diff --git a/README.md b/README.md
index 13b6c7c..f5056b0 100644
--- a/README.md
+++ b/README.md
@@ -13,3 +13,6 @@ Following roles have been defined to make creating a server configuration easy:
 - **bootstrap** defines a way to connect to a server which has not been configured yet
 - **common** defines the installation of common packages and common configurations like firewall
 - **hostname** configures the hostname for a given host
+- **mysql** defines roles for handling mysql databases and users, uses *MariaDB*
+ - **application** installs the main application with automatic backup
+ - **database** configures a database for an external application with its own user
diff --git a/roles/mysql/application/defaults/main.yml b/roles/mysql/application/defaults/main.yml
new file mode 100644
index 0000000..181eee8
--- /dev/null
+++ b/roles/mysql/application/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+mysql_root_password: "{{ lookup('password', '/etc/ansible-credentials/mysql/root length=80' ) }}"
diff --git a/roles/mysql/application/handlers/main.yml b/roles/mysql/application/handlers/main.yml
new file mode 100644
index 0000000..c629564
--- /dev/null
+++ b/roles/mysql/application/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart mysql
+ service:
+ name: mysql
+ state: restarted
diff --git a/roles/mysql/application/tasks/main.yml b/roles/mysql/application/tasks/main.yml
new file mode 100644
index 0000000..9221600
--- /dev/null
+++ b/roles/mysql/application/tasks/main.yml
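Review bot: The `lookup('password', ...)` path behind `mysql_root_password` in roles/mysql/application/defaults/main.yml is the same for every host, so all servers that apply this role share one MariaDB root password, and that value is kept in plain text on the control node under /etc/ansible-credentials. Putting the host into the path, e.g. `/etc/ansible-credentials/mysql/{{ inventory_hostname }}/root length=80`, gives each server its own secret. The directory should be readable only by the account that runs Ansible. It also needs a backup, because a missing file makes the next run generate and set a new password.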
@@ -0,0 +1,81 @@
+---
+
+- name: Install dependencies for mysql database
+ apt:
+ state: present
+ name:
+ - mariadb-server
+ - mariadb-client
+
+- name: Install ansible dependencies for configuring
+ pip:
+ state: present
+ name:
+ - PyMySQL
+
+- name: Lock root user for localhost
+ mysql_user:
+ user: "root"
+ password: "{{ mysql_root_password }}"
+ host: "localhost"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Remove test user for public
+ mysql_user:
+ user: ""
+ host: "{{ ansible_fqdn }}"
+ state: "absent"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Remove test user in general
+ mysql_user:
+ user: ""
+ state: absent
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Lock root user for ::1
+ mysql_user:
+ user: "root"
+ password: "{{ mysql_root_password }}"
+ host: "::1"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Lock root user for 127.0.0.1
+ mysql_user:
+ user: "root"
+ password: "{{ mysql_root_password }}"
+ host: "127.0.0.1"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Lock root user for localhost
+ mysql_user:
+ user: "root"
+ password: "{{ mysql_root_password }}"
+ host: "localhost"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Disable public root user access
+ mysql_user:
+ user: "root"
+ host: "{{ ansible_fqdn }}"
+ state: absent
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Remove mysql test database
+ mysql_db:
+ db: "test"
+ state: absent
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Configure innodb of mysql
+ copy:
+ dest: "/etc/mysql/conf.d/innodb.cnf"
+ content: |
+ [mysqld]
+ innodb_large_prefix=ON
+ innodb_file_format=barracuda
+ innodb_file_per_table=ON
+ notify:
+ - restart mysql
+
+# TODO Configure automatic local backup
diff --git a/roles/mysql/database/meta/main.yml b/roles/mysql/database/meta/main.yml
new file mode 100644
index 0000000..7db1d8f
--- /dev/null
+++ b/roles/mysql/database/meta/main.yml
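Review bot: The clean-up of default accounts in roles/mysql/application/tasks/main.yml only covers the host values named in the tasks, so an entry created at install time under another host (commonly the short hostname rather than `{{ ansible_fqdn }}`) would keep a root or anonymous account without a password. For the anonymous user, adding `host_all: true` to the `state: absent` task removes every host entry at once. For root, a further removal task for `{{ ansible_hostname }}` closes the usual gap, and a query of `mysql.user` after the run would confirm nothing is left. "Lock root user for localhost" also appears twice in this hunk, and the second copy can be dropped. The `copy` task for innodb.cnf sets no `owner`, `group` or `mode`; `mode: "0644"` with root ownership would make the result independent of the umask.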
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+ - role: mysql/application
diff --git a/roles/mysql/database/tasks/main.yml b/roles/mysql/database/tasks/main.yml
new file mode 100644
index 0000000..e024cd3
--- /dev/null
+++ b/roles/mysql/database/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+
+- meta: flush_handlers
+
+- name: Create SQL user {{ user }}
+ mysql_user:
+ state: present
+ host: localhost
+ user: "{{ user }}"
+ password: "{{ pass }}"
+ update_password: always
+ priv: "{{ name }}.*:ALL"
+ login_unix_socket: "/var/run/mysqld/mysqld.sock"
+
+- name: Create SQL database {{ name }}
+ mysql_db:
+ db: "{{ name }}"
+ login_unix_socket: "/var/run/mysqld/mysqld.sock"
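Review bot: The tasks in roles/mysql/database/tasks/main.yml use `user`, `pass` and `name` without checking them, so an undefined or empty value reaches `mysql_user` and `mysql_db` directly. An empty `user` is the anonymous account, which mysql/application in this same commit removes. An `assert` task placed before "Create SQL user" would stop the play early with a clear message. The variable names are also very generic for role parameters, and `name` may clash with the way a role entry is written (inferred, worth verifying), so prefixed names such as `mysql_database_name` would be safer. Separately, `_` and `%` in a database name act as wildcards in a database-level grant, so `priv: "{{ name }}.*:ALL"` can cover more than the one intended schema.

```yaml
- meta: flush_handlers

- name: Check database role parameters
  assert:
    that:
      - name is defined and name | length > 0
      - user is defined and user | length > 0
      - pass is defined and pass | length > 0
    msg: "mysql/database needs non-empty name, user and pass"

# … unchanged: Create SQL user, Create SQL database …
```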