add a secure mysql setup to the ansible role

2017-10-29 18:49:04 +01:00 · 2017-10-29 18:49:04 +01:00 · 8576939ae7
parent 3d349653c3
commit 8576939ae7
3 changed files with 84 additions and 1 deletions
--- a/ansible/roles/web_AI-5/tasks/main.yml
+++ b/ansible/roles/web_AI-5/tasks/main.yml
@ -8,5 +8,7 @@
    regexp='(<[dD]irectory /var/www/>[^<]*)AllowOverride None'
    replace='\1AllowOverride All'

+- include: mariadb.yml
+
 - name: Restart apache service
  service: name=apache2 state=restarted
--- a/ansible/roles/web_AI-5/tasks/mariadb.yml
+++ b/ansible/roles/web_AI-5/tasks/mariadb.yml
@ -0,0 +1,77 @@
+---
+- name: "[mySQL] - Service is installed."
+  package: "name=mariadb-server state=present"
+  register: db_install
+
+- name: "[mySQL] - the python module mysqldb is present"
+  # needed by mysql_* ansible modules
+  package: name=python-mysqldb state=present
+
+- block:
+  - name: "[mySQL] - generate mysql root Password:"
+    set_fact: mysql_root_pwd="{{ lookup( '/mysql_root.pwd' ) }}"
+    when: mysql_root_pwd is not defined
+
+  - name: "[mySQL] - Update mysql root password"
+    mysql_user:
+      name: root
+      host: "{{ item }}"
+      password: "{{ mysql_root_pwd }}"
+      login_user: root
+      login_password: ""
+      check_implicit_admin: yes
+      priv: "*.*:ALL,GRANT"
+    with_items:
+      - 127.0.0.1
+      - ::1
+      - localhost
+    ignore_errors: yes
+  
+  - name: "[mySQL] - Delete the anonymous user."
+    mysql_user:
+      user: ""
+      state: "absent"
+      login_password: "{{ mysql_root_pwd }}"
+      login_user: root
+    ignore_errors: yes
+  
+  - name: "[mySQL] - Removes the MySQL test database"
+    mysql_db:
+      name: test
+      state: absent
+      login_password: "{{ mysql_root_pwd }}"
+      login_user: root
+    ignore_errors: yes
+  when: db_install.changed
+  
+- name: "[mySQL] - Check credentials"
+  stat: "path=/root/.my.cnf"
+  register: mycred
+
+- block:
+  - name: "[mySQL] - Make the file .my.cnf"
+    file: path=/root/.my.cnf state=touch mode="0640"
+  
+  - name: "[mySQL] - Add content to .my.cnf"
+    blockinfile:
+      dest: /root/.my.cnf
+      block: |
+        [client]
+        user=root
+        password="{{ mysql_root_pwd }}"
+  when: mycred.stat.exists is defined and not mycred.stat.exists
+
+- name: "[mySQL] - Generate database user Password."
+  set_fact: db_pwd="{{ lookup( '/db_admin.pwd' ) }}"
+  when: db_pwd is not defined
+
+- name: "[mySQL] - Add Database {{ db_name }}."
+  mysql_db: name={{ db_name }} state=present
+   
+- name: "[mySQL] - Configure the database user."
+  mysql_user:
+    name: "{{ db_admin }}"
+    password: "{{ db_pwd }}"
+    priv: "{{ db_name }}.*:ALL"
+    state: present
+
--- a/ansible/roles/web_AI-5/vars/main.yml
+++ b/ansible/roles/web_AI-5/vars/main.yml
@ -2,8 +2,12 @@
 apt_packages:
  - apache2
  - python3-django
-  - mariadb-server
  - libapache2-mod-wsgi-py3

 open_tcp_ports:
  - 80
+
+db_name: "webshopdb"                                                
+db_admin: "webshop"                                                 
+db_pwd: "2YKtY53F3HDDzPyExAaSh3jdVNh6VN"                              
+mysql_root_pwd: "4Dto2NaEpdoFg67eHXzpHWazG4MG3i"