__['mysql']['root_password'],f'SELECT User, Host FROM mysql.user WHERE User="{name}" AND Host="{host}";')
+    if not result["result"]:
+        ret["comment"] = result["err"]
+        return ret
+    if "out" in result:
+        #User exists check password
+        if __salt__["mysql.check_credentials"](name, password):
+            ret["comment"]=f"{name}@{host} is in correct state"
+            ret["result"] = True
+            return ret
+        result = __salt__["mysql.execute"]("root", __pillar__['mysql']['root_password'],f'ALTER USER "{name}"@"{host}" IDENTIFIED BY "{password}";')
+        if not result["result"]:
+            ret["comment"] = result["err"]
+            return ret
+        ret["changes"].update({"Password Updated": f"{name}@{host}"})
+        ret["result"]=True
+        return ret
+    #Create user
+    result = __salt__["mysql.execute"]("root", __pillar__['mysql']['root_password'],f'CREATE USER "{name}"@"{host}" IDENTIFIED BY "{password}";')
+    if not result["result"]:
+        ret["comment"] = result["err"]
+        return ret
+    ret["changes"].update({"Created user": f"{name}@{host}"})
+    ret["result"]=True
+    return ret

salt/pillars/mysql.sls

@@ -1,2 +1,2 @@
-mariadb:
+mysql:
   root_password: linux

salt/pillars/rmt.sls

@@ -0,0 +1,2 @@
+rmt:
+  ca_passphrase: linux

salt/pillars/top.sls

@@ -2,7 +2,8 @@ base:
   '*':
     - network
     - chrony
-    - mariadb
+    - mysql
+    - rmt
 {% if salt['pillar.file_exists']('local.sls') %}
     - local
 {% endif %}

salt/states/mariadb/init.sls

@@ -10,4 +10,4 @@ Start mariadb:
 Check Root password:
   mysql.root_password:
     - name: root
-    - password: {{ pillar['mariadb']['root_password'] }}
+    - password: {{ pillar['mysql']['root_password'] }}

salt/states/rmt/certs.sls

@@ -0,0 +1,87 @@
+Create the ca cnf file:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-ca.cnf
+    - source: salt://rmt/files/rmt-ca.cnf
+    - user: root
+    - group: root
+    - mode: "0600"
+
+
+Create rmt CA key:
+  x509.private_key_managed:
+    - name: /etc/rmt/ssl/rmt-ca.key
+    - passphrase: {{ pillar['rmt']['ca_passphrase'] }}
+    - bits: 2048
+    - owner: root
+    - group: root
+    - mode: "0600"
+
+Create rmt CA certificate:
+  cmd.run:
+    - name: openssl req -config rmt-ca.cnf -key rmt-ca.key -new -x509 -days 3650 -sha256 -out rmt-ca.crt -passin pass:{{ pillar['rmt']['ca_passphrase'] }}
+    - cwd: /etc/rmt/ssl
+    - onchanges:
+      - file: Create the ca cnf file
+
+Set permission on CA Certificate:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-ca.crt
+    - replace: False
+    - user: root
+    - group: nginx
+    - mode: "0640"
+  
+Create rmt-server key:
+  x509.private_key_managed:
+    - name: /etc/rmt/ssl/rmt-server.key
+    - bits: 2048
+    - owner: root
+    - group: root
+    - mode: "0600"
+
+Create the server cnf file:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-server.cnf
+    - source: salt://rmt/files/rmt-server.cnf.jinja
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: "0600"
+
+Create the rmt-server signing request:
+  cmd.run:
+    - name: openssl req -new -key rmt-server.key -config rmt-server.cnf -out rmt-server.csr
+    - cwd: /etc/rmt/ssl
+    - onchanges:
+      - file: Create the server cnf file
+
+Set permission on rmt-server singing request:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-server.csr
+    - replace: False
+    - user: root
+    - group: root
+    - mode: "0600"
+
+Create the rmt-server certificate:
+  cmd.run:
+    - name: openssl x509 -req -in rmt-server.csr -CA rmt-ca.crt -CAkey rmt-ca.key -CAcreateserial -out rmt-server.crt -days 3650 -sha256 -passin pass:{{ pillar['rmt']['ca_passphrase'] }}
+    - cwd: /etc/rmt/ssl
+    - onchanges:
+      - cmd: Create the rmt-server signing request
+
+Set permission on rmt-server certificate:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-server.crt
+    - replace: False
+    - user: root
+    - group: root
+    - mode: "0600"
+
+Set permission on rmt CA serial:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-ca.srl
+    - replace: False
+    - user: root
+    - group: root
+    - mode: "0600"

salt/states/rmt/files/rmt-ca.cnf

@@ -0,0 +1,41 @@
+[ca]
+default_ca                     = CA_default
+
+[CA_default]
+default_bits                   = 2048
+x509_extensions                = v3_ca
+default_days                   = 3650
+default_md                     = default
+policy                         = policy_optional
+copy_extensions                = copy
+unique_subject                 = no
+
+[policy_optional]
+countryName                    = optional
+stateOrProvinceName            = optional
+localityName                   = optional
+organizationName               = optional
+organizationalUnitName         = optional
+commonName                     = optional
+emailAddress                   = optional
+
+###############################################
+
+[req]
+default_bits                   = 2048
+distinguished_name             = req_distinguished_name
+x509_extensions                = v3_ca
+string_mask                    = utf8only
+prompt                         = no
+
+[v3_ca]
+basicConstraints               = critical, CA:true
+nsComment                      = "RMT Generated CA Certificate"
+nsCertType                     = sslCA
+keyUsage                       = cRLSign, keyCertSign
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid:always,issuer
+
+###############################################
+[ req_distinguished_name ]
+CN                             = RMT Certificate Authority

salt/states/rmt/files/rmt-server.cnf.jinja

@@ -0,0 +1,33 @@
+[req]
+default_bits                   = 2048
+distinguished_name             = req_distinguished_name
+x509_extensions                = v3_server_sign
+string_mask                    = utf8only
+prompt                         = no
+req_extensions                 = v3_req
+
+[v3_server_sign]
+basicConstraints               = CA:false
+nsComment                      = "RMT Generated Server Certificate"
+nsCertType                     = server
+keyUsage                       = digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage               = serverAuth, clientAuth
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid,issuer:always
+subjectAltName                 = @alt_names
+
+[v3_req]
+basicConstraints               = CA:false
+keyUsage                       = digitalSignature, keyEncipherment, keyAgreement
+subjectAltName                 = @alt_names
+
+[req_distinguished_name]
+CN                             = localhost
+
+[alt_names]
+DNS.0                          = localhost
+DNS.1                          = rmt.{{ pillar['network']['domain'] }}
+IP.0                           = {{ pillar['network']['ip'] }}
+{% for vlan in pillar['network']['vlan'] -%}
+IP.{{ loop.index }}                           = {{ vlan['address'] }}
+{% endfor -%}

salt/states/rmt/init.sls

@@ -0,0 +1,12 @@
+Install rmt:
+  pkg.installed:
+    - name: rmt-server
+
+include: 
+  - rmt.certs
+
+Create rmt MariaDB user:
+  mysql.user:
+    - name: rmt
+    - host: localhost
+    - password: {{ pillar['rmt']['mysql_password'] }}

salt/states/top.sls

@@ -7,3 +7,4 @@ base:
     - dnsmasq
     - nginx
     - mariadb
+    - rmt