Added 'mysql' role

This role sets up mysql service. Several variables in defaults/main.yml allow for customization of mysqld options, there's also support for random root passwords using lookup function if "$secret" variable is defined in playbook or inventory.

Author: drybjed

playbooks/mysql.yml

@@ -0,0 +1,10 @@
+---
+
+- name: MySQL support
+  hosts: aiua_mysql
+  sudo: yes
+  tags: mysql
+
+  roles:
+  - { role: mysql }
+

playbooks/roles/mysql/defaults/main.yml

@@ -0,0 +1,29 @@
+---
+
+mysql_utf8: True
+
+# If 'secret' variable is undefined, this variable will be used to set password
+mysql_root_password: 'password'
+
+mysql_backup_mailaddr: 'root'
+mysql_backup_doweekly: 6
+mysql_backup_latest: 'no'
+
+mysql_mysqld_bind_address: '127.0.0.1'
+mysql_mysqld_port: 3306
+mysql_mysqld_max_connections: 100
+
+# Use this variable to set additional mysqld options
+#mysql_mysqld_options:
+#  key_buffer: '16M'
+#  skip-name-resolve:
+
+# This is a list of networks allowed to connect to mysqld from remote hosts
+# It will be applied in firewall (ferm) and /etc/hosts.allow (tcpwrappers)
+# Also you need to set mysql_mysqld_bind_address to 0.0.0.0
+#mysql_network_allow_list:
+#  - '10.0.0.0/8'
+#  - '172.16.0.0/12'
+#  - '192.168.0.0/16'
+
+

playbooks/roles/mysql/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Restart mysql
+  service: name=mysql state=restarted
+
+- name: Reload mysql
+  service: name=mysql state=reloaded
+

playbooks/roles/mysql/meta/main.yml

@@ -0,0 +1,6 @@
+---
+
+dependencies:
+  - { role: ferm }
+  - { role: tcpwrappers }
+

playbooks/roles/mysql/tasks/main.yml

@@ -0,0 +1,111 @@
+---
+
+- name: MYSQL | Install MySQL-related packages
+  apt: pkg={{ item }} state=latest install_recommends=no
+  with_items:
+    - python-mysqldb
+    - mysql-server
+    - automysqlbackup
+  tags:
+    - mysql
+    - packages
+
+- name: MYSQL | Apply mysqld configuration
+  template: src=etc/mysql/conf.d/mysqld.cnf.j2 dest=/etc/mysql/conf.d/mysqld.cnf owner=root group=root mode=0644
+  notify:
+    - Reload mysql
+  tags:
+    - mysql
+
+- name: MYSQL | Apply client configuration
+  template: src=etc/mysql/conf.d/client.cnf.j2 dest=/etc/mysql/conf.d/client.cnf owner=root group=root mode=0644
+  notify:
+    - Reload mysql
+  tags:
+    - mysql
+
+- name: MYSQL | Start the MySQL service
+  service: name=mysql state=started
+  tags:
+    - mysql
+
+- name: MYSQL | Lookup mysql root password if $secret is defined
+  set_fact:
+    mysql_root_password: "{{ lookup('password', secret + '/credentials/' + ansible_fqdn + '/mysql/root/password length=15') }}"
+  when: secret is defined
+  tags:
+    - mysql
+    - secret
+
+- name: MYSQL | Update mysql root password for all root accounts
+  mysql_user: name=root host={{ item }} password={{ mysql_root_password }}
+  with_items:
+    - '{{ ansible_hostname }}'
+    - 127.0.0.1
+    - ::1
+    - localhost
+  tags:
+    - mysql
+    - secret
+
+- name: MYSQL | Copy .my.cnf file with root password credentials
+  template: src=root/my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0600
+  tags:
+    - mysql
+    - secret
+
+- name: MYSQL | Delete anonymous users
+  mysql_user: user="" host={{ item }} state=absent
+  with_items:
+    - '{{ ansible_hostname }}'
+    - 'localhost'
+  tags:
+    - mysql
+
+- name: MYSQL | Remove the test database
+  mysql_db: db=test state=absent
+  tags:
+    - mysql
+
+- name: MYSQL | Setup automysqlbackup configuration
+  template: src=etc/default/automysqlbackup.j2 dest=/etc/default/automysqlbackup owner=root group=root mode=0644
+  tags:
+    - mysql
+
+- name: MYSQL | Enable network access in firewall
+  template: src=etc/ferm/ferm.d/mysql.conf.j2 dest=/etc/ferm/ferm.d/mysql.conf owner=root group=root mode=0644
+  when: mysql_network_allow_list is defined and mysql_network_allow_list is not none
+  notify:
+    - Restart ferm
+  tags:
+    - mysql
+    - firewall
+
+- name: MYSQL | Disable network access in firewall
+  file: path=/etc/ferm/ferm.d/mysql.conf state=absent
+  when: mysql_network_allow_list is not defined
+  notify:
+    - Restart ferm
+  tags:
+    - mysql
+    - firewall
+
+- name: MYSQL | Enable network access in tcpwrappers
+  template: src=etc/hosts.allow.d/50_mysql.j2 dest=/etc/hosts.allow.d/50_mysql owner=root group=root mode=0644
+  when: mysql_network_allow_list is defined and mysql_network_allow_list is not none
+  notify:
+    - Assemble hosts.allow.d
+  tags:
+    - mysql
+    - tcpwrappers
+
+- name: MYSQL | Disable network access in tcpwrappers
+  file: path=/etc/hosts.allow.d/50_mysql state=absent
+  when: mysql_network_allow_list is not defined
+  notify:
+    - Assemble hosts.allow.d
+  tags:
+    - mysql
+    - tcpwrappers
+
+

