-rw-r--r--ansible.cfg2
-rw-r--r--roles/common/tasks/main.yml6
-rw-r--r--roles/common/tasks/sql.yml29
3 files changed, 36 insertions, 1 deletions
diff --git a/ansible.cfg b/ansible.cfg
index b94c4c2..524103e 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,33 +1,33 @@
# config file for ansible -- http://ansible.github.com
# nearly all parameters can be overridden in ansible-playbook or with command line flags
# ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first
[defaults]
# location of inventory file, eliminates need to specify -i
#hostfile = ./stage_vms
# location of ansible library, eliminates need to specify --module-path
-library = /usr/share/ansible/:./lib
+library = ./lib/:/usr/share/ansible/
# default module name used in /usr/bin/ansible when -m is not specified
module_name = command
# home directory where temp files are stored on remote systems. Should
# almost always contain $HOME or be a directory writeable by all users
remote_tmp = $HOME/.ansible/tmp
# the default pattern for ansible-playbooks ("hosts:")
pattern = *
# the default number of forks (parallelism) to be used. Usually you
# can crank this up.
forks=5
# the timeout used by various connection types. Usually this corresponds
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 355b2df..81ef705 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,11 +1,17 @@
---
- include: sysctl.yml tags=sysctl
- include: hosts.yml
- include: apt.yml tags=apt
- include: firewall.yml tags=firewall,iptables
- include: samhain.yml tags=samhain
- include: rkhunter.yml tags=rkhunter
- include: fail2ban.yml tags=fail2ban
- include: ipsec.yml tags=strongswan,ipsec
- include: logging.yml tags=logging
- include: mail.yml tags=mail,postfix
+- include: sql.yml tags=mysql,sql
+ # XXX: the conditional here is a bit dirty, because it clutters the
+ # output with 'skipping' notices.
+ when: "'MDA' in group_names or
+ 'webmail' in group_names or
+ 'backup' in group_names"
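Review bot: The `when:` attached to the `include: sql.yml` line is copied onto every task inside sql.yml, which is exactly why each non-matching host prints one "skipping" line per task, as the XXX comment acknowledges. If that noise matters, the tidy fix is structural rather than in this file: give the MDA, webmail and backup hosts a common inventory group and run the SQL tasks from a play or role that targets only that group, so the include needs no conditional at all. If the conditional include stays, a remark such as `# this condition is applied to every task in sql.yml` next to the `when:` would tell readers why the output looks the way it does and where the three group names must be kept in sync.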
diff --git a/roles/common/tasks/sql.yml b/roles/common/tasks/sql.yml
new file mode 100644
index 0000000..e32c863
--- /dev/null
+++ b/roles/common/tasks/sql.yml
@@ -0,0 +1,29 @@
+- name: Install MySQL
+ apt: pkg={{ item }}
+ with_items:
+ # XXX: In non-interactive mode apt-get doesn't put a password on
+ # MySQL's root user; we fix that on the next task, but an intruder
+ # could exploit the race condition and for instance create dummy
+ # users.
+ - mysql-common
+ - mysql-server
+ - python-mysqldb
+
+- name: Force root to use UNIX permissions
+ mysql_user: name=root auth_plugin=auth_socket
+ state=present
+
+- name: Disallow anonymous and TCP/IP root login
+ mysql_user: name={{ item.name|default('') }} host={{ item.host }}
+ state=absent
+ with_items:
+ - { host: '{{ inventory_hostname_short }}' }
+ - { host: 'localhost' }
+ - { host: '127.0.0.1'}
+ - { host: '::1'}
+ - { name: root, host: '{{ inventory_hostname_short }}' }
+ - { name: root, host: '127.0.0.1'}
+ - { name: root, host: '::1'}
+
+- name: Start MySQL
+ service: name=mysql state=started
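Review bot: The `service: name=mysql state=started` task comes last in sql.yml, after the three `mysql_user` tasks that need a running server; the file works today only because the Debian package starts mysqld during installation, so a host where the package is already present but the service is stopped fails at "Force root to use UNIX permissions". Move the Start MySQL task ahead of the `mysql_user` tasks so the dependency is explicit. For the install-to-hardening window that the XXX comment describes, preseeding the root password through the `debconf` module (question `mysql-server/root_password`) before the `apt` task closes the gap on Debian-family hosts, and since this file takes over the job of mysql_secure_installation it should also drop the `test` database with `mysql_db: name=test state=absent`, which older MySQL packages leave accessible to anonymous users. As far as I know `auth_plugin` is not a parameter of the stock `mysql_user` module of that era; presumably a patched copy under `./lib` supplies it, which would also explain the `library` reorder in ansible.cfg in this commit, so a comment such as `# auth_plugin= requires the mysql_user module shipped in ./lib` on that task would save the next reader a hunt.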