Install MySQL server during deployment setup

It's finally colocated onto this box, instead of being on the old
server! I think I'm noticing substantial perf improvements, probably
both from increased colocation (tho they were in the same house
before), and also from like ten years of performance optimizations LOL!

As part of this, I created a new `setup_secrets.yml` file that's
similar to `production.env`, but is for values that the setup script
itself needs access to, whereas `production.env` is for values that the
app needs at runtime. (Though they have some things in common, like the
MySQL user password!) It's gitignored for security, as per usual!
Emi Matchu 2024-02-19 13:21:24 -08:00
parent ead0003397
commit abbde80f60
2 changed files with 98 additions and 5 deletions


@ -1 +1,2 @@
/production.env /production.env
/setup_secrets.yml


@ -6,6 +6,10 @@
vars: vars:
email_address: "emi@matchu.dev" # TODO: Extract this to personal config? email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
impress_hostname: impress.openneo.net impress_hostname: impress.openneo.net
vars_files:
# mysql_root_password, mysql_user_password, mysql_user_password_2020,
# dev_ips
- files/setup_secrets.yml
tasks: tasks:
- name: Create SSH folder for logged-in user - name: Create SSH folder for logged-in user
become: no become: no
@ -62,6 +66,22 @@
rule: allow rule: allow
port: "443" port: "443"
- name: Configure ufw firewall to allow MySQL connections from impress-2020
community.general.ufw:
rule: allow
port: "3306"
from_ip: "{{ item }}"
loop:
- "45.56.112.222"
- "2600:3c02::f03c:92ff:fe9a:4615"
- name: Configure ufw firewall to allow MySQL connections from known devs
community.general.ufw:
rule: allow
port: "3306"
from_ip: "{{ item }}"
loop: "{{ dev_ips }}"
- name: Enable ufw firewall with all other ports closed by default - name: Enable ufw firewall with all other ports closed by default
community.general.ufw: community.general.ufw:
state: enabled state: enabled
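Review bot: The two new ufw rules for port 3306 open it for UDP as well as TCP, because `community.general.ufw` applies `port` to any protocol when `proto` is omitted; MariaDB only listens on TCP, so each of the two tasks should carry `proto: tcp` alongside `port: "3306"` to keep the opening as narrow as the task names describe. The impress-2020 addresses are hard-coded in the task while the developer addresses come from `dev_ips` in `setup_secrets.yml`; defining them next to `dev_ips` (for example as `impress_2020_ips`) would keep every remote-access allowlist in one place that gets reviewed together. Since these clients reach the database across the public internet, it is worth confirming that the MariaDB side requires TLS for the accounts they use, or that the connection is tunnelled — nothing visible in this section establishes either.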
@ -290,7 +310,7 @@
src: files/sites-available/impress.conf src: files/sites-available/impress.conf
dest: /etc/nginx/sites-available/impress.conf dest: /etc/nginx/sites-available/impress.conf
notify: notify:
- Restart nginx - Reload nginx
- name: Enable impress config file in nginx - name: Enable impress config file in nginx
file: file:
@ -298,12 +318,84 @@
dest: /etc/nginx/sites-enabled/impress.conf dest: /etc/nginx/sites-enabled/impress.conf
state: link state: link
notify: notify:
- Restart nginx - Reload nginx
- name: Install MariaDB
apt:
name: mariadb-server
- name: Install a Python MySQL client, for Ansible to use when configuring
apt:
name: python3-mysqldb
- name: Update MariaDB root password
community.mysql.mysql_user:
name: root
host_all: true
password: "{{mysql_root_password}}"
- name: Create root's .my.cnf file
copy:
content: |
[client]
user=root
password='{{ mysql_root_password }}'
dest: /root/.my.cnf
mode: 0400
- name: Remove test database
community.mysql.mysql_db:
name: test
state: absent
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
- name: Remove anonymous users
community.mysql.mysql_user:
name: ""
state: absent
host_all: true
- name: Remove remote root access
community.mysql.mysql_query:
query:
- DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
- name: Expose MariaDB to the internet (but ufw will block most clients)
copy:
dest: /etc/mysql/mariadb.conf.d/80-bind-address.cnf
content: |
[mysqld]
skip-networking=0
skip-bind-address
notify: Restart MariaDB
- name: Create MySQL databases
community.mysql.mysql_db:
name:
- openneo_impress
- openneo_id
- name: Create MySQL user openneo_impress
community.mysql.mysql_user:
name: openneo_impress
password: "{{ mysql_user_password }}"
priv: "openneo_impress.*:ALL,openneo_id.*:ALL"
- name: Create MySQL user impress2020
community.mysql.mysql_user:
name: impress2020
password: "{{ mysql_user_password_2020 }}"
priv: "openneo_impress.*:ALL,openneo_id.*:ALL"
handlers: handlers:
- name: Restart nginx - name: Reload nginx
systemd: systemd:
name: nginx name: nginx
state: reloaded
- name: Restart MariaDB
systemd:
name: mariadb
state: restarted state: restarted
- name: Reload systemctl - name: Reload systemctl