playbooks/roles/mysql/templates/etc/default/automysqlbackup.j2

@@ -0,0 +1,96 @@
+# {{ ansible_managed }}
+
+# By default, the Debian version of automysqlbackup will use:
+# mysqldump --defaults-file=/etc/mysql/debian.cnf
+# but you might want to overwrite with a specific user & pass.
+# To do this, simply edit bellow.
+
+# Username to access the MySQL server e.g. dbuser
+#USERNAME=`grep user /etc/mysql/debian.cnf | tail -n 1 | cut -d"=" -f2 | awk '{print $1}'`
+
+# Username to access the MySQL server e.g. password
+#PASSWORD=`grep password /etc/mysql/debian.cnf | tail -n 1 | cut -d"=" -f2 | awk '{print $1}'`
+
+# Host name (or IP address) of MySQL server e.g localhost
+DBHOST=localhost
+
+# List of DBNAMES for Daily/Weekly Backup e.g. "DB1 DB2 DB3"
+# Note that it's absolutely normal that the db named "mysql" is not in this
+# list, as it's added later by the script. See the MDBNAMES directives below
+# in this file (advanced options).
+# This is ONLY a convenient default, if you don't like it, don't complain
+# and write your own.
+# The following is a quick hack that will find the names of the databases by
+# reading the mysql folder content. Feel free to replace by something else.
+# DBNAMES=`find /var/lib/mysql -mindepth 1 -maxdepth 1 -type d | cut -d'/' -f5 | grep -v ^mysql\$ | tr \\\r\\\n ,\ `
+# This one does a list of dbs using a MySQL statement.
+DBNAMES=`mysql --defaults-file=/etc/mysql/debian.cnf --execute="SHOW DATABASES" | awk '{print $1}' | grep -v ^Database$ | grep -v ^mysql$ | grep -v ^performance_schema$ | grep -v ^information_schema$ | tr \\\r\\\n ,\ `
+
+# Backup directory location e.g /backups
+# Folders inside this one will be created (daily, weekly, etc.), and the
+# subfolders will be database names. Note that backups will be owned by
+# root, with Unix rights 0600.
+BACKUPDIR="/var/lib/automysqlbackup"
+
+# Mail setup
+# What would you like to be mailed to you?
+# - log   : send only log file
+# - files : send log file and sql files as attachments (see docs)
+# - stdout : will simply output the log to the screen if run manually.
+# - quiet : Only send logs if an error occurs to the MAILADDR.
+MAILCONTENT="quiet"
+
+# Set the maximum allowed email size in k. (4000 = approx 5MB email [see
+# docs])
+MAXATTSIZE="4000"
+
+# Email Address to send mail to? (user@domain.com)
+MAILADDR="{{ mysql_backup_mailaddr }}"
+
+# ============================================================
+# === ADVANCED OPTIONS ( Read the doc's below for details )===
+#=============================================================
+
