- Updated README, TODO list.

- Wait for server to come online. - Depend on the common role. - Create an admin account with forced SSL (WIP). - Log to syslog (WIP). - Update meta information.

- Updated README, TODO list.
11f14db3 · nimrod · 324f9a89 · 11f14db3 · 11f14db3 · 11f14db3
Commit 11f14db3 authored 9 years ago by nimrod
--- a/README.rst
+++ b/README.rst
-Role Name
-=========
+ansible-mysql
+#############

-A brief description of the role goes here.
+An Ansible role to install and configure a MySQL server. The role creates an
+admin account, force SSL usage, configures UFW and daily backup.

 Requirements
 ------------

-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+Debian Wheezy or later (Ubuntu Precise or later should probably work, but it's
+untested).

 Role Variables
 --------------
+::

-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+    mysql_admin_password: #The password for the admin account.

 Dependencies
 ------------

-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+`Common role <https://www.shore.co.il/cgit/ansible-common/>`_

 Example Playbook
 ----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+::

    - hosts: servers
      roles:
-         - { role: username.rolename, x: 42 }
+      - role: mysql
+        mysql_admin_password: qwerty123
+
+Example requirements.yml
+------------------------
+::
+
+    - src: https://www.shore.co.il/cgit/ansible-common
+      scm: git
+      path: roles/
+      name: common
+
+    - src: https://www.shore.co.il/cgit/ansible-mysql
+      scm: git
+      path: roles/
+      name: mysql

 License
 -------

-BSD
+This software is licnesed under the MIT licese (see the ``LICENSE.txt`` file).

 Author Information
 ------------------

-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+Nimrod Adar, `contact me <nimrod@shore.co.il>`_ or visit my `website
+<https://www.shore.co.il/>`_. Patches are welcome via `git send-email
+<http://git-scm.com/book/en/v2/Git-Commands-Email>`_. The repository is located
+at: https://www.shore.co.il/cgit/.

 TODO
 ----

--- a/defaults/main.yml
+++ b/defaults/main.yml
 ---
 # defaults file for ansible-mysql

-mysql_root_password:
+mysql_admin_password:
--- a/handlers/main.yml
+++ b/handlers/main.yml
 ---
 # handlers file for ansible-mysql
+
+- name: Restart MySQL
+  service:
+    name: mysql
+    state: restarted
--- a/meta/main.yml
+++ b/meta/main.yml
 ---
 galaxy_info:
-  author: your name
-  description:
-  company: your company (optional)
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
-  # Some suggested licenses:
-  # - BSD (default)
-  # - MIT
-  # - GPLv2
-  # - GPLv3
-  # - Apache
-  # - CC-BY
-  license: license (GPLv2, CC-BY, etc)
-  min_ansible_version: 1.2
-  #
-  # Below are all platforms currently available. Just uncomment
-  # the ones that apply to your role. If you don't see your
-  # platform on this list, let us know and we'll get it added!
-  #
-  #platforms:
-  #
-  # Below are all categories currently available. Just as with
-  # the platforms above, uncomment those that apply to your role.
-  #
-  #categories:
-dependencies: []
-  # List your role dependencies here, one per line.
-  # Be sure to remove the '[]' above if you add dependencies
-  # to this list.
+  author: Nimrod Adar
+  description: MySQL role. For more information read the README file.
+  company: Shore technologies
+  license: MIT
+  min_ansible_version: 1.9
+  platforms:
+  - name: Debian
+    versions:
+    - jessie
+    - wheezy
+  - name: Ubuntu
+    versions:
+    - precise
+    - trusty
+  categories:
+    - database
+dependencies:
+- role: common
--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
 # tasks file for ansible-mysql

- name: Preseed (always changes)
-  when: mysql_root_password is defined
-  debconf:
-    name: mysql-server-5.5
-    question: '{{ item }}'
-    vtype: password
-    value: '{{ mysql_root_password }}'
-  with_items:
-    - mysql-server/root_password
-    - mysql-server/root_password_again
-  register: mysql_debconf
-
 - name: apt install
  apt:
    name: '{{ item }}'
@@ -20,14 +8,68 @@
    update_cache: yes
    cache_valid_time: 3600
  with_items:
-    - mysql-server-5.5
-    - mysql-client-5.5
+    - mysql-server
+    - mysql-client
    - python-mysqldb
    - cron

- name: Reconfigure (if needed)
-  when: mysql_debconf.changed
-  command: /usr/sbin/dpkg-reconfigure --frontend noninteractive mysql-server-5.5
+- name: Allow MySQL access to the TLS cert and key
+  user:
+    append: yes
+    groups: ssl-cert
+    name: mysql
+  notify:
+    - Restart MySQL
+
+- name: Configure
+  with_dict:
+    'ssl-ca': /etc/ssl/certs/ca-certificates.crt
+    'ssl-cert': '{{ tls_cert_path }}'
+    'ssl-key': '{{ tls_key_path }}'
+    'bind-address': '0.0.0.0'
+  ini_file:
+    dest: /etc/mysql/my.cnf
+    owner: root
+    group: root
+    mode: '0644'
+    section: mysqld
+    option: '{{ item.key }}'
+    value: '{{ item.value }}'
+  notify:
+  - Restart MySQL
+
+- name: Log to syslog
+  lineinfile:
+    dest: /etc/mysql/my.cnf
+    owner: root
+    group: root
+    mode: '0644'
+    line: 'syslog'
+    insertafter: '[mysqld_safe]'
+  notify:
+  - Restart MySQL
+
+- name: Add admin account
+  mysql_user:
+    name: admin
+    host: '%'
+    password: '{{ mysql_admin_password }}'
+    priv: '*.*:ALL,GRANT'
+    state: present
+
+- name: Require SSL for admin account
+  mysql_user:
+    name: admin
+    host: '%'
+    append_privs: True
+    priv: '*.*:REQUIRESSL'
+    state: present
+
+- name: Allow MySQL in firewall
+  ufw:
+    rule: allow
+    port: 3306
+    proto: tcp

 - name: Add daily backup job
  copy:
@@ -36,3 +78,11 @@
    owner: root
    group: root
    mode: '0755'
+
+- meta: flush_handlers
+
+- name: Wait for service to come online
+  wait_for:
+    host: '{{ ansible_default_ipv4["address"] }}'
+    port: 3306
+    state: started