From bdffb8877c19fe73def4dcd79317d82e5b26c934 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <andrea.dellamico@isti.cnr.it>
Date: Thu, 6 Feb 2025 19:08:47 +0100
Subject: [PATCH] Some code cleanup.

---
 defaults/main.yml | 6 +-
 tasks/configure_root_access.yml | 53 ++++++++-----
 tasks/disable-mariadb-service.yml | 8 +-
 tasks/main.yml | 23 +++---
 tasks/manage-mysql-service.yml | 19 +++--
 tasks/manage_my_db.yml | 35 ++++++---
 tasks/mysql-backup.yml | 33 +++++---
 tasks/mysql-conf.yml | 125 +++++++++++++++++++-----------
 tasks/mysql-letsencrypt.yml | 77 ++++++++++++------
 tasks/packages.yml | 3 +-
 10 files changed, 253 insertions(+), 129 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 416dfa3..c5d4b7d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 mysql_enabled: true
 mysql_installs_mariadb: true
+mysql_service_name: "{% if mysql_installs_mariadb %}mariadb{% else %}mysql{% endif %}"
 mysql_pkg_state: present
 mysql_conf_dir: /etc/mysql/conf.d
 mysql_service_conf_dir: "{% if mysql_installs_mariadb %}/etc/mysql/mariadb.conf.d{% else %}/etc/mysql/mysql.conf.d{% endif %}"
@@ -10,8 +11,9 @@ mysql_log_dir: /var/log/mysql
 # If you move it, the apparmor configuration must be updated accordingly on Debian/Ubuntu hosts
 mysql_binlog_dir: '{{ mysql_data_dir }}'
 
-mysql_use_ssl: True
-mysql_letsencrypt_certificates: True
+mysql_use_ssl: true
+mysql_use_letsencrypt_certificates: '{% if letsencrypt_acme_install %}true{% else %}false{% endif %}'
+mysql_letsencrypt_certificates: '{{ mysql_use_letsencrypt_certificates | bool }}'
 
 # python-mysqldb is needed by ansible to manage users and databases
 mysql_packages_list:
diff --git a/tasks/configure_root_access.yml b/tasks/configure_root_access.yml
index 360c50c..740778b 100644
--- a/tasks/configure_root_access.yml
+++ b/tasks/configure_root_access.yml
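Review bot: The new `mysql_use_letsencrypt_certificates` default evaluates `letsencrypt_acme_install` with no guard, so on a host where that variable is not defined the default raises an undefined-variable error as soon as anything consumes `mysql_letsencrypt_certificates` — the `when: mysql_letsencrypt_certificates | bool` on the import in tasks/main.yml and the block-level `when:` in tasks/mysql-letsencrypt.yml both do. The `letsencrypt_acme_install is defined and ...` guard that this commit removes from mysql-letsencrypt.yml used to cover exactly that case. `mysql_use_letsencrypt_certificates: '{{ letsencrypt_acme_install | default(false) | bool }}'` keeps the intent and tolerates the missing variable. Note also that `'{{ mysql_use_letsencrypt_certificates | bool }}'` is a templated string rather than a YAML boolean; whether it reaches a bare `when:` as a boolean or as the text `"False"` depends on the templating mode, so every consumer should apply `| bool`.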
@@ -1,40 +1,57 @@ --- # 'localhost' needs to be the last item for idempotency, the mysql_user docs -- name: Secure the mysql root user with a password - mysql_user: name=root host={{ item }} password={{ mysql_root_password }} login_unix_socket={{ mysql_socket }} +- name: configure_root_access | Secure the mysql root user with a password + acommunity.mysql.mysql_user: + name: root + host: "{{ item }}" + password: "{{ mysql_root_password }}" + login_unix_socket: "{{ mysql_socket }}" when: mysql_root_password is defined with_items: - '{{ ansible_hostname }}' - 127.0.0.1 - ::1 - localhost - ignore_errors: True - tags: [ 'mysql', 'mysql_root' ] + ignore_errors: true + tags: ['mysql', 'mysql_root'] -- name: Secure the mysql root user when no password has been defined - mysql_user: name=root host={{ item }} password="" login_unix_socket={{ mysql_socket }} +- name: configure_root_access | Secure the mysql root user when no password has been defined + community.mysql.mysql_user: + name: root + host: "{{ item }}" + password: "" + login_unix_socket: "{{ mysql_socket }}" when: mysql_root_password is not defined with_items: - '{{ ansible_hostname }}' - 127.0.0.1 - ::1 - localhost - ignore_errors: True - tags: [ 'mysql', 'mysql_root' ] + ignore_errors: true + tags: ['mysql', 'mysql_root'] -- name: Install the .my.cnf file with root password credentials - template: src=dot_my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0400 +- name: configure_root_access | Install the .my.cnf file with root password credentials + ansible.builtin.template: + src: dot_my.cnf.j2 + dest: /root/.my.cnf + owner: root + group: root + mode: "0400" when: mysql_root_password is defined - tags: [ 'mysql', 'mysql_root' ] + tags: ['mysql', 'mysql_root'] -- name: delete anonymous MySQL server user for the server hostname - mysql_user: user="" host="{{ ansible_hostname }}" state="absent" login_unix_socket={{ mysql_socket }} - tags: [ 'mysql', 'mysql_root' ] +- name: configure_root_access | Delete 
anonymous MySQL server user for the server hostname + community.mysql.mysql_user: + user: "" + host: "{{ ansible_hostname }}" + state: "absent" + login_unix_socket: "{{ mysql_socket }}" + tags: ['mysql', 'mysql_root'] -- name: delete anonymous MySQL server user for localhost - mysql_user: user="" state="absent" login_unix_socket={{ mysql_socket }} +- name: configure_root_access | Delete anonymous MySQL server user for localhost + community.mysql.mysql_user: user="" state="absent" login_unix_socket={{ mysql_socket }} tags: mysql -- name: remove the MySQL test database - mysql_db: db=test state=absent login_unix_socket={{ mysql_socket }} +- name: configure_root_access | Remove the MySQL test database + community.mysql.mysql_db: db=test state=absent login_unix_socket={{ mysql_socket }} tags: mysql diff --git a/tasks/disable-mariadb-service.yml b/tasks/disable-mariadb-service.yml index 1e878be..6f84dfc 100644 --- a/tasks/disable-mariadb-service.yml +++ b/tasks/disable-mariadb-service.yml @@ -1,7 +1,9 @@ --- -- name: Stop and disable the mysql server if we do not want it running - service: name=mysql state=stopped enabled=no +- name: disable-mariadb-service | Stop and disable the mysql server if we do not want it running + ansible.builtin.service: + name: mysql + state: stopped + enabled: false when: not mysql_enabled tags: - mysql - diff --git a/tasks/main.yml b/tasks/main.yml index be17d3a..b0ecc5d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
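Review bot: The first task's module is spelled `acommunity.mysql.mysql_user:`, which is not a resolvable collection name, so the play fails on that task whenever `mysql_root_password` is defined; it should read `community.mysql.mysql_user:` like the other tasks in this hunk. The last two tasks (`Delete anonymous MySQL server user for localhost` and `Remove the MySQL test database`) were left in `key=value` free-form while every other task was converted to keyword arguments; converting them too keeps the file uniform and lets ansible-lint validate the arguments. Separately, `ignore_errors: true` on both root-password tasks means a failure to set the root password is printed but never stops the play, leaving the server with whatever credentials it already had; if the intent is only to tolerate a missing per-host entry, a `failed_when` on that specific condition is narrower than ignoring every error.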
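Review bot: `name: mysql` is still hard-coded in this stop/disable task, while the identical task in tasks/manage-mysql-service.yml was switched to `name: "{{ mysql_service_name }}"` in this commit, so with `mysql_installs_mariadb: true` this file would act on a different unit name than the rest of the role. Use `name: "{{ mysql_service_name }}"` here as well. As far as the tasks/main.yml hunk shows, this file is not imported anywhere; if it is indeed unused, removing it avoids maintaining two diverging copies of the same task.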
@@ -1,15 +1,20 @@ --- -- import_tasks: packages.yml -- import_tasks: mysql-conf.yml +- name: Install the mysql/mariadb packages + ansible.builtin.import_tasks: packages.yml +- name: Configure mysql/mariadb + ansible.builtin.import_tasks: mysql-conf.yml when: mysql_enabled | bool -- import_tasks: manage-mysql-service.yml -- import_tasks: configure_root_access.yml +- name: Manage the mysql/mariadb service + ansible.builtin.import_tasks: manage-mysql-service.yml +- name: Configure the root user + ansible.builtin.import_tasks: configure_root_access.yml when: mysql_enabled | bool -- import_tasks: manage_my_db.yml +- name: Eventually manage databases + ansible.builtin.import_tasks: manage_my_db.yml when: mysql_enabled | bool -- import_tasks: mysql-backup.yml +- name: Configure a basic backup service + ansible.builtin.import_tasks: mysql-backup.yml when: mysql_enabled | bool -- import_tasks: mysql-letsencrypt.yml +- name: Configure for letsencrypt + ansible.builtin.import_tasks: mysql-letsencrypt.yml when: mysql_letsencrypt_certificates | bool - - diff --git a/tasks/manage-mysql-service.yml b/tasks/manage-mysql-service.yml index 730d399..261027d 100644 --- a/tasks/manage-mysql-service.yml +++ b/tasks/manage-mysql-service.yml 
@@ -1,11 +1,16 @@ --- -- name: Ensure that the mysql server is enabled and running - service: name=mysql state=started enabled=yes +- name: manage-mysql-service | Ensure that the mysql server is enabled and running + ansible.builtin.service: + name: "{{ mysql_service_name }}" + state: started + enabled: true when: mysql_enabled - tags: [ 'mysql', 'mariadb' ] + tags: ['mysql', 'mariadb'] -- name: Stop and disable the mysql server if we do not want it running - service: name=mysql state=stopped enabled=no +- name: manage-mysql-service | Stop and disable the mysql server if we do not want it running + ansible.builtin.service: + name: "{{ mysql_service_name }}" + state: stopped + enabled: false when: not mysql_enabled - tags: [ 'mysql', 'mariadb' ] - + tags: ['mysql', 'mariadb'] diff --git a/tasks/manage_my_db.yml b/tasks/manage_my_db.yml index 851c6cc..da354c7 100644 --- a/tasks/manage_my_db.yml +++ b/tasks/manage_my_db.yml 
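Review bot: Both conditions test `mysql_enabled` bare (`when: mysql_enabled` and `when: not mysql_enabled`) while tasks/main.yml gates the same variable with `mysql_enabled | bool`; a value supplied as the string `"false"` from inventory or extra-vars is truthy here, so the service would be started and enabled even though the configuration imports in main.yml were skipped. `when: mysql_enabled | bool` and `when: not (mysql_enabled | bool)` make the two files agree. With `name` now coming from `mysql_service_name`, a one-line comment above the first task noting that the unit name follows `mysql_installs_mariadb` would help whoever next debugs a "unit not found" here.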
@@ -1,24 +1,41 @@ --- -- name: Add databases to mysql, if any - mysql_db: name={{ item.name }} collation={{ item.collation }} encoding={{ item.encoding }} state=present login_unix_socket={{ mysql_socket }} +- name: manage_my_db | Add databases to mysql, if any + community.mysql.mysql_db: + name: "{{ item.name }}" + collation: "{{ item.collation }}" + encoding: "{{ item.encoding }}" + state: present + login_unix_socket: "{{ mysql_socket }}" with_items: '{{ mysql_db_data | default([]) }}' when: item.name is defined - tags: [ 'mysql', 'mysql_db' ] + tags: ['mysql', 'mysql_db'] -- name: Add a user for the databases - mysql_user: name={{ item.0.user }} password={{ item.0.pwd }} host={{ item.1 }} priv="{{ item.0.name }}.*:{{ item.0.user_grant }}" state=present login_unix_socket={{ mysql_socket }} +- name: manage_my_db | Add a user for the databases + community.mysql.mysql_user: + name: "{{ item.0.user }}" + password: "{{ item.0.pwd }}" + host: "{{ item.1 }}" + priv: "{{ item.0.name }}.*:{{ item.0.user_grant }}" + state: present + login_unix_socket: "{{ mysql_socket }}" + no_log: true with_subelements: - '{{ mysql_db_data | default([]) }}' - allowed_hosts when: item.0.name is defined - tags: [ 'mysql', 'mysql_db', 'mysql_user' ] + tags: ['mysql', 'mysql_db', 'mysql_user'] -- name: Additional user privileges, if defined - mysql_user: name={{ item.0.user }} append_privs=yes priv="{{ item.0.name }}.*:{{ item.0.additional_privs }}" state=present login_unix_socket={{ mysql_socket }} +- name: manage_my_db | Additional user privileges, if defined + community.mysql.mysql_user: + name: "{{ item.0.user }}" + append_privs: true + priv: "{{ item.0.name }}.*:{{ item.0.additional_privs }}" + state: present + login_unix_socket: "{{ mysql_socket }}" with_subelements: - '{{ mysql_db_data | default([]) }}' - allowed_hosts when: - item.0.name is defined - item.0.additional_privs is defined - tags: [ 'mysql', 'mysql_db', 'mysql_user' ] + tags: ['mysql', 'mysql_db', 'mysql_user'] 
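Review bot: `no_log: true` was added only to the `Add a user for the databases` task, but the `Add databases to mysql` task (`with_items: '{{ mysql_db_data | default([]) }}'`) and the `Additional user privileges` task (`with_subelements` over the same list) iterate the same dicts, and Ansible echoes each loop item — including the `pwd` field — in the task output, so the database passwords still land in the play log and callback output through those two tasks. Either add `no_log: true` to them as well, or add `loop_control: {label: "{{ item.name }}"}` (and `label: "{{ item.0.name }}"` for the subelements loop) so only the database name is printed while failure messages stay visible.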
diff --git a/tasks/mysql-backup.yml b/tasks/mysql-backup.yml index 036891b..b236a0d 100644 --- a/tasks/mysql-backup.yml +++ b/tasks/mysql-backup.yml @@ -1,12 +1,27 @@ --- -- name: Install a script that performs mysql dumps - copy: src=mysql-backup.sh dest=/usr/local/sbin/mysql-backup owner=root group=root mode=0750 - tags: [ 'mysql', 'mysql_backup' ] +- name: mysql-backup | Install a script that performs mysql dumps + ansible.builtin.copy: + src: mysql-backup.sh + dest: /usr/local/sbin/mysql-backup + owner: root + group: root + mode: "0750" + tags: ['mysql', 'mysql_backup'] -- name: Install the mysql backup defaults - template: src=mysql_backup-default.j2 dest=/etc/default/mysql_backup owner=root group=root mode=0440 - tags: [ 'mysql', 'mysql_backup' ] +- name: mysql-backup | Install the mysql backup defaults + ansible.builtin.template: + src: mysql_backup-default.j2 + dest: /etc/default/mysql_backup + owner: root + group: root + mode: "0440" + tags: ['mysql', 'mysql_backup'] -- name: Cron job that executes mysql nightly backups - template: src=mysql-backup.cron.j2 dest=/etc/cron.daily/mysql-backup owner=root group=root mode=0755 - tags: [ 'mysql', 'mysql_backup' ] +- name: mysql-backup | Cron job that executes mysql nightly backups + ansible.builtin.template: + src: mysql-backup.cron.j2 + dest: /etc/cron.daily/mysql-backup + owner: root + group: root + mode: "0755" + tags: ['mysql', 'mysql_backup'] diff --git a/tasks/mysql-conf.yml b/tasks/mysql-conf.yml index 6e85f57..68f8897 100644 --- a/tasks/mysql-conf.yml +++ b/tasks/mysql-conf.yml 
@@ -1,49 +1,80 @@ --- -- name: Manage the MySQL configuration files - block: - - name: Check if the new mysql data directory exists - stat: path={{ mysql_data_dir }} - register: my_data_dir - - - name: Stop the mysql service while reconfiguring the data directory - service: name=mysql state=stopped - when: my_data_dir.stat.isdir is not defined - - - name: Create the data directory - file: dest={{ mysql_data_dir }} state=directory owner=mysql group=mysql mode=0700 - - - name: Copy data to the new directory - synchronize: src=/var/lib/mysql/ dest={{ mysql_data_dir }} - delegate_to: "{{ inventory_hostname }}" - when: my_data_dir.stat.isdir is not defined - - - name: Create the log directory - file: dest={{ mysql_log_dir }} state=directory owner=mysql group=adm mode=1750 - - - name: Install the main configuration files. - template: src={{ item }}.cnf.j2 dest={{ mysql_conf_dir }}/{{ item }}.cnf owner=root group=root mode=0644 - with_items: - - client - - mysql-clients - notify: Restart mysql - - - name: Install the main configuration files. 
- template: src={{ item }}.cnf.j2 dest={{ mysql_service_conf_dir }}/mysqld.cnf owner=root group=root mode=0644 - with_items: - - server - notify: Restart mysql - - - name: Add AppArmor alias - lineinfile: path=/etc/apparmor.d/tunables/alias line='alias /var/lib/mysql/ -> {{ mysql_data_dir }}/,' insertafter=EOF - when: my_data_dir.stat.isdir is not defined - - - name: Restart AppArmor service - service: name=apparmor state=restarted - when: my_data_dir.stat.isdir is not defined - - - name: Start the mysql service with the new the data directory - service: name=mysql state=started - when: my_data_dir.stat.isdir is not defined - +- name: mysql-conf | Manage the MySQL configuration files when: mysql_enabled | bool - tags: [ 'mysql', 'mariadb', 'mysql_conf' ] + tags: ['mysql', 'mariadb', 'mysql_conf'] + block: + - name: mysql-conf | Check if the new mysql data directory exists + ansible.builtin.stat: + path: "{{ mysql_data_dir }}" + register: my_data_dir + + - name: mysql-conf | Stop the mysql service while reconfiguring the data directory + ansible.builtin.service: + name: "{{ mysql_service_name }}" + state: stopped + when: my_data_dir.stat.isdir is not defined + + - name: mysql-conf | Create the data directory + ansible.builtin.file: + dest: "{{ mysql_data_dir }}" + state: directory + owner: mysql + group: mysql + mode: "0700" + + - name: mysql-conf | Copy data to the new directory + ansible.posix.synchronize: + src: /var/lib/mysql/ + dest: "{{ mysql_data_dir }}" + delegate_to: "{{ inventory_hostname }}" + when: my_data_dir.stat.isdir is not defined + + - name: mysql-conf | Create the log directory + ansible.builtin.file: + dest: "{{ mysql_log_dir }}" + state: directory + owner: mysql + group: adm + mode: "1750" + + - name: mysql-conf | Install the main configuration files. 
+ ansible.builtin.template: + src: "{{ item }}.cnf.j2" + dest: "{{ mysql_conf_dir }}/{{ item }}.cnf" + owner: root + group: root + mode: "0644" + loop: + - client + - mysql-clients + notify: Restart mysql + + - name: mysql-conf | Install the main configuration files. + ansible.builtin.template: + src: "{{ item }}.cnf.j2" + dest: "{{ mysql_service_conf_dir }}/mysqld.cnf" + owner: root + group: root + mode: "0644" + with_items: + - server + notify: Restart mysql + + - name: mysql-conf | Add AppArmor alias + ansible.builtin.lineinfile: + path: /etc/apparmor.d/tunables/alias + line: 'alias /var/lib/mysql/ -> {{ mysql_data_dir }}/,' + insertafter: EOF + when: my_data_dir.stat.isdir is not defined + + - name: mysql-conf | Restart the AppArmor service + ansible.builtin.service: + name: apparmor + state: restarted + when: my_data_dir.stat.isdir is not defined + + - name: mysql-conf | Start the mysql service with the new the data directory + ansible.builtin.service: + name: "{{ mysql_service_name }}" + state: started + when: my_data_dir.stat.isdir is not defined diff --git a/tasks/mysql-letsencrypt.yml b/tasks/mysql-letsencrypt.yml index 0cdb6b5..64c4af8 100644 --- a/tasks/mysql-letsencrypt.yml +++ b/tasks/mysql-letsencrypt.yml 
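Review bot: The two template tasks in the block carry the same name, `mysql-conf | Install the main configuration files.`, and one was converted to `loop:` while the other keeps `with_items:` for a single-element list; distinct names such as `mysql-conf | Install the client configuration files` and `mysql-conf | Install the server configuration file`, with `loop:` in both, keep the output unambiguous and the file consistent. The data-directory migration steps are guarded by `my_data_dir.stat.isdir is not defined`, which holds only when the path is absent altogether; if `mysql_data_dir` exists as a regular file, `isdir` is defined (false), the stop/copy/AppArmor steps are skipped and `Create the data directory` fails on the existing file, so `not my_data_dir.stat.exists` states the intended condition more directly. The block is complete within the hunk.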
@@ -1,30 +1,61 @@ --- -- name: Manage the letsencrypt configuration +- name: mysql-letsencrypt | Manage the letsencrypt configuration + when: mysql_letsencrypt_certificates + tags: ['mysql', 'mariadb', 'letsencrypt', 'mysql_letsencrypt'] block: - - name: Check if the letsencrypt certificates are in place - stat: path={{ letsencrypt_acme_certs_dir }}/privkey - register: letsencrypt_keyfile + - name: mysql-letsencrypt | Check if the letsencrypt certificates are in place + ansible.builtin.stat: + path: "{{ letsencrypt_acme_certs_dir }}/privkey" + register: letsencrypt_keyfile - - name: Copy the letsencrypt certificate key into the right place - copy: src={{ letsencrypt_acme_certs_dir }}/privkey dest=/var/lib/mysql/client-key.pem owner=mysql group=mysql mode=0400 remote_src=yes force=yes - when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool - notify: Restart mysql + - name: mysql-letsencrypt | Copy the letsencrypt certificate key into the right place + ansible.builtin.copy: + src: "{{ letsencrypt_acme_certs_dir }}/privkey" + dest: /var/lib/mysql/client-key.pem + owner: mysql + group: mysql + mode: "0400" + remote_src: true + force: true + when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool + notify: Restart mysql - - name: Copy the letsencrypt public certificate into the right place - copy: src={{ letsencrypt_acme_certs_dir }}/cert dest=/var/lib/mysql/client-cert.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes - when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool - notify: Restart mysql + - name: mysql-letsencrypt | Copy the letsencrypt public certificate into the right place + ansible.builtin.copy: + src: "{{ letsencrypt_acme_certs_dir }}/cert" + dest: "/var/lib/mysql/client-cert.pem" + owner: mysql + group: mysql + mode: "0444" + remote_src: true + force: true + when: letsencrypt_keyfile.stat.exists is defined and 
letsencrypt_keyfile.stat.exists | bool + notify: Restart mysql - - name: Copy the letsencrypt CA certificate into the right place - copy: src={{ letsencrypt_acme_certs_dir }}/fullchain dest=/var/lib/mysql/ca.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes - when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool - notify: Restart mysql + - name: mysql-letsencrypt | Copy the letsencrypt CA certificate into the right place + ansible.builtin.copy: + src: "{{ letsencrypt_acme_certs_dir }}/fullchain" + dest: /var/lib/mysql/ca.pem + owner: mysql + group: mysql + mode: "0444" + remote_src: true + force: true + when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool + notify: Restart mysql - - name: Create the acme hooks directory if it does not yet exist - file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root + - name: mysql-letsencrypt | Create the acme hooks directory if it does not yet exist + ansible.builtin.file: + dest: "{{ letsencrypt_acme_sh_services_scripts_dir }}" + state: directory + owner: root + group: root + mode: "0750" - - name: Install a script that fix the letsencrypt certificate for mysql and then reload the service - copy: src=letsencrypt-mysql-hook.sh dest={{ letsencrypt_acme_sh_services_scripts_dir }}/mysql owner=root group=root mode=4555 - - when: letsencrypt_acme_install is defined and letsencrypt_acme_install | bool - tags: [ 'mysql', 'mariadb', 'letsencrypt', 'mysql_letsencrypt' ] + - name: mysql-letsencrypt | Install a script that fix the letsencrypt certificate for mysql and then reloads the service + ansible.builtin.copy: + src: letsencrypt-mysql-hook.sh + dest: "{{ letsencrypt_acme_sh_services_scripts_dir }}/mysql" + owner: root + group: root + mode: "4555" diff --git a/tasks/packages.yml b/tasks/packages.yml index c5182f6..30d3eda 100644 --- a/tasks/packages.yml +++ b/tasks/packages.yml 
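Review bot: The block-level `when: mysql_letsencrypt_certificates` is a bare test, whereas the import of this file in tasks/main.yml uses `mysql_letsencrypt_certificates | bool`; the variable's new default in defaults/main.yml is produced by a Jinja expression, and whether Ansible hands it to `when:` as a boolean or as the string `"False"` depends on the templating mode, so `when: mysql_letsencrypt_certificates | bool` keeps the two guards consistent. The former `letsencrypt_acme_install is defined and ...` guard is gone from this block, so an undefined `letsencrypt_acme_install` now surfaces as a templating error from the default rather than as a skipped block. The hook script is installed with `mode: "4555"`: the kernel ignores the setuid bit on interpreted scripts, so it grants nothing but will be flagged by any permissions audit of the host; `mode: "0755"` (or `"0750"`, matching the directory created two tasks earlier) describes what actually happens.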
@@ -1,9 +1,8 @@ --- -- name: Install the mysql or maridb server packages +- name: packages | Install the mysql or maridb server packages ansible.builtin.apt: pkg: "{{ item }}" cache_valid_time: 1800 state: present loop: "{% if mysql_installs_mariadb %}{{ mysql_mariadb_pkgs }}{% else %}{{ mysql_packages_list }}{% endif %}" tags: mysql -
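Review bot: The renamed task still carries the typo `maridb` in its name; since the line is being rewritten anyway, `- name: packages | Install the mysql or mariadb server packages` fixes it. Nothing else in the hunk changes behaviour.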