From abbde80f60a08439200723353e566f9fe549526c Mon Sep 17 00:00:00 2001
From: Emi Matchu
Date: Mon, 19 Feb 2024 13:21:24 -0800
Subject: [PATCH] Install MySQL server during deployment setup

It's finally colocated onto this box, instead of being on the old server! I think I'm noticing substantial perf improvements, probably both from increased colocation (tho they were in the same house before), and also from like ten years of performance optimizations LOL! As part of this, I created a new `setup_secrets.yml` file that's similar to `production.env`, but is for values that the setup script itself needs access to, whereas `production.env` is for values that the app needs at runtime. (Though they have some things in common, like the MySQL user password!) It's gitignored for security, as per usual!
---
 deploy/files/.gitignore | 3 +-
 deploy/setup.yml | 100 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 98 insertions(+), 5 deletions(-)

diff --git a/deploy/files/.gitignore b/deploy/files/.gitignore
index c4cdf543..1cf821b0 100644
--- a/deploy/files/.gitignore
+++ b/deploy/files/.gitignore
@@ -1 +1,2 @@
-/production.env
\ No newline at end of file
+/production.env
+/setup_secrets.yml
diff --git a/deploy/setup.yml b/deploy/setup.yml
index 31bbe18a..4487153a 100644
--- a/deploy/setup.yml
+++ b/deploy/setup.yml
@@ -6,6 +6,10 @@
   vars:
     email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
     impress_hostname: impress.openneo.net
+  vars_files:
+    # mysql_root_password, mysql_user_password, mysql_user_password_2020,
+    # dev_ips
+    - files/setup_secrets.yml
   tasks:
     - name: Create SSH folder for logged-in user
       become: no
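Review bot: files/setup_secrets.yml is pulled in as a plain vars_files entry, so the MySQL root and user passwords it holds sit unencrypted in every working copy and are protected only by the .gitignore entry in the first hunk; `ansible-vault encrypt files/setup_secrets.yml` keeps this vars_files line unchanged and the play then only needs a vault password source. The comment naming the expected keys is useful; it would help to also say that dev_ips is a list of addresses, since the ufw task added later in this patch loops over it, and that Ansible refuses to run the play when a vars_files entry is missing, which is the state of a fresh checkout. The enclosing play definition starts before this hunk.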
@@ -62,6 +66,22 @@
         rule: allow
         port: "443"
 
+    - name: Configure ufw firewall to allow MySQL connections from impress-2020
+      community.general.ufw:
+        rule: allow
+        port: "3306"
+        from_ip: "{{ item }}"
+      loop:
+        - "45.56.112.222"
+        - "2600:3c02::f03c:92ff:fe9a:4615"
+
+    - name: Configure ufw firewall to allow MySQL connections from known devs
+      community.general.ufw:
+        rule: allow
+        port: "3306"
+        from_ip: "{{ item }}"
+      loop: "{{ dev_ips }}"
+
     - name: Enable ufw firewall with all other ports closed by default
       community.general.ufw:
         state: enabled
@@ -258,7 +278,7 @@
     - name: Create service file for impress
       copy:
         src: files/impress.service
-        dest: /etc/systemd/system/impress.service
+        dest: /etc/systemd/system/impress.service
       notify:
         - Reload systemctl
         - Restart impress
@@ -290,7 +310,7 @@
         src: files/sites-available/impress.conf
         dest: /etc/nginx/sites-available/impress.conf
       notify:
-        - Restart nginx
+        - Reload nginx
 
     - name: Enable impress config file in nginx
       file:
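Review bot: The two new ufw rules in the first hunk on this line allow port 3306 without a `proto`, so community.general.ufw opens it for both TCP and UDP from those sources; MariaDB only listens on TCP, so adding `proto: tcp` to both rules is the tighter rule at no cost. `loop: "{{ dev_ips }}"` aborts the play whenever setup_secrets.yml does not define dev_ips, which is easy to hit on a fresh checkout; `loop: "{{ dev_ips | default([]) }}"` makes an empty allow-list the safe default. The impress-2020 addresses are hard-coded here while the same kind of data (dev_ips) lives in the secrets file; keeping both lists in one place, with a comment on where the addresses come from, avoids them drifting apart. The other two hunks on this line (a whitespace-only dest change and the Restart→Reload nginx rename) raise nothing.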
@@ -298,12 +318,84 @@
         dest: /etc/nginx/sites-enabled/impress.conf
         state: link
       notify:
-        - Restart nginx
+        - Reload nginx
+
+    - name: Install MariaDB
+      apt:
+        name: mariadb-server
+
+    - name: Install a Python MySQL client, for Ansible to use when configuring
+      apt:
+        name: python3-mysqldb
+
+    - name: Update MariaDB root password
+      community.mysql.mysql_user:
+        name: root
+        host_all: true
+        password: "{{mysql_root_password}}"
+
+    - name: Create root's .my.cnf file
+      copy:
+        content: |
+          [client]
+          user=root
+          password='{{ mysql_root_password }}'
+        dest: /root/.my.cnf
+        mode: 0400
+
+    - name: Remove test database
+      community.mysql.mysql_db:
+        name: test
+        state: absent
+        login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+
+    - name: Remove anonymous users
+      community.mysql.mysql_user:
+        name: ""
+        state: absent
+        host_all: true
+
+    - name: Remove remote root access
+      community.mysql.mysql_query:
+        query:
+          - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
+
+    - name: Expose MariaDB to the internet (but ufw will block most clients)
+      copy:
+        dest: /etc/mysql/mariadb.conf.d/80-bind-address.cnf
+        content: |
+          [mysqld]
+          skip-networking=0
+          skip-bind-address
+      notify: Restart MariaDB
+
+    - name: Create MySQL databases
+      community.mysql.mysql_db:
+        name:
+          - openneo_impress
+          - openneo_id
+
+    - name: Create MySQL user openneo_impress
+      community.mysql.mysql_user:
+        name: openneo_impress
+        password: "{{ mysql_user_password }}"
+        priv: "openneo_impress.*:ALL,openneo_id.*:ALL"
+
+    - name: Create MySQL user impress2020
+      community.mysql.mysql_user:
+        name: impress2020
+        password: "{{ mysql_user_password_2020 }}"
+        priv: "openneo_impress.*:ALL,openneo_id.*:ALL"
 
   handlers:
-    - name: Restart nginx
+    - name: Reload nginx
       systemd:
         name: nginx
+        state: reloaded
+
+    - name: Restart MariaDB
+      systemd:
+        name: mariadb
         state: restarted
 
     - name: Reload systemctl
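Review bot: The impress2020 account is created without a `host`, so community.mysql.mysql_user defaults it to localhost and the remote client the earlier ufw rule admits from 45.56.112.222 / 2600:3c02::f03c:92ff:fe9a:4615 cannot log in unless it reaches the box through a tunnel; pinning the account to those sources with `host: "{{ item }}"` and a `loop:` over the same two addresses fixes that while staying narrower than `host: "%"`. The raw DELETE in "Remove remote root access" edits the grant tables directly but is not followed by `- FLUSH PRIVILEGES` in the same query list, so the cached grants keep admitting remote root until the service restarts (which only happens if the bind-address file changes), and on MariaDB 10.4+ mysql.user is a view over mysql.global_priv that may refuse the DELETE outright, so mysql_user with `state: absent` and an explicit host is the more portable form. Because skip-bind-address puts the server on the public interface and the 2020 client connects across the internet, consider `require_secure_transport=ON` in the same 80-bind-address.cnf once server certificates are in place, so application data is not carried in cleartext. Smaller points: `mode: "0400"` follows the Ansible guidance on quoting octal modes, and `"{{mysql_root_password}}"` is the only expression in the hunk without the surrounding spaces.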