Diffstat (limited to 'roles/mariadb')
-rw-r--r--roles/mariadb/README.md8
-rw-r--r--roles/mariadb/defaults/main.yml8
-rw-r--r--roles/mariadb/tasks/main.yml15
-rw-r--r--roles/mariadb/templates/50-server.cnf.j2 (renamed from roles/mariadb/files/50-server.cnf)66
4 files changed, 26 insertions, 71 deletions
diff --git a/roles/mariadb/README.md b/roles/mariadb/README.md
index dcf566d..49a732e 100644
--- a/roles/mariadb/README.md
+++ b/roles/mariadb/README.md
@@ -2,6 +2,14 @@
```
---
+mdb:
+ address: '0.0.0.0'
+ ssl:
+ enable: False
+ ca: '/etc/ssl/certs/ca-certificates.crt'
+ cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+
dbs:
- testdb1
- testdb2
diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml
index 155ecf7..7bae77c 100644
--- a/roles/mariadb/defaults/main.yml
+++ b/roles/mariadb/defaults/main.yml
@@ -2,3 +2,11 @@
dbs: []
db_users: []
+
+mdb:
+ address: '0.0.0.0'
+ ssl:
+ enable: False
+ ca: '/etc/ssl/certs/ca-certificates.crt'
+ cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
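Review bot: The new defaults leave `mdb.address` at `'0.0.0.0'` while `mdb.ssl.enable` is `False`, so a host that applies the role without overrides listens on every interface with no TLS configured; the template hunk at `bind-address = {{ mdb.address }}` inherits this, and the comment kept above that line still says the default is to listen only on localhost. A safer default would be `address: '127.0.0.1'`, with a comment on the `mdb:` block such as `# address: interface the server binds to; set explicitly to expose it beyond localhost`. The `cert` and `key` defaults point at the snakeoil pair, which is self-signed and, on a stock Debian layout, probably not readable by the `mysql` user, so enabling `ssl` without overriding them may fail at restart; a comment next to those keys should say they are placeholders.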
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index 79d7ef0..239affe 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -8,24 +8,13 @@
become: yes
- name: Config File
- copy:
- src: 50-server.cnf
+ template:
+ src: 50-server.cnf.j2
dest: /etc/mysql/mariadb.conf.d/50-server.cnf
become: yes
notify:
- Restart MariaDB
-- name: Generate SSL Certificates
- include_role:
- name: signed_certificate
- vars:
- cert_name: mysql
- ca_path: /etc/mysql
- key_path: /etc/mysql
- cert_path: /etc/mysql
- owner: mysql
- group: mysql
-
- name: Check for changed cert
command: /bin/true
when:
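Review bot: `Check for changed cert` stays in the play although the `Generate SSL Certificates` include that produced the certificate is removed, and its `when:` condition continues outside the hunk. If that condition tests a variable set by the `signed_certificate` role, the variable will be undefined after this change and the task will either fail or never fire; it should be dropped or rewritten against `mdb.ssl.cert`. Separately, the new `template:` task sets no `owner`, `group` or `mode`; adding `owner: root`, `group: root`, `mode: '0644'` pins the permissions of the rendered config instead of leaving them to the umask.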
diff --git a/roles/mariadb/files/50-server.cnf b/roles/mariadb/templates/50-server.cnf.j2
index 7ef47b3..c18a635 100644
--- a/roles/mariadb/files/50-server.cnf
+++ b/roles/mariadb/templates/50-server.cnf.j2
@@ -1,13 +1,7 @@
-#
-# These groups are read by MariaDB server.
-# Use it for options that only the server (but not clients) should see
-#
-# See the examples of server my.cnf files in /usr/share/mysql
+# This file is managed by Ansible. Do NOT change.
-# this is read by the standalone daemon and embedded servers
[server]
-# this is only for the mysqld standalone daemon
[mysqld]
#
@@ -16,7 +10,7 @@
user = mysql
pid-file = /run/mysqld/mysqld.pid
socket = /run/mysqld/mysqld.sock
-#port = 3306
+port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
@@ -25,7 +19,7 @@ lc-messages-dir = /usr/share/mysql
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
-bind-address = 0.0.0.0
+bind-address = {{ mdb.address }}
#
# * Fine Tuning
@@ -78,57 +72,13 @@ expire_logs_days = 10
#binlog_do_db = include_database_name
#binlog_ignore_db = exclude_database_name
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-#chroot = /var/lib/mysql/
-#
-# For generating SSL certificates you can use for example the GUI tool "tinyca".
-#
-ssl-ca = /etc/ssl/certs/ca-certificates.crt
-ssl-cert = /etc/mysql/mysql.pem
-ssl-key = /etc/mysql/mysql.key
-#
-# Accept only connections using the latest and most secure TLS protocol version.
-# ..when MariaDB is compiled with OpenSSL:
+{% if mdb.ssl.enable %}
+ssl-ca = {{ mdb.ssl.ca }}
+ssl-cert = {{ mdb.ssl.cert }}
+ssl-key = {{ mdb.ssl.key }}
ssl-cipher = TLSv1.2
-# ..when MariaDB is compiled with YaSSL (default in Debian):
-#ssl = on
+{% endif %}
-#
-# * Character sets
-#
-# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
-# utf8 4-byte character set. See also client.cnf
-#
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-
-#
-# * Unix socket authentication plugin is built-in since 10.0.22-6
-#
-# Needed so the root database user can authenticate without a password but
-# only when running as the unix root user.
-#
-# Also available for other users if required.
-# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
-
-# this is only for embedded server
-[embedded]
-
-# This group is only read by MariaDB servers, not by MySQL.
-# If you use the same .cnf file for MySQL and MariaDB,
-# you can put MariaDB-only options here
-[mariadb]
-
-# This group is only read by MariaDB-10.3 servers.
-# If you use the same .cnf file for MariaDB of different versions,
-# use this group for options that older servers don't understand
-[mariadb-10.3]
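Review bot: With the `{% if mdb.ssl.enable %}` guard the rendered file contains no `ssl-*` options at all under the role defaults, and even when the block is rendered the server only offers TLS; nothing in this hunk rejects plaintext clients. Accounts created from `db_users` would need `REQUIRE SSL` (or an equivalent server-side requirement) for the setting to protect credentials on the wire, and whether the role does that is not visible in this diff. The kept `ssl-cipher = TLSv1.2` line restricts the cipher list rather than naming a protocol version, and the comment explaining it is removed here; a short replacement such as `# restrict to cipher suites defined for TLSv1.2` would keep the intent readable.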