Some code cleanup.
This commit is contained in:
parent
eafc251109
commit
bdffb8877c
@ -1,6 +1,7 @@
|
|||
---
|
||||
mysql_enabled: true
|
||||
mysql_installs_mariadb: true
|
||||
mysql_service_name: "{% if mysql_installs_mariadb %}mariadb{% else %}mysql{% endif %}"
|
||||
mysql_pkg_state: present
|
||||
mysql_conf_dir: /etc/mysql/conf.d
|
||||
mysql_service_conf_dir: "{% if mysql_installs_mariadb %}/etc/mysql/mariadb.conf.d{% else %}/etc/mysql/mysql.conf.d{% endif %}"
|
||||
|
@ -10,8 +11,9 @@ mysql_log_dir: /var/log/mysql
|
|||
# If you move it, the apparmor configuration must be updated accordingly on Debian/Ubuntu hosts
|
||||
mysql_binlog_dir: '{{ mysql_data_dir }}'
|
||||
|
||||
mysql_use_ssl: True
|
||||
mysql_letsencrypt_certificates: True
|
||||
mysql_use_ssl: true
|
||||
mysql_use_letsencrypt_certificates: '{% if letsencrypt_acme_install %}true{% else %}false{% endif %}'
|
||||
mysql_letsencrypt_certificates: '{{ mysql_use_letsencrypt_certificates | bool }}'
|
||||
|
||||
# python-mysqldb is needed by ansible to manage users and databases
|
||||
mysql_packages_list:
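Review bot: The new `mysql_use_letsencrypt_certificates` value references `letsencrypt_acme_install` without a default, so every place that evaluates it — `when: mysql_letsencrypt_certificates | bool` in the main.yml hunk and `when: mysql_letsencrypt_certificates` in the mysql-letsencrypt.yml hunk — fails with an undefined-variable error on hosts where that variable is not set, whereas the old letsencrypt task guarded it with `letsencrypt_acme_install is defined`, a guard this commit removes. The simplest fix is `mysql_use_letsencrypt_certificates: "{{ letsencrypt_acme_install | default(false) | bool }}"`, which also returns a real boolean instead of the string "true"/"false" that the `{% if %}` form yields. `mysql_letsencrypt_certificates` can then stay as written, and the two `when:` conditions named above should both use `| bool` so a string value is never tested for truthiness directly. The `mysql_packages_list:` definition continues outside the hunk.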
|
||||
@ -1,40 +1,57 @@
|
|||
---
|
||||
# 'localhost' needs to be the last item for idempotency, the mysql_user docs
|
||||
- name: Secure the mysql root user with a password
|
||||
mysql_user: name=root host={{ item }} password={{ mysql_root_password }} login_unix_socket={{ mysql_socket }}
|
||||
- name: configure_root_access | Secure the mysql root user with a password
|
||||
acommunity.mysql.mysql_user:
|
||||
name: root
|
||||
host: "{{ item }}"
|
||||
password: "{{ mysql_root_password }}"
|
||||
login_unix_socket: "{{ mysql_socket }}"
|
||||
when: mysql_root_password is defined
|
||||
with_items:
|
||||
- '{{ ansible_hostname }}'
|
||||
- 127.0.0.1
|
||||
- ::1
|
||||
- localhost
|
||||
ignore_errors: True
|
||||
tags: [ 'mysql', 'mysql_root' ]
|
||||
ignore_errors: true
|
||||
tags: ['mysql', 'mysql_root']
|
||||
|
||||
- name: Secure the mysql root user when no password has been defined
|
||||
mysql_user: name=root host={{ item }} password="" login_unix_socket={{ mysql_socket }}
|
||||
- name: configure_root_access | Secure the mysql root user when no password has been defined
|
||||
community.mysql.mysql_user:
|
||||
name: root
|
||||
host: "{{ item }}"
|
||||
password: ""
|
||||
login_unix_socket: "{{ mysql_socket }}"
|
||||
when: mysql_root_password is not defined
|
||||
with_items:
|
||||
- '{{ ansible_hostname }}'
|
||||
- 127.0.0.1
|
||||
- ::1
|
||||
- localhost
|
||||
ignore_errors: True
|
||||
tags: [ 'mysql', 'mysql_root' ]
|
||||
ignore_errors: true
|
||||
tags: ['mysql', 'mysql_root']
|
||||
|
||||
- name: Install the .my.cnf file with root password credentials
|
||||
template: src=dot_my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0400
|
||||
- name: configure_root_access | Install the .my.cnf file with root password credentials
|
||||
ansible.builtin.template:
|
||||
src: dot_my.cnf.j2
|
||||
dest: /root/.my.cnf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0400"
|
||||
when: mysql_root_password is defined
|
||||
tags: [ 'mysql', 'mysql_root' ]
|
||||
tags: ['mysql', 'mysql_root']
|
||||
|
||||
- name: delete anonymous MySQL server user for the server hostname
|
||||
mysql_user: user="" host="{{ ansible_hostname }}" state="absent" login_unix_socket={{ mysql_socket }}
|
||||
tags: [ 'mysql', 'mysql_root' ]
|
||||
- name: configure_root_access | Delete anonymous MySQL server user for the server hostname
|
||||
community.mysql.mysql_user:
|
||||
user: ""
|
||||
host: "{{ ansible_hostname }}"
|
||||
state: "absent"
|
||||
login_unix_socket: "{{ mysql_socket }}"
|
||||
tags: ['mysql', 'mysql_root']
|
||||
|
||||
- name: delete anonymous MySQL server user for localhost
|
||||
mysql_user: user="" state="absent" login_unix_socket={{ mysql_socket }}
|
||||
- name: configure_root_access | Delete anonymous MySQL server user for localhost
|
||||
community.mysql.mysql_user: user="" state="absent" login_unix_socket={{ mysql_socket }}
|
||||
tags: mysql
|
||||
|
||||
- name: remove the MySQL test database
|
||||
mysql_db: db=test state=absent login_unix_socket={{ mysql_socket }}
|
||||
- name: configure_root_access | Remove the MySQL test database
|
||||
community.mysql.mysql_db: db=test state=absent login_unix_socket={{ mysql_socket }}
|
||||
tags: mysql
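Review bot: The module name `acommunity.mysql.mysql_user:` in the first task is a typo for `community.mysql.mysql_user:`; Ansible cannot resolve it, and because the task carries `ignore_errors: true` the failure is only reported while the play continues with the root account still unsecured. Both root-password tasks pass `password: "{{ mysql_root_password }}"` without `no_log: true`, unlike the user task in the manage_my_db.yml hunk, so the root password can appear in verbose output and callback logs; add `no_log: true` to both. Consider whether `ignore_errors: true` is still needed now that `login_unix_socket` is used; if it is, a targeted `failed_when` is preferable to masking every failure of the task that protects root. The last two tasks (`community.mysql.mysql_user: user="" state="absent" ...` and `community.mysql.mysql_db: db=test ...`) still use the key=value form that the rest of the commit converts to block YAML.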
|
||||
@ -1,7 +1,9 @@
|
|||
---
|
||||
- name: Stop and disable the mysql server if we do not want it running
|
||||
service: name=mysql state=stopped enabled=no
|
||||
- name: disable-mariadb-service | Stop and disable the mysql server if we do not want it running
|
||||
ansible.builtin.service:
|
||||
name: mysql
|
||||
state: stopped
|
||||
enabled: false
|
||||
when: not mysql_enabled
|
||||
tags:
|
||||
- mysql
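Review bot: `name: mysql` is hard-coded here while the equivalent stop task in the manage-mysql-service.yml hunk uses `name: "{{ mysql_service_name }}"`; when `mysql_installs_mariadb` is true the unit is `mariadb`, so this task may act on the wrong or a non-existent service and should use `name: "{{ mysql_service_name }}"` as well. As far as the main.yml hunk shows, this file is not imported anywhere and duplicates that stop task, so it may be dead code; if it is kept on purpose, a header comment stating when it is meant to be included would help the next reader. The block-style `tags:` list also differs from the flow style `tags: ['mysql', 'mariadb']` used by the other task files in this commit.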
|
||||
|
||||
@ -1,15 +1,20 @@
|
|||
---
|
||||
- import_tasks: packages.yml
|
||||
- import_tasks: mysql-conf.yml
|
||||
- name: Install the mysql/mariadb packages
|
||||
ansible.builtin.import_tasks: packages.yml
|
||||
- name: Configure mysql/mariadb
|
||||
ansible.builtin.import_tasks: mysql-conf.yml
|
||||
when: mysql_enabled | bool
|
||||
- import_tasks: manage-mysql-service.yml
|
||||
- import_tasks: configure_root_access.yml
|
||||
- name: Manage the mysql/mariadb service
|
||||
ansible.builtin.import_tasks: manage-mysql-service.yml
|
||||
- name: Configure the root user
|
||||
ansible.builtin.import_tasks: configure_root_access.yml
|
||||
when: mysql_enabled | bool
|
||||
- import_tasks: manage_my_db.yml
|
||||
- name: Eventually manage databases
|
||||
ansible.builtin.import_tasks: manage_my_db.yml
|
||||
when: mysql_enabled | bool
|
||||
- import_tasks: mysql-backup.yml
|
||||
- name: Configure a basic backup service
|
||||
ansible.builtin.import_tasks: mysql-backup.yml
|
||||
when: mysql_enabled | bool
|
||||
- import_tasks: mysql-letsencrypt.yml
|
||||
- name: Configure for letsencrypt
|
||||
ansible.builtin.import_tasks: mysql-letsencrypt.yml
|
||||
when: mysql_letsencrypt_certificates | bool
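Review bot: The imports of packages.yml and manage-mysql-service.yml are the only ones without a `when: mysql_enabled | bool` guard; if packages are intentionally installed even when the service is disabled (so the stop/disable task has something to act on), a short comment above the first import saying so would stop a later reader from "fixing" it. The task name `Eventually manage databases` reads as "at some later time" in English; `Manage databases, if any are defined` states the intent. Note that `when:` on an `import_tasks` is copied onto every imported task rather than applied to the import itself, which is fine here but worth a one-line comment since the letsencrypt tasks also carry their own `when`.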
|
||||
|
||||
|
||||
@ -1,11 +1,16 @@
|
|||
---
|
||||
- name: Ensure that the mysql server is enabled and running
|
||||
service: name=mysql state=started enabled=yes
|
||||
- name: manage-mysql-service | Ensure that the mysql server is enabled and running
|
||||
ansible.builtin.service:
|
||||
name: "{{ mysql_service_name }}"
|
||||
state: started
|
||||
enabled: true
|
||||
when: mysql_enabled
|
||||
tags: [ 'mysql', 'mariadb' ]
|
||||
tags: ['mysql', 'mariadb']
|
||||
|
||||
- name: Stop and disable the mysql server if we do not want it running
|
||||
service: name=mysql state=stopped enabled=no
|
||||
- name: manage-mysql-service | Stop and disable the mysql server if we do not want it running
|
||||
ansible.builtin.service:
|
||||
name: "{{ mysql_service_name }}"
|
||||
state: stopped
|
||||
enabled: false
|
||||
when: not mysql_enabled
|
||||
tags: [ 'mysql', 'mariadb' ]
|
||||
|
||||
tags: ['mysql', 'mariadb']
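Review bot: `when: mysql_enabled` and `when: not mysql_enabled` omit the `| bool` filter that the main.yml hunk applies to the same variable; if `mysql_enabled` arrives as the string "false" from an inventory or `-e` argument the two forms can disagree, so use `when: mysql_enabled | bool` and `when: not mysql_enabled | bool` for consistency. The display order around the final `tags: ['mysql', 'mariadb']` line is ambiguous on this page; confirm in the file that it sits indented under the second task rather than at top level.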
|
||||
@ -1,24 +1,41 @@
|
|||
---
|
||||
- name: Add databases to mysql, if any
|
||||
mysql_db: name={{ item.name }} collation={{ item.collation }} encoding={{ item.encoding }} state=present login_unix_socket={{ mysql_socket }}
|
||||
- name: manage_my_db | Add databases to mysql, if any
|
||||
community.mysql.mysql_db:
|
||||
name: "{{ item.name }}"
|
||||
collation: "{{ item.collation }}"
|
||||
encoding: "{{ item.encoding }}"
|
||||
state: present
|
||||
login_unix_socket: "{{ mysql_socket }}"
|
||||
with_items: '{{ mysql_db_data | default([]) }}'
|
||||
when: item.name is defined
|
||||
tags: [ 'mysql', 'mysql_db' ]
|
||||
tags: ['mysql', 'mysql_db']
|
||||
|
||||
- name: Add a user for the databases
|
||||
mysql_user: name={{ item.0.user }} password={{ item.0.pwd }} host={{ item.1 }} priv="{{ item.0.name }}.*:{{ item.0.user_grant }}" state=present login_unix_socket={{ mysql_socket }}
|
||||
- name: manage_my_db | Add a user for the databases
|
||||
community.mysql.mysql_user:
|
||||
name: "{{ item.0.user }}"
|
||||
password: "{{ item.0.pwd }}"
|
||||
host: "{{ item.1 }}"
|
||||
priv: "{{ item.0.name }}.*:{{ item.0.user_grant }}"
|
||||
state: present
|
||||
login_unix_socket: "{{ mysql_socket }}"
|
||||
no_log: true
|
||||
with_subelements:
|
||||
- '{{ mysql_db_data | default([]) }}'
|
||||
- allowed_hosts
|
||||
when: item.0.name is defined
|
||||
tags: [ 'mysql', 'mysql_db', 'mysql_user' ]
|
||||
tags: ['mysql', 'mysql_db', 'mysql_user']
|
||||
|
||||
- name: Additional user privileges, if defined
|
||||
mysql_user: name={{ item.0.user }} append_privs=yes priv="{{ item.0.name }}.*:{{ item.0.additional_privs }}" state=present login_unix_socket={{ mysql_socket }}
|
||||
- name: manage_my_db | Additional user privileges, if defined
|
||||
community.mysql.mysql_user:
|
||||
name: "{{ item.0.user }}"
|
||||
append_privs: true
|
||||
priv: "{{ item.0.name }}.*:{{ item.0.additional_privs }}"
|
||||
state: present
|
||||
login_unix_socket: "{{ mysql_socket }}"
|
||||
with_subelements:
|
||||
- '{{ mysql_db_data | default([]) }}'
|
||||
- allowed_hosts
|
||||
when:
|
||||
- item.0.name is defined
|
||||
- item.0.additional_privs is defined
|
||||
tags: [ 'mysql', 'mysql_db', 'mysql_user' ]
|
||||
tags: ['mysql', 'mysql_db', 'mysql_user']
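Review bot: The `Additional user privileges` task iterates `with_subelements` over `allowed_hosts` but never passes `host: "{{ item.1 }}"`, so `community.mysql.mysql_user` falls back to its default host and the extra grants are applied to `user@localhost` once per allowed host, while the accounts created by the previous task exist for every `item.1`; add `host: "{{ item.1 }}"` next to `name:`. This predates the commit (the old key=value line also lacked `host`), but the block form makes the omission easy to fix. If `mysql_db_data` entries are allowed to omit `allowed_hosts`, both `with_subelements` loops need `skip_missing: true`, otherwise the lookup errors on the first such entry.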
|
||||
@ -1,12 +1,27 @@
|
|||
---
|
||||
- name: Install a script that performs mysql dumps
|
||||
copy: src=mysql-backup.sh dest=/usr/local/sbin/mysql-backup owner=root group=root mode=0750
|
||||
tags: [ 'mysql', 'mysql_backup' ]
|
||||
- name: mysql-backup | Install a script that performs mysql dumps
|
||||
ansible.builtin.copy:
|
||||
src: mysql-backup.sh
|
||||
dest: /usr/local/sbin/mysql-backup
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
tags: ['mysql', 'mysql_backup']
|
||||
|
||||
- name: Install the mysql backup defaults
|
||||
template: src=mysql_backup-default.j2 dest=/etc/default/mysql_backup owner=root group=root mode=0440
|
||||
tags: [ 'mysql', 'mysql_backup' ]
|
||||
- name: mysql-backup | Install the mysql backup defaults
|
||||
ansible.builtin.template:
|
||||
src: mysql_backup-default.j2
|
||||
dest: /etc/default/mysql_backup
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0440"
|
||||
tags: ['mysql', 'mysql_backup']
|
||||
|
||||
- name: Cron job that executes mysql nightly backups
|
||||
template: src=mysql-backup.cron.j2 dest=/etc/cron.daily/mysql-backup owner=root group=root mode=0755
|
||||
tags: [ 'mysql', 'mysql_backup' ]
|
||||
- name: mysql-backup | Cron job that executes mysql nightly backups
|
||||
ansible.builtin.template:
|
||||
src: mysql-backup.cron.j2
|
||||
dest: /etc/cron.daily/mysql-backup
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
tags: ['mysql', 'mysql_backup']
|
||||
@ -1,49 +1,80 @@
|
|||
---
|
||||
- name: Manage the MySQL configuration files
|
||||
block:
|
||||
- name: Check if the new mysql data directory exists
|
||||
stat: path={{ mysql_data_dir }}
|
||||
register: my_data_dir
|
||||
|
||||
- name: Stop the mysql service while reconfiguring the data directory
|
||||
service: name=mysql state=stopped
|
||||
when: my_data_dir.stat.isdir is not defined
|
||||
|
||||
- name: Create the data directory
|
||||
file: dest={{ mysql_data_dir }} state=directory owner=mysql group=mysql mode=0700
|
||||
|
||||
- name: Copy data to the new directory
|
||||
synchronize: src=/var/lib/mysql/ dest={{ mysql_data_dir }}
|
||||
delegate_to: "{{ inventory_hostname }}"
|
||||
when: my_data_dir.stat.isdir is not defined
|
||||
|
||||
- name: Create the log directory
|
||||
file: dest={{ mysql_log_dir }} state=directory owner=mysql group=adm mode=1750
|
||||
|
||||
- name: Install the main configuration files.
|
||||
template: src={{ item }}.cnf.j2 dest={{ mysql_conf_dir }}/{{ item }}.cnf owner=root group=root mode=0644
|
||||
with_items:
|
||||
- client
|
||||
- mysql-clients
|
||||
notify: Restart mysql
|
||||
|
||||
- name: Install the main configuration files.
|
||||
template: src={{ item }}.cnf.j2 dest={{ mysql_service_conf_dir }}/mysqld.cnf owner=root group=root mode=0644
|
||||
with_items:
|
||||
- server
|
||||
notify: Restart mysql
|
||||
|
||||
- name: Add AppArmor alias
|
||||
lineinfile: path=/etc/apparmor.d/tunables/alias line='alias /var/lib/mysql/ -> {{ mysql_data_dir }}/,' insertafter=EOF
|
||||
when: my_data_dir.stat.isdir is not defined
|
||||
|
||||
- name: Restart AppArmor service
|
||||
service: name=apparmor state=restarted
|
||||
when: my_data_dir.stat.isdir is not defined
|
||||
|
||||
- name: Start the mysql service with the new the data directory
|
||||
service: name=mysql state=started
|
||||
when: my_data_dir.stat.isdir is not defined
|
||||
|
||||
- name: mysql-conf | Manage the MySQL configuration files
|
||||
when: mysql_enabled | bool
|
||||
tags: [ 'mysql', 'mariadb', 'mysql_conf' ]
|
||||
tags: ['mysql', 'mariadb', 'mysql_conf']
|
||||
block:
|
||||
- name: mysql-conf | Check if the new mysql data directory exists
|
||||
ansible.builtin.stat:
|
||||
path: "{{ mysql_data_dir }}"
|
||||
register: my_data_dir
|
||||
|
||||
- name: mysql-conf | Stop the mysql service while reconfiguring the data directory
|
||||
ansible.builtin.service:
|
||||
name: "{{ mysql_service_name }}"
|
||||
state: stopped
|
||||
when: my_data_dir.stat.isdir is not defined
|
||||
|
||||
- name: mysql-conf | Create the data directory
|
||||
ansible.builtin.file:
|
||||
dest: "{{ mysql_data_dir }}"
|
||||
state: directory
|
||||
owner: mysql
|
||||
group: mysql
|
||||
mode: "0700"
|
||||
|
||||
- name: mysql-conf | Copy data to the new directory
|
||||
ansible.posix.synchronize:
|
||||
src: /var/lib/mysql/
|
||||
dest: "{{ mysql_data_dir }}"
|
||||
delegate_to: "{{ inventory_hostname }}"
|
||||
when: my_data_dir.stat.isdir is not defined
|
||||
|
||||
- name: mysql-conf | Create the log directory
|
||||
ansible.builtin.file:
|
||||
dest: "{{ mysql_log_dir }}"
|
||||
state: directory
|
||||
owner: mysql
|
||||
group: adm
|
||||
mode: "1750"
|
||||
|
||||
- name: mysql-conf | Install the main configuration files.
|
||||
ansible.builtin.template:
|
||||
src: "{{ item }}.cnf.j2"
|
||||
dest: "{{ mysql_conf_dir }}/{{ item }}.cnf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
loop:
|
||||
- client
|
||||
- mysql-clients
|
||||
notify: Restart mysql
|
||||
|
||||
- name: mysql-conf | Install the main configuration files.
|
||||
ansible.builtin.template:
|
||||
src: "{{ item }}.cnf.j2"
|
||||
dest: "{{ mysql_service_conf_dir }}/mysqld.cnf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
with_items:
|
||||
- server
|
||||
notify: Restart mysql
|
||||
|
||||
- name: mysql-conf | Add AppArmor alias
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/apparmor.d/tunables/alias
|
||||
line: 'alias /var/lib/mysql/ -> {{ mysql_data_dir }}/,'
|
||||
insertafter: EOF
|
||||
when: my_data_dir.stat.isdir is not defined
|
||||
|
||||
- name: mysql-conf | Restart the AppArmor service
|
||||
ansible.builtin.service:
|
||||
name: apparmor
|
||||
state: restarted
|
||||
when: my_data_dir.stat.isdir is not defined
|
||||
|
||||
- name: mysql-conf | Start the mysql service with the new the data directory
|
||||
ansible.builtin.service:
|
||||
name: "{{ mysql_service_name }}"
|
||||
state: started
|
||||
when: my_data_dir.stat.isdir is not defined
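Review bot: Two tasks in the block carry the identical name `mysql-conf | Install the main configuration files.`; the second installs the server file, so name it `mysql-conf | Install the server configuration file` to keep `--start-at-task` and log output unambiguous. The first of the two was converted to `loop:` while the second keeps `with_items:`; pick one form within the file. The AppArmor alias and `apparmor` restart tasks run on every data-directory migration; if the role targets hosts without AppArmor (the defaults comment only mentions Debian/Ubuntu), guarding them on the presence of `/etc/apparmor.d` would keep the migration from failing there.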
|
||||
@ -1,30 +1,61 @@
|
|||
---
|
||||
- name: Manage the letsencrypt configuration
|
||||
- name: mysql-letsencrypt | Manage the letsencrypt configuration
|
||||
when: mysql_letsencrypt_certificates
|
||||
tags: ['mysql', 'mariadb', 'letsencrypt', 'mysql_letsencrypt']
|
||||
block:
|
||||
- name: Check if the letsencrypt certificates are in place
|
||||
stat: path={{ letsencrypt_acme_certs_dir }}/privkey
|
||||
register: letsencrypt_keyfile
|
||||
- name: mysql-letsencrypt | Check if the letsencrypt certificates are in place
|
||||
ansible.builtin.stat:
|
||||
path: "{{ letsencrypt_acme_certs_dir }}/privkey"
|
||||
register: letsencrypt_keyfile
|
||||
|
||||
- name: Copy the letsencrypt certificate key into the right place
|
||||
copy: src={{ letsencrypt_acme_certs_dir }}/privkey dest=/var/lib/mysql/client-key.pem owner=mysql group=mysql mode=0400 remote_src=yes force=yes
|
||||
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||
notify: Restart mysql
|
||||
- name: mysql-letsencrypt | Copy the letsencrypt certificate key into the right place
|
||||
ansible.builtin.copy:
|
||||
src: "{{ letsencrypt_acme_certs_dir }}/privkey"
|
||||
dest: /var/lib/mysql/client-key.pem
|
||||
owner: mysql
|
||||
group: mysql
|
||||
mode: "0400"
|
||||
remote_src: true
|
||||
force: true
|
||||
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||
notify: Restart mysql
|
||||
|
||||
- name: Copy the letsencrypt public certificate into the right place
|
||||
copy: src={{ letsencrypt_acme_certs_dir }}/cert dest=/var/lib/mysql/client-cert.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
|
||||
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||
notify: Restart mysql
|
||||
- name: mysql-letsencrypt | Copy the letsencrypt public certificate into the right place
|
||||
ansible.builtin.copy:
|
||||
src: "{{ letsencrypt_acme_certs_dir }}/cert"
|
||||
dest: "/var/lib/mysql/client-cert.pem"
|
||||
owner: mysql
|
||||
group: mysql
|
||||
mode: "0444"
|
||||
remote_src: true
|
||||
force: true
|
||||
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||
notify: Restart mysql
|
||||
|
||||
- name: Copy the letsencrypt CA certificate into the right place
|
||||
copy: src={{ letsencrypt_acme_certs_dir }}/fullchain dest=/var/lib/mysql/ca.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
|
||||
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||
notify: Restart mysql
|
||||
- name: mysql-letsencrypt | Copy the letsencrypt CA certificate into the right place
|
||||
ansible.builtin.copy:
|
||||
src: "{{ letsencrypt_acme_certs_dir }}/fullchain"
|
||||
dest: /var/lib/mysql/ca.pem
|
||||
owner: mysql
|
||||
group: mysql
|
||||
mode: "0444"
|
||||
remote_src: true
|
||||
force: true
|
||||
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||
notify: Restart mysql
|
||||
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
|
||||
- name: mysql-letsencrypt | Create the acme hooks directory if it does not yet exist
|
||||
ansible.builtin.file:
|
||||
dest: "{{ letsencrypt_acme_sh_services_scripts_dir }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for mysql and then reload the service
|
||||
copy: src=letsencrypt-mysql-hook.sh dest={{ letsencrypt_acme_sh_services_scripts_dir }}/mysql owner=root group=root mode=4555
|
||||
|
||||
when: letsencrypt_acme_install is defined and letsencrypt_acme_install | bool
|
||||
tags: [ 'mysql', 'mariadb', 'letsencrypt', 'mysql_letsencrypt' ]
|
||||
- name: mysql-letsencrypt | Install a script that fix the letsencrypt certificate for mysql and then reloads the service
|
||||
ansible.builtin.copy:
|
||||
src: letsencrypt-mysql-hook.sh
|
||||
dest: "{{ letsencrypt_acme_sh_services_scripts_dir }}/mysql"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "4555"
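Review bot: The hook script is installed with `mode: "4555"`, i.e. setuid root; the Linux kernel ignores the setuid bit on interpreted scripts, so the bit is ineffective and only signals a privilege-escalation intent that reviewers and scanners will flag. If acme.sh invokes the hook as root, `mode: "0755"` (or `"0750"`, matching the new hooks-directory mode) is sufficient. The key and certificate copies target hard-coded `/var/lib/mysql/` paths while the mysql-conf.yml hunk supports relocating `mysql_data_dir`; whether the server's ssl-* settings follow the datadir is not visible here, so confirm the destination or derive it from the same variable. `dest: "/var/lib/mysql/client-cert.pem"` is quoted while the sibling `dest:` values are plain; make them consistent.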
|
||||
@ -1,9 +1,8 @@
|
|||
---
|
||||
- name: Install the mysql or maridb server packages
|
||||
- name: packages | Install the mysql or maridb server packages
|
||||
ansible.builtin.apt:
|
||||
pkg: "{{ item }}"
|
||||
cache_valid_time: 1800
|
||||
state: present
|
||||
loop: "{% if mysql_installs_mariadb %}{{ mysql_mariadb_pkgs }}{% else %}{{ mysql_packages_list }}{% endif %}"
|
||||
tags: mysql
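Review bot: `state: present` is hard-coded even though the defaults hunk introduces `mysql_pkg_state: present`; use `state: "{{ mysql_pkg_state }}"` so the new variable actually has an effect. The `loop:` value is a `{% if %}` template that yields a string Ansible must re-parse into a list; `loop: "{{ mysql_mariadb_pkgs if mysql_installs_mariadb else mysql_packages_list }}"` returns the list natively. With a list in hand, passing it straight to `pkg:` instead of looping installs all packages in one apt transaction. `maridb` in the task name is a typo for `mariadb`.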
|
||||
|
||||