Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- - name: "Change database root user password"
- mysql_user:
- name: root
- password: "{{ lookup('password','/dev/null chars=ascii_letters,digits length=32') }}"
- host: "{{ item }}"
- check_implicit_admin: yes
- priv: "*.*:ALL,GRANT"
- state: present
- when: mysql_root_result.stat.exists == False
- with_items:
- - localhost
- - "::1"
- - 127.0.0.1
- [client]
- user={{ item.user }}
- password={{ item.password }}
- # MariaDB: Set up secure root password
- # Set up (and save) secure root password
- # Check for /root/.my.cnf
- # All the other things are skipped if this file already exists
- - name: "Check if we already have a root password config"
- stat:
- path: /root/.my.cnf
- register: mysql_root_result
- # Generate password
- # This uses https://docs.ansible.com/ansible/latest/plugins/lookup/password.html
- # to generate a 32 character random alphanumeric password
- - name: "Generate database root password if needed"
- set_fact:
- mysql_root_passwd: "{{ lookup('password','/dev/null chars=ascii_letters,digits length=32') }}"
- when: mysql_root_result.stat.exists == False
- # Generate /root/.my.cnf.new
- # A temporary file is used to keep it from breaking further commands
- # It also ensures that the password is on the server if the critical
- # parts are interrupted
- - name: "Save new root password in temporary file"
- template:
- src: my_passwd.cnf.j2
- dest: /root/.my.cnf.new
- owner: root
- group: root
- mode: 0400
- when: mysql_root_result.stat.exists == False
- with_items:
- - user: root
- password: "{{ mysql_root_passwd }}"
- # START of area that you don't want to interrupt
- # If this is interrupted after the first task
- # it can be fixed by manually running this on the server
- # mv /root/.my.cnf.new /root/.my.cnf
- # If the playbook is reran before that. The password would be lost!
- # Add DB user
- - name: "Add database root user"
- mysql_user:
- name: root
- password: "{{ mysql_root_passwd }}"
- host: "{{ item }}"
- check_implicit_admin: yes
- priv: "*.*:ALL,GRANT"
- state: present
- when: mysql_root_result.stat.exists == False
- with_items:
- - localhost
- # Now move the config in place
- - name: "Rename config with root password to correct name - Step 1 - link"
- file:
- state: hard
- src: /root/.my.cnf.new
- dest: /root/.my.cnf
- force: yes
- when: mysql_root_result.stat.exists == False
- # END of area that you don't want to interrupt
- # Interrupting before this task will leave a temporary file around
- # Everything will work as it should though
- - name: "Rename config with root password to correct name - Step 2 - unlink"
- file:
- state: absent
- path: /root/.my.cnf.new
- when: mysql_root_result.stat.exists == False
- # Remove additional root users - these don't have the password set
- # You might want to ensure that none of these variables are `localhost`
- # All return somewhat different values on my test system
- - name: "Clean up additional root users"
- mysql_user:
- name: root
- host: "{{ item }}"
- check_implicit_admin: yes
- state: absent
- with_items:
- - "::1"
- - 127.0.0.1
- - "{{ ansible_fqdn }}"
- - "{{ inventory_hostname }}"
- - "{{ ansible_hostname }}"
Add Comment
Please, Sign In to add comment