From 8576939ae7312d4e5265d18d8de23d3bd316ac05 Mon Sep 17 00:00:00 2001
From: Andreas Zweili
Date: Sun, 29 Oct 2017 18:49:04 +0100
Subject: [PATCH] add a secure mysql setup to the ansible role

---
 ansible/roles/web_AI-5/tasks/main.yml | 2 +
 ansible/roles/web_AI-5/tasks/mariadb.yml | 77 ++++++++++++++++++++++++
 ansible/roles/web_AI-5/vars/main.yml | 6 +-
 3 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/web_AI-5/tasks/mariadb.yml

diff --git a/ansible/roles/web_AI-5/tasks/main.yml b/ansible/roles/web_AI-5/tasks/main.yml
index 50807cb..32a619f 100644
--- a/ansible/roles/web_AI-5/tasks/main.yml
+++ b/ansible/roles/web_AI-5/tasks/main.yml
@@ -8,5 +8,7 @@
 regexp='(<[dD]irectory /var/www/>[^<]*)AllowOverride None'
 replace='\1AllowOverride All'
 
+- include: mariadb.yml
+
 - name: Restart apache service
 service: name=apache2 state=restarted
diff --git a/ansible/roles/web_AI-5/tasks/mariadb.yml b/ansible/roles/web_AI-5/tasks/mariadb.yml
new file mode 100644
index 0000000..9bedab0
--- /dev/null
+++ b/ansible/roles/web_AI-5/tasks/mariadb.yml
@@ -0,0 +1,77 @@
+---
+- name: "[mySQL] - Service is installed."
+ package: "name=mariadb-server state=present"
+ register: db_install
+
+- name: "[mySQL] - the python module mysqldb is present"
+ # needed by mysql_* ansible modules
+ package: name=python-mysqldb state=present
+
+- block:
+ - name: "[mySQL] - generate mysql root Password:"
+ set_fact: mysql_root_pwd="{{ lookup( '/mysql_root.pwd' ) }}"
+ when: mysql_root_pwd is not defined
+
+ - name: "[mySQL] - Update mysql root password"
+ mysql_user:
+ name: root
+ host: "{{ item }}"
+ password: "{{ mysql_root_pwd }}"
+ login_user: root
+ login_password: ""
+ check_implicit_admin: yes
+ priv: "*.*:ALL,GRANT"
+ with_items:
+ - 127.0.0.1
+ - ::1
+ - localhost
+ ignore_errors: yes
+
+ - name: "[mySQL] - Delete the anonymous user."
+ mysql_user:
+ user: ""
+ state: "absent"
+ login_password: "{{ mysql_root_pwd }}"
+ login_user: root
+ ignore_errors: yes
+
+ - name: "[mySQL] - Removes the MySQL test database"
+ mysql_db:
+ name: test
+ state: absent
+ login_password: "{{ mysql_root_pwd }}"
+ login_user: root
+ ignore_errors: yes
+ when: db_install.changed
+
+- name: "[mySQL] - Check credentials"
+ stat: "path=/root/.my.cnf"
+ register: mycred
+
+- block:
+ - name: "[mySQL] - Make the file .my.cnf"
+ file: path=/root/.my.cnf state=touch mode="0640"
+
+ - name: "[mySQL] - Add content to .my.cnf"
+ blockinfile:
+ dest: /root/.my.cnf
+ block: |
+ [client]
+ user=root
+ password="{{ mysql_root_pwd }}"
+ when: mycred.stat.exists is defined and not mycred.stat.exists
+
+- name: "[mySQL] - Generate database user Password."
+ set_fact: db_pwd="{{ lookup( '/db_admin.pwd' ) }}"
+ when: db_pwd is not defined
+
+- name: "[mySQL] - Add Database {{ db_name }}."
+ mysql_db: name={{ db_name }} state=present
+
+- name: "[mySQL] - Configure the database user."
+ mysql_user:
+ name: "{{ db_admin }}"
+ password: "{{ db_pwd }}"
+ priv: "{{ db_name }}.*:ALL"
+ state: present
+
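Review bot: Every task in the hardening block carries `ignore_errors: yes` and the whole block runs only `when: db_install.changed`, so a failed root-password update is swallowed and the play carries on with root still reachable via the empty `login_password: ""`, and on a host where mariadb-server is already installed (this same commit drops it from `apt_packages`, so previously provisioned hosts qualify) the root-password, anonymous-user and test-database tasks are skipped entirely while `/root/.my.cnf` is still written with the never-applied `mysql_root_pwd`. Drop `ignore_errors` on the `Update mysql root password` task and gate the block on something idempotent such as the `mycred.stat.exists` result rather than on the package-install outcome. Separately, `lookup( '/mysql_root.pwd' )` and `lookup( '/db_admin.pwd' )` name no lookup plugin, so if the `is not defined` guards ever let them run Ansible will fail with an unknown-plugin error; the `password` plugin looks intended, e.g. `set_fact: mysql_root_pwd="{{ lookup('password', '/mysql_root.pwd length=30') }}"`. The `.my.cnf` that stores the root credentials is created with `mode="0640"`; `mode="0600"` is the usual choice since nothing but root should be able to read it.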
diff --git a/ansible/roles/web_AI-5/vars/main.yml b/ansible/roles/web_AI-5/vars/main.yml
index edfefd3..b6ad0d9 100644
--- a/ansible/roles/web_AI-5/vars/main.yml
+++ b/ansible/roles/web_AI-5/vars/main.yml
@@ -2,8 +2,12 @@
 apt_packages:
 - apache2
 - python3-django
- - mariadb-server
 - libapache2-mod-wsgi-py3
 
 open_tcp_ports:
 - 80
+
+db_name: "webshopdb"
+db_admin: "webshop"
+db_pwd: "2YKtY53F3HDDzPyExAaSh3jdVNh6VN"
+mysql_root_pwd: "4Dto2NaEpdoFg67eHXzpHWazG4MG3i"
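Review bot: `db_pwd` and `mysql_root_pwd` are committed in clear text in `vars/main.yml`, which undercuts the "secure mysql setup" this commit describes: anyone with read access to the repository now holds the database root password, and because the values are in history they should be treated as compromised and rotated before the role is run again. Role `vars/` also sit above inventory and play vars in precedence, so the `when: mysql_root_pwd is not defined` / `when: db_pwd is not defined` guards in mariadb.yml can never fire while these keys exist here, leaving the generate-password tasks as dead code. Move the two secrets out of the role, either into an ansible-vault encrypted file referenced as `mysql_root_pwd: "{{ vault_mysql_root_pwd }}"` and `db_pwd: "{{ vault_db_pwd }}"`, or delete them so the lookup-based generation in mariadb.yml actually runs; the non-secret `db_name`/`db_admin` can stay (they would normally belong in `defaults/` so a playbook can override them).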