mysql: Install the server config file into the correct place. Support SSL and letsencrypt certificates.
This commit is contained in:
parent
ac53754be0
commit
75f8f92822
|
@ -2,10 +2,14 @@
|
||||||
mysql_enabled: True
|
mysql_enabled: True
|
||||||
mysql_pkg_state: present
|
mysql_pkg_state: present
|
||||||
mysql_conf_dir: /etc/mysql/conf.d
|
mysql_conf_dir: /etc/mysql/conf.d
|
||||||
|
mysql_service_conf_dir: /etc/mysql/mysql.conf.d
|
||||||
mysql_socket: /run/mysqld/mysqld.sock
|
mysql_socket: /run/mysqld/mysqld.sock
|
||||||
mysql_data_dir: /var/lib/mysql
|
mysql_data_dir: /var/lib/mysql
|
||||||
mysql_log_dir: /var/log/mysql
|
mysql_log_dir: /var/log/mysql
|
||||||
|
|
||||||
|
mysql_use_ssl: True
|
||||||
|
mysql_letsencrypt_certificates: True
|
||||||
|
|
||||||
# python-mysqldb is needed by ansible to manage users and databases
|
# python-mysqldb is needed by ansible to manage users and databases
|
||||||
mysql_packages_list:
|
mysql_packages_list:
|
||||||
- mysql-server
|
- mysql-server
|
||||||
|
|
|
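Review bot: `mysql_use_ssl: True` as a default points the server at three PEM files under /var/lib/mysql that this role only creates when the letsencrypt tasks actually run (and those are further gated on `letsencrypt_acme_sh_install`), so a host without acme.sh ends up with ssl-ca/ssl-cert/ssl-key lines referencing files that do not exist. Depending on the server version that is either a startup failure or a warning with TLS silently left off, neither of which a default should produce. I would ship `mysql_use_ssl: False` and `mysql_letsencrypt_certificates: False` (keeping the file's capitalised boolean style) and let inventories that have certificates opt in, or at least put `# Requires the PEM files installed by mysql-letsencrypt.yml` above the key so the coupling is visible.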
@ -0,0 +1,44 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
H_NAME=$( hostname -f )
|
||||||
|
LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
|
||||||
|
LE_LOG_DIR=/var/log/letsencrypt
|
||||||
|
LE_LOG_FILE="${LE_LOG_DIR}/mysql.log"
|
||||||
|
MYSQL_CERTDIR=/var/lib/mysql
|
||||||
|
|
||||||
|
DATE=$( date )
|
||||||
|
|
||||||
|
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||||
|
echo "$DATE" >> $LE_LOG_FILE
|
||||||
|
|
||||||
|
if [ -f "/etc/default/acme_sh_request_env" ] ; then
|
||||||
|
# shellcheck source=/etc/default/acme_sh_request_env
|
||||||
|
source "/etc/default/acme_sh_request_env"
|
||||||
|
else
|
||||||
|
echo "No letsencrypt default file" >> $LE_LOG_FILE
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Copying the cert files" >> $LE_LOG_FILE
|
||||||
|
if [ ! -f ${MYSQL_CERTDIR}/ca.pem ] ; then
|
||||||
|
/bin/cp -f "${LE_CERTS_DIR}/fullchain" ${MYSQL_CERTDIR}/ca.pem
|
||||||
|
chown mysql:mysql ${MYSQL_CERTDIR}/ca.pem
|
||||||
|
fi
|
||||||
|
|
||||||
|
/bin/cp -f "${LE_CERTS_DIR}/privkey" ${MYSQL_CERTDIR}/client-key.pem
|
||||||
|
chmod 400 ${MYSQL_CERTDIR}/client-key.pem
|
||||||
|
chown mysql:mysql ${MYSQL_CERTDIR}/client-key.pem
|
||||||
|
|
||||||
|
/bin/cp -f "${LE_CERTS_DIR}/cert" ${MYSQL_CERTDIR}/client-cert.pem
|
||||||
|
chmod 440 ${MYSQL_CERTDIR}/client-cert.pem
|
||||||
|
chown mysql:mysql ${MYSQL_CERTDIR}/client-cert.pem
|
||||||
|
|
||||||
|
echo "Reload the mysql service" >> $LE_LOG_FILE
|
||||||
|
if [ -x /bin/systemctl ] ; then
|
||||||
|
systemctl reload mysql >> $LE_LOG_FILE 2>&1
|
||||||
|
else
|
||||||
|
service mysql reload >> $LE_LOG_FILE 2>&1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Done." >> $LE_LOG_FILE
|
||||||
|
|
||||||
|
exit 0
|
|
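Review bot: The CA bundle is copied only when `${MYSQL_CERTDIR}/ca.pem` is absent, while the key and certificate are refreshed on every run, so the first renewal that comes with a different issuing intermediate leaves the server presenting a new certificate against a stale ca.pem. Copy it unconditionally like the other two files: `/bin/cp -f "${LE_CERTS_DIR}/fullchain" ${MYSQL_CERTDIR}/ca.pem` followed by the existing chown, with the surrounding `if`/`fi` removed. Separately, the script has no `set -e` and always ends with `exit 0`, so a failed cp (for example when `${LE_CERTS_DIR}` does not exist for this hostname) still runs the chmod/chown, reloads the service and logs "Done."; `set -e` after the shebang, or `|| exit 1` on each cp, would make a failed renewal visible to the acme client that calls the hook. The path expansions used as cp destinations are unquoted, which is harmless for these fixed values but worth quoting for consistency with the `"${LE_CERTS_DIR}/..."` sources.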
@ -9,4 +9,7 @@
|
||||||
when: mysql_enabled | bool
|
when: mysql_enabled | bool
|
||||||
- import_tasks: mysql-backup.yml
|
- import_tasks: mysql-backup.yml
|
||||||
when: mysql_enabled | bool
|
when: mysql_enabled | bool
|
||||||
|
- import_tasks: mysql-letsencrypt.yml
|
||||||
|
when: mysql_letsencrypt_certificates | bool
|
||||||
|
|
||||||
|
|
||||||
|
|
|
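Review bot: The new `import_tasks: mysql-letsencrypt.yml` is gated only on `mysql_letsencrypt_certificates | bool`, while the imports above it are gated on `mysql_enabled | bool`, so with `mysql_enabled: False` the role would still copy the private key into /var/lib/mysql and notify a restart of a server it is not managing. Use `when: mysql_enabled | bool and mysql_letsencrypt_certificates | bool` so the two flags compose the way the rest of main.yml does.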
@ -1,18 +1,24 @@
|
||||||
---
|
---
|
||||||
- name: Create the data directory
|
- name: Manage the MySQL configuration files
|
||||||
file: dest={{ mysql_data_dir }} state=directory owner=mysql group=mysql mode=0700
|
block:
|
||||||
tags: [ 'mysql', 'mariadb', 'mysql-conf' ]
|
- name: Create the data directory
|
||||||
|
file: dest={{ mysql_data_dir }} state=directory owner=mysql group=mysql mode=0700
|
||||||
|
|
||||||
|
- name: Create the log directory
|
||||||
|
file: dest={{ mysql_log_dir }} state=directory owner=mysql group=adm mode=1750
|
||||||
|
|
||||||
|
- name: Install the main configuration files.
|
||||||
|
template: src={{ item }}.cnf.j2 dest={{ mysql_conf_dir }}/{{ item }}.cnf owner=root group=root mode=0644
|
||||||
|
with_items:
|
||||||
|
- client
|
||||||
|
- mysql-clients
|
||||||
|
notify: Restart mysql
|
||||||
|
|
||||||
|
- name: Install the main configuration files.
|
||||||
|
template: src={{ item }}.cnf.j2 dest={{ mysql_service_conf_dir }}/mysqld.cnf owner=root group=root mode=0644
|
||||||
|
with_items:
|
||||||
|
- server
|
||||||
|
notify: Restart mysql
|
||||||
|
|
||||||
- name: Create the log directory
|
when: mysql_enabled | bool
|
||||||
file: dest={{ mysql_log_dir }} state=directory owner=mysql group=adm mode=1750
|
tags: [ 'mysql', 'mariadb', 'mysql_conf' ]
|
||||||
tags: [ 'mysql', 'mariadb', 'mysql-conf' ]
|
|
||||||
|
|
||||||
- name: Install the main configuration files.
|
|
||||||
template: src={{ item }}.cnf.j2 dest={{ mysql_conf_dir }}/{{ item }}.cnf owner=root group=root mode=0644
|
|
||||||
with_items:
|
|
||||||
- client
|
|
||||||
- server
|
|
||||||
- mysql-clients
|
|
||||||
when: mysql_enabled
|
|
||||||
notify: Restart mysql
|
|
||||||
tags: [ 'mysql', 'mariadb', 'mysql-conf' ]
|
|
||||||
|
|
|
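Review bot: Two tasks inside the new block carry the same name, `Install the main configuration files.`, which makes `--start-at-task`, log output and handler attribution harder to follow; rename the second to `Install the server configuration file` and, since its loop has a single item, drop the `with_items` in favour of `template: src=server.cnf.j2 dest={{ mysql_service_conf_dir }}/mysqld.cnf owner=root group=root mode=0644`. The block's tag list also changes from `mysql-conf` to `mysql_conf`; if that is deliberate the commit message should say so, because a play invoked with `--tags mysql-conf` now silently skips this file, and if it is accidental the old spelling should be restored.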
@ -0,0 +1,30 @@
|
||||||
|
---
|
||||||
|
- name: Manage the letsencrypt configuration
|
||||||
|
block:
|
||||||
|
- name: Check if the letsencrypt certificates are in place
|
||||||
|
stat: path={{ letsencrypt_acme_certs_dir }}/privkey
|
||||||
|
register: letsencrypt_keyfile
|
||||||
|
|
||||||
|
- name: Copy the letsencrypt certificate key into the right place
|
||||||
|
copy: src={{ letsencrypt_acme_certs_dir }}/privkey dest=/var/lib/mysql/client-key.pem owner=mysql group=mysql mode=0400 remote_src=yes force=yes
|
||||||
|
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||||
|
notify: Restart mysql
|
||||||
|
|
||||||
|
- name: Copy the letsencrypt public certificate into the right place
|
||||||
|
copy: src={{ letsencrypt_acme_certs_dir }}/cert dest=/var/lib/mysql/client-cert.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
|
||||||
|
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||||
|
notify: Restart mysql
|
||||||
|
|
||||||
|
- name: Copy the letsencrypt CA certificate into the right place
|
||||||
|
copy: src={{ letsencrypt_acme_certs_dir }}/fullchain dest=/var/lib/mysql/ca.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
|
||||||
|
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||||
|
notify: Restart mysql
|
||||||
|
|
||||||
|
- name: Create the acme hooks directory if it does not yet exist
|
||||||
|
file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
|
||||||
|
|
||||||
|
- name: Install a script that fix the letsencrypt certificate for mysql and then reload the service
|
||||||
|
copy: src=letsencrypt-mysql-hook.sh dest={{ letsencrypt_acme_sh_services_scripts_dir }}/mysql owner=root group=root mode=4555
|
||||||
|
|
||||||
|
when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install | bool
|
||||||
|
tags: [ 'mysql', 'mariadb', 'letsencrypt', 'mysql_letsencrypt' ]
|
|
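Review bot: `mode=4555` on the hook script sets the setuid bit, which the kernel ignores for interpreted scripts, so it grants nothing but does leave a setuid file in the hooks directory for auditors and file-integrity scanners to flag; `mode=0755` is all the acme caller needs. The destination paths are hard-coded to `/var/lib/mysql/...` even though the defaults hunk defines `mysql_data_dir`, and the same literal is repeated in the `ssl-*` lines of the server template and in `MYSQL_CERTDIR` in the hook script; using `{{ mysql_data_dir }}` in the tasks and template would keep the three in step when the data directory moves. The certificate is installed with `mode=0444` here but `chmod 440` in the hook, so its permissions flip on every renewal; pick one and use it in both places.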
@ -2,17 +2,33 @@
|
||||||
|
|
||||||
# The MariaDB server
|
# The MariaDB server
|
||||||
[mysqld]
|
[mysqld]
|
||||||
|
user = mysql
|
||||||
|
{% if mysql_listen_on_ext_int %}
|
||||||
|
bind-address = 0.0.0.0
|
||||||
|
{% else %}
|
||||||
|
bind-address = 127.0.0.1
|
||||||
|
{% endif %}
|
||||||
port = {{ mysql_db_port }}
|
port = {{ mysql_db_port }}
|
||||||
socket = {{ mysql_socket }}
|
socket = {{ mysql_socket }}
|
||||||
max_connections = {{ mysql_db_max_connections }}
|
basedir = /usr
|
||||||
datadir = {{ mysql_data_dir }}
|
datadir = {{ mysql_data_dir }}
|
||||||
log_error = {{ mysql_log_dir }}/error.log
|
log_error = {{ mysql_log_dir }}/error.log
|
||||||
skip-external-locking
|
skip-external-locking
|
||||||
|
# Point the following paths to different dedicated disks
|
||||||
|
tmpdir = /tmp
|
||||||
|
lc-messages-dir = /usr/share/mysql
|
||||||
|
|
||||||
|
#
|
||||||
|
# * Fine Tuning
|
||||||
|
#
|
||||||
|
max_connections = {{ mysql_db_max_connections }}
|
||||||
key_buffer_size = 16M
|
key_buffer_size = 16M
|
||||||
max_allowed_packet = {{ mysql_max_allowed_packet }}
|
max_allowed_packet = {{ mysql_max_allowed_packet }}
|
||||||
table_open_cache = 512
|
table_open_cache = 512
|
||||||
sort_buffer_size = 8M
|
sort_buffer_size = 8M
|
||||||
net_buffer_length = 8K
|
net_buffer_length = 8K
|
||||||
|
thread_stack = 192K
|
||||||
|
thread_cache_size = 8
|
||||||
read_buffer_size = {{ mysqld_db_read_buffer_size }}
|
read_buffer_size = {{ mysqld_db_read_buffer_size }}
|
||||||
read_rnd_buffer_size = {{ mysql_db_read_rnd_buffer_size }}
|
read_rnd_buffer_size = {{ mysql_db_read_rnd_buffer_size }}
|
||||||
myisam_sort_buffer_size = 16M
|
myisam_sort_buffer_size = 16M
|
||||||
|
@ -31,24 +47,21 @@ ft_min_word_len = {{ mysqld_ft_min_word_lenght }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
ft_boolean_syntax = '{{ mysql_ft_boolean_syntax | default('+ -><()~*:\"\"&|') }}'
|
ft_boolean_syntax = '{{ mysql_ft_boolean_syntax | default('+ -><()~*:\"\"&|') }}'
|
||||||
|
|
||||||
# Point the following paths to different dedicated disks
|
#
|
||||||
#tmpdir = /tmp/
|
# * Query Cache Configuration
|
||||||
|
#
|
||||||
|
query_cache_limit = 1M
|
||||||
|
query_cache_size = 16M
|
||||||
|
|
||||||
# Instead of skip-networking the default is now to listen only on
|
|
||||||
# localhost which is more compatible and is not less secure.
|
|
||||||
{% if mysql_listen_on_ext_int %}
|
|
||||||
bind-address = 0.0.0.0
|
|
||||||
{% else %}
|
|
||||||
bind-address = 127.0.0.1
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if mysql_binary_logging %}
|
{% if mysql_binary_logging %}
|
||||||
server-id={{ mysql_server_id }}
|
server-id={{ mysql_server_id }}
|
||||||
# Enable binary logging. This is required for acting as a MASTER in a
|
# Enable binary logging. This is required for acting as a MASTER in a
|
||||||
# replication configuration. You also need the binary log if you need
|
# replication configuration. You also need the binary log if you need
|
||||||
# the ability to do point in time recovery from your latest backup.
|
# the ability to do point in time recovery from your latest backup.
|
||||||
log-bin=mysql-bin
|
log-bin={{ mysql_log_dir }}/mysql-bin.log
|
||||||
|
expire_logs_days = 10
|
||||||
|
max_binlog_size = 100M
|
||||||
# binary logging format - mixed recommended
|
# binary logging format - mixed recommended
|
||||||
binlog_format=mixed
|
binlog_format=mixed
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
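Review bot: `query_cache_limit` and `query_cache_size` are added unconditionally, but the query cache was removed in MySQL 8.0, where an unknown variable in the server config stops mysqld from starting; the role installs the distribution's `mysql-server` package, so this will bite on any distribution that ships 8.0 (MariaDB still accepts them). Guard the two lines with a variable, for example `{% if mysql_query_cache_enabled %}` … `{% endif %}` backed by a default in defaults/main.yml, or drop them and rely on the server default.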
@ -66,5 +79,11 @@ innodb_log_buffer_size = {{ mysql_db_innodb_log_buffer_size }}
|
||||||
innodb_flush_log_at_trx_commit = 1
|
innodb_flush_log_at_trx_commit = 1
|
||||||
innodb_lock_wait_timeout = 50
|
innodb_lock_wait_timeout = 50
|
||||||
|
|
||||||
|
{% if mysql_use_ssl %}
|
||||||
|
ssl-ca=/var/lib/mysql/ca.pem
|
||||||
|
ssl-cert=/var/lib/mysql/client-cert.pem
|
||||||
|
ssl-key=/var/lib/mysql/client-key.pem
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[mysqld_safe]
|
[mysqld_safe]
|
||||||
open-files-limit = {{ mysql_safe_open_files_limit }}
|
open-files-limit = {{ mysql_safe_open_files_limit }}
|
||||||
|
|
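Review bot: Setting `ssl-ca`/`ssl-cert`/`ssl-key` makes TLS available but not mandatory: with `mysql_listen_on_ext_int` the server still accepts cleartext connections on 0.0.0.0, and nothing in this hunk asks clients to use TLS. If the intent of `mysql_use_ssl` is to protect the external listener, add a variable-gated `require_secure_transport = ON` inside the same `{% if %}` (available on MySQL 5.7+ and MariaDB 10.5+; verify against the versions this role targets), or document in a comment above the block that TLS is opportunistic here. `ssl-ca` also points at a copy of `fullchain`, which carries the leaf certificate as well as the intermediates; if the acme client also writes a chain-only file, that is the one a verifier should trust — confirm which files it produces.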