Role that installs and configures mysql.

README.md

@@ -1,38 +1,25 @@
-Role Name
+mysql
 =========
 
-A brief description of the role goes here.
-
-Requirements
-------------
-
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+Role that installs MySQL on Debian/Ubuntu
 
 Role Variables
 --------------
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+Too many to be mentioned here. See defaults/main.yml
 
 Dependencies
 ------------
 
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
-
-Example Playbook
-----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
-    - hosts: servers
-      roles:
-         - { role: username.rolename, x: 42 }
+My letsencrypt-acme-sh-client role is required to let letsencrypt manage certificates
 
 License
 -------
 
-BSD
+EUPL 1.2+
 
 Author Information
 ------------------
 
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+Andrea Dell'Amico <andrea.dellamico@isti.cnr.it>
+

defaults/main.yml

@@ -1,2 +1,61 @@
 ---
-# defaults file for ansible-role-template
+mysql_enabled: True
+mysql_pkg_state: present
+mysql_conf_dir: /etc/mysql/conf.d
+mysql_service_conf_dir: /etc/mysql/mysql.conf.d
+mysql_socket: /run/mysqld/mysqld.sock
+mysql_data_dir: /var/lib/mysql
+mysql_log_dir: /var/log/mysql
+# If you move it, the apparmor configuration must be updated accordingly on Debian/Ubuntu hosts
+mysql_binlog_dir: '{{ mysql_data_dir }}'
+
+mysql_use_ssl: True
+mysql_letsencrypt_certificates: True
+
+# python-mysqldb is needed by ansible to manage users and databases
+mysql_packages_list:
+  - mysql-server
+  - mysql-client
+  - mytop
+  - python-mysqldb
+  - python-pymysql
+  - python-mysql.connector
+
+mysql_db_name: db_name
+mysql_db_user: db_user
+mysql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. Encrypt the file that contains the variable with ansible-vault"
+
+mysql_binary_logging: True
+mysql_binlog_expire_logs_days: '10'
+mysql_binlog_max_binlog_size: '100M'
+mysql_server_id: 1
+# Alternatives: utf8
+mysql_default_encoding: utf8mb4
+# Alternatives: utf8_unicode_ci utf8_bin
+mysql_default_collation: utf8mb4_unicode_ci
+mysql_db_host: localhost
+mysql_db_port: 3306
+mysql_db_max_connections: 100
+mysqld_db_read_buffer_size: 128K
+mysql_db_read_rnd_buffer_size: 256K
+mysql_db_innodb_data_file_path: 'ibdata1:10M:autoextend'
+mysql_db_innodb_buffer_pool_size: 256M
+mysql_db_innodb_additional_mem_pool_size: 5M
+# Set .._log_file_size to 25 % of buffer pool size
+mysql_db_innodb_log_file_size: 64M
+mysql_db_innodb_log_buffer_size: 9M
+mysql_safe_open_files_limit: 1024
+mysql_max_allowed_packet: 16M
+mysql_skip_name_resolve: True
+
+mysql_listen_on_ext_int: False
+#mysql_db_data:
+#  - { name: '{{ mysql_db_name }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user: '{{ mysql_db_user }}', pwd: '{{ mysql_db_pwd }}', user_grant: 'ALL', allowed_hosts: [ 'localhost', 'yyy.yyy.yyy.yyy/32', 'yyy.yyy.yyy.yyy' ] }
+
+mysql_backup_use_nagios: False
+mysql_backup_logdir: '{{ mysql_log_dir }}'
+mysql_backup_destdir: /var/lib/mysql-backup
+mysql_backup_logfile: '{{ mysql_backup_logdir }}/my_backup.log'
+mysql_backup_retain_copies: 3
+mysql_backup_exclude_list: "performance_schema"
+