+# List of DBBNAMES for Monthly Backups.
+MDBNAMES="mysql $DBNAMES"
+
+# List of DBNAMES to EXLUCDE if DBNAMES are set to all (must be in " quotes)
+DBEXCLUDE=""
+
+# Include CREATE DATABASE in backup?
+CREATE_DATABASE=yes
+
+# Separate backup directory and file for each DB? (yes or no)
+SEPDIR=yes
+
+# Which day do you want weekly backups? (1 to 7 where 1 is Monday)
+DOWEEKLY={{ mysql_backup_doweekly }}
+
+# Choose Compression type. (gzip or bzip2)
+COMP=gzip
+
+# Compress communications between backup server and MySQL server?
+COMMCOMP=no
+
+# Additionally keep a copy of the most recent backup in a seperate
+# directory.
+LATEST={{ mysql_backup_latest }}
+
+#  The maximum size of the buffer for client/server communication. e.g. 16MB
+#  (maximum is 1GB)
+MAX_ALLOWED_PACKET=
+
+#  For connections to localhost. Sometimes the Unix socket file must be
+#  specified.
+SOCKET=
+
+# Command to run before backups (uncomment to use)
+#PREBACKUP="/etc/mysql-backup-pre"
+
+# Command run after backups (uncomment to use)
+#POSTBACKUP="/etc/mysql-backup-post"
+
+# Backup of stored procedures and routines (comment to remove)
+ROUTINES=yes
+
+

playbooks/roles/mysql/templates/etc/ferm/ferm.d/mysql.conf.j2

@@ -0,0 +1,14 @@
+# iptables ferm firewall - mysql access
+# {{ ansible_managed }}
+
+table filter {
+	chain INPUT {
+		protocol tcp dport {{ mysql_mysqld_port }} {
+{% for network in mysql_network_allow_list %}
+			saddr {{ network }} ACCEPT;
+{% endfor %}
+		}
+	}
+}
+
+

playbooks/roles/mysql/templates/etc/hosts.allow.d/50_mysql.j2

@@ -0,0 +1,6 @@
+# Allow mysqld connections
+{% for network in mysql_network_allow_list %}
+mysqld: {{ network }}
+{% endfor %}
+
+

playbooks/roles/mysql/templates/etc/mysql/conf.d/client.cnf.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+[client]
+
+{% if mysql_utf8 is defined and mysql_utf8 == True %}
+default-character-set		= utf8
+{% endif %}
+
+

playbooks/roles/mysql/templates/etc/mysql/conf.d/mysqld.cnf.j2

@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+[mysqld]
+bind-address		= {{ mysql_mysqld_bind_address }}
+port			= {{ mysql_mysqld_port }}
+max-connections		= {{ mysql_mysqld_max_connections }}
+
+{% if mysql_utf8 is defined and mysql_utf8 == True %}
+character-set-server	= utf8
+collation-server	= utf8_general_ci
+init-connect		= 'SET NAMES utf8'
+
+{% endif %}
+{% if mysql_mysqld_options is defined and mysql_mysqld_options is not none %}
+{% for key, value in mysql_mysqld_options.iteritems() %}
+{{ key }}{% if value is not none %} = {{ value }}{% endif %}
+
+{% endfor %}
+
+{% endif %}