summaryrefslogtreecommitdiffstats
path: root/roles/common/tasks
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/tasks')
-rw-r--r--roles/common/tasks/main.yml6
-rw-r--r--roles/common/tasks/sql.yml29
2 files changed, 35 insertions, 0 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 355b2df..81ef705 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -9,3 +9,9 @@
- include: ipsec.yml tags=strongswan,ipsec
- include: logging.yml tags=logging
- include: mail.yml tags=mail,postfix
+- include: sql.yml tags=mysql,sql
+ # XXX: the conditional here is a bit dirty, because it clutters the
+ # output with 'skipping' notices.
+ when: "'MDA' in group_names or
+ 'webmail' in group_names or
+ 'backup' in group_names"
diff --git a/roles/common/tasks/sql.yml b/roles/common/tasks/sql.yml
new file mode 100644
index 0000000..e32c863
--- /dev/null
+++ b/roles/common/tasks/sql.yml
@@ -0,0 +1,29 @@
+- name: Install MySQL
+ apt: pkg={{ item }}
+ with_items:
+ # XXX: In non-interactive mode apt-get doesn't put a password on
+ # MySQL's root user; we fix that on the next task, but an intruder
+ # could exploit the race condition and for instance create dummy
+ # users.
+ - mysql-common
+ - mysql-server
+ - python-mysqldb
+
+- name: Force root to use UNIX permissions
+ mysql_user: name=root auth_plugin=auth_socket
+ state=present
+
+- name: Disallow anonymous and TCP/IP root login
+ mysql_user: name={{ item.name|default('') }} host={{ item.host }}
+ state=absent
+ with_items:
+ - { host: '{{ inventory_hostname_short }}' }
+ - { host: 'localhost' }
+ - { host: '127.0.0.1'}
+ - { host: '::1'}
+ - { name: root, host: '{{ inventory_hostname_short }}' }
+ - { name: root, host: '127.0.0.1'}
+ - { name: root, host: '::1'}
+
+- name: Start MySQL
+ service: name=mysql state=started