files/letsencrypt-mysql-hook.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+H_NAME=$( hostname -f )
+LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
+LE_LOG_DIR=/var/log/letsencrypt
+LE_LOG_FILE="${LE_LOG_DIR}/mysql.log"
+MYSQL_CERTDIR=/var/lib/mysql
+
+DATE=$( date )
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_FILE
+
+if [ -f "/etc/default/acme_sh_request_env" ] ; then
+    # shellcheck source=/etc/default/acme_sh_request_env
+    source "/etc/default/acme_sh_request_env"
+else
+    echo "No letsencrypt default file" >> $LE_LOG_FILE
+fi
+
+echo "Copying the cert files" >> $LE_LOG_FILE
+if [ ! -f ${MYSQL_CERTDIR}/ca.pem ] ; then
+        /bin/cp -f "${LE_CERTS_DIR}/fullchain" ${MYSQL_CERTDIR}/ca.pem
+        chown mysql:mysql ${MYSQL_CERTDIR}/ca.pem
+fi
+
+/bin/cp -f  "${LE_CERTS_DIR}/privkey" ${MYSQL_CERTDIR}/client-key.pem
+chmod 400 ${MYSQL_CERTDIR}/client-key.pem
+chown mysql:mysql ${MYSQL_CERTDIR}/client-key.pem
+
+/bin/cp -f  "${LE_CERTS_DIR}/cert" ${MYSQL_CERTDIR}/client-cert.pem
+chmod 440 ${MYSQL_CERTDIR}/client-cert.pem
+chown mysql:mysql ${MYSQL_CERTDIR}/client-cert.pem
+
+echo "Reload the mysql service" >> $LE_LOG_FILE
+if [ -x /bin/systemctl ] ; then
+    systemctl reload mysql >> $LE_LOG_FILE 2>&1
+else
+    service mysql reload >> $LE_LOG_FILE 2>&1
+fi
+
+echo "Done." >> $LE_LOG_FILE
+
+exit 0

files/mysql-backup.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#echo "`date` mysql DUMP temporarly excluded (by Tom)"
+#exit 1
+
+RETVAL=0
+
+MY_BACKUP_USE_NAGIOS="False"
+MY_BACKUP_DIR=/var/lib/mysql-backup
+MY_DATA_DIR=/var/lib/mysql
+N_DAYS_TO_SPARE=7
+# Exclude list
+EXCLUDE_LIST='performance_schema'
+
+if [ -f /etc/default/mysql_backup ] ; then
+    . /etc/default/mysql_backup
+fi
+
+if [ ! -f /root/.my.cnf ] ; then
+    exit 1
+fi
+
+umask 0077
+# Year month day - hour minute second
+SAVE_TIME=$( date +%Y%m%d-%H%M%S )
+TIMESTAMP=
+TIMESTAMP_LOG=$MY_BACKUP_DIR/.timestamp
+
+if [ ! -d $MY_BACKUP_DIR ] ; then
+    mkdir -p $MY_BACKUP_DIR
+fi
+if [ ! -d $MY_BACKUP_LOG_DIR ] ; then
+    mkdir -p $MY_BACKUP_LOG_DIR
+fi
+if [ ! -d $MY_BACKUP_DIR/history ] ; then
+    mkdir -p $MY_BACKUP_DIR/history
+fi
+chmod 700 $MY_BACKUP_DIR
+LOCKFILE=$MY_DATA_DIR/.mysqldump.lock
+NAGIOS_LOG=$MY_BACKUP_DIR/.nagios-status
+
+if [ ! -f $LOCKFILE ] ; then
+    touch $LOCKFILE
+    if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
+        > $NAGIOS_LOG
+    fi
+    for db in $( mysql -Bse "show databases;" | egrep -v $EXCLUDE_LIST ) ; do
+        if [ "$db" == "information_schema" ]; then
+            mysqldump --single-transaction -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
+            DUMP_RESULT=$?
+        else
+            mysqldump -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
+            DUMP_RESULT=$?
+        fi
+        chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME}
+        if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
+            if [ $DUMP_RESULT -ne 0 ] ; then
+                echo "$db:FAILED" >> $NAGIOS_LOG
+                RETVAL=$DUMP_RESULT
+            else
+                echo "$db:OK" >> $NAGIOS_LOG                
+            fi
+    	fi
+        pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1
+        rm -f $db.sql
+        ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql
+        popd >/dev/null 2>&1
+    done
+    # Do a "flush-hosts" after the backup
+    mysqladmin flush-hosts 2> $MY_BACKUP_LOG_DIR/flush-hosts.log
+    TIMESTAMP=$( date +%s )
+    echo "$TIMESTAMP" > $TIMESTAMP_LOG
+    rm -f $LOCKFILE
+else
+    echo "Old backup still running" > /var/log/mysql-backup.log
+    RETVAL=2
+    if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
+        echo "old backup still running:WARNING" >> $NAGIOS_LOG
+    fi
+fi
+
+# Remove the old backups
+find ${MY_BACKUP_DIR}/history -ctime +$N_DAYS_TO_SPARE -exec rm -f {} \;
+
+exit $RETVAL

