salt/states/roles/maintain/mysql/init.sls

{%- set os=grains['os'] -%}
mysql-pkg:
  pkg.installed:
    - name: mariadb

mysql-python:
  pkg.installed: []

initialize_mysql:
  cmd.run:
    - name: mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
    - unless: 'test -e /var/lib/mysql/mysql'

mysql-service:
  service.running:
    - name: mysqld
    - enable: true

#This currently displays root password in output of salt-call upon failure, should probably create several mysql_query.run states instead
set_root:
  mysql_query.run:
    - database: mysql
    - query: "UPDATE mysql.user SET Password=PASSWORD('{%- include 'secure/passwords/root_db_password.txt' -%}') WHERE User='root';"
    - query: "UPDATE mysql.user SET Password=PASSWORD('{%- include 'secure/passwords/root_db_password.txt' -%}') WHERE User='root';FLUSH PRIVILEGES;"
    - onchanges:
      - cmd: initialize_mysql

secure_mysql:
  mysql_query.run:
    - database: mysql
    - query: "DELETE FROM mysql.user WHERE User='';DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');DROP DATABASE IF EXISTS test;DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';FLUSH PRIVILEGES;"
    - connection_user: root
    - connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"

#create salt db user
user_salt:
  mysql_user.present:
    - name: salt
    - host: "localhost"
    - password: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
    - connection_user: root
    - connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"

grant_salt:
  mysql_grants.present:
    - grant: all privileges
    - database: "*.*"
    - user: salt
    - host: "localhost"
    - grant_option: true
    - revoke_first: true
    - connection_user: root
    - connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"

{##ensure that database pillar exists##}
{%- if pillar['database'] is defined -%}
  {%- if pillar['database']['users'] is defined -%}
    {%- for user in pillar['database']['users'] %}
user_{{user}}:
  mysql_user.present:
    - name: {{user}}
      {%- if pillar['database']['users'][user]['host'] is defined %}
    - host: "{{pillar['database']['users'][user]['host']}}"
      {%- else %}
    - host: "%"
      {%- endif %}
    - password: "{%- include 'secure/passwords/'+user+'_db_password.txt' -%}"
    - connection_user: salt
    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
    {%- endfor %}
  {%- endif %}

  {% if pillar['database']['databases'] is defined -%}
    {%- for db in pillar['database']['databases'] %}
db_{{db}}:
  mysql_database.present:
    - name: {{db}}
    - connection_user: salt
    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
      {%- for user in pillar['database']['databases'][db] %}
{{db}}_grant_{{user}}:
  mysql_grants.present:
    - grant: {{pillar['database']['databases'][db][user]['grant']}}
    - database: "{{db}}.*"
    - user: {{user}}
    - host: {{pillar['database']['databases'][db][user]['host']}}
    - revoke_first: true
    - connection_user: salt
    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
      {%- endfor %}
    {%- endfor %}
  {%- endif %}
{%- endif %}

#set up dbdumb
user_dumpdb:
  mysql_user.present:
    - name: dumpdb
    - host: "localhost"
    - password: "{%- include 'secure/passwords/dumpdb_password.txt' -%}"
    - connection_user: salt
    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"

grant_dumpdb:
  mysql_grants.present:
    - grant: select, lock tables, show view, event, trigger
    - database: "*.*"
    - user: dumpdb
    - host: "localhost"
    - revoke_first: true
    - connection_user: salt
    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"

"/root/scripts/dumpdb.sh":
  file.managed:
    - source: salt://roles/maintain/mysql/dumpdb.sh
    - user: root
    - group: root
    - mode: 600
    - makedirs: true
    - template: jinja

/usr/lib/systemd/system/dumpdb.service:
  file.managed:
    - source: salt://roles/maintain/mysql/dumpdb.service
    - user: root
    - group: root
    - mode: 644

/usr/lib/systemd/system/dumpdb.timer:
  file.managed:
    - source: salt://roles/maintain/mysql/dumpdb.timer
    - user: root
    - group: root
    - mode: 644

dumpdb.timer:
  service.running:
    - enable: true

dumpdb-reload:
  module.run:
    - name: service.systemctl_reload
    - onchanges:
      - file: /usr/lib/systemd/system/*
Added icinga2 and sql states and backups/restores 2017-09-15 18:49:53 -05:00			`{%- set os=grains['os'] -%}`
			`mysql-pkg:`
			`pkg.installed:`
			`- name: mariadb`

			`mysql-python:`
			`pkg.installed: []`

			`initialize_mysql:`
			`cmd.run:`
			`- name: mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql`
			`- unless: 'test -e /var/lib/mysql/mysql'`

