From 11f14db323c3e71011577e65b1d63db7cdd20bdd Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 12 Dec 2015 17:23:10 +0200
Subject: [PATCH] - Updated README, TODO list. - Wait for server to come
 online. - Depend on the common role. - Create an admin account with forced
 SSL (WIP). - Log to syslog (WIP). - Update meta information.

---
 README.rst        | 42 +++++++++++++++++-------
 defaults/main.yml |  2 +-
 handlers/main.yml |  5 +++
 meta/main.yml     | 48 ++++++++++-----------------
 tasks/main.yml    | 84 +++++++++++++++++++++++++++++++++++++----------
 5 files changed, 122 insertions(+), 59 deletions(-)

diff --git a/README.rst b/README.rst
index 5d2e761..0363abb 100644
--- a/README.rst
+++ b/README.rst
@@ -1,41 +1,61 @@
-Role Name
-=========
+ansible-mysql
+#############
 
-A brief description of the role goes here.
+An Ansible role to install and configure a MySQL server. The role creates an
+admin account, force SSL usage, configures UFW and daily backup.
 
 Requirements
 ------------
 
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+Debian Wheezy or later (Ubuntu Precise or later should probably work, but it's
+untested).
 
 Role Variables
 --------------
+::
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+    mysql_admin_password: #The password for the admin account.
 
 Dependencies
 ------------
 
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+`Common role <https://www.shore.co.il/cgit/ansible-common/>`_
 
 Example Playbook
 ----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+::
 
     - hosts: servers
       roles:
-         - { role: username.rolename, x: 42 }
+      - role: mysql
+        mysql_admin_password: qwerty123
+
+Example requirements.yml
+------------------------
+::
+
+    - src: https://www.shore.co.il/cgit/ansible-common
+      scm: git
+      path: roles/
+      name: common
+
+    - src: https://www.shore.co.il/cgit/ansible-mysql
+      scm: git
+      path: roles/
+      name: mysql
 
 License
 -------
 
-BSD
+This software is licnesed under the MIT licese (see the ``LICENSE.txt`` file).
 
 Author Information
 ------------------
 
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+Nimrod Adar, `contact me <nimrod@shore.co.il>`_ or visit my `website
+<https://www.shore.co.il/>`_. Patches are welcome via `git send-email
+<http://git-scm.com/book/en/v2/Git-Commands-Email>`_. The repository is located
+at: https://www.shore.co.il/cgit/.
 
 TODO
 ----
diff --git a/defaults/main.yml b/defaults/main.yml
index 62a8485..405745f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,4 +1,4 @@
 ---
 # defaults file for ansible-mysql
 
-mysql_root_password:
+mysql_admin_password:
diff --git a/handlers/main.yml b/handlers/main.yml
index d38c238..e101994 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,7 @@
 ---
 # handlers file for ansible-mysql
+
+- name: Restart MySQL
+  service:
+    name: mysql
+    state: restarted
diff --git a/meta/main.yml b/meta/main.yml
index e4a7336..96d80da 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,32 +1,20 @@
 ---
 galaxy_info:
-  author: your name
-  description:
-  company: your company (optional)
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
-  # Some suggested licenses:
-  # - BSD (default)
-  # - MIT
-  # - GPLv2
-  # - GPLv3
-  # - Apache
-  # - CC-BY
-  license: license (GPLv2, CC-BY, etc)
-  min_ansible_version: 1.2
-  #
-  # Below are all platforms currently available. Just uncomment
-  # the ones that apply to your role. If you don't see your
-  # platform on this list, let us know and we'll get it added!
-  #
-  #platforms:
-  #
-  # Below are all categories currently available. Just as with
-  # the platforms above, uncomment those that apply to your role.
-  #
-  #categories:
-dependencies: []
-  # List your role dependencies here, one per line.
-  # Be sure to remove the '[]' above if you add dependencies
-  # to this list.
+  author: Nimrod Adar
+  description: MySQL role. For more information read the README file.
+  company: Shore technologies
+  license: MIT
+  min_ansible_version: 1.9
+  platforms:
+  - name: Debian
+    versions:
+    - jessie
+    - wheezy
+  - name: Ubuntu
+    versions:
+    - precise
+    - trusty
+  categories:
+    - database
+dependencies:
+- role: common
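Review bot: The sequence indentation in the rewritten galaxy_info block is inconsistent: `platforms:` and `dependencies:` use flush `- ` items while `categories:` indents its single item, so a linter with `indent-sequences` enabled will flag one or the other; pick one form for the whole file. `min_ansible_version: 1.9` is a plain float, which happens to round-trip for 1.9 but would turn a future `1.10` into `1.1`; quote it as `min_ansible_version: '1.9'` so it stays a version string.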
diff --git a/tasks/main.yml b/tasks/main.yml
index bc3f061..85a3ca8 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,18 +1,6 @@
 ---
 # tasks file for ansible-mysql
 
-- name: Preseed (always changes)
-  when: mysql_root_password is defined
-  debconf:
-    name: mysql-server-5.5
-    question: '{{ item }}'
-    vtype: password
-    value: '{{ mysql_root_password }}'
-  with_items:
-    - mysql-server/root_password
-    - mysql-server/root_password_again
-  register: mysql_debconf
-
 - name: apt install
   apt:
     name: '{{ item }}'
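Review bot: Removing the debconf preseed leaves nothing in the role that sets the MySQL root password, and the mysql_user tasks later in this file pass no `login_user`/`login_password`, so the role appears to rely on root being reachable without credentials over the local socket. As far as I recall, a non-interactive `mysql-server` install on Debian leaves root with an empty password when nothing is preseeded, which is a state the README should at least spell out, or the role should keep a preseed task fed from a dedicated variable instead of dropping it along with the `mysql_root_password` rename in defaults/main.yml. The apt install task continues past the end of this hunk.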
@@ -20,14 +8,68 @@
     update_cache: yes
     cache_valid_time: 3600
   with_items:
-    - mysql-server-5.5
-    - mysql-client-5.5
+    - mysql-server
+    - mysql-client
     - python-mysqldb
     - cron
 
-- name: Reconfigure (if needed)
-  when: mysql_debconf.changed
-  command: /usr/sbin/dpkg-reconfigure --frontend noninteractive mysql-server-5.5
+- name: Allow MySQL access to the TLS cert and key
+  user:
+    append: yes
+    groups: ssl-cert
+    name: mysql
+  notify:
+    - Restart MySQL
+
+- name: Configure
+  with_dict:
+    'ssl-ca': /etc/ssl/certs/ca-certificates.crt
+    'ssl-cert': '{{ tls_cert_path }}'
+    'ssl-key': '{{ tls_key_path }}'
+    'bind-address': '0.0.0.0'
+  ini_file:
+    dest: /etc/mysql/my.cnf
+    owner: root
+    group: root
+    mode: '0644'
+    section: mysqld
+    option: '{{ item.key }}'
+    value: '{{ item.value }}'
+  notify:
+  - Restart MySQL
+
+- name: Log to syslog
+  lineinfile:
+    dest: /etc/mysql/my.cnf
+    owner: root
+    group: root
+    mode: '0644'
+    line: 'syslog'
+    insertafter: '[mysqld_safe]'
+  notify:
+  - Restart MySQL
+
+- name: Add admin account
+  mysql_user:
+    name: admin
+    host: '%'
+    password: '{{ mysql_admin_password }}'
+    priv: '*.*:ALL,GRANT'
+    state: present
+
+- name: Require SSL for admin account
+  mysql_user:
+    name: admin
+    host: '%'
+    append_privs: True
+    priv: '*.*:REQUIRESSL'
+    state: present
+
+- name: Allow MySQL in firewall
+  ufw:
+    rule: allow
+    port: 3306
+    proto: tcp
 
 - name: Add daily backup job
   copy:
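Review bot: `insertafter: '[mysqld_safe]'` in the Log to syslog task is treated as a regex, and the unescaped brackets make it a character class matching any line that contains one of those letters, so `syslog` lands after whichever line matches last rather than under the `[mysqld_safe]` header, and an option outside any group makes mysqld refuse to start; escape and anchor it: `insertafter: '^\[mysqld_safe\]'`. The Add admin account task grants `*.*:ALL,GRANT` to `admin@'%'` while the Configure task sets `bind-address` to `0.0.0.0` and the ufw rule opens 3306 with no source restriction, so the password and the REQUIRESSL grant applied one task later are the only controls on that account; consider limiting the ufw rule with `from_ip` and, if the installed mysql_user accepts it, a single `priv: '*.*:ALL,GRANT,REQUIRESSL'` so the account never exists without the SSL requirement. `mysql_admin_password` defaults to an empty value in defaults/main.yml, so a play that forgets to set it still creates the account; guard the mysql_user tasks with an `assert`/`fail` task on `mysql_admin_password is not defined or not mysql_admin_password`. `tls_cert_path` and `tls_key_path` are not defined anywhere in this role; if they come from the common role dependency, the README's Role Variables section should say so.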
@@ -36,3 +78,11 @@
     owner: root
     group: root
     mode: '0755'
+
+- meta: flush_handlers
+
+- name: Wait for service to come online
+  wait_for:
+    host: '{{ ansible_default_ipv4["address"] }}'
+    port: 3306
+    state: started
-- 
GitLab