handlers/main.yml

@@ -1,2 +1,6 @@
 ---
-# handlers file for ansible-role-template
+- name: Restart mysql
+  service: name=mysql state=restarted
+
+- name: Reload mysql
+  service: name=mysql state=reloaded

meta/main.yml

@@ -1,61 +1,23 @@
 galaxy_info:
-  author: your name
-  description: your description
+  author: Andrea Dell'Amico
+  description: Systems Architect
   company: ISTI-CNR
 
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
   issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
 
-  # Some suggested licenses:
-  # - BSD (default)
-  # - MIT
-  # - GPLv2
-  # - GPLv3
-  # - Apache
-  # - CC-BY
   license: EUPL 1.2+
 
   min_ansible_version: 2.8
 
-  # If this a Container Enabled role, provide the minimum Ansible Container version.
-  # min_ansible_container_version:
-
-  # Optionally specify the branch Galaxy will use when accessing the GitHub
-  # repo for this role. During role install, if no tags are available,
-  # Galaxy will use this branch. During import Galaxy will access files on
-  # this branch. If Travis integration is configured, only notifications for this
-  # branch will be accepted. Otherwise, in all cases, the repo's default branch
-  # (usually master) will be used.
-  #github_branch:
-
-  #
-  # Provide a list of supported platforms, and for each platform a list of versions.
-  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
   # To view available platforms and versions (or releases), visit:
   # https://galaxy.ansible.com/api/v1/platforms/
   #
-  # platforms:
-  # - name: Fedora
-  #   versions:
-  #   - all
-  #   - 25
-  # - name: SomePlatform
-  #   versions:
-  #   - all
-  #   - 1.0
-  #   - 7
-  #   - 99.99
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
 
-  galaxy_tags: []
-    # List tags for your role here, one per line. A tag is a keyword that describes
-    # and categorizes the role. Users find roles by searching for tags. Be sure to
-    # remove the '[]' above, if you add tags to this list.
-    #
-    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-    #       Maximum 20 tags per role.
+  galaxy_tags:
+    - mysql
 
 dependencies: []
-  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
-  # if you add dependencies to this list.
-

tasks/configure_root_access.yml

@@ -0,0 +1,40 @@
+---
+# 'localhost' needs to be the last item for idempotency, the mysql_user docs
+- name: Secure the mysql root user with a password
+  mysql_user: name=root host={{ item }} password={{ mysql_root_password }} login_unix_socket={{ mysql_socket }}
+  when: mysql_root_password is defined
+  with_items:
+    - '{{ ansible_hostname }}'
+    - 127.0.0.1
+    - ::1
+    - localhost
+  ignore_errors: True
+  tags: [ 'mysql', 'mysql_root' ]
+
+- name: Secure the mysql root user when no password has been defined
+  mysql_user: name=root host={{ item }} password="" login_unix_socket={{ mysql_socket }}
+  when: mysql_root_password is not defined
+  with_items:
+    - '{{ ansible_hostname }}'
+    - 127.0.0.1
+    - ::1
+    - localhost
+  ignore_errors: True
+  tags: [ 'mysql', 'mysql_root' ]
+
+- name: Install the .my.cnf file with root password credentials
+  template: src=dot_my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0400
+  when: mysql_root_password is defined
+  tags: [ 'mysql', 'mysql_root' ]
+
+- name: delete anonymous MySQL server user for the server hostname
+  mysql_user: user="" host="{{ ansible_hostname }}" state="absent" login_unix_socket={{ mysql_socket }}
+  tags: [ 'mysql', 'mysql_root' ]
+
+- name: delete anonymous MySQL server user for localhost
+  mysql_user: user="" state="absent" login_unix_socket={{ mysql_socket }}
+  tags: mysql
+
+- name: remove the MySQL test database
+  mysql_db: db=test state=absent login_unix_socket={{ mysql_socket }}
+  tags: mysql

