hetzner-ansible/roles/maria/tasks/main.yml

---

### tags:

- name: Update
  apt: update_cache=yes force_apt_get=yes cache_valid_time=3600

- name: MariaDB | install # noqa package-latest
  package:
    name: "{{ item }}"
    state: latest
  with_items:
    - mariadb-server
    - python3-pymysql
    - prometheus-mysqld-exporter

- name: Stop prometheus-mysqld-exporter
  service:
    name: prometheus-mysqld-exporter
    state: stopped
    enabled: no

- name: Fix binding..
  ansible.builtin.lineinfile:
    path: /etc/mysql/mariadb.conf.d/50-server.cnf
    regexp: '^bind-address'
    line: 'bind-address={{ ansible_all_ipv4_addresses | ansible.netcommon.ipaddr(shared_service_network) | first }}'

- name: Ensure service is started
  service:
    name: mariadb
    state: restarted
    enabled: yes

- name: Check if root password is set
  shell: >
        mysqladmin -u root status
  changed_when: false
  failed_when: false
  register: root_pwd_check

- name: Set MariaDB root password for the first time
  community.mysql.mysql_user:
    name: root
    password: "{{ mysql_root_password }}"
    host_all: yes
    login_unix_socket: /var/run/mysqld/mysqld.sock
    state: present
  when: root_pwd_check.rc == 0

- name: Ensure MySQL databases are present.
  community.mysql.mysql_db:
    name: "{{ item.name }}"
    collation: "{{ item.collation | default('utf8_general_ci') }}"
    encoding: "{{ item.encoding | default('utf8') }}"
    state: "{{ item.state | default('present') }}"
    config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
    login_password: "{{ mysql_root_password }}"
  with_items: "{{ mysql_databases }}"

- name: Ensure MySQL users are present.
  community.mysql.mysql_user:
    name: "{{ item.name }}"
    password: "{{ item.password }}"
    priv: "{{ item.priv | default('*.*:USAGE') }}"
    state: "{{ item.state | default('present') }}"
    append_privs: "{{ item.append_privs | default('no') }}"
    encrypted: "{{ item.encrypted | default('no') }}"
    config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
    login_password: "{{ mysql_root_password }}"
    host: "{{ item.host }}"
  with_items: "{{ mysql_users }}"

- name: Ensure prometheus user for prometheus-mysqld-exporter exists
  community.mysql.mysql_user:
    name: "prometheus"
    priv: "*.*:PROCESS,REPLICATION CLIENT,SELECT"
    config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
    login_password: "{{ mysql_root_password }}"

- name: Ensure is prometheus-mysqld-exporter configured
  lineinfile:
    regex: "^DATA_SOURCE_NAME="
    line: 'DATA_SOURCE_NAME="prometheus@unix(/run/mysqld/mysqld.sock)/"'
    path: /etc/default/prometheus-mysqld-exporter
  register: mysql_exporter_data_source

- name: Setup prometheus-mysqld-exporter interface bind
  lineinfile:
    path: /etc/default/prometheus-mysqld-exporter
    regex: "^ARGS="
    line: "ARGS=\"--web.listen-address='{{ stage_private_server_ip }}:{{ monitor_port_maria }}'\""
  register: mysql_exporter_args

- name: Start prometheus-mysqld-exporter if needed
  service:
    name: prometheus-mysqld-exporter
    state: started
    enabled: yes

- name: 'Ensures <{{ backup_directory }}> directory exists'
  file:
    state: directory
    path: '{{ backup_directory }}'
    mode: 0755

- name: "Block: gpg stuff"
  block:
    - name: Create temp dir
      ansible.builtin.tempfile:
        state: directory
        suffix: gitcheckout
        path: /tmp
      register: tempdir
    
    - name: "Checkout repo for gpg communication-keys"
      ansible.builtin.git:
        repo: 'https://{{ gituser | default("gitea-admin") | urlencode }}:{{ gitea_admin_password | urlencode }}@{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys.git'
        dest: '{{ tempdir.path }}'
        version: master
    
# there is no ansible gpg module already in place
# linting violation needs to be whitelisted
    - name: "Importing stage specific automation gpg-key" # noqa command-instead-of-shell
      shell: 'gpg --import {{ tempdir.path }}/smardigo_automation_{{ stage }}.gpg.pub'