			`mysql-service:`
			`service.running:`
			`- name: mysqld`
			`- enable: true`

			`#This currently displays root password in output of salt-call upon failure, should probably create several mysql_query.run states instead`
			`set_root:`
			`mysql_query.run:`
			`- database: mysql`
Added sshserver state 2017-09-20 11:20:02 -05:00			`- query: "UPDATE mysql.user SET Password=PASSWORD('{%- include 'secure/passwords/root_db_password.txt' -%}') WHERE User='root';"`
Added icinga2 and sql states and backups/restores 2017-09-15 18:49:53 -05:00			`- query: "UPDATE mysql.user SET Password=PASSWORD('{%- include 'secure/passwords/root_db_password.txt' -%}') WHERE User='root';FLUSH PRIVILEGES;"`
			`- onchanges:`
			`- cmd: initialize_mysql`

			`secure_mysql:`
			`mysql_query.run:`
			`- database: mysql`
			`- query: "DELETE FROM mysql.user WHERE User='';DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');DROP DATABASE IF EXISTS test;DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';FLUSH PRIVILEGES;"`
			`- connection_user: root`
			`- connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"`

			`#create salt db user`
			`user_salt:`
			`mysql_user.present:`
			`- name: salt`
			`- host: "localhost"`
			`- password: "{%- include 'secure/passwords/salt_db_password.txt' -%}"`
			`- connection_user: root`
			`- connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"`

			`grant_salt:`
			`mysql_grants.present:`
			`- grant: all privileges`
			`- database: "."`
			`- user: salt`
			`- host: "localhost"`
			`- grant_option: true`
			`- revoke_first: true`
			`- connection_user: root`
			`- connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"`

			`{##ensure that database pillar exists##}`
			`{%- if pillar['database'] is defined -%}`
			`{%- if pillar['database']['users'] is defined -%}`
			`{%- for user in pillar['database']['users'] %}`
			`user_{{user}}:`
			`mysql_user.present:`
			`- name: {{user}}`
			`{%- if pillar['database']['users'][user]['host'] is defined %}`
			`- host: "{{pillar['database']['users'][user]['host']}}"`
			`{%- else %}`
			`- host: "%"`
			`{%- endif %}`
			`- password: "{%- include 'secure/passwords/'+user+'_db_password.txt' -%}"`
			`- connection_user: salt`
			`- connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"`
			`{%- endfor %}`
			`{%- endif %}`

			`{% if pillar['database']['databases'] is defined -%}`
			`{%- for db in pillar['database']['databases'] %}`
			`db_{{db}}:`
			`mysql_database.present:`
			`- name: {{db}}`
			`- connection_user: salt`
			`- connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"`
			`{%- for user in pillar['database']['databases'][db] %}`
			`{{db}}_grant_{{user}}:`
			`mysql_grants.present:`
			`- grant: {{pillar['database']['databases'][db][user]['grant']}}`
			`- database: "{{db}}.*"`
			`- user: {{user}}`
			`- host: {{pillar['database']['databases'][db][user]['host']}}`
			`- revoke_first: true`
			`- connection_user: salt`
			`- connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"`
			`{%- endfor %}`
			`{%- endfor %}`
			`{%- endif %}`
			`{%- endif %}`

			`#set up dbdumb`
			`user_dumpdb:`
			`mysql_user.present:`
			`- name: dumpdb`
			`- host: "localhost"`
			`- password: "{%- include 'secure/passwords/dumpdb_password.txt' -%}"`
			`- connection_user: salt`
			`- connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"`

			`grant_dumpdb:`
			`mysql_grants.present:`
			`- grant: select, lock tables, show view, event, trigger`
			`- database: "."`
			`- user: dumpdb`
			`- host: "localhost"`
			`- revoke_first: true`
			`- connection_user: salt`
			`- connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"`

			`"/root/scripts/dumpdb.sh":`
			`file.managed:`
			`- source: salt://roles/maintain/mysql/dumpdb.sh`
			`- user: root`
			`- group: root`
			`- mode: 600`
			`- makedirs: true`
			`- template: jinja`

			`/usr/lib/systemd/system/dumpdb.service:`
			`file.managed:`
			`- source: salt://roles/maintain/mysql/dumpdb.service`
			`- user: root`
			`- group: root`
			`- mode: 644`

			`/usr/lib/systemd/system/dumpdb.timer:`
			`file.managed:`
			`- source: salt://roles/maintain/mysql/dumpdb.timer`
			`- user: root`
			`- group: root`
			`- mode: 644`

			`dumpdb.timer:`
			`service.running:`
			`- enable: true`

			`dumpdb-reload:`
			`module.run:`
			`- name: service.systemctl_reload`
			`- onchanges:`
			`- file: /usr/lib/systemd/system/*`