diff --git a/app/Commands/MariadbClientInstallCommand.php b/app/Commands/MariadbClientInstallCommand.php new file mode 100644 index 0000000..1ade1e4 --- /dev/null +++ b/app/Commands/MariadbClientInstallCommand.php @@ -0,0 +1,105 @@ +info('Mariadb Client install...'); + $version = $this->argument('version'); + + exec('apt update 2>&1', $output); + + // @TODO apt add a Warning for no good, in a later version output will be scanned for helpfull infos + $this->line(implode("\n", Install::filterAptMessages($output))); + + if ($version === '10.4') { + + $this->info('Mariadb try install 10.04...'); + + // getting release + $release = Install::getDistributionRelease(); + + if (Install::getDistributionId() === 'Ubuntu' && ($release === '18.04' || $release === '20.04')) { + $this->info('Mariadb install for Ubuntu '.$release.'...'); + + $output = []; + exec('apt install -y software-properties-common 2>&1', $output); + exec('apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8 2>&1', $output); + exec('add-apt-repository -y "deb [arch=amd64,arm64,ppc64el] http://mariadb.mirror.liquidtelecom.com/repo/10.4/ubuntu '.Install::getDistributionCodename().' main" 2>&1', $output); + exec('apt update 2>&1', $output); + } + } + + exec('apt install -y mariadb-client 2>&1', $output); + + // @TODO apt add a Warning for no good, in a later version output will be scanned for helpfull infos + $this->line(implode("\n", Install::filterAptMessages($output))); + + if (Install::isReady('mariadb-client')) { + if (!is_dir('/etc/mysql/ssl')) { + system('mkdir /etc/mysql/ssl'); + } + + // getting + system('rsync -rv --include="ca-cert.pem" --include="client-cert.pem" --include="client-key.pem" --exclude="*" '.$this->argument('remove_user').'@'.$this->argument('remove_host').':/etc/mysql/ssl/ /etc/mysql/ssl/'); + + // checking if certificates are exists from remote server + if (!file_exist('/etc/mysql/ssl/ca-cert.pem') || !file_exist('/etc/mysql/ssl/client-cert.pem') || file_exist('/etc/mysql/ssl/client-key.pem')) { + $this->error('Failed! Certificates not found!'); + exit(); + } + + system('cat >> /etc/mysql/my.cnf << EOF +[client] +ssl-ca=/etc/mysql/ssl/ca-cert.pem +ssl-cert=/etc/mysql/ssl/client-cert.pem +ssl-key=/etc/mysql/ssl/client-key.pem + EOF'); + + system('chown -R mysql:mysql /etc/mysql/ssl'); + system('chmod 644 /etc/mysql/ssl/*cert*'); + system('chmod 644 /etc/mysql/ssl/*key*'); + + } else { + $this->error('Failed! Please check log-file!'); + } + } +} diff --git a/app/Commands/MariadbInstallCommand.php b/app/Commands/MariadbInstallCommand.php index 43a1ada..f5fcd62 100644 --- a/app/Commands/MariadbInstallCommand.php +++ b/app/Commands/MariadbInstallCommand.php @@ -32,7 +32,7 @@ class MariadbInstallCommand extends Command * * @var string */ - protected $signature = 'mariadb:install {version=10.4}'; + protected $signature = 'mariadb:install {version=10.4} {--remote}'; /** * The description of the command. @@ -123,8 +123,62 @@ class MariadbInstallCommand extends Command $this->info('Mariadb installing...Success! \o/'); + if ($this->option('remote') === true) { + $this->removeAccess(); + } + } else { $this->error('Failed! Please check log-file!'); } } + + /** + * + * + */ + private function remoteAccess() + { + $this->info('Mariadb remote...'); + system('mkdir -p /etc/mysql/ssl'); + + $this->info('Generating CA'); + system('openssl genrsa 4096 > /etc/mysql/ssl/ca-key.pem'); + system('openssl req -new -x509 -nodes -days 365000 -key /etc/mysql/ssl/ca-key.pem -out /etc/mysql/ssl/ca-cert.pem -subj "/CN='.$name.'-mysql-ca"'); + + $this->info('Generating Server Certificate'); + system('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-req.pem -subj "/CN='.$name.'-mysql-server"'); + system('openssl rsa -in /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-key.pem'); + system('openssl x509 -req -in /etc/mysql/ssl/server-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 01 -out /etc/mysql/ssl/server-cert.pem'); + + $this->info('Generating Client Certificate'); + system('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-req.pem -subj "/CN='.$name.'-mysql-server"'); + system('openssl rsa -in /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-key.pem'); + system('openssl x509 -req -in /etc/mysql/ssl/client-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 01 -out /etc/mysql/ssl/client-cert.pem'); + + $this->info('Validate Certificates'); + system('openssl verify -CAfile /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/server-cert.pem /etc/mysql/ssl/client-cert.pem'); + + system('cat >> /etc/mysql/my.cnf << EOF +[mysqld] +bind-address = 0.0.0.0 + +ssl-ca=/etc/mysql/ssl/ca-cert.pem +ssl-cert=/etc/mysql/ssl/server-cert.pem +ssl-key=/etc/mysql/ssl/server-key.pem + +[client] +ssl-ca=/etc/mysql/ssl/ca-cert.pem +ssl-cert=/etc/mysql/ssl/client-cert.pem +ssl-key=/etc/mysql/ssl/client-key.pem + EOF'); + + system('chown -R mysql:mysql /etc/mysql/ssl'); + system('chmod 644 /etc/mysql/ssl/*cert*'); + system('chmod 644 /etc/mysql/ssl/*key*'); + + system('service restart mariadb'); + system('ufw allow mysql'); + + $this->info('Mariadb remote...Success! \o/'); + } } diff --git a/resources/fail2ban/jail.d/mysql-auth.conf b/resources/fail2ban/jail.d/mysql-auth.conf new file mode 100644 index 0000000..aca9847 --- /dev/null +++ b/resources/fail2ban/jail.d/mysql-auth.conf @@ -0,0 +1,6 @@ +[mysqld-auth] + +enabled = true +filter = mysqld-auth +port = 3306 +logpath = /var/log/mysql/error.log \ No newline at end of file diff --git a/resources/nginx/templates/layouts/ssl.blade.php b/resources/nginx/templates/layouts/ssl.blade.php index 570c98e..9e38c51 100644 --- a/resources/nginx/templates/layouts/ssl.blade.php +++ b/resources/nginx/templates/layouts/ssl.blade.php @@ -28,7 +28,7 @@ server { ssl_certificate /etc/letsencrypt/live/{{ $domain }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ $domain }}/privkey.pem; - include /etc/nginx/snippets/snippets/ssl-params.conf; + include /etc/nginx/snippets/ssl-params.conf; include /etc/nginx/snippets/secure-headers.conf; add_header Content-Security-Policy "