- Added pre-commit hook to lint backup shell script.

- Backup is now done by the OS user nobody and MySQL user backup.
- Backup script now outputs start, finish and error to stdout.
- Removed dependency on ca-store Ansible role.
- The MySQL user is added to the ssl group only if the group exists.
- Backup provisioninig is now optional depending on if the mysql_backup_password
  variables is defined.
- Moved most configuration to templates inside conf.d.
- Remote admin account is now optional depending on if the mysql_admin_password
  is defined.
- The mysql-server packges is reconfigured to reset root password if it's
  needed.

.pre-commit-config.yaml

@@ -10,3 +10,8 @@
     sha: 94b506c144d4e22ebc1deef637a818db13bcaca5
     hooks:
     -   id: ansible-pre-commit
+-   repo: https://www.shore.co.il/git/shell-pre-commit/
+    sha: 604fe77b53d3514d5ad0f66764c7783850bb6e98
+    hooks:
+    -   id: shell-lint
+        files: files/backup.sh

README.rst

@@ -52,3 +52,9 @@ Nimrod Adar, `contact me <nimrod@shore.co.il>`_ or visit my `website
 <https://www.shore.co.il/>`_. Patches are welcome via `git send-email
 <http://git-scm.com/book/en/v2/Git-Commands-Email>`_. The repository is located
 at: https://www.shore.co.il/git/.
+
+TODO
+----
+
+- Backup script.
+- Testing.

defaults/main.yml

@@ -2,3 +2,7 @@
 # defaults file for ansible-role-mysql
 
 mysql_admin_password:
+mysql_tls_key: /etc/ssl/private/ssl-cert-snakeoil.key
+mysql_tls_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
+mysql_mail_alias: root
+mysql_serverid: '{{ ansible_default_ipv4["address"]|ipaddr("int") }}'

files/backup.sh

-#!/bin/sh -e
-# Back up all databases, each to a seperate file.
+#!/bin/sh
+set -eu
 
-backup() {
-    mysqldump --defaults-file=/etc/mysql/debian.cnf \
-        --single-transaction \
-        --force \
-        --result-file=/var/backups/mysql_$1.sql $1
-}
+echo "MySQL backup: Starting at $(date -u)."
 
-# TODO: Find a way to remove table formatting from this command.
-#alias show='mysqlshow --defaults-file=/etc/mysql/debian.cnf'
-alias show="mysql --defaults-file=/etc/mysql/debian.cnf -e 'show databases;'"
+# Grep filter to remove heading and internal MySQL databases.
+filter='Database\|information_schema\|performance_schema\|mysql'
 
-# The reason for dropping the first 4 lines is that the first line is the
-# heading and 3 following lines are databases internal to MySQL and thus their
-# backup is not needed.
-for database in $(show | tail -n+5)
-do
-    backup $database
-done
+if databases="$(mysql --defaults-file=/etc/mysql/mysqldump.cnf \
+                      --execute 'show databases;' | grep -vx $filter)"
+then
+    mysqldump --defaults-file=/etc/mysql/mysqldump.cnf
+              --databases $databases || \
+    echo "MySQL backup: Failed to backup."
+else
+    echo "MySQL backup: No databases to backup."
+fi
+
+echo "MySQL backup: Finished at $(date -u)."

meta/main.yml

@@ -14,7 +14,4 @@ galaxy_info:
     versions:
     - precise
     - trusty
-dependencies:
-    - src: https://www.shore.co.il/git/ansible-role-ca-store
-      scm: git
-      name: ca-store
+dependencies: []

molecule.yml

@@ -13,10 +13,10 @@ vagrant:
   - name: virtualbox
     type: virtualbox
   platforms:
-  - name: openbsd
-    box: kaorimatz/openbsd-5.9-amd64
+  - name: debian
+    box: debian/jessie64
   instances:
-  - name: ansible-role-example
+  - name: ansible-role-mysql
     options:
         append_platform_to_hostname: yes
   raw_config_args:

tasks/backup.yml

+---
+- name: APT install cron
+  apt:
+      name: cron
+      state: present
+      update_cache: yes
+      cache_valid_time: 3600
+
+- name: Add backup account
+  mysql_user:
+    login_password: '{{ mysql_root_password|default(omit) }}'
+    name: backup
+    host: '%'
+    password: '{{ mysql_backup_password }}'
+    priv: '*.*:SELECT,FILE,RELOAD,REPLICATION CLIENT'
+    state: present
+
+- name: Create backup directory
+  file:
+      path: /var/backups/mysql
+      owner: nobody
+      group: nogroup
+      mode: 0o0700
+      state: directory
+
+- name: Copy backup configuration
+  template:
+      src: mysqldump.cnf
+      dest: /etc/mysql/mysqldump.cnf
+      owner: nobody
+      group: nogroup
+      mode: 0o0400
+
+- name: Copy backup job
+  copy:
+    src: backup.sh
+    dest: /usr/local/sbin/mysql-backup
+    owner: root
+    group: root
+    mode: 0o0755
+
+- name: Add daily backup job
+  cron:
+      user: nobody
+      name: MySQL backup
+      job: '/usr/local/sbin/mysql-backup | logger'
+      special_time: daily
+      state: present

tasks/main.yml

@@ -2,91 +2,87 @@
 # tasks file for ansible-role-mysql
 - assert:
     that:
-        - ansible_os_family == 'OpenBSD'
-        - ansible_distribution_release == '5.9'
+        - ansible_os_family == 'Debian'
+        - ansible_distribution_release in ['wheezy', 'jessie', 'stretch', 'precise', 'trusty', 'xenial']
 
