From 29efd6bedb4c7e05dead6ac328011c80eecd185c Mon Sep 17 00:00:00 2001
From: "camille.prugnard"
Date: Thu, 18 Dec 2025 15:37:55 +0100
Subject: [PATCH] enhance passwords management and add default options
---
 defaults/main.yml | 69 ++++++++++++++++++++++++++++++++++++++++
 tasks/configure.yml | 15 +++++++--
 tasks/users.yml | 18 ++++++++++-
 templates/my.cnf.j2 | 61 ++++++++++++++++++++++++++++++++++-
 templates/root.my.cnf.j2 | 16 ++++++++++
 5 files changed, 174 insertions(+), 5 deletions(-)
 create mode 100644 templates/root.my.cnf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index ebf9b1f..7d4ecd4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,12 +8,75 @@ percona_release_package_url: "https://repo.percona.com/apt/percona-release_lates # MySQL root password percona_root_password: "root_password_change_me" +# Salt for caching_sha2_password plugin +percona_caching_sha2_password_salt: "1234567890abcdefghij" # CHANGEME: 20 characters needed + # Bind address percona_bind_address: "127.0.0.1" # Port percona_port: 3306 +# Connection settings +percona_max_connections: 151 +percona_max_connect_errors: 100 +percona_connect_timeout: 10 +percona_wait_timeout: 28800 +percona_interactive_timeout: 28800 + +# Buffer settings +percona_max_allowed_packet: "64M" +percona_sort_buffer_size: "2M" +percona_read_buffer_size: "2M" +percona_read_rnd_buffer_size: "8M" +percona_join_buffer_size: "2M" +percona_thread_cache_size: 8 +percona_table_open_cache: 4000 +percona_table_definition_cache: 2000 + +# InnoDB settings +percona_innodb_buffer_pool_size: "1G" +percona_innodb_log_file_size: "256M" +percona_innodb_log_buffer_size: "16M" +percona_innodb_flush_log_at_trx_commit: 1 +percona_innodb_flush_method: "O_DIRECT" +percona_innodb_file_per_table: 1 +percona_innodb_io_capacity: 200 +percona_innodb_io_capacity_max: 2000 +percona_innodb_thread_concurrency: 0 +percona_innodb_read_io_threads: 4 +percona_innodb_write_io_threads: 4 +percona_innodb_open_files: 4000 + +# Binary logging +percona_log_bin: "mysql-bin" +percona_binlog_format: "ROW" +percona_binlog_expire_logs_seconds: 604800 # 7 days +percona_max_binlog_size: "100M" +percona_sync_binlog: 1 + +# Logging +percona_log_error: "/var/log/mysql/error.log" +percona_slow_query_log: 1 +percona_slow_query_log_file: "/var/log/mysql/slow-query.log" +percona_long_query_time: 2 +percona_log_queries_not_using_indexes: 0 + +# Replication settings +percona_server_id: 1 +percona_gtid_mode: "ON" +percona_enforce_gtid_consistency: "ON" +percona_log_slave_updates: 1 + +# Performance schema +percona_performance_schema: "ON" + +# SQL modes +percona_sql_mode: 
"ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION" + +# Authentication plugin (caching_sha2_password or mysql_native_password) +percona_default_authentication_plugin: "caching_sha2_password" + # Databases to create # Example: # percona_databases: @@ -29,5 +92,11 @@ percona_databases: [] # password: my_password # host: "%" # priv: "my_db.*:ALL" +# auth_plugin: caching_sha2_password # Optional: caching_sha2_password (default) or mysql_native_password for legacy +# - name: legacy_user +# password: legacy_password +# host: "%" +# priv: "my_db.*:ALL" +# auth_plugin: mysql_native_password # For legacy applications percona_users: [] diff --git a/tasks/configure.yml b/tasks/configure.yml index 7fb7d41..3d0c650 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -12,11 +12,20 @@ state: started enabled: yes +- name: percona | configure root .my.cnf + template: + src: root.my.cnf.j2 + dest: /root/.my.cnf + mode: '0600' + owner: root + group: root + - name: percona | update MySQL root password mysql_user: name: root host: localhost - password: "{{ percona_root_password }}" + plugin: caching_sha2_password + plugin_auth_string: "{{ percona_root_password }}" + salt: "{{ percona_caching_sha2_password_salt }}" login_unix_socket: /var/run/mysqld/mysqld.sock - priv: "*.*:ALL,GRANT" - ignore_errors: true # In case password is already set and socket auth is disabled + ignore_errors: true # In case password is already set and socket auth is disabled \ No newline at end of file diff --git a/tasks/users.yml b/tasks/users.yml index 6f9f83e..f7b9fc2 100644 --- a/tasks/users.yml +++ b/tasks/users.yml 
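Review bot: The new `percona_caching_sha2_password_salt` default `"1234567890abcdefghij"` is a published constant that stays in force unless someone acts on the CHANGEME comment, and both `tasks/configure.yml` and `tasks/users.yml` feed it into `mysql_user`'s `salt` for root and for every caching_sha2_password user, so all hosts left on the default hash their passwords under one shared salt and anyone who obtains the stored auth strings can amortise cracking across all of them. Nothing in the role enforces the comment; a guard at the top of the tasks is cheap, e.g. `- assert:` / `    that: percona_caching_sha2_password_salt != "1234567890abcdefghij"` / `    fail_msg: "set a per-deployment 20-character salt"`, or leave the variable undefined in defaults so the role fails loudly, which is the usual treatment for secret-like inputs. A one-line comment here saying why the salt exists (`# Keeps the hash deterministic so mysql_user stays idempotent; must be unique per deployment`) would also help the next reader, since the variable name alone does not explain it.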
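Review bot: `ignore_errors: true` on the root-password task now hides failures of the new `plugin_auth_string`/`salt` path — a salt that is not 20 characters, or a `community.mysql` release that does not know `salt`, leaves root unchanged while `/root/.my.cnf`, written by the template task just above, already holds the new password, and the play still reports success. The original reason for the flag (re-runs after socket auth is disabled) is largely gone, because `mysql_user` reads `~/.my.cnf` as its default `config_file` and can therefore log in with the stored password on later runs; presumably the first run still works through socket auth, which `check_implicit_admin: true` covers. I would drop `ignore_errors` and add `check_implicit_admin: true`; if it has to stay, at least `register` the result and `failed_when` only on the known "already set" condition so a wrong salt does not pass silently. The file also loses its trailing newline in this hunk.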
@@ -1,11 +1,27 @@ --- -- name: percona | create users +- name: percona | create legacy users mysql_user: name: "{{ item.name }}" password: "{{ item.password }}" host: "{{ item.host | default('%') }}" priv: "{{ item.priv | default('*.*:USAGE') }}" + plugin: "mysql_native_password" state: present login_user: root login_password: "{{ percona_root_password }}" loop: "{{ percona_users }}" + when: item.auth_plugin is defined and item.auth_plugin == 'mysql_native_password' + +- name: percona | create users + mysql_user: + name: "{{ item.name }}" + host: "{{ item.host | default('%') }}" + priv: "{{ item.priv | default('*.*:USAGE') }}" + plugin: caching_sha2_password + plugin_auth_string: "{{ item.password }}" + salt: "{{ percona_caching_sha2_password_salt }}" + state: present + login_user: root + login_password: "{{ percona_root_password }}" + loop: "{{ percona_users }}" + when: item.auth_plugin is not defined or item.auth_plugin == 'caching_sha2_password' diff --git a/templates/my.cnf.j2 b/templates/my.cnf.j2 index 297c125..6c7654a 100644 --- a/templates/my.cnf.j2 +++ b/templates/my.cnf.j2 @@ -1,4 +1,5 @@ [mysqld] +# Network settings bind-address = {{ percona_bind_address }} port = {{ percona_port }} 
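Review bot: Both user tasks loop over `percona_users` without `no_log` or a `loop_control` label, so each iteration prints the whole `item` mapping — including `item.password` — in the task output and in whatever collects it; the module's own no_log on its password arguments does not cover the loop item. Add `no_log: true` to both tasks, or at least `loop_control:` / `  label: "{{ item.name }}"` so only the user name is echoed. Separately, the two `when` clauses are the only dispatch: an entry whose `auth_plugin` is any other value (a typo, for instance) matches neither task and is silently skipped, so a preceding `assert` that `item.auth_plugin | default('caching_sha2_password')` is one of the two supported strings would turn that into a failure. Minor style: `plugin: "mysql_native_password"` is quoted while `plugin: caching_sha2_password` is not — pick one.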
@@ -6,4 +7,62 @@ port = {{ percona_port }} character-set-server = utf8mb4 collation-server = utf8mb4_general_ci -# Other settings can be added here +# Connection settings +max_connections = {{ percona_max_connections }} +max_connect_errors = {{ percona_max_connect_errors }} +connect_timeout = {{ percona_connect_timeout }} +wait_timeout = {{ percona_wait_timeout }} +interactive_timeout = {{ percona_interactive_timeout }} + +# Buffer settings +max_allowed_packet = {{ percona_max_allowed_packet }} +sort_buffer_size = {{ percona_sort_buffer_size }} +read_buffer_size = {{ percona_read_buffer_size }} +read_rnd_buffer_size = {{ percona_read_rnd_buffer_size }} +join_buffer_size = {{ percona_join_buffer_size }} +thread_cache_size = {{ percona_thread_cache_size }} +table_open_cache = {{ percona_table_open_cache }} +table_definition_cache = {{ percona_table_definition_cache }} + +# InnoDB settings +innodb_buffer_pool_size = {{ percona_innodb_buffer_pool_size }} +innodb_log_file_size = {{ percona_innodb_log_file_size }} +innodb_log_buffer_size = {{ percona_innodb_log_buffer_size }} +innodb_flush_log_at_trx_commit = {{ percona_innodb_flush_log_at_trx_commit }} +innodb_flush_method = {{ percona_innodb_flush_method }} +innodb_file_per_table = {{ percona_innodb_file_per_table }} +innodb_io_capacity = {{ percona_innodb_io_capacity }} +innodb_io_capacity_max = {{ percona_innodb_io_capacity_max }} +innodb_thread_concurrency = {{ percona_innodb_thread_concurrency }} +innodb_read_io_threads = {{ percona_innodb_read_io_threads }} +innodb_write_io_threads = {{ percona_innodb_write_io_threads }} +innodb_open_files = {{ percona_innodb_open_files }} + +# Binary logging +log_bin = {{ percona_log_bin }} +binlog_format = {{ percona_binlog_format }} +binlog_expire_logs_seconds = {{ percona_binlog_expire_logs_seconds }} +max_binlog_size = {{ percona_max_binlog_size }} +sync_binlog = {{ percona_sync_binlog }} + +# Logging +log_error = {{ percona_log_error }} +slow_query_log = {{ 
percona_slow_query_log }}
+slow_query_log_file = {{ percona_slow_query_log_file }}
+long_query_time = {{ percona_long_query_time }}
+log_queries_not_using_indexes = {{ percona_log_queries_not_using_indexes }}
+
+# Replication settings
+server_id = {{ percona_server_id }}
+gtid_mode = {{ percona_gtid_mode }}
+enforce_gtid_consistency = {{ percona_enforce_gtid_consistency }}
+log_slave_updates = {{ percona_log_slave_updates }}
+
+# Performance schema
+performance_schema = {{ percona_performance_schema }}
+
+# SQL modes
+sql_mode = {{ percona_sql_mode }}
+
+# Authentication
+mysql_native_password = ON
\ No newline at end of file
diff --git a/templates/root.my.cnf.j2 b/templates/root.my.cnf.j2
new file mode 100644
index 0000000..dafeffd
--- /dev/null
+++ b/templates/root.my.cnf.j2
@@ -0,0 +1,16 @@
+[client]
+user = root
+password = {{ percona_root_password }}
+socket = /var/run/mysqld/mysqld.sock
+
+[mysql]
+user = root
+password = {{ percona_root_password }}
+
+[mysqldump]
+user = root
+password = {{ percona_root_password }}
+
+[mysqladmin]
+user = root
+password = {{ percona_root_password }}
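Review bot: The `# Authentication` stanza hard-codes `mysql_native_password = ON`, re-enabling the deprecated plugin on every host whether or not any entry in `percona_users` asks for it, while the `percona_default_authentication_plugin` variable added to `defaults/main.yml` in this same commit is never rendered here. Gate the line on actual use, e.g. `{% if percona_users | selectattr('auth_plugin', 'defined') | selectattr('auth_plugin', 'equalto', 'mysql_native_password') | list %}` / `mysql_native_password = ON` / `{% endif %}`, and either render the default-plugin variable (the applicable server option name depends on the server major version, so confirm it against the target release) or drop the variable from defaults so it does not suggest a control that does not exist. The file also loses its trailing newline in this hunk.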
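Review bot: `password = {{ percona_root_password }}` writes the secret unquoted into an option file, where `#` starts a comment even in the middle of a line, so a password containing `#` is silently truncated and every client program then fails to log in; write it as `password = "{{ percona_root_password }}"` and double any backslash or double quote in the value, since quoted option-file values interpret escape sequences. The `[mysql]`, `[mysqldump]` and `[mysqladmin]` sections repeat the same credential for nothing — those programs already read `[client]` — so the file can shrink to the first section and there is one place to keep in step with the `mode: '0600'` set by the template task in `tasks/configure.yml`. The new file also has no trailing newline.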