tasks/disable-mariadb-service.yml

@@ -0,0 +1,7 @@
+---
+- name: Stop and disable the mysql server if we do not want it running
+  service: name=mysql state=stopped enabled=no
+  when: not mysql_enabled
+  tags:
+    - mysql
+

tasks/main.yml

@@ -1,2 +1,15 @@
 ---
-# tasks file for ansible-role-template
+- import_tasks: packages.yml
+- import_tasks: mysql-conf.yml
+  when: mysql_enabled | bool
+- import_tasks: manage-mysql-service.yml
+- import_tasks: configure_root_access.yml
+  when: mysql_enabled | bool
+- import_tasks: manage_my_db.yml
+  when: mysql_enabled | bool
+- import_tasks: mysql-backup.yml
+  when: mysql_enabled | bool
+- import_tasks: mysql-letsencrypt.yml
+  when: mysql_letsencrypt_certificates | bool
+  
+

tasks/manage-mysql-service.yml

@@ -0,0 +1,11 @@
+---
+- name: Ensure that the mysql server is enabled and running
+  service: name=mysql state=started enabled=yes
+  when: mysql_enabled
+  tags: [ 'mysql', 'mariadb' ]
+
+- name: Stop and disable the mysql server if we do not want it running
+  service: name=mysql state=stopped enabled=no
+  when: not mysql_enabled
+  tags: [ 'mysql', 'mariadb' ]
+

tasks/manage_my_db.yml

@@ -0,0 +1,24 @@
+---
+- name: Add databases to mysql, if any
+  mysql_db: name={{ item.name }} collation={{ item.collation }} encoding={{ item.encoding }} state=present login_unix_socket={{ mysql_socket }}
+  with_items: '{{ mysql_db_data | default([]) }}'
+  when: item.name is defined
+  tags: [ 'mysql', 'mysql_db' ]
+
+- name: Add a user for the databases
+  mysql_user: name={{ item.0.user }} password={{ item.0.pwd }} host={{ item.1 }} priv="{{ item.0.name }}.*:{{ item.0.user_grant }}" state=present login_unix_socket={{ mysql_socket }}
+  with_subelements:
+    - '{{ mysql_db_data | default([]) }}'
+    - allowed_hosts
+  when: item.0.name is defined
+  tags: [ 'mysql', 'mysql_db', 'mysql_user' ]
+
+- name: Additional user privileges, if defined
+  mysql_user: name={{ item.0.user }} append_privs=yes priv="{{ item.0.name }}.*:{{ item.0.additional_privs }}" state=present login_unix_socket={{ mysql_socket }}
+  with_subelements:
+    - '{{ mysql_db_data | default([]) }}'
+    - allowed_hosts
+  when:
+    - item.0.name is defined
+    - item.0.additional_privs is defined
+  tags: [ 'mysql', 'mysql_db', 'mysql_user' ]

tasks/mysql-backup.yml

@@ -0,0 +1,12 @@
+---
+- name: Install a script that performs mysql dumps
+  copy: src=mysql-backup.sh dest=/usr/local/sbin/mysql-backup owner=root group=root mode=0750
+  tags: [ 'mysql', 'mysql_backup' ]
+
+- name: Install the mysql backup defaults
+  template: src=mysql_backup-default.j2 dest=/etc/default/mysql_backup owner=root group=root mode=0440
+  tags: [ 'mysql', 'mysql_backup' ]
+
+- name: Cron job that executes mysql nightly backups
+  template: src=mysql-backup.cron.j2 dest=/etc/cron.daily/mysql-backup owner=root group=root mode=0755
+  tags: [ 'mysql', 'mysql_backup' ]

tasks/mysql-conf.yml

@@ -0,0 +1,24 @@
+---
+- name: Manage the MySQL configuration files
+  block:
+  - name: Create the data directory
+    file: dest={{ mysql_data_dir }} state=directory owner=mysql group=mysql mode=0700
+    
+  - name: Create the log directory
+    file: dest={{ mysql_log_dir }} state=directory owner=mysql group=adm mode=1750
+    
+  - name: Install the main configuration files.
+    template: src={{ item }}.cnf.j2 dest={{ mysql_conf_dir }}/{{ item }}.cnf owner=root group=root mode=0644
+    with_items:
+      - client
+      - mysql-clients
+    notify: Restart mysql 
+
+  - name: Install the main configuration files.
+    template: src={{ item }}.cnf.j2 dest={{ mysql_service_conf_dir }}/mysqld.cnf owner=root group=root mode=0644
+    with_items:
+      - server
+    notify: Restart mysql
+  
+  when: mysql_enabled | bool
+  tags: [ 'mysql', 'mariadb', 'mysql_conf' ]

