diff --git a/README.md b/README.md index 225dd44..9d25278 100644 --- a/README.md +++ b/README.md @@ -1,38 +1,25 @@ -Role Name +mysql ========= -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +Role that installs MySQL on Debian/Ubuntu Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +Too many to be mentioned here. See defaults/main.yml Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +My letsencrypt-acme-sh-client role is required to let letsencrypt manage certificates License ------- -BSD +EUPL 1.2+ Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Andrea Dell'Amico + diff --git a/defaults/main.yml b/defaults/main.yml index 95d3c70..d2a56c1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,2 +1,61 @@
 ---
-# defaults file for ansible-role-template
\ No newline at end of file
+mysql_enabled: True
+mysql_pkg_state: present
+mysql_conf_dir: /etc/mysql/conf.d
+mysql_service_conf_dir: /etc/mysql/mysql.conf.d
+mysql_socket: /run/mysqld/mysqld.sock
+mysql_data_dir: /var/lib/mysql
+mysql_log_dir: /var/log/mysql
+# If you move it, the apparmor configuration must be updated accordingly on Debian/Ubuntu hosts
+mysql_binlog_dir: '{{ mysql_data_dir }}'
+
+mysql_use_ssl: True
+mysql_letsencrypt_certificates: True
+
+# python-mysqldb is needed by ansible to manage users and databases
+mysql_packages_list:
+ - mysql-server
+ - mysql-client
+ - mytop
+ - python-mysqldb
+ - python-pymysql
+ - python-mysql.connector
+
+mysql_db_name: db_name
+mysql_db_user: db_user
+mysql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. Encrypt the file that contains the variable with ansible-vault"
+
+mysql_binary_logging: True
+mysql_binlog_expire_logs_days: '10'
+mysql_binlog_max_binlog_size: '100M'
+mysql_server_id: 1
+# Alternatives: utf8
+mysql_default_encoding: utf8mb4
+# Alternatives: utf8_unicode_ci utf8_bin
+mysql_default_collation: utf8mb4_unicode_ci
+mysql_db_host: localhost
+mysql_db_port: 3306
+mysql_db_max_connections: 100
+mysqld_db_read_buffer_size: 128K
+mysql_db_read_rnd_buffer_size: 256K
+mysql_db_innodb_data_file_path: 'ibdata1:10M:autoextend'
+mysql_db_innodb_buffer_pool_size: 256M
+mysql_db_innodb_additional_mem_pool_size: 5M
+# Set .._log_file_size to 25 % of buffer pool size
+mysql_db_innodb_log_file_size: 64M
+mysql_db_innodb_log_buffer_size: 9M
+mysql_safe_open_files_limit: 1024
+mysql_max_allowed_packet: 16M
+mysql_skip_name_resolve: True
+
+mysql_listen_on_ext_int: False
+#mysql_db_data:
+# - { name: '{{ mysql_db_name }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user: '{{ mysql_db_user }}', pwd: '{{ mysql_db_pwd }}', user_grant: 'ALL',
allowed_hosts: [ 'localhost', 'yyy.yyy.yyy.yyy/32', 'yyy.yyy.yyy.yyy' ] }
+
+mysql_backup_use_nagios: False
+mysql_backup_logdir: '{{ mysql_log_dir }}'
+mysql_backup_destdir: /var/lib/mysql-backup
+mysql_backup_logfile: '{{ mysql_backup_logdir }}/my_backup.log'
+mysql_backup_retain_copies: 3
+mysql_backup_exclude_list: "performance_schema"
+
diff --git a/files/letsencrypt-mysql-hook.sh b/files/letsencrypt-mysql-hook.sh
new file mode 100644
index 0000000..aaa74c5
--- /dev/null
+++ b/files/letsencrypt-mysql-hook.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+H_NAME=$( hostname -f )
+LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
+LE_LOG_DIR=/var/log/letsencrypt
+LE_LOG_FILE="${LE_LOG_DIR}/mysql.log"
+MYSQL_CERTDIR=/var/lib/mysql
+
+DATE=$( date )
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_FILE
+
+if [ -f "/etc/default/acme_sh_request_env" ] ; then
+ # shellcheck source=/etc/default/acme_sh_request_env
+ source "/etc/default/acme_sh_request_env"
+else
+ echo "No letsencrypt default file" >> $LE_LOG_FILE
+fi
+
+echo "Copying the cert files" >> $LE_LOG_FILE
+if [ ! -f ${MYSQL_CERTDIR}/ca.pem ] ; then
+ /bin/cp -f "${LE_CERTS_DIR}/fullchain" ${MYSQL_CERTDIR}/ca.pem
+ chown mysql:mysql ${MYSQL_CERTDIR}/ca.pem
+fi
+
+/bin/cp -f "${LE_CERTS_DIR}/privkey" ${MYSQL_CERTDIR}/client-key.pem
+chmod 400 ${MYSQL_CERTDIR}/client-key.pem
+chown mysql:mysql ${MYSQL_CERTDIR}/client-key.pem
+
+/bin/cp -f "${LE_CERTS_DIR}/cert" ${MYSQL_CERTDIR}/client-cert.pem
+chmod 440 ${MYSQL_CERTDIR}/client-cert.pem
+chown mysql:mysql ${MYSQL_CERTDIR}/client-cert.pem
+
+echo "Reload the mysql service" >> $LE_LOG_FILE
+if [ -x /bin/systemctl ] ; then
+ systemctl reload mysql >> $LE_LOG_FILE 2>&1
+else
+ service mysql reload >> $LE_LOG_FILE 2>&1
+fi
+
+echo "Done." >> $LE_LOG_FILE
+
+exit 0
diff --git a/files/mysql-backup.sh b/files/mysql-backup.sh
new file mode 100755
index 0000000..0cdce8c
--- /dev/null
+++ b/files/mysql-backup.sh
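Review bot: The default for `mysql_db_pwd` is a literal sentence, so a play that defines `mysql_db_data` from the commented example without overriding it would create the database user with that published string as its password. Leaving the variable undefined makes templating fail loudly instead; the default line could become the comment `# mysql_db_pwd: define in an ansible-vault encrypted vars file`. The text also points at `pgpass.j2`, which is not among the templates this commit adds, so the reference should name the file that actually consumes the password.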
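Review bot: The private key is written by `/bin/cp -f` before `chmod 400` and `chown` run, so on first creation `client-key.pem` exists root-owned with whatever mode the caller's umask gives it, and it keeps that state if a later command fails. Copying with the final mode and owner in one step closes the gap: `install -m 0400 -o mysql -g mysql "${LE_CERTS_DIR}/privkey" "${MYSQL_CERTDIR}/client-key.pem"`. The `ca.pem` copy is guarded by `[ ! -f ... ]`, so the chain is never refreshed after the first run, unlike the key and certificate. Because the script always ends with `exit 0` and never checks `cp`, a failed copy after renewal is visible only in `mysql.log`.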
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#echo "`date` mysql DUMP temporarly excluded (by Tom)"
+#exit 1
+
+RETVAL=0
+
+MY_BACKUP_USE_NAGIOS="False"
+MY_BACKUP_DIR=/var/lib/mysql-backup
+MY_DATA_DIR=/var/lib/mysql
+N_DAYS_TO_SPARE=7
+# Exclude list
+EXCLUDE_LIST='performance_schema'
+
+if [ -f /etc/default/mysql_backup ] ; then
+ . /etc/default/mysql_backup
+fi
+
+if [ ! -f /root/.my.cnf ] ; then
+ exit 1
+fi
+
+umask 0077
+# Year month day - hour minute second
+SAVE_TIME=$( date +%Y%m%d-%H%M%S )
+TIMESTAMP=
+TIMESTAMP_LOG=$MY_BACKUP_DIR/.timestamp
+
+if [ ! -d $MY_BACKUP_DIR ] ; then
+ mkdir -p $MY_BACKUP_DIR
+fi
+if [ ! -d $MY_BACKUP_LOG_DIR ] ; then
+ mkdir -p $MY_BACKUP_LOG_DIR
+fi
+if [ ! -d $MY_BACKUP_DIR/history ] ; then
+ mkdir -p $MY_BACKUP_DIR/history
+fi
+chmod 700 $MY_BACKUP_DIR
+LOCKFILE=$MY_DATA_DIR/.mysqldump.lock
+NAGIOS_LOG=$MY_BACKUP_DIR/.nagios-status
+
+if [ ! -f $LOCKFILE ] ; then
+ touch $LOCKFILE
+ if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
+ > $NAGIOS_LOG
+ fi
+ for db in $( mysql -Bse "show databases;" | egrep -v $EXCLUDE_LIST ) ; do
+ if [ "$db" == "information_schema" ]; then
+ mysqldump --single-transaction -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
+ DUMP_RESULT=$?
+ else
+ mysqldump -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
+ DUMP_RESULT=$?
+ fi
+ chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME}
+ if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
+ if [ $DUMP_RESULT -ne 0 ] ; then
+ echo "$db:FAILED" >> $NAGIOS_LOG
+ RETVAL=$DUMP_RESULT
+ else
+ echo "$db:OK" >> $NAGIOS_LOG
+ fi
+ fi
+ pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1
+ rm -f $db.sql
+ ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql
+ popd >/dev/null 2>&1
+ done
+ # Do a "flush-hosts" after the backup
+ mysqladmin flush-hosts 2> $MY_BACKUP_LOG_DIR/flush-hosts.log
+ TIMESTAMP=$( date +%s )
+ echo "$TIMESTAMP" > $TIMESTAMP_LOG
+ rm -f $LOCKFILE
+else
+ echo "Old backup still running" > /var/log/mysql-backup.log
+ RETVAL=2
+ if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
+ echo "old backup still running:WARNING" >> $NAGIOS_LOG
+ fi
+fi
+
+# Remove the old backups
+find ${MY_BACKUP_DIR}/history -ctime +$N_DAYS_TO_SPARE -exec rm -f {} \;
+
+exit $RETVAL
diff --git a/handlers/main.yml b/handlers/main.yml
index 27474e0..88318ef 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,6 @@
 ---
-# handlers file for ansible-role-template
\ No newline at end of file
+- name: Restart mysql
+ service: name=mysql state=restarted
+
+- name: Reload mysql
+ service: name=mysql state=reloaded
diff --git a/meta/main.yml b/meta/main.yml
index 5cc055c..bda0796 100644
--- a/meta/main.yml
+++ b/meta/main.yml
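Review bot: The lock is a separate `[ ! -f $LOCKFILE ]` test followed by `touch`, with no cleanup on abnormal exit, so a run that is killed leaves `.mysqldump.lock` behind and every later run skips the dumps; adding `trap 'rm -f "$LOCKFILE"' EXIT` right after the `touch` would release it. `RETVAL=$DUMP_RESULT` sits inside the `MY_BACKUP_USE_NAGIOS` branch, so with the default `"False"` a failed `mysqldump` still ends in `exit 0`; the assignment should move out of that `if`. `MY_BACKUP_LOG_DIR` has no default next to `MY_BACKUP_DIR`, so when `/etc/default/mysql_backup` is missing the `2>` redirections resolve to `/$db.log`; a line such as `MY_BACKUP_LOG_DIR=/var/log/mysql` beside the other defaults would avoid that.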
@@ -1,61 +1,23 @@ galaxy_info: - author: your name - description: your description + author: Andrea Dell'Amico + description: Systems Architect company: ISTI-CNR - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning - # Some suggested licenses: - # - BSD (default) - # - MIT - # - GPLv2 - # - GPLv3 - # - Apache - # - CC-BY license: EUPL 1.2+ min_ansible_version: 2.8 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # Optionally specify the branch Galaxy will use when accessing the GitHub - # repo for this role. During role install, if no tags are available, - # Galaxy will use this branch. During import Galaxy will access files on - # this branch. If Travis integration is configured, only notifications for this - # branch will be accepted. Otherwise, in all cases, the repo's default branch - # (usually master) will be used. - #github_branch: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. # To view available platforms and versions (or releases), visit: # https://galaxy.ansible.com/api/v1/platforms/ # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 + platforms: + - name: Ubuntu + versions: + - bionic - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. + galaxy_tags: + - mysql dependencies: [] - # List your role dependencies here, one per line. 
Be sure to remove the '[]' above, - # if you add dependencies to this list. -
diff --git a/tasks/configure_root_access.yml b/tasks/configure_root_access.yml
new file mode 100644
index 0000000..360c50c
--- /dev/null
+++ b/tasks/configure_root_access.yml
@@ -0,0 +1,40 @@
+---
+# 'localhost' needs to be the last item for idempotency, the mysql_user docs
+- name: Secure the mysql root user with a password
+ mysql_user: name=root host={{ item }} password={{ mysql_root_password }} login_unix_socket={{ mysql_socket }}
+ when: mysql_root_password is defined
+ with_items:
+ - '{{ ansible_hostname }}'
+ - 127.0.0.1
+ - ::1
+ - localhost
+ ignore_errors: True
+ tags: [ 'mysql', 'mysql_root' ]
+
+- name: Secure the mysql root user when no password has been defined
+ mysql_user: name=root host={{ item }} password="" login_unix_socket={{ mysql_socket }}
+ when: mysql_root_password is not defined
+ with_items:
+ - '{{ ansible_hostname }}'
+ - 127.0.0.1
+ - ::1
+ - localhost
+ ignore_errors: True
+ tags: [ 'mysql', 'mysql_root' ]
+
+- name: Install the .my.cnf file with root password credentials
+ template: src=dot_my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0400
+ when: mysql_root_password is defined
+ tags: [ 'mysql', 'mysql_root' ]
+
+- name: delete anonymous MySQL server user for the server hostname
+ mysql_user: user="" host="{{ ansible_hostname }}" state="absent" login_unix_socket={{ mysql_socket }}
+ tags: [ 'mysql', 'mysql_root' ]
+
+- name: delete anonymous MySQL server user for localhost
+ mysql_user: user="" state="absent" login_unix_socket={{ mysql_socket }}
+ tags: mysql
+
+- name: remove the MySQL test database
+ mysql_db: db=test state=absent login_unix_socket={{ mysql_socket }}
+ tags: mysql
diff --git a/tasks/disable-mariadb-service.yml b/tasks/disable-mariadb-service.yml
new file mode 100644
index 0000000..1e878be
--- /dev/null
+++ b/tasks/disable-mariadb-service.yml
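Review bot: The task named "Secure the mysql root user when no password has been defined" passes `password=""` for four root host entries, which secures nothing: depending on how the module version treats an empty password it either creates root accounts without one or leaves the existing ones as they are. Both root tasks carry `ignore_errors: True`, so a failed password change goes unnoticed, and neither sets `no_log`, so the password can appear in task output. The inline `password={{ mysql_root_password }}` form also breaks on passwords that contain spaces. The block below rewrites the first task in YAML-argument form with `no_log: True` and without `ignore_errors`; the second task would be better replaced by a failure when the variable is undefined.

```yaml
- name: Secure the mysql root user with a password
  mysql_user:
    name: root
    host: '{{ item }}'
    password: '{{ mysql_root_password }}'
    login_unix_socket: '{{ mysql_socket }}'
  no_log: True
  # … unchanged: when, with_items, tags …
```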
@@ -0,0 +1,7 @@
+---
+- name: Stop and disable the mysql server if we do not want it running
+ service: name=mysql state=stopped enabled=no
+ when: not mysql_enabled
+ tags:
+ - mysql
+
diff --git a/tasks/main.yml b/tasks/main.yml
index 53c6cae..be17d3a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,2 +1,15 @@
 ---
-# tasks file for ansible-role-template
\ No newline at end of file
+- import_tasks: packages.yml
+- import_tasks: mysql-conf.yml
+ when: mysql_enabled | bool
+- import_tasks: manage-mysql-service.yml
+- import_tasks: configure_root_access.yml
+ when: mysql_enabled | bool
+- import_tasks: manage_my_db.yml
+ when: mysql_enabled | bool
+- import_tasks: mysql-backup.yml
+ when: mysql_enabled | bool
+- import_tasks: mysql-letsencrypt.yml
+ when: mysql_letsencrypt_certificates | bool
+
+
diff --git a/tasks/manage-mysql-service.yml b/tasks/manage-mysql-service.yml
new file mode 100644
index 0000000..730d399
--- /dev/null
+++ b/tasks/manage-mysql-service.yml
@@ -0,0 +1,11 @@
+---
+- name: Ensure that the mysql server is enabled and running
+ service: name=mysql state=started enabled=yes
+ when: mysql_enabled
+ tags: [ 'mysql', 'mariadb' ]
+
+- name: Stop and disable the mysql server if we do not want it running
+ service: name=mysql state=stopped enabled=no
+ when: not mysql_enabled
+ tags: [ 'mysql', 'mariadb' ]
+
diff --git a/tasks/manage_my_db.yml b/tasks/manage_my_db.yml
new file mode 100644
index 0000000..851c6cc
--- /dev/null
+++ b/tasks/manage_my_db.yml
@@ -0,0 +1,24 @@
+---
+- name: Add databases to mysql, if any
+ mysql_db: name={{ item.name }} collation={{ item.collation }} encoding={{ item.encoding }} state=present login_unix_socket={{ mysql_socket }}
+ with_items: '{{ mysql_db_data | default([]) }}'
+ when: item.name is defined
+ tags: [ 'mysql', 'mysql_db' ]
+
+- name: Add a user for the databases
+ mysql_user: name={{ item.0.user }} password={{ item.0.pwd }} host={{ item.1 }} priv="{{ item.0.name }}.*:{{ item.0.user_grant }}" state=present login_unix_socket={{ mysql_socket }}
+ with_subelements:
+ - '{{ mysql_db_data | default([]) }}'
+ - allowed_hosts
+ when: item.0.name is defined
+ tags: [ 'mysql', 'mysql_db', 'mysql_user' ]
+
+- name: Additional user privileges, if defined
+ mysql_user: name={{ item.0.user }} append_privs=yes priv="{{ item.0.name }}.*:{{ item.0.additional_privs }}" state=present login_unix_socket={{ mysql_socket }}
+ with_subelements:
+ - '{{ mysql_db_data | default([]) }}'
+ - allowed_hosts
+ when:
+ - item.0.name is defined
+ - item.0.additional_privs is defined
+ tags: [ 'mysql', 'mysql_db', 'mysql_user' ]
diff --git a/tasks/mysql-backup.yml b/tasks/mysql-backup.yml
new file mode 100644
index 0000000..036891b
--- /dev/null
+++ b/tasks/mysql-backup.yml
@@ -0,0 +1,12 @@
+---
+- name: Install a script that performs mysql dumps
+ copy: src=mysql-backup.sh dest=/usr/local/sbin/mysql-backup owner=root group=root mode=0750
+ tags: [ 'mysql', 'mysql_backup' ]
+
+- name: Install the mysql backup defaults
+ template: src=mysql_backup-default.j2 dest=/etc/default/mysql_backup owner=root group=root mode=0440
+ tags: [ 'mysql', 'mysql_backup' ]
+
+- name: Cron job that executes mysql nightly backups
+ template: src=mysql-backup.cron.j2 dest=/etc/cron.daily/mysql-backup owner=root group=root mode=0755
+ tags: [ 'mysql', 'mysql_backup' ]
diff --git a/tasks/mysql-conf.yml b/tasks/mysql-conf.yml
new file mode 100644
index 0000000..da9cb00
--- /dev/null
+++ b/tasks/mysql-conf.yml
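Review bot: The "Additional user privileges" task loops over `allowed_hosts` but its `mysql_user` line has no `host=`, so each iteration targets the module's default host (`localhost`) instead of `item.1`. The extra privileges therefore never reach the per-host accounts created by the previous task, and if no `localhost` account exists the module would presumably create one without a password. Adding `host={{ item.1 }}` to that line fixes both. The "Add a user for the databases" task prints each loop item, including `item.0.pwd`, in its output, so `no_log: True` (or a `loop_control` label) belongs on it.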
@@ -0,0 +1,24 @@
+---
+- name: Manage the MySQL configuration files
+ block:
+ - name: Create the data directory
+ file: dest={{ mysql_data_dir }} state=directory owner=mysql group=mysql mode=0700
+
+ - name: Create the log directory
+ file: dest={{ mysql_log_dir }} state=directory owner=mysql group=adm mode=1750
+
+ - name: Install the main configuration files.
+ template: src={{ item }}.cnf.j2 dest={{ mysql_conf_dir }}/{{ item }}.cnf owner=root group=root mode=0644
+ with_items:
+ - client
+ - mysql-clients
+ notify: Restart mysql
+
+ - name: Install the main configuration files.
+ template: src={{ item }}.cnf.j2 dest={{ mysql_service_conf_dir }}/mysqld.cnf owner=root group=root mode=0644
+ with_items:
+ - server
+ notify: Restart mysql
+
+ when: mysql_enabled | bool
+ tags: [ 'mysql', 'mariadb', 'mysql_conf' ]
diff --git a/tasks/mysql-letsencrypt.yml b/tasks/mysql-letsencrypt.yml
new file mode 100644
index 0000000..00e75d7
--- /dev/null
+++ b/tasks/mysql-letsencrypt.yml
@@ -0,0 +1,30 @@
+---
+- name: Manage the letsencrypt configuration
+ block:
+ - name: Check if the letsencrypt certificates are in place
+ stat: path={{ letsencrypt_acme_certs_dir }}/privkey
+ register: letsencrypt_keyfile
+
+ - name: Copy the letsencrypt certificate key into the right place
+ copy: src={{ letsencrypt_acme_certs_dir }}/privkey dest=/var/lib/mysql/client-key.pem owner=mysql group=mysql mode=0400 remote_src=yes force=yes
+ when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
+ notify: Restart mysql
+
+ - name: Copy the letsencrypt public certificate into the right place
+ copy: src={{ letsencrypt_acme_certs_dir }}/cert dest=/var/lib/mysql/client-cert.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
+ when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
+ notify: Restart mysql
+
+ - name: Copy the letsencrypt CA certificate into the right place
+ copy: src={{ letsencrypt_acme_certs_dir }}/fullchain dest=/var/lib/mysql/ca.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
+ when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
+ notify: Restart mysql
+
+ - name: Create the acme hooks directory if it does not yet exist
+ file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
+
+ - name: Install a script that fix the letsencrypt certificate for mysql and then reload the service
+ copy: src=letsencrypt-mysql-hook.sh dest={{ letsencrypt_acme_sh_services_scripts_dir }}/mysql owner=root group=root mode=4555
+
+ when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install | bool
+ tags: [ 'mysql', 'mariadb', 'letsencrypt', 'mysql_letsencrypt' ]
\ No newline at end of file
diff --git a/tasks/packages.yml b/tasks/packages.yml
new file mode 100644
index 0000000..c11164b
--- /dev/null
+++ b/tasks/packages.yml
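Review bot: The hook script is installed with `mode=4555`, which sets the setuid bit on a root-owned shell script that every local user can read and execute. Linux ignores setuid on interpreted scripts, so the bit gives nothing here and is a standing risk on any platform or wrapper that honours it; `mode=0750` is enough if, as the directory name suggests, the acme.sh client calls the hook as root. The certificate is copied with `mode=0444` here while the hook later applies `chmod 440`, so the file mode changes after the first renewal; one value should be used in both places.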
@@ -0,0 +1,6 @@
+---
+- name: install the mysql packages
+ apt: pkg={{ item }} state={{ mysql_pkg_state }}
+ with_items: '{{ mysql_packages_list }}'
+ tags: mysql
+
diff --git a/templates/client.cnf.j2 b/templates/client.cnf.j2
new file mode 100644
index 0000000..a0bfa0c
--- /dev/null
+++ b/templates/client.cnf.j2
@@ -0,0 +1,6 @@
+# The following options will be passed to all MariaDB clients
+[client]
+#password = your_password
+port = 3306
+socket = {{ mysql_socket }}
+
diff --git a/templates/dot_my.cnf.j2 b/templates/dot_my.cnf.j2
new file mode 100644
index 0000000..74c129f
--- /dev/null
+++ b/templates/dot_my.cnf.j2
@@ -0,0 +1,4 @@
+[client]
+user=root
+password={{ mysql_root_password }}
+
diff --git a/templates/mysql-backup.cron.j2 b/templates/mysql-backup.cron.j2
new file mode 100755
index 0000000..eed3f43
--- /dev/null
+++ b/templates/mysql-backup.cron.j2
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+LOG_FILE=/var/log/mysql-backup.log
+if [ -x /etc/cron.daily/duplicity_backup ] ; then
+ echo "duplicity backups active. Exiting" > $LOG_FILE
+ exit 0
+fi
+
+# Remote backup performed by BackupPC. If it is active, do not run via cron
+if [ -f /var/log/backuppc.log ] ; then
+ TMSTMP=$( date +%s )
+ . /var/log/backuppc.log
+ LAST_BACKUP_TIME=$( expr $TMSTMP - $BACKUP_TIMESTAMP )
+ if [ $LAST_BACKUP_TIME -lt 86400 -a $BACKUP_RESULT == 'OK' ] ; then
+ echo "BackupPC is active, doing nothing" > $LOG_FILE
+ exit 0
+ fi
+fi
+
+/usr/local/sbin/mysql-backup > $LOG_FILE 2>&1
+
+exit 0
diff --git a/templates/mysql-clients.cnf.j2 b/templates/mysql-clients.cnf.j2
new file mode 100644
index 0000000..0febb17
--- /dev/null
+++ b/templates/mysql-clients.cnf.j2
@@ -0,0 +1,20 @@
+
+[mysql]
+
+[mysql_upgrade]
+
+[mysqladmin]
+
+[mysqlbinlog]
+
+[mysqlcheck]
+
+[mysqldump]
+quick
+max_allowed_packet = 16M
+
+[mysqlimport]
+
+[mysqlshow]
+
+[mysqlslap]
diff --git a/templates/mysql_backup-default.j2 b/templates/mysql_backup-default.j2
new file mode 100644
index 0000000..b189f3d
--- /dev/null
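Review bot: The `password=` value in dot_my.cnf.j2 is written unquoted, and option files treat `#` as the start of a comment and trim surrounding whitespace, so a root password containing those characters is read back truncated and logins through `/root/.my.cnf` (including the backup script) fail. Quoting the value avoids that: `password="{{ mysql_root_password }}"`. A password that itself contains a double quote or backslash would still need escaping.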
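Review bot: `. /var/log/backuppc.log` in mysql-backup.cron.j2 runs the contents of a log file as shell code in a root cron job, so whatever process writes that file (not shown in this commit) can execute commands as root. Reading the two expected values without sourcing is safer, for example `BACKUP_TIMESTAMP=$( sed -n 's/^BACKUP_TIMESTAMP=\([0-9][0-9]*\)$/\1/p' /var/log/backuppc.log )` and the same pattern for `BACKUP_RESULT`. `$BACKUP_RESULT` is also unquoted inside `[ ... -a ... ]`, which errors out when the variable is empty. The final `exit 0` discards the status of `/usr/local/sbin/mysql-backup`, so cron never reports a failed dump.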
+++ b/templates/mysql_backup-default.j2
@@ -0,0 +1,8 @@
+MY_BACKUP_USE_NAGIOS='{{ mysql_backup_use_nagios }}'
+MY_BACKUP_LOG_DIR='{{ mysql_backup_logdir }}'
+MY_BACKUP_LOG_FILE='{{ mysql_backup_logfile}}'
+N_DAYS_TO_SPARE='{{ mysql_backup_retain_copies }}'
+MY_BACKUP_DIR='{{ mysql_backup_destdir }}'
+MY_DATA_DIR='{{ mysql_data_dir }}'
+# Exclude list
+EXCLUDE_LIST='{{ mysql_backup_exclude_list }}'
diff --git a/templates/server.cnf.j2 b/templates/server.cnf.j2
new file mode 100644
index 0000000..d70998a
--- /dev/null
+++ b/templates/server.cnf.j2
@@ -0,0 +1,88 @@
+# Here follows entries for some specific programs
+
+# The MariaDB server
+[mysqld]
+user = mysql
+{% if mysql_listen_on_ext_int %}
+bind-address = 0.0.0.0
+{% else %}
+bind-address = 127.0.0.1
+{% endif %}
+port = {{ mysql_db_port }}
+socket = {{ mysql_socket }}
+basedir = /usr
+datadir = {{ mysql_data_dir }}
+log_error = {{ mysql_log_dir }}/error.log
+skip-external-locking
+# Point the following paths to different dedicated disks
+tmpdir = /tmp
+lc-messages-dir = /usr/share/mysql
+
+#
+# * Fine Tuning
+#
+max_connections = {{ mysql_db_max_connections }}
+key_buffer_size = 16M
+max_allowed_packet = {{ mysql_max_allowed_packet }}
+table_open_cache = 512
+sort_buffer_size = 8M
+net_buffer_length = 8K
+thread_stack = 192K
+thread_cache_size = 8
+read_buffer_size = {{ mysqld_db_read_buffer_size }}
+read_rnd_buffer_size = {{ mysql_db_read_rnd_buffer_size }}
+myisam_sort_buffer_size = 16M
+{% if mysql_skip_name_resolve %}
+skip-name-resolve
+{% endif %}
+
+{% if mysqld_sql_mode is defined %}
+sql_mode = {{ mysqld_sql_mode }}
+{% endif %}
+{% if mysqld_ft_stopword_file is defined %}
+ft_stopword_file = {{ mysqld_ft_stopword_file }}
+{% endif %}
+{% if mysqld_ft_min_word_lenght is defined %}
+ft_min_word_len = {{ mysqld_ft_min_word_lenght }}
+{% endif %}
+ft_boolean_syntax = '{{ mysql_ft_boolean_syntax | default('+ -><()~*:\"\"&|') }}'
+
+#
+# * Query Cache Configuration
+#
+query_cache_limit = 1M
+query_cache_size = 16M
+
+{% if mysql_binary_logging %}
+server-id={{ mysql_server_id }}
+# Enable binary logging. This is required for acting as a MASTER in a
+# replication configuration. You also need the binary log if you need
+# the ability to do point in time recovery from your latest backup.
+log-bin={{ mysql_binlog_dir }}/mysql-bin.log
+expire_logs_days = {{ mysql_binlog_expire_logs_days }}
+max_binlog_size = {{ mysql_binlog_max_binlog_size }}
+# binary logging format - mixed recommended
+binlog_format=mixed
+{% endif %}
+
+# Uncomment the following if you are using InnoDB tables
+innodb_data_home_dir = {{ mysql_data_dir }}
+innodb_data_file_path = {{ mysql_db_innodb_data_file_path }}
+innodb_log_group_home_dir = {{ mysql_data_dir }}
+# You can set .._buffer_pool_size up to 50 - 80 %
+# of RAM but beware of setting memory usage too high
+innodb_buffer_pool_size = {{ mysql_db_innodb_buffer_pool_size }}
+# Set .._log_file_size to 25 % of buffer pool size
+innodb_log_file_size = {{ mysql_db_innodb_log_file_size }}
+innodb_log_buffer_size = {{ mysql_db_innodb_log_buffer_size }}
+innodb_flush_log_at_trx_commit = 1
+innodb_lock_wait_timeout = 50
+
+{% if mysql_use_ssl %}
+ssl-ca=/var/lib/mysql/ca.pem
+ssl-cert=/var/lib/mysql/client-cert.pem
+ssl-key=/var/lib/mysql/client-key.pem
+{% endif %}
+
+[mysqld_safe]
+open-files-limit = {{ mysql_safe_open_files_limit }}
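Review bot: The `{% if mysql_use_ssl %}` block only tells the server where its certificate files are; nothing makes TLS mandatory, so with `mysql_listen_on_ext_int` set the server on `0.0.0.0` still accepts clear-text logins. On MySQL 5.7.8 or later, `require_secure_transport = ON` inside that block enforces it; for other server versions the accounts created in tasks/manage_my_db.yml would need `REQUIRE SSL`. If the three `.pem` files are missing when the server starts (the Let's Encrypt tasks are skipped unless `letsencrypt_acme_sh_install` is set), the server presumably comes up without TLS, so a check that the files exist before enabling the block would help.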