diff --git a/README.md b/README.md
index 41dddb0..4ccdd1f 100644
--- a/README.md
+++ b/README.md
@@ -133,6 +133,9 @@ linux/arm64
 * `DB_USERNAME`: MySQL user (default `anonaddy`)
 * `DB_PASSWORD`: MySQL password
 * `DB_TIMEOUT`: Time in seconds after which we stop trying to reach the MySQL server (useful for clusters, default `60`)
+* `DB_SSL_CA`: filename of CA file available in ./env folder of your installation. You can use your own or generate one as explained below
+* `DB_SSL_CERT`: filename of server certificate file available in ./env folder of your installation. You can use your own or generate one as explained below
+* `DB_SSL_KEY`: filename of server private key file available in ./env folder of your installation. You can use your own or generate one as explained below
 > [!NOTE]
 > `DB_USERNAME_FILE` and `DB_PASSWORD_FILE` can be used to fill in the value
@@ -282,6 +285,38 @@ docker compose exec --user anonaddy addy gpg --full-gen-key
 Keys will be stored in `/data/.gnupg` folder.
+### Generate SSL certificate for communication with MariaDB
+
+If you don't have an existing SSL certificates, you can generate a new with the
+following commands (assuming you already have openssl installed):
+
+```console
+cd ./env # Make sure, you are in the env directory of your instance
+sh -c "
+ openssl genrsa -out ca-key.pem 4096 &&
+ openssl req -new -x509 -days 3650 -key ca-key.pem -out ca-cert.pem -subj '/CN=addy_db_CA' &&
+ openssl genrsa -out server-key.pem 2048 &&
+ openssl req -new -key server-key.pem -out server-req.pem -subj '/CN=db' &&
+ openssl x509 -req -days 365 -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem &&
+ chmod 600 ./*.pem
+"
+```
+You can also use docker alternative if you do not have openssl and do not want to install:
+
+```console
+docker run --rm -v /your/path/to/env:/certs alpine sh -c "
+ apk add --no-cache openssl &&
+ openssl genrsa -out /certs/ca-key.pem 4096 &&
+ openssl req -new -x509 -days 3650 -key /certs/ca-key.pem -out /certs/ca-cert.pem -subj '/CN=addy_db_CA' &&
+ openssl genrsa -out /certs/server-key.pem 2048 &&
+ openssl req -new -key /certs/server-key.pem -out /certs/server-req.pem -subj '/CN=db' &&
+ openssl x509 -req -days 365 -in /certs/server-req.pem -CA /certs/ca-cert.pem -CAkey /certs/ca-key.pem -CAcreateserial -out /certs/server-cert.pem &&
+ chmod 600 /certs/*.pem
+"
+```
+
+Change /CN=db to any hostname you have used in compose file in case modified. Keys will be stored in `./env` folder.
+
+### Define additional env vars
 You can define additional environment variables that will be used by the app
diff --git a/examples/compose/compose.yml b/examples/compose/compose.yml
index 09e6d32..9edf897 100644
--- a/examples/compose/compose.yml
+++ b/examples/compose/compose.yml
@@ -8,8 +8,12 @@ services:
       - "mysqld"
       - "--character-set-server=utf8mb4"
       - "--collation-server=utf8mb4_unicode_ci"
+      - "--ssl-ca=/etc/mysql/certs/${DB_SSL_CA}"
+      - "--ssl-cert=/etc/mysql/certs/${DB_SSL_CERT}"
+      - "--ssl-key=/etc/mysql/certs/${DB_SSL_KEY}"
     volumes:
       - "./db:/var/lib/mysql"
+      - "./env:/etc/mysql/certs:ro"
     environment:
       - "MARIADB_RANDOM_ROOT_PASSWORD=yes"
       - "MYSQL_DATABASE"
@@ -37,6 +41,7 @@ services:
         protocol: tcp
     volumes:
       - "./data:/data"
+      - "./env:/env/certs"
     env_file:
       - "./addy.env"
     environment:
diff --git a/rootfs/etc/cont-init.d/00-env b/rootfs/etc/cont-init.d/00-env
index 4f8848d..0292498 100755
--- a/rootfs/etc/cont-init.d/00-env
+++ b/rootfs/etc/cont-init.d/00-env
@@ -50,6 +50,7 @@ DB_DATABASE=${DB_DATABASE:-anonaddy}
 #DB_USERNAME=${DB_USERNAME:-anonaddy}
 #DB_PASSWORD=${DB_PASSWORD:-asupersecretpassword}
 DB_TIMEOUT=${DB_TIMEOUT:-60}
+DB_SSL_CA=${DB_SSL_CA:-ca-cert.pem}
 REDIS_HOST=${REDIS_HOST:-null}
 #REDIS_PASSWORD=${REDIS_PASSWORD:-null}
@@ -116,3 +117,7 @@ file_env 'ANONADDY_SIGNING_KEY_FINGERPRINT'
 file_env 'POSTFIX_RELAYHOST_USERNAME' 'null'
 file_env 'POSTFIX_RELAYHOST_PASSWORD' 'null'
 file_env 'RSPAMD_WEB_PASSWORD' 'null'
+
+echo ssl-ca=/env/certs/$DB_SSL_CA >> /etc/my.cnf.d/skip-ssl.cnf
+# MariaDB configs writable to others are not being considered
+chmod 644 /etc/my.cnf.d/*.cnf
\ No newline at end of file
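Review bot: The three `--ssl-*` arguments interpolate `${DB_SSL_CA}`, `${DB_SSL_CERT}` and `${DB_SSL_KEY}` from the Compose environment and none of them has a default there; the `DB_SSL_CA=${DB_SSL_CA:-ca-cert.pem}` default added in `00-env` only takes effect inside the addy container, so a user who does not set all three on the host (or in a `.env` file) will most likely get `--ssl-ca=/etc/mysql/certs/` and a mysqld that fails to start. Compose's own default syntax keeps the example working out of the box: `- "--ssl-ca=/etc/mysql/certs/${DB_SSL_CA:-ca-cert.pem}"`, `- "--ssl-cert=/etc/mysql/certs/${DB_SSL_CERT:-server-cert.pem}"`, `- "--ssl-key=/etc/mysql/certs/${DB_SSL_KEY:-server-key.pem}"` (the filenames the README's commands produce). Separately, the README has users `chmod 600` every `.pem` as the host user, while the MariaDB image runs mysqld as its own unprivileged user, so the server key is probably unreadable unless the README also states the ownership or mode mysqld needs to read it.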
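Review bot: `- "./env:/env/certs"` mounts the whole `./env` directory into the addy container read-write, although `00-env` only ever references `$DB_SSL_CA` from it; per the README's instructions that directory also holds `ca-key.pem` and `server-key.pem`, so the application container gets write access to the CA signing key and to the database server's private key, neither of which it needs. The db service's mount in the first hunk is already `:ro`; at minimum mirror that here, `- "./env:/env/certs:ro"`, and preferably mount only the CA certificate, e.g. `- "./env/${DB_SSL_CA:-ca-cert.pem}:/env/certs/${DB_SSL_CA:-ca-cert.pem}:ro"`. Since the CA private key is only needed when signing, the README could also tell users to keep it outside the mounted directory altogether.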
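Review bot: `echo ssl-ca=/env/certs/$DB_SSL_CA >> /etc/my.cnf.d/skip-ssl.cnf` appends unconditionally, so if this init script runs on every container start (as `cont-init.d` scripts normally do) the option line is duplicated on each restart; `grep -q '^ssl-ca=' /etc/my.cnf.d/skip-ssl.cnf || echo "ssl-ca=/env/certs/${DB_SSL_CA}" >> /etc/my.cnf.d/skip-ssl.cnf` makes it idempotent and also quotes the expansion. Note that `ssl-ca` alone makes the MariaDB command-line client encrypt the connection and check the chain against the CA, but on client versions where `ssl-verify-server-cert` is not enabled by default the certificate's hostname (`CN=db` in the README) is not checked, so any certificate issued by that CA is accepted; adding `ssl-verify-server-cert` next to it is what actually ties the connection to the intended server, and since this file only affects clients that read `/etc/my.cnf.d`, whether the PHP/PDO side picks up the CA at all needs to be confirmed separately. The comment `# MariaDB configs writable to others are not being considered` would read more clearly as `# MariaDB ignores option files that are world-writable, hence 644`. The file also loses its trailing newline in this hunk.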