author | Guilhem Moulin <guilhem@fripost.org> | 2013-11-26 00:28:42 +0100 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:50:50 +0200 |
commit | 1157330f0e015b34a8013e106a4adb42c5b1979a (patch) | |
tree | 7942339b1cf65e4adba63270f62500f047df1460 | |
parent | 0303e1e30c7746fee9c27180a9fb0a0065b14213 (diff) |
Common MySQL configuration.
-rw-r--r-- | ansible.cfg | 2 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 6 | ||||
-rw-r--r-- | roles/common/tasks/sql.yml | 29 |
3 files changed, 36 insertions, 1 deletions
diff --git a/ansible.cfg b/ansible.cfg
index b94c4c2..524103e 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,33 +1,33 @@
# config file for ansible -- http://ansible.github.com
# nearly all parameters can be overridden in ansible-playbook or with command line flags
# ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first
[defaults]
# location of inventory file, eliminates need to specify -i
#hostfile = ./stage_vms
# location of ansible library, eliminates need to specify --module-path
-library = /usr/share/ansible/:./lib
+library = ./lib/:/usr/share/ansible/
# default module name used in /usr/bin/ansible when -m is not specified
module_name = command
# home directory where temp files are stored on remote systems. Should
# almost always contain $HOME or be a directory writeable by all users
remote_tmp = $HOME/.ansible/tmp
# the default pattern for ansible-playbooks ("hosts:")
pattern = *
# the default number of forks (parallelism) to be used. Usually you
# can crank this up.
forks=5
# the timeout used by various connection types. Usually this corresponds
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 355b2df..81ef705 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,11 +1,17 @@
---
- include: sysctl.yml tags=sysctl
- include: hosts.yml
- include: apt.yml tags=apt
- include: firewall.yml tags=firewall,iptables
- include: samhain.yml tags=samhain
- include: rkhunter.yml tags=rkhunter
- include: fail2ban.yml tags=fail2ban
- include: ipsec.yml tags=strongswan,ipsec
- include: logging.yml tags=logging
- include: mail.yml tags=mail,postfix
+- include: sql.yml tags=mysql,sql
+ # XXX: the conditional here is a bit dirty, because it clutters the
+ # output with 'skipping' notices.
+ when: "'MDA' in group_names or
+ 'webmail' in group_names or
+ 'backup' in group_names"
diff --git a/roles/common/tasks/sql.yml b/roles/common/tasks/sql.yml
new file mode 100644
index 0000000..e32c863
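Review bot: The XXX comment on the new `when:` in main.yml explains the cosmetic cost of the conditional but not why the MDA, webmail and backup groups are the ones that get a local MySQL server, which is what a later reader needs in order to decide whether another group belongs in the list; a comment such as `# Only hosts that keep data in MySQL (MDA, webmail, backup) get a local server.` would cover it. A `when:` on an include is inherited by every task in sql.yml, which is what produces the skipping notices the comment mentions; giving sql.yml its own role applied only to those groups would avoid that, but that is a structural choice beyond this commit.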
--- /dev/null
+++ b/roles/common/tasks/sql.yml
@@ -0,0 +1,29 @@
+- name: Install MySQL
+ apt: pkg={{ item }}
+ with_items:
+ # XXX: In non-interactive mode apt-get doesn't put a password on
+ MySQL's root user; we fix that on the next task, but an intruder
+ could exploit the race condition and for instance create dummy
+ users.
+ - mysql-common
+ - mysql-server
+ - python-mysqldb
+
+- name: Force root to use UNIX permissions
+ mysql_user: name=root auth_plugin=auth_socket
+ state=present
+
+- name: Disallow anonymous and TCP/IP root login
+ mysql_user: name={{ item.name|default('') }} host={{ item.host }}
+ state=absent
+ with_items:
+ - { host: '{{ inventory_hostname_short }}' }
+ - { host: 'localhost' }
+ - { host: '127.0.0.1'}
+ - { host: '::1'}
+ - { name: root, host: '{{ inventory_hostname_short }}' }
+ - { name: root, host: '127.0.0.1'}
+ - { name: root, host: '::1'}
+
+- name: Start MySQL
+ service: name=mysql state=started |
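Review bot: The `Start MySQL` task at the end of sql.yml runs after the two `mysql_user` tasks that need a live server, so those tasks only succeed because the Debian package's maintainer script starts mysqld during installation; moving `- name: Start MySQL` / `service: name=mysql state=started` to directly after the apt task makes that dependency explicit and keeps the play working on a host where the service was stopped between runs. The window the XXX comment describes (a root account with no password between the apt task and the `auth_socket` task) can be closed rather than narrowed by preseeding `mysql-server/root_password` through debconf before the package is installed, and the comment should record whichever option is chosen. `auth_plugin=auth_socket` is not an argument of the stock mysql_user module, so the task presumably depends on a module shipped under `./lib/` (which the ansible.cfg hunk now places ahead of `/usr/share/ansible/`); a comment such as `# needs the mysql_user module from ./lib, the stock one has no auth_plugin` next to the task would save the next reader the search.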