add newmysql_cnf_owner variable, use ansible 2.0 features

Author: Sebastian Gumprich

defaults/main.yml

@@ -2,13 +2,14 @@
 mysql_hardening_enabled: yes
 
 # general configuration
-mysql_hardening_user: 'mysql'
+mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files
+mysql_hardening_user: 'mysql' # owner of data
 mysql_hardening_group: 'root'
 mysql_datadir: '/var/lib/mysql'
 mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf'
 # You have to change this to your own strong enough mysql root password
 mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
-# There .my.cnf with mysql root credentials will be installed 
+# There .my.cnf with mysql root credentials will be installed
 mysql_user_home: "{{ ansible_env.HOME}}"
 
 # ensure the following parameters are set properly
@@ -47,3 +48,5 @@ mysql_hardening_options:
 
   # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv
   secure-file-priv: '/tmp'
+  # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_user
+  user: '{{mysql_hardening_user}}'

tasks/configure.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: protect my.cnf
-  file: path='{{mysql_hardening_mysql_conf_file}}' mode=0400 owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' follow=yes
+  file: path='{{mysql_hardening_mysql_conf_file}}' mode=0400 owner='{{mysql_cnf_owner}}' group='{{mysql_hardening_group}}' follow=yes state=file
 
 - name: ensure permissions on mysql-datadir are correct
   file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}'
@@ -14,5 +14,8 @@
   notify: restart mysql
 
 - name: apply hardening configuration
-  template: src='hardening.cnf.j2' dest='{{mysql_hardening_mysql_hardening_conf_file}}' owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0460
+  template: src='hardening.cnf.j2' dest='{{mysql_hardening_mysql_hardening_conf_file}}' owner='{{mysql_cnf_owner}}' group='{{mysql_hardening_group}}' mode=0460
   notify: restart mysql
+
+- name: enable mysql
+  service: name='{{ mysql_daemon }}' enabled=yes

tasks/main.yml

@@ -11,11 +11,11 @@
 
 - include: configure.yml
   when: mysql_hardening_enabled
-  tags: 
+  tags:
     - mysql_hardening
 
 - include: mysql_secure_installation.yml
   when: mysql_hardening_enabled
-  tags: 
+  tags:
     - mysql_hardening
     - mysql_secure_installation

tasks/mysql_secure_installation.yml

@@ -24,32 +24,17 @@
     - 'localhost'
 
 - name: install .my.cnf with credentials
-  template: src=my.cnf.j2 dest={{mysql_user_home}}/.my.cnf 
+  template: src=my.cnf.j2 dest={{mysql_user_home}}/.my.cnf
             mode=0400
   tags: my_cnf
 
 - name: test database is absent
   mysql_db: name=test state=absent
   when: mysql_remove_test_database
 
-# Can use only if ansible ver => 2.1
-#- name: anonymous users are absent
-#  mysql_user: name='' state=absent host_all=yes
-#  when: mysql_remove_anonymous_users
-
-- name: copy mysql_remove_anonymous_users
-  copy: src='{{item}}.sql' dest='/tmp/{{item}}.sql'
-  with_items:
-    - mysql_remove_anonymous_users
-  when: mysql_remove_anonymous_users
-  changed_when: false
-
-- name: apply mysql_remove_anonymous_users
-  mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql' 
-  with_items:
-    - mysql_remove_anonymous_users
+- name: anonymous users are absent
+  mysql_user: name='' state=absent host_all=yes
   when: mysql_remove_anonymous_users
-  changed_when: false
 
 - name: copy mysql_remove_remote_root
   copy: src='{{item}}.sql' dest='/tmp/{{item}}.sql'
@@ -59,7 +44,7 @@
   changed_when: false
 
 - name: apply mysql_remove_remote_root
-  mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql' 
+  mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql'
   with_items:
     - mysql_remove_remote_root
   when: mysql_remove_remote_root