tasks/mysql-letsencrypt.yml

@@ -0,0 +1,30 @@
+---
+- name: Manage the letsencrypt configuration
+  block:
+  - name: Check if the letsencrypt certificates are in place
+    stat: path={{ letsencrypt_acme_certs_dir }}/privkey
+    register: letsencrypt_keyfile
+
+  - name: Copy the letsencrypt certificate key into the right place
+    copy: src={{ letsencrypt_acme_certs_dir }}/privkey dest=/var/lib/mysql/client-key.pem owner=mysql group=mysql mode=0400 remote_src=yes force=yes
+    when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
+    notify: Restart mysql 
+
+  - name: Copy the letsencrypt public certificate into the right place
+    copy: src={{ letsencrypt_acme_certs_dir }}/cert dest=/var/lib/mysql/client-cert.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
+    when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
+    notify: Restart mysql 
+
+  - name: Copy the letsencrypt CA certificate into the right place
+    copy: src={{ letsencrypt_acme_certs_dir }}/fullchain dest=/var/lib/mysql/ca.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
+    when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
+    notify: Restart mysql 
+
+  - name: Create the acme hooks directory if it does not yet exist
+    file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
+
+  - name: Install a script that fix the letsencrypt certificate for mysql and then reload the service
+    copy: src=letsencrypt-mysql-hook.sh dest={{ letsencrypt_acme_sh_services_scripts_dir }}/mysql owner=root group=root mode=4555
+
+  when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install | bool
+  tags: [ 'mysql', 'mariadb', 'letsencrypt', 'mysql_letsencrypt' ]

tasks/packages.yml

@@ -0,0 +1,6 @@
+---
+- name: install the mysql packages
+  apt: pkg={{ item }} state={{ mysql_pkg_state }}
+  with_items: '{{ mysql_packages_list }}'
+  tags: mysql
+

templates/client.cnf.j2

@@ -0,0 +1,6 @@
+# The following options will be passed to all MariaDB clients
+[client]
+#password       = your_password
+port            = 3306
+socket          = {{ mysql_socket }}
+

templates/dot_my.cnf.j2

@@ -0,0 +1,4 @@
+[client]
+user=root
+password={{ mysql_root_password }}
+

templates/mysql-backup.cron.j2

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+LOG_FILE=/var/log/mysql-backup.log
+if [ -x /etc/cron.daily/duplicity_backup ] ; then
+    echo "duplicity backups active. Exiting" > $LOG_FILE
+    exit 0
+fi
+
+# Remote backup performed by BackupPC. If it is active, do not run via cron
+if [ -f /var/log/backuppc.log ] ; then
+    TMSTMP=$( date +%s )
+    . /var/log/backuppc.log
+    LAST_BACKUP_TIME=$( expr $TMSTMP - $BACKUP_TIMESTAMP )
+    if [ $LAST_BACKUP_TIME -lt 86400 -a $BACKUP_RESULT == 'OK' ] ; then
+        echo "BackupPC is active, doing nothing" > $LOG_FILE
+        exit 0
+    fi
+fi
+
+/usr/local/sbin/mysql-backup > $LOG_FILE 2>&1
+
+exit 0

templates/mysql-clients.cnf.j2

@@ -0,0 +1,20 @@
+
+[mysql]
+
+[mysql_upgrade]
+
+[mysqladmin]
+
+[mysqlbinlog]
+
+[mysqlcheck]
+
+[mysqldump]
+quick
+max_allowed_packet = 16M
+
+[mysqlimport]
+
+[mysqlshow]
+
+[mysqlslap]

