enhance passwords management and add default options

2025-12-18 15:37:55 +01:00
parent d81541660e
commit 29efd6bedb
5 changed files with 174 additions and 5 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,12 +8,75 @@ percona_release_package_url: "https://repo.percona.com/apt/percona-release_lates
 # MySQL root password
 percona_root_password: "root_password_change_me"

+# Salt for caching_sha2_password plugin
+percona_caching_sha2_password_salt: "1234567890abcdefghij" # CHANGEME: 