You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
167 lines
4.9 KiB
YAML
167 lines
4.9 KiB
YAML
---
|
|
|
|
### tags:
|
|
|
|
- name: Update
|
|
apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
|
|
|
|
- name: MariaDB | install # noqa package-latest
|
|
package:
|
|
name: "{{ item }}"
|
|
state: latest
|
|
with_items:
|
|
- mariadb-server
|
|
- python3-pymysql
|
|
- prometheus-mysqld-exporter
|
|
|
|
- name: "Set vars"
|
|
set_fact:
|
|
cert_private_key: '/etc/mysql/conf.d/{{ inventory_hostname }}.{{ domain }}-key.pem'
|
|
cert_public_key: '/etc/mysql/conf.d/{{ inventory_hostname }}.{{ domain }}-crt.pem'
|
|
ca_cert: '/etc/mysql/conf.d/ca-certificate.pem'
|
|
|
|
- name: "Include role for self-signed CA"
|
|
include_role:
|
|
name: selfsigned_ca
|
|
|
|
- name: "Create certs with selfsigned CA"
|
|
include_role:
|
|
name: selfsigned_ca
|
|
tasks_from: _create_cert
|
|
vars:
|
|
selfsigned_ca_cert_private_key: '{{ cert_private_key }}'
|
|
selfsigned_ca_cert_private_key_group: mysql
|
|
selfsigned_ca_cert_public_key: '{{ cert_public_key }}'
|
|
selfsigned_ca_cacert: '{{ ca_cert }}'
|
|
selfsigned_ca_cert_subject:
|
|
CN: '{{ inventory_hostname }}.{{ domain }}'
|
|
selfsigned_ca_cert_altnames:
|
|
- 'DNS:{{ inventory_hostname }}.{{ domain }}'
|
|
- 'DNS:{{ inventory_hostname }}'
|
|
selfsigned_ca_trigger_handler: restart mysql
|
|
|
|
- name: Fix binding..
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/mysql/mariadb.conf.d/50-server.cnf
|
|
regexp: '^bind-address'
|
|
line: 'bind-address={{ stage_private_server_ip }}'
|
|
notify: restart mysql
|
|
|
|
# DEV-422: SSL stuff does not work as expected
|
|
#- name: "Create my.cnf containing ssl stuff"
|
|
# template:
|
|
# src: 50-ssl.cnf
|
|
# dest: /etc/mysql/conf.d/
|
|
# mode: '0644'
|
|
# owner: root
|
|
# group: root
|
|
# notify: restart mysql
|
|
|
|
# DEV-422
|
|
- name: "Ensure configured SSL config is removed"
|
|
file:
|
|
state: absent
|
|
path: /etc/mysql/conf.d/50-ssl.cnf
|
|
notify: restart mysql
|
|
|
|
- name: Ensure service is started
|
|
service:
|
|
name: mariadb
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Check if root password is set
|
|
shell: >
|
|
mysqladmin -u root status
|
|
changed_when: false
|
|
failed_when: false
|
|
register: root_pwd_check
|
|
|
|
- name: Set MariaDB root password for the first time
|
|
community.mysql.mysql_user:
|
|
name: root
|
|
password: "{{ mysql_root_password }}"
|
|
host_all: yes
|
|
login_unix_socket: /var/run/mysqld/mysqld.sock
|
|
state: present
|
|
when: root_pwd_check.rc == 0
|
|
|
|
- name: Ensure MySQL databases are present.
|
|
community.mysql.mysql_db:
|
|
name: "{{ item.name }}"
|
|
collation: "{{ item.collation | default('utf8_general_ci') }}"
|
|
encoding: "{{ item.encoding | default('utf8') }}"
|
|
state: "{{ item.state | default('present') }}"
|
|
config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
|
|
login_password: "{{ mysql_root_password }}"
|
|
with_items: "{{ mysql_databases }}"
|
|
|
|
- name: Ensure MySQL users are present.
|
|
community.mysql.mysql_user:
|
|
name: "{{ item.name }}"
|
|
password: "{{ item.password }}"
|
|
priv: "{{ item.priv | default('*.*:USAGE') }}"
|
|
state: "{{ item.state | default('present') }}"
|
|
append_privs: "{{ item.append_privs | default('no') }}"
|
|
encrypted: "{{ item.encrypted | default('no') }}"
|
|
config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
|
|
login_password: "{{ mysql_root_password }}"
|
|
host: "{{ item.host }}"
|
|
with_items: "{{ mysql_users }}"
|
|
|
|
- name: Ensure prometheus user for prometheus-mysqld-exporter exists
|
|
community.mysql.mysql_user:
|
|
name: "prometheus"
|
|
priv: "*.*:PROCESS,REPLICATION CLIENT,SELECT"
|
|
config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
|
|
login_password: "{{ mysql_root_password }}"
|
|
register: mysql_exporter_user_creds
|
|
notify: prometheus-mysqld-exporter restart
|
|
|
|
- name: Ensure is prometheus-mysqld-exporter configured
|
|
lineinfile:
|
|
regex: "^DATA_SOURCE_NAME="
|
|
line: 'DATA_SOURCE_NAME="prometheus@unix(/run/mysqld/mysqld.sock)/"'
|
|
path: /etc/default/prometheus-mysqld-exporter
|
|
register: mysql_exporter_data_source
|
|
notify: prometheus-mysqld-exporter restart
|
|
|
|
- name: Setup prometheus-mysqld-exporter interface bind
|
|
lineinfile:
|
|
path: /etc/default/prometheus-mysqld-exporter
|
|
regex: "^ARGS="
|
|
line: "ARGS=\"--web.listen-address='{{ stage_private_server_ip }}:{{ monitor_port_maria }}'\""
|
|
register: mysql_exporter_args
|
|
notify: prometheus-mysqld-exporter restart
|
|
|
|
- name: "Ensure prometheus-mysqld-exporter is running"
|
|
service:
|
|
name: prometheus-mysqld-exporter
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: 'Ensures <{{ backup_directory }}> directory exists'
|
|
file:
|
|
state: directory
|
|
path: '{{ backup_directory }}'
|
|
mode: 0755
|
|
|
|
- name: "Copy testdb.sql to ensure test DB"
|
|
copy:
|
|
src: '{{ item }}'
|
|
dest: '/tmp/{{ item }}'
|
|
mode: '0444'
|
|
owner: root
|
|
group: root
|
|
loop:
|
|
- testdb.sql
|
|
|
|
- name: "Ensure test DB"
|
|
community.mysql.mysql_db:
|
|
login_user: '{{ mysql_root_username }}'
|
|
login_password: "{{ mysql_root_password }}"
|
|
config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
|
|
name: dummytestdb
|
|
state: import
|
|
target: /tmp/testdb.sql
|