This role sets up the mysql service. Several variables in defaults/main.yml allow customization of mysqld options; there is also support for random root passwords, generated with the password lookup function, if the "$secret" variable is defined in the playbook or inventory.
Showing
12 changed files
with
317 additions
and
0 deletions.
@@ -0,0 +1,10 @@ | ||
--- | ||
|
||
- name: MySQL support | ||
hosts: aiua_mysql | ||
sudo: yes | ||
tags: mysql | ||
|
||
roles: | ||
- { role: mysql } | ||
|
@@ -0,0 +1,29 @@ | ||
--- | ||
|
||
mysql_utf8: True | ||
|
||
# If 'secret' variable is undefined, this variable will be used to set password | ||
mysql_root_password: 'password' | ||
|
||
mysql_backup_mailaddr: 'root' | ||
mysql_backup_doweekly: 6 | ||
mysql_backup_latest: 'no' | ||
|
||
mysql_mysqld_bind_address: '127.0.0.1' | ||
mysql_mysqld_port: 3306 | ||
mysql_mysqld_max_connections: 100 | ||
|
||
# Use this variable to set additional mysqld options | ||
#mysql_mysqld_options: | ||
# key_buffer: '16M' | ||
# skip-name-resolve: | ||
|
||
# This is a list of networks allowed to connect to mysqld from remote hosts | ||
# It will be applied in firewall (ferm) and /etc/hosts.allow (tcpwrappers) | ||
# Also you need to set mysql_mysqld_bind_address to 0.0.0.0 | ||
#mysql_network_allow_list: | ||
# - '10.0.0.0/8' | ||
# - '172.16.0.0/12' | ||
# - '192.168.0.0/16' | ||
|
||
|
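Review bot: `mysql_root_password: 'password'` is a usable default that tasks/main.yml applies to every root account and writes into /root/.my.cnf whenever `secret` is not defined, so an inventory that forgets to set either variable ends up with a well-known root password. Prefer no default here and a guard in the tasks that runs before the password tasks, e.g. `- fail: msg="set mysql_root_password or secret" when: mysql_root_password is not defined and secret is not defined`. As a style point, `mysql_utf8: True` is the Python/YAML 1.1 spelling; `mysql_utf8: true` is the canonical boolean.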
@@ -0,0 +1,8 @@ | ||
--- | ||
|
||
- name: Restart mysql | ||
service: name=mysql state=restarted | ||
|
||
- name: Reload mysql | ||
service: name=mysql state=reloaded | ||
|
@@ -0,0 +1,6 @@ | ||
--- | ||
|
||
dependencies: | ||
- { role: ferm } | ||
- { role: tcpwrappers } | ||
|
@@ -0,0 +1,111 @@ | ||
--- | ||
|
||
- name: MYSQL | Install MySQL-related packages | ||
apt: pkg={{ item }} state=latest install_recommends=no | ||
with_items: | ||
- python-mysqldb | ||
- mysql-server | ||
- automysqlbackup | ||
tags: | ||
- mysql | ||
- packages | ||
|
||
- name: MYSQL | Apply mysqld configuration | ||
template: src=etc/mysql/conf.d/mysqld.cnf.j2 dest=/etc/mysql/conf.d/mysqld.cnf owner=root group=root mode=0644 | ||
notify: | ||
- Reload mysql | ||
tags: | ||
- mysql | ||
|
||
- name: MYSQL | Apply client configuration | ||
template: src=etc/mysql/conf.d/client.cnf.j2 dest=/etc/mysql/conf.d/client.cnf owner=root group=root mode=0644 | ||
notify: | ||
- Reload mysql | ||
tags: | ||
- mysql | ||
|
||
- name: MYSQL | Start the MySQL service | ||
service: name=mysql state=started | ||
tags: | ||
- mysql | ||
|
||
- name: MYSQL | Lookup mysql root password if $secret is defined | ||
set_fact: | ||
mysql_root_password: "{{ lookup('password', secret + '/credentials/' + ansible_fqdn + '/mysql/root/password length=15') }}" | ||
when: secret is defined | ||
tags: | ||
- mysql | ||
- secret | ||
|
||
- name: MYSQL | Update mysql root password for all root accounts | ||
mysql_user: name=root host={{ item }} password={{ mysql_root_password }} | ||
with_items: | ||
- '{{ ansible_hostname }}' | ||
- 127.0.0.1 | ||
- ::1 | ||
- localhost | ||
tags: | ||
- mysql | ||
- secret | ||
|
||
- name: MYSQL | Copy .my.cnf file with root password credentials | ||
template: src=root/my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0600 | ||
tags: | ||
- mysql | ||
- secret | ||
|
||
- name: MYSQL | Delete anonymous users | ||
mysql_user: user="" host={{ item }} state=absent | ||
with_items: | ||
- '{{ ansible_hostname }}' | ||
- 'localhost' | ||
tags: | ||
- mysql | ||
|
||
- name: MYSQL | Remove the test database | ||
mysql_db: db=test state=absent | ||
tags: | ||
- mysql | ||
|
||
- name: MYSQL | Setup automysqlbackup configuration | ||
template: src=etc/default/automysqlbackup.j2 dest=/etc/default/automysqlbackup owner=root group=root mode=0644 | ||
tags: | ||
- mysql | ||
|
||
- name: MYSQL | Enable network access in firewall | ||
template: src=etc/ferm/ferm.d/mysql.conf.j2 dest=/etc/ferm/ferm.d/mysql.conf owner=root group=root mode=0644 | ||
when: mysql_network_allow_list is defined and mysql_network_allow_list is not none | ||
notify: | ||
- Restart ferm | ||
tags: | ||
- mysql | ||
- firewall | ||
|
||
- name: MYSQL | Disable network access in firewall | ||
file: path=/etc/ferm/ferm.d/mysql.conf state=absent | ||
when: mysql_network_allow_list is not defined | ||
notify: | ||
- Restart ferm | ||
tags: | ||
- mysql | ||
- firewall | ||
|
||
- name: MYSQL | Enable network access in tcpwrappers | ||
template: src=etc/hosts.allow.d/50_mysql.j2 dest=/etc/hosts.allow.d/50_mysql owner=root group=root mode=0644 | ||
when: mysql_network_allow_list is defined and mysql_network_allow_list is not none | ||
notify: | ||
- Assemble hosts.allow.d | ||
tags: | ||
- mysql | ||
- tcpwrappers | ||
|
||
- name: MYSQL | Disable network access in tcpwrappers | ||
file: path=/etc/hosts.allow.d/50_mysql state=absent | ||
when: mysql_network_allow_list is not defined | ||
notify: | ||
- Assemble hosts.allow.d | ||
tags: | ||
- mysql | ||
- tcpwrappers | ||
|
||
|
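Review bot: The two "Disable network access" tasks (firewall and tcpwrappers) run only when `mysql_network_allow_list is not defined`, while their "Enable" counterparts additionally require `is not none`, so a list that is set but null (for example an inventory that later clears access with `mysql_network_allow_list:`) matches neither branch and the previously rendered ferm and hosts.allow.d entries stay in place. Both disable conditions should read `when: mysql_network_allow_list is not defined or mysql_network_allow_list is none`. The root-password lookup also builds a controller-side path from `ansible_fqdn`, a fact reported by the managed node; `inventory_hostname` keeps that path under the inventory's control rather than the target's. Lastly, `state=latest` in the apt task upgrades mysql-server and the other packages on every run, which a configuration role usually should not do; `state=present` installs without re-upgrading.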
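--- a/playbooks/roles/mysql/templates/etc/default/automysqlbackup.j2
+++ b/playbooks/roles/mysql/templates/etc/default/automysqlbackup.j2
@@ -0,0 +1,96 @@
+# {{ ansible_managed }}
+
+# By default, the Debian version of automysqlbackup will use:
+# mysqldump --defaults-file=/etc/mysql/debian.cnf
+# but you might want to overwrite with a specific user & pass.
+# To do this, simply edit bellow.
+
+# Username to access the MySQL server e.g. dbuser
+#USERNAME=`grep user /etc/mysql/debian.cnf | tail -n 1 | cut -d"=" -f2 | awk '{print $1}'`
+
+# Username to access the MySQL server e.g. password
+#PASSWORD=`grep password /etc/mysql/debian.cnf | tail -n 1 | cut -d"=" -f2 | awk '{print $1}'`
+
+# Host name (or IP address) of MySQL server e.g localhost
+DBHOST=localhost
+
+# List of DBNAMES for Daily/Weekly Backup e.g. "DB1 DB2 DB3"
+# Note that it's absolutely normal that the db named "mysql" is not in this
+# list, as it's added later by the script. See the MDBNAMES directives below
+# in this file (advanced options).
+# This is ONLY a convenient default, if you don't like it, don't complain
+# and write your own.
+# The following is a quick hack that will find the names of the databases by
+# reading the mysql folder content. Feel free to replace by something else.
+# DBNAMES=`find /var/lib/mysql -mindepth 1 -maxdepth 1 -type d | cut -d'/' -f5 | grep -v ^mysql\$ | tr \\\r\\\n ,\ `
+# This one does a list of dbs using a MySQL statement.
+DBNAMES=`mysql --defaults-file=/etc/mysql/debian.cnf --execute="SHOW DATABASES" | awk '{print $1}' | grep -v ^Database$ | grep -v ^mysql$ | grep -v ^performance_schema$ | grep -v ^information_schema$ | tr \\\r\\\n ,\ `
+
+# Backup directory location e.g /backups
+# Folders inside this one will be created (daily, weekly, etc.), and the
+# subfolders will be database names. Note that backups will be owned by
+# root, with Unix rights 0600.
+BACKUPDIR="/var/lib/automysqlbackup"
+
+# Mail setup
+# What would you like to be mailed to you?
+# - log : send only log file
+# - files : send log file and sql files as attachments (see docs)
+# - stdout : will simply output the log to the screen if run manually.
+# - quiet : Only send logs if an error occurs to the MAILADDR.
+MAILCONTENT="quiet"
+
+# Set the maximum allowed email size in k. (4000 = approx 5MB email [see
+# docs])
+MAXATTSIZE="4000"
+
+# Email Address to send mail to? (user@domain.com)
+MAILADDR="{{ mysql_backup_mailaddr }}"
+
+# ============================================================
+# === ADVANCED OPTIONS ( Read the doc's below for details )===
+#=============================================================
+
+# List of DBBNAMES for Monthly Backups.
+MDBNAMES="mysql $DBNAMES"
+
+# List of DBNAMES to EXLUCDE if DBNAMES are set to all (must be in " quotes)
+DBEXCLUDE=""
+
+# Include CREATE DATABASE in backup?
+CREATE_DATABASE=yes
+
+# Separate backup directory and file for each DB? (yes or no)
+SEPDIR=yes
+
+# Which day do you want weekly backups? (1 to 7 where 1 is Monday)
+DOWEEKLY={{ mysql_backup_doweekly }}
+
+# Choose Compression type. (gzip or bzip2)
+COMP=gzip
+
+# Compress communications between backup server and MySQL server?
+COMMCOMP=no
+
+# Additionally keep a copy of the most recent backup in a seperate
+# directory.
+LATEST={{ mysql_backup_latest }}
+
+# The maximum size of the buffer for client/server communication. e.g. 16MB
+# (maximum is 1GB)
+MAX_ALLOWED_PACKET=
+
+# For connections to localhost. Sometimes the Unix socket file must be
+# specified.
+SOCKET=
+
+# Command to run before backups (uncomment to use)
+#PREBACKUP="/etc/mysql-backup-pre"
+
+# Command run after backups (uncomment to use)
+#POSTBACKUP="/etc/mysql-backup-post"
+
+# Backup of stored procedures and routines (comment to remove)
+ROUTINES=yes
+
+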
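Review bot: `DOWEEKLY={{ mysql_backup_doweekly }}` and `LATEST={{ mysql_backup_latest }}` are the only templated values left unquoted in a file that automysqlbackup sources as shell, so an empty or whitespace-containing variable alters the script's parsing rather than just the setting. Quote them the way MAILADDR already is: `DOWEEKLY="{{ mysql_backup_doweekly }}"` and `LATEST="{{ mysql_backup_latest }}"`. The rest of the content appears to be the distribution's stock configuration carried over verbatim, so its wording is best left untouched here.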
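--- a/playbooks/roles/mysql/templates/etc/ferm/ferm.d/mysql.conf.j2
+++ b/playbooks/roles/mysql/templates/etc/ferm/ferm.d/mysql.conf.j2
@@ -0,0 +1,14 @@
+# iptables ferm firewall - mysql access
+# {{ ansible_managed }}
+
+table filter {
+chain INPUT {
+protocol tcp dport {{ mysql_mysqld_port }} {
+{% for network in mysql_network_allow_list %}
+saddr {{ network }} ACCEPT;
+{% endfor %}
+}
+}
+}
+
+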
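--- a/playbooks/roles/mysql/templates/etc/hosts.allow.d/50_mysql.j2
+++ b/playbooks/roles/mysql/templates/etc/hosts.allow.d/50_mysql.j2
@@ -0,0 +1,6 @@
+# Allow mysqld connections
+{% for network in mysql_network_allow_list %}
+mysqld: {{ network }}
+{% endfor %}
+
+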
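--- a/playbooks/roles/mysql/templates/etc/mysql/conf.d/client.cnf.j2
+++ b/playbooks/roles/mysql/templates/etc/mysql/conf.d/client.cnf.j2
@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+[client]
+
+{% if mysql_utf8 is defined and mysql_utf8 == True %}
+default-character-set = utf8
+{% endif %}
+
+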
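--- a/playbooks/roles/mysql/templates/etc/mysql/conf.d/mysqld.cnf.j2
+++ b/playbooks/roles/mysql/templates/etc/mysql/conf.d/mysqld.cnf.j2
@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+[mysqld]
+bind-address = {{ mysql_mysqld_bind_address }}
+port = {{ mysql_mysqld_port }}
+max-connections = {{ mysql_mysqld_max_connections }}
+
+{% if mysql_utf8 is defined and mysql_utf8 == True %}
+character-set-server = utf8
+collation-server = utf8_general_ci
+init-connect = 'SET NAMES utf8'
+
+{% endif %}
+{% if mysql_mysqld_options is defined and mysql_mysqld_options is not none %}
+{% for key, value in mysql_mysqld_options.iteritems() %}
+{{ key }}{% if value is not none %} = {{ value }}{% endif %}
+
+{% endfor %}
+
+{% endif %}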
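Review bot: `mysql_mysqld_options.iteritems()` is a Python 2-only dict method, so this template stops rendering as soon as Ansible runs under Python 3; `.items()` behaves identically on both and should be used instead. The `mysql_utf8 is defined and mysql_utf8 == True` test (repeated in client.cnf.j2) is false for any non-boolean truthy override such as the string `"yes"` that an inventory or extra-vars file would supply; `{% if mysql_utf8 | default(false) | bool %}` accepts both the YAML boolean and the string spellings. The option loop itself renders values unquoted, which is what mysqld's option-file parser expects, so that part needs no change.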
@@ -0,0 +1,7 @@ | ||
# {{ ansible_managed }} | ||
|
||
[client] | ||
user=root | ||
password={{ mysql_root_password }} | ||
|
||
|
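Review bot: `password={{ mysql_root_password }}` is written unquoted, and the MySQL option-file parser treats `#` as starting a comment even mid-line and trims surrounding whitespace, so a root password containing either would be silently truncated in /root/.my.cnf while the server already holds the full value set by the mysql_user task. Writing `password="{{ mysql_root_password }}"` keeps the value intact, since double-quoted values are supported in option files. The file is installed with mode 0600, which is appropriate for a credential at rest.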