-- name: apt install
+- name: Get groups
+  getent:
+      database: group
+
+- name: Preseed root password
+  when: mysql_root_password is defined
+  with_items:
+      - root_password
+      - root_password_again
+  debconf:
+      name: '{{ mysql_server_package }}'
+      question: 'mysql-server/{{ item }}'
+      vtype: password
+      value: '{{ mysql_root_password }}'
+  changed_when: False # Can't verify previous password therefore there's always
+                      # a change, explicitly disable that.
+
+- name: APT install
+  with_items:
+      - mysql-server
+      - mysql-client
+      - python-mysqldb
   apt:
     name: '{{ item }}'
     state: present
     update_cache: yes
     cache_valid_time: 3600
-  with_items:
-    - mysql-server
-    - mysql-client
-    - python-mysqldb
-    - cron
+
+- name: Reconfigure package in case root password was changed
+  changed_when: False
+  command: 'dpkg-reconfigure --frontend noninteractive {{ mysql_server_package }}'
 
 - name: Allow MySQL access to the TLS cert and key
+  when: "'ssl-cert' in getent_group"
   user:
     append: yes
     groups: ssl-cert
     name: mysql
   notify:
-    - Restart MySQL
-
-- name: Configure
-  with_dict:
-    'ssl-ca': /etc/ssl/certs/ca-certificates.crt
-    'ssl-cert': '{{ tls_cert_path }}'
-    'ssl-key': '{{ tls_key_path }}'
-    'bind-address': '0.0.0.0'
-  ini_file:
-    dest: /etc/mysql/my.cnf
-    owner: root
-    group: root
-    mode: '0644'
-    section: mysqld
-    option: '{{ item.key }}'
-    value: '{{ item.value }}'
-  notify:
-  - Restart MySQL
+      - Restart MySQL
 
-- name: Log to syslog
+- name: Alias mail
+  when: mysql_mail_alias is defined
   lineinfile:
-    dest: /etc/mysql/my.cnf
-    owner: root
-    group: root
-    mode: '0644'
-    line: 'syslog'
-    insertafter: '[mysqld_safe]'
-  notify:
-  - Restart MySQL
+      dest: /etc/aliases
+      create: True
+      line: 'mysql: {{ mysql_mail_alias }}'
+      regexp: 'mysql:'
+      state: present
 
 - name: Add admin account
+  when: mysql_admin_password is defined
   mysql_user:
     name: admin
     host: '%'
     password: '{{ mysql_admin_password }}'
-    priv: '*.*:ALL,GRANT'
+    priv: '*.*:ALL,GRANT,REQUIRESSL'
+    login_password: '{{ mysql_root_password|default(omit) }}'
     state: present
 
-- name: Require SSL for admin account
-  mysql_user:
-    name: admin
-    host: '%'
-    append_privs: True
-    priv: '*.*:REQUIRESSL'
-    state: present
-
-- name: Allow MySQL in firewall
-  ufw:
-    rule: allow
-    port: 3306
-    proto: tcp
-
-- name: Add daily backup job
-  copy:
-    src: backup.sh
-    dest: /etc/cron.daily/mysql
-    owner: root
-    group: root
-    mode: '0755'
+- name: Copy configuration templates
+  with_fileglob:
+      - templates/mysql/conf.d/*.cnf
+      - '{{ playbook_dir }}/templates/mysql/conf.d/*.cnf'
+  template:
+      src: '{{ item }}'
+      dest: /etc/mysql/conf.d
+      owner: root
+      group: root
+      mode: 0o0644
+  notify:
+      - Restart MySQL
 
 - meta: flush_handlers
 
 - name: Wait for service to come online
   wait_for:
-    host: '{{ ansible_default_ipv4["address"] }}'
     port: 3306
-    state: started
+
+- include: backup.yml
+  when: mysql_backup_password is defined

templates/mysql/conf.d/bind.cnf

+[mysqld]
+bind-address = 0.0.0.0

templates/mysql/conf.d/binlog-ignore.cnf

+[mysqld]
+binlog-ignore-db = information_schema, performance_schema, mysql
+replicate-ignore-db = information_schema, performance_schema, mysql

templates/mysql/conf.d/serverid.cnf

+[mysqld]
+server-id = {{ mysql_serverid }}

templates/mysql/conf.d/ssl.cnf

+[mysqld]
+ssl-ca = /etc/ssl/certs/ca-certificates.crt
+{% if mysql_tls_cert is defined and mysql_tls_key is defined %}
+ssl-cert = {{ mysql_tls_cert }}
+ssl-key = {{ mysql_tls_key }}
+{% endif %}

templates/mysql/conf.d/syslog.cnf

+[mysqld_safe]
+syslog

templates/mysqldump.cnf

+[mysqldump]
+single-transaction
+master-data = 2
+force
+result-file = /var/backups/mysql/mysql.sql
+dump-date
+tz-utc
+
+[client]
+host = localhost
+user = backup
+password = {{ mysql_backup_password }}
+socket = /var/run/mysqld/mysqld.sock

tests/playbook.yml

 ---
 - hosts: all
-  gather_facts: false
+  vars:
+      mysql_root_password: qwer12345
+      mysql_backup_password: backup
+      mysql_admin_password: admin
   roles:
-    - role: ansible-role-example
+    - role: ansible-role-mysql

vars/main.yml

 ---
 # vars file for ansible-role-mysql
+mysql_version:
+    precise: 5.5
+    trusty: 5.5
+    xenial: 5.7
+    wheezy: 5.5
+    jessie: 5.5
+    stretch: 5.6
+mysql_server_package: 'mysql-server-{{ mysql_version[ansible_distribution_release] }}'