From df7645c21e22ce63c791e7853eb6410893efbb51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn?=
Date: Mon, 14 Sep 2020 19:45:14 +0200
Subject: [PATCH] adding #34
---
 app/Commands/MariadbClientInstallCommand.php | 105 ++++++++++++++++++
 app/Commands/MariadbInstallCommand.php | 56 +++++++++-
 resources/fail2ban/jail.d/mysql-auth.conf | 6 +
 .../nginx/templates/layouts/ssl.blade.php | 2 +-
 4 files changed, 167 insertions(+), 2 deletions(-)
 create mode 100644 app/Commands/MariadbClientInstallCommand.php
 create mode 100644 resources/fail2ban/jail.d/mysql-auth.conf
diff --git a/app/Commands/MariadbClientInstallCommand.php b/app/Commands/MariadbClientInstallCommand.php
new file mode 100644
index 0000000..1ade1e4
--- /dev/null
+++ b/app/Commands/MariadbClientInstallCommand.php
@@ -0,0 +1,105 @@ +info('Mariadb Client install...'); + $version = $this->argument('version'); + + exec('apt update 2>&1', $output); + + // @TODO apt add a Warning for no good, in a later version output will be scanned for helpfull infos + $this->line(implode("\n", Install::filterAptMessages($output))); + + if ($version === '10.4') { + + $this->info('Mariadb try install 10.04...'); + + // getting release + $release = Install::getDistributionRelease(); + + if (Install::getDistributionId() === 'Ubuntu' && ($release === '18.04' || $release === '20.04')) { + $this->info('Mariadb install for Ubuntu '.$release.'...'); + + $output = []; + exec('apt install -y software-properties-common 2>&1', $output); + exec('apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8 2>&1', $output); + exec('add-apt-repository -y "deb [arch=amd64,arm64,ppc64el] http://mariadb.mirror.liquidtelecom.com/repo/10.4/ubuntu '.Install::getDistributionCodename().' main" 2>&1', $output); + exec('apt update 2>&1', $output); + } + } + + exec('apt install -y mariadb-client 2>&1', $output); + + // @TODO apt add a Warning for no good, in a later version output will be scanned for helpfull infos + $this->line(implode("\n", Install::filterAptMessages($output))); + + if (Install::isReady('mariadb-client')) { + if (!is_dir('/etc/mysql/ssl')) { + system('mkdir /etc/mysql/ssl'); + } + + // getting + system('rsync -rv --include="ca-cert.pem" --include="client-cert.pem" --include="client-key.pem" --exclude="*" '.$this->argument('remove_user').'@'.$this->argument('remove_host').':/etc/mysql/ssl/ /etc/mysql/ssl/'); + + // checking if certificates are exists from remote server + if (!file_exist('/etc/mysql/ssl/ca-cert.pem') || !file_exist('/etc/mysql/ssl/client-cert.pem') || file_exist('/etc/mysql/ssl/client-key.pem')) { + $this->error('Failed! 
Certificates not found!'); + exit(); + } + + system('cat >> /etc/mysql/my.cnf << EOF +[client] +ssl-ca=/etc/mysql/ssl/ca-cert.pem +ssl-cert=/etc/mysql/ssl/client-cert.pem +ssl-key=/etc/mysql/ssl/client-key.pem + EOF'); + + system('chown -R mysql:mysql /etc/mysql/ssl'); + system('chmod 644 /etc/mysql/ssl/*cert*'); + system('chmod 644 /etc/mysql/ssl/*key*'); + + } else { + $this->error('Failed! Please check log-file!'); + } + } +} diff --git a/app/Commands/MariadbInstallCommand.php b/app/Commands/MariadbInstallCommand.php index 43a1ada..f5fcd62 100644 --- a/app/Commands/MariadbInstallCommand.php +++ b/app/Commands/MariadbInstallCommand.php @@ -32,7 +32,7 @@ class MariadbInstallCommand extends Command * * @var string */ - protected $signature = 'mariadb:install {version=10.4}'; + protected $signature = 'mariadb:install {version=10.4} {--remote}'; /** * The description of the command. 
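Review bot: The certificate check after the rsync calls `file_exist()`, which is not a PHP function, so the command dies with an undefined-function error before it ever reaches the `my.cnf` write, and the third operand is also missing its `!`, so even with the name fixed the failure branch would fire when the client key is present — the line should read `if (!file_exists('/etc/mysql/ssl/ca-cert.pem') || !file_exists('/etc/mysql/ssl/client-cert.pem') || !file_exists('/etc/mysql/ssl/client-key.pem')) {`. The rsync command interpolates `$this->argument('remove_user')` and `$this->argument('remove_host')` straight into a shell string; wrap each in `escapeshellarg()` (the argument names also look like typos for `remote_user`/`remote_host`, though the command signature is outside this hunk). `chmod 644 /etc/mysql/ssl/*key*` leaves the client private key world-readable; `chmod 600` (or `640` with group `mysql`) is the expected mode for a key file. The closing heredoc delimiter ` EOF` is indented, so with a plain `<<` the shell never sees a terminator and the stray ` EOF` line is likely appended to `my.cnf` as an unknown option — put `EOF` at column 0 or use `<<-`. The enclosing `handle()` method begins outside the visible part of this hunk.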
@@ -123,8 +123,62 @@ class MariadbInstallCommand extends Command $this->info('Mariadb installing...Success! \o/'); + if ($this->option('remote') === true) { + $this->removeAccess(); + } + } else { $this->error('Failed! Please check log-file!'); } } + + /** + * + * + */ + private function remoteAccess() + { + $this->info('Mariadb remote...'); + system('mkdir -p /etc/mysql/ssl'); + + $this->info('Generating CA'); + system('openssl genrsa 4096 > /etc/mysql/ssl/ca-key.pem'); + system('openssl req -new -x509 -nodes -days 365000 -key /etc/mysql/ssl/ca-key.pem -out /etc/mysql/ssl/ca-cert.pem -subj "/CN='.$name.'-mysql-ca"'); + + $this->info('Generating Server Certificate'); + system('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-req.pem -subj "/CN='.$name.'-mysql-server"'); + system('openssl rsa -in /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-key.pem'); + system('openssl x509 -req -in /etc/mysql/ssl/server-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 01 -out /etc/mysql/ssl/server-cert.pem'); + + $this->info('Generating Client Certificate'); + system('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-req.pem -subj "/CN='.$name.'-mysql-server"'); + system('openssl rsa -in /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-key.pem'); + system('openssl x509 -req -in /etc/mysql/ssl/client-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 01 -out /etc/mysql/ssl/client-cert.pem'); + + $this->info('Validate Certificates'); + system('openssl verify -CAfile /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/server-cert.pem /etc/mysql/ssl/client-cert.pem'); + + system('cat >> /etc/mysql/my.cnf << EOF +[mysqld] +bind-address = 0.0.0.0 + +ssl-ca=/etc/mysql/ssl/ca-cert.pem +ssl-cert=/etc/mysql/ssl/server-cert.pem 
+ssl-key=/etc/mysql/ssl/server-key.pem + +[client] +ssl-ca=/etc/mysql/ssl/ca-cert.pem +ssl-cert=/etc/mysql/ssl/client-cert.pem +ssl-key=/etc/mysql/ssl/client-key.pem + EOF'); + + system('chown -R mysql:mysql /etc/mysql/ssl'); + system('chmod 644 /etc/mysql/ssl/*cert*'); + system('chmod 644 /etc/mysql/ssl/*key*'); + + system('service restart mariadb'); + system('ufw allow mysql'); + + $this->info('Mariadb remote...Success! \o/'); + } } diff --git a/resources/fail2ban/jail.d/mysql-auth.conf b/resources/fail2ban/jail.d/mysql-auth.conf new file mode 100644 index 0000000..aca9847 --- /dev/null +++ b/resources/fail2ban/jail.d/mysql-auth.conf @@ -0,0 +1,6 @@ +[mysqld-auth] + +enabled = true +filter = mysqld-auth +port = 3306 +logpath = /var/log/mysql/error.log \ No newline at end of file diff --git a/resources/nginx/templates/layouts/ssl.blade.php b/resources/nginx/templates/layouts/ssl.blade.php index 570c98e..9e38c51 100644 --- a/resources/nginx/templates/layouts/ssl.blade.php +++ b/resources/nginx/templates/layouts/ssl.blade.php @@ -28,7 +28,7 @@ server { ssl_certificate /etc/letsencrypt/live/{{ $domain }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ $domain }}/privkey.pem; - include /etc/nginx/snippets/snippets/ssl-params.conf; + include /etc/nginx/snippets/ssl-params.conf; include /etc/nginx/snippets/secure-headers.conf; add_header Content-Security-Policy "
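Review bot: The `--remote` branch in `handle()` calls `$this->removeAccess()`, but the method added below is named `remoteAccess()`, so every `mariadb:install --remote` run ends in a fatal undefined-method error right after the install reports success; rename the call to `$this->remoteAccess();` (the surrounding `handle()` begins outside this hunk). Inside `remoteAccess()`, `$name` is never defined, so the subjects collapse to `/CN=-mysql-ca` and `/CN=-mysql-server` (the client subject also reuses the server CN), and both leaf certificates are issued with `-set_serial 01` from the same CA, which breaks serial uniqueness and may be rejected by stricter verifiers — derive the CN from a hostname argument and give the client a distinct serial such as `02`. `service restart mariadb` has its arguments reversed (`service mariadb restart`, or `systemctl restart mariadb`), so the new `[mysqld]` TLS and bind settings are never actually loaded. `chmod 644 /etc/mysql/ssl/*key*` makes `ca-key.pem`, `server-key.pem` and `client-key.pem` world-readable; private keys should be `600` (or `640` owned by `mysql`), and the CA key ideally should not stay on the database host once the leaf certificates are signed. `bind-address = 0.0.0.0` together with `ufw allow mysql` exposes 3306 to every source address while nothing here requires TLS (the server only offers it), so restrict the rule to the client host (`ufw allow from <client-ip> to any port 3306`) and create the remote account with `REQUIRE X509`, or `require_secure_transport` where the installed MariaDB version supports it.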
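Review bot: The new `[mysqld-auth]` jail points `logpath` at `/var/log/mysql/error.log`, but nothing in this patch makes MariaDB write failed logins there: the stock `mysqld-auth` filter matches `Access denied for user` lines, which MariaDB only emits once `log_warnings` is raised (`log_warnings = 2` under `[mysqld]`), and on Ubuntu the error log typically goes to syslog/journald unless `log_error = /var/log/mysql/error.log` is set. Without those settings the jail is `enabled = true` yet bans nothing — add them to the `[mysqld]` block the install command writes, or point `logpath` at the log destination actually in use. Consider also setting explicit `maxretry` and `bantime` here instead of inheriting the global defaults, since the accompanying change opens 3306 to remote clients. The file is also missing its trailing newline.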