---
# Task list that locks down the MySQL configuration file, data and log
# locations, drops in the hardening.cnf template and enables the daemon.
# Ownership, group and path values all come from role variables
# (mysql_cnf_owner, mysql_hardening_user, mysql_hardening_mysql_confd_dir,
# ...); confirm them against the role defaults before changing modes.

- name: Protect my.cnf
  # follow: true applies owner/group/mode to the link target if the
  # configuration path is a symlink, not to the link itself.
  ansible.builtin.file:
    path: "{{ mysql_hardening_mysql_conf_file }}"
    state: file
    follow: true
    owner: "{{ mysql_cnf_owner }}"
    group: "{{ mysql_cnf_group }}"
    mode: "0640"

- name: Ensure permissions on mysql-datadir are correct
  # NOTE(review): group is set to mysql_hardening_user here, whereas the
  # log-file and conf.d tasks below use mysql_hardening_group — confirm
  # the difference is intended.
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ mysql_hardening_user }}"
    group: "{{ mysql_hardening_user }}"
    mode: "0750"
  # Both candidate locations are visited; blank entries are skipped by the
  # conditions below (list entries are AND-ed).
  loop:
    - "{{ mysql_settings.settings.datadir }}"
    - '{{ mysql_datadir | default("") }}'
  when:
    - item is defined
    - item != ""

- name: Ensure permissions on mysql-logfile are correct
  # "stderr"/"stdout" are valid log_error values that are not files, so
  # they are excluded before the file module touches anything.
  ansible.builtin.file:
    path: "{{ item }}"
    state: file
    owner: "{{ mysql_hardening_user }}"
    group: "{{ mysql_hardening_group }}"
    mode: "0640"
  loop:
    - "{{ mysql_settings.settings.log_error }}"
    - '{{ mysql_hardening_log_file | default("") }}'
  when:
    - item is defined
    - item != ""
    - item != "stderr"
    - item != "stdout"

- name: Check mysql configuration-directory exists and has right permissions
  # Creates the conf.d directory if missing; 0750 keeps it unreadable to
  # users outside the hardening group.
  ansible.builtin.file:
    path: "{{ mysql_hardening_mysql_confd_dir }}"
    state: directory
    owner: "{{ mysql_hardening_user }}"
    group: "{{ mysql_hardening_group }}"
    mode: "0750"

- name: Check include-dir directive is present in my.cnf
  # Appends the !includedir line once so hardening.cnf is picked up.
  # backup: true writes a copy of the original my.cnf next to it — that
  # copy may hold credentials, so confirm its permissions are acceptable.
  ansible.builtin.lineinfile:
    dest: "{{ mysql_hardening_mysql_conf_file }}"
    line: "!includedir {{ mysql_hardening_mysql_confd_dir }}"
    insertafter: EOF
    state: present
    backup: true
  notify:
    - Restart mysql

- name: Apply hardening configuration
  # Rendered file lands in the conf.d directory prepared above.
  ansible.builtin.template:
    src: hardening.cnf.j2
    dest: "{{ mysql_hardening_mysql_confd_dir + '/hardening.cnf' }}"
    owner: "{{ mysql_cnf_owner }}"
    group: "{{ mysql_cnf_group }}"
    mode: "0640"
  notify:
    - Restart mysql

- name: Enable mysql
  # Only the enabled-at-boot flag is managed here; no state key is given,
  # so this task does not start or stop the daemon.
  ansible.builtin.service:
    name: "{{ mysql_daemon }}"
    enabled: "{{ mysql_daemon_enabled }}"