Install MySQL server during deployment setup
It's finally colocated onto this box, instead of being on the old server! I think I'm noticing substantial perf improvements, probably both from increased colocation (tho they were in the same house before), and also from like ten years of performance optimizations LOL! As part of this, I created a new `setup_secrets.yml` file that's similar to `production.env`, but is for values that the setup script itself needs access to, whereas `production.env` is for values that the app needs at runtime. (Though they have some things in common, like the MySQL user password!) It's gitignored for security, as per usual!
This commit is contained in:
parent
ead0003397
commit
abbde80f60
2 changed files with 98 additions and 5 deletions
3
deploy/files/.gitignore
vendored
3
deploy/files/.gitignore
vendored
|
@ -1 +1,2 @@
|
||||||
/production.env
|
/production.env
|
||||||
|
/setup_secrets.yml
|
||||||
|
|
100
deploy/setup.yml
100
deploy/setup.yml
|
@ -6,6 +6,10 @@
|
||||||
vars:
|
vars:
|
||||||
email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
|
email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
|
||||||
impress_hostname: impress.openneo.net
|
impress_hostname: impress.openneo.net
|
||||||
|
vars_files:
|
||||||
|
# mysql_root_password, mysql_user_password, mysql_user_password_2020,
|
||||||
|
# dev_ips
|
||||||
|
- files/setup_secrets.yml
|
||||||
tasks:
|
tasks:
|
||||||
- name: Create SSH folder for logged-in user
|
- name: Create SSH folder for logged-in user
|
||||||
become: no
|
become: no
|
||||||
|
@ -62,6 +66,22 @@
|
||||||
rule: allow
|
rule: allow
|
||||||
port: "443"
|
port: "443"
|
||||||
|
|
||||||
|
- name: Configure ufw firewall to allow MySQL connections from impress-2020
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "3306"
|
||||||
|
from_ip: "{{ item }}"
|
||||||
|
loop:
|
||||||
|
- "45.56.112.222"
|
||||||
|
- "2600:3c02::f03c:92ff:fe9a:4615"
|
||||||
|
|
||||||
|
- name: Configure ufw firewall to allow MySQL connections from known devs
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "3306"
|
||||||
|
from_ip: "{{ item }}"
|
||||||
|
loop: "{{ dev_ips }}"
|
||||||
|
|
||||||
- name: Enable ufw firewall with all other ports closed by default
|
- name: Enable ufw firewall with all other ports closed by default
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
state: enabled
|
state: enabled
|
||||||
|
@ -258,7 +278,7 @@
|
||||||
- name: Create service file for impress
|
- name: Create service file for impress
|
||||||
copy:
|
copy:
|
||||||
src: files/impress.service
|
src: files/impress.service
|
||||||
dest: /etc/systemd/system/impress.service
|
dest: /etc/systemd/system/impress.service
|
||||||
notify:
|
notify:
|
||||||
- Reload systemctl
|
- Reload systemctl
|
||||||
- Restart impress
|
- Restart impress
|
||||||
|
@ -290,7 +310,7 @@
|
||||||
src: files/sites-available/impress.conf
|
src: files/sites-available/impress.conf
|
||||||
dest: /etc/nginx/sites-available/impress.conf
|
dest: /etc/nginx/sites-available/impress.conf
|
||||||
notify:
|
notify:
|
||||||
- Restart nginx
|
- Reload nginx
|
||||||
|
|
||||||
- name: Enable impress config file in nginx
|
- name: Enable impress config file in nginx
|
||||||
file:
|
file:
|
||||||
|
@ -298,12 +318,84 @@
|
||||||
dest: /etc/nginx/sites-enabled/impress.conf
|
dest: /etc/nginx/sites-enabled/impress.conf
|
||||||
state: link
|
state: link
|
||||||
notify:
|
notify:
|
||||||
- Restart nginx
|
- Reload nginx
|
||||||
|
|
||||||
|
- name: Install MariaDB
|
||||||
|
apt:
|
||||||
|
name: mariadb-server
|
||||||
|
|
||||||
|
- name: Install a Python MySQL client, for Ansible to use when configuring
|
||||||
|
apt:
|
||||||
|
name: python3-mysqldb
|
||||||
|
|
||||||
|
- name: Update MariaDB root password
|
||||||
|
community.mysql.mysql_user:
|
||||||
|
name: root
|
||||||
|
host_all: true
|
||||||
|
password: "{{mysql_root_password}}"
|
||||||
|
|
||||||
|
- name: Create root's .my.cnf file
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
[client]
|
||||||
|
user=root
|
||||||
|
password='{{ mysql_root_password }}'
|
||||||
|
dest: /root/.my.cnf
|
||||||
|
mode: 0400
|
||||||
|
|
||||||
|
- name: Remove test database
|
||||||
|
community.mysql.mysql_db:
|
||||||
|
name: test
|
||||||
|
state: absent
|
||||||
|
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||||
|
|
||||||
|
- name: Remove anonymous users
|
||||||
|
community.mysql.mysql_user:
|
||||||
|
name: ""
|
||||||
|
state: absent
|
||||||
|
host_all: true
|
||||||
|
|
||||||
|
- name: Remove remote root access
|
||||||
|
community.mysql.mysql_query:
|
||||||
|
query:
|
||||||
|
- DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
|
||||||
|
|
||||||
|
- name: Expose MariaDB to the internet (but ufw will block most clients)
|
||||||
|
copy:
|
||||||
|
dest: /etc/mysql/mariadb.conf.d/80-bind-address.cnf
|
||||||
|
content: |
|
||||||
|
[mysqld]
|
||||||
|
skip-networking=0
|
||||||
|
skip-bind-address
|
||||||
|
notify: Restart MariaDB
|
||||||
|
|
||||||
|
- name: Create MySQL databases
|
||||||
|
community.mysql.mysql_db:
|
||||||
|
name:
|
||||||
|
- openneo_impress
|
||||||
|
- openneo_id
|
||||||
|
|
||||||
|
- name: Create MySQL user openneo_impress
|
||||||
|
community.mysql.mysql_user:
|
||||||
|
name: openneo_impress
|
||||||
|
password: "{{ mysql_user_password }}"
|
||||||
|
priv: "openneo_impress.*:ALL,openneo_id.*:ALL"
|
||||||
|
|
||||||
|
- name: Create MySQL user impress2020
|
||||||
|
community.mysql.mysql_user:
|
||||||
|
name: impress2020
|
||||||
|
password: "{{ mysql_user_password_2020 }}"
|
||||||
|
priv: "openneo_impress.*:ALL,openneo_id.*:ALL"
|
||||||
|
|
||||||
handlers:
|
handlers:
|
||||||
- name: Restart nginx
|
- name: Reload nginx
|
||||||
systemd:
|
systemd:
|
||||||
name: nginx
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
|
||||||
|
- name: Restart MariaDB
|
||||||
|
systemd:
|
||||||
|
name: mariadb
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: Reload systemctl
|
- name: Reload systemctl
|
||||||
|
|
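Review bot: The "Remove remote root access" task deletes rows directly from `mysql.user`, and an edit to the grant tables made this way does not take effect until the privilege cache is reloaded, so the remote root accounts stay usable until the "Restart MariaDB" handler happens to fire; add `- FLUSH PRIVILEGES` as a second entry under `query:` in that task (or use `DROP USER` / `community.mysql.mysql_user` with `state: absent`, which reload automatically). The `login_unix_socket: "{{ login_unix_socket | default(omit) }}"` line appears only on the "Remove test database" task, and `login_unix_socket` is neither in `vars:` nor in the list of keys the comment above `vars_files:` says `setup_secrets.yml` holds, so it is presumably always omitted; either drop the line or apply the same login setting to every `community.mysql.*` task so they all connect the same way. In the root `.my.cnf` task, `mode: 0400` is an unquoted octal literal that a YAML 1.1 loader reads as the integer 256 and which only works by accident of how Ansible interprets an integer mode; write it as `mode: "0400"` like the quoted `port: "3306"` values in the firewall hunk. The play's `tasks:` list and the `handlers:` section both begin outside these hunks.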