Install MySQL server during deployment setup

It's finally colocated onto this box, instead of being on the old server! I think I'm noticing substantial perf improvements, probably both from increased colocation (tho they were in the same house before), and also from like ten years of performance optimizations LOL! As part of this, I created a new `setup_secrets.yml` file that's similar to `production.env`, but is for values that the setup script itself needs access to, whereas `production.env` is for values that the app needs at runtime. (Though they have some things in common, like the MySQL user password!) It's gitignored for security, as per usual!
2024-02-19 13:21:24 -08:00 · 2024-02-19 13:21:24 -08:00 · abbde80f60
commit abbde80f60
parent ead0003397
2 changed files with 98 additions and 5 deletions
--- a/deploy/files/.gitignore
+++ b/deploy/files/.gitignore
@ -1 +1,2 @@
-/production.env
+/production.env
+/setup_secrets.yml
--- a/deploy/setup.yml
+++ b/deploy/setup.yml
@ -6,6 +6,10 @@
  vars:
    email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
    impress_hostname: impress.openneo.net
+  vars_files:
+    # mysql_root_password, mysql_user_password, mysql_user_password_2020,
+    # dev_ips
+    - files/setup_secrets.yml
  tasks:
    - name: Create SSH folder for logged-in user
      become: no
@ -62,6 +66,22 @@
        rule: allow
        port: "443"

+    - name: Configure ufw firewall to allow MySQL connections from impress-2020
+      community.general.ufw:
+        rule: allow
+        port: "3306"
+        from_ip: "{{ item }}"
+      loop:
+        - "45.56.112.222"
+        - "2600:3c02::f03c:92ff:fe9a:4615"
+
+    - name: Configure ufw firewall to allow MySQL connections from known devs
+      community.general.ufw:
+        rule: allow
+        port: "3306"
+        from_ip: "{{ item }}"
+      loop: "{{ dev_ips }}"
+
    - name: Enable ufw firewall with all other ports closed by default
      community.general.ufw:
        state: enabled
@ -258,7 +278,7 @@
    - name: Create service file for impress
      copy:
        src: files/impress.service
-        dest: /etc/systemd/system/impress.service  
+        dest: /etc/systemd/system/impress.service
      notify:
        - Reload systemctl
        - Restart impress
@ -290,7 +310,7 @@
        src: files/sites-available/impress.conf
        dest: /etc/nginx/sites-available/impress.conf
      notify:
-        - Restart nginx
+        - Reload nginx

    - name: Enable impress config file in nginx
      file:
@ -298,12 +318,84 @@
        dest: /etc/nginx/sites-enabled/impress.conf
        state: link
      notify:
-        - Restart nginx
+        - Reload nginx
+
+    - name: Install MariaDB
+      apt:
+        name: mariadb-server
+
+    - name: Install a Python MySQL client, for Ansible to use when configuring
+      apt:
+        name: python3-mysqldb
+
+    - name: Update MariaDB root password
+      community.mysql.mysql_user:
+        name: root
+        host_all: true
+        password: "{{mysql_root_password}}"
+
+    - name: Create root's .my.cnf file
+      copy:
+        content: |
+          [client]
+          user=root
+          password='{{ mysql_root_password }}'
+        dest: /root/.my.cnf
+        mode: 0400
+
+    - name: Remove test database
+      community.mysql.mysql_db:
+        name: test
+        state: absent
+        login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+
+    - name: Remove anonymous users
+      community.mysql.mysql_user:
+        name: ""
+        state: absent
+        host_all: true
+
+    - name: Remove remote root access
+      community.mysql.mysql_query:
+        query:
+          - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
+
+    - name: Expose MariaDB to the internet (but ufw will block most clients)
+      copy:
+        dest: /etc/mysql/mariadb.conf.d/80-bind-address.cnf
+        content: |
+          [mysqld]
+          skip-networking=0
+          skip-bind-address
+      notify: Restart MariaDB
+
+    - name: Create MySQL databases
+      community.mysql.mysql_db:
+        name:
+          - openneo_impress
+          - openneo_id
+
+    - name: Create MySQL user openneo_impress
+      community.mysql.mysql_user:
+        name: openneo_impress
+        password: "{{ mysql_user_password }}"
+        priv: "openneo_impress.*:ALL,openneo_id.*:ALL"
+
+    - name: Create MySQL user impress2020
+      community.mysql.mysql_user:
+        name: impress2020
+        password: "{{ mysql_user_password_2020 }}"
+        priv: "openneo_impress.*:ALL,openneo_id.*:ALL"

  handlers:
-    - name: Restart nginx
+    - name: Reload nginx
      systemd:
        name: nginx
+        state: reloaded
+
+    - name: Restart MariaDB
+      systemd:
+        name: mariadb
        state: restarted

    - name: Reload systemctl