templates/mysql_backup-default.j2

@@ -0,0 +1,8 @@
+MY_BACKUP_USE_NAGIOS='{{ mysql_backup_use_nagios }}'
+MY_BACKUP_LOG_DIR='{{ mysql_backup_logdir }}'
+MY_BACKUP_LOG_FILE='{{ mysql_backup_logfile}}'
+N_DAYS_TO_SPARE='{{ mysql_backup_retain_copies }}'
+MY_BACKUP_DIR='{{ mysql_backup_destdir }}'
+MY_DATA_DIR='{{ mysql_data_dir }}'
+# Exclude list
+EXCLUDE_LIST='{{ mysql_backup_exclude_list }}'

templates/server.cnf.j2

@@ -0,0 +1,88 @@
+# Here follows entries for some specific programs
+
+# The MariaDB server
+[mysqld]
+user            = mysql
+{% if mysql_listen_on_ext_int %}
+bind-address            = 0.0.0.0
+{% else %}
+bind-address            = 127.0.0.1
+{% endif %}
+port            = {{ mysql_db_port }}
+socket          = {{ mysql_socket }}
+basedir         = /usr
+datadir         = {{ mysql_data_dir }}
+log_error       = {{ mysql_log_dir }}/error.log
+skip-external-locking
+# Point the following paths to different dedicated disks
+tmpdir          = /tmp
+lc-messages-dir = /usr/share/mysql
+
+#
+# * Fine Tuning
+#
+max_connections	= {{ mysql_db_max_connections }}
+key_buffer_size = 16M
+max_allowed_packet = {{ mysql_max_allowed_packet }}
+table_open_cache = 512
+sort_buffer_size = 8M
+net_buffer_length = 8K
+thread_stack            = 192K
+thread_cache_size       = 8
+read_buffer_size = {{ mysqld_db_read_buffer_size }}
+read_rnd_buffer_size = {{ mysql_db_read_rnd_buffer_size }}
+myisam_sort_buffer_size = 16M
+{% if mysql_skip_name_resolve %}
+skip-name-resolve
+{% endif %}
+
+{% if mysqld_sql_mode is defined %}
+sql_mode = {{ mysqld_sql_mode }}
+{% endif %}
+{% if mysqld_ft_stopword_file is defined %}
+ft_stopword_file = {{ mysqld_ft_stopword_file }}
+{% endif %}
+{% if mysqld_ft_min_word_lenght is defined %}
+ft_min_word_len = {{ mysqld_ft_min_word_lenght }}
+{% endif %}
+ft_boolean_syntax = '{{ mysql_ft_boolean_syntax | default('+ -><()~*:\"\"&|') }}'
+
+#
+# * Query Cache Configuration
+#
+query_cache_limit       = 1M
+query_cache_size        = 16M
+
+{% if mysql_binary_logging %}
+server-id={{ mysql_server_id }}
+# Enable binary logging. This is required for acting as a MASTER in a
+# replication configuration. You also need the binary log if you need
+# the ability to do point in time recovery from your latest backup.
+log-bin={{ mysql_binlog_dir }}/mysql-bin.log
+expire_logs_days        = {{ mysql_binlog_expire_logs_days }}
+max_binlog_size   = {{ mysql_binlog_max_binlog_size }}
+# binary logging format - mixed recommended
+binlog_format=mixed
+{% endif %}
+
+# Uncomment the following if you are using InnoDB tables
+innodb_data_home_dir = {{ mysql_data_dir }}
+innodb_data_file_path = {{ mysql_db_innodb_data_file_path }}
+innodb_log_group_home_dir = {{ mysql_data_dir }}
+# You can set .._buffer_pool_size up to 50 - 80 %
+# of RAM but beware of setting memory usage too high
+innodb_buffer_pool_size = {{ mysql_db_innodb_buffer_pool_size }}
+# Set .._log_file_size to 25 % of buffer pool size
+innodb_log_file_size = {{ mysql_db_innodb_log_file_size }}
+innodb_log_buffer_size = {{ mysql_db_innodb_log_buffer_size }}
+innodb_flush_log_at_trx_commit = 1
+innodb_lock_wait_timeout = 50
+
+{% if mysql_use_ssl %}
+ssl-ca=/var/lib/mysql/ca.pem
+ssl-cert=/var/lib/mysql/client-cert.pem
+ssl-key=/var/lib/mysql/client-key.pem
+{% endif %}
+
+[mysqld_safe]
+open-files-limit = {{ mysql_safe_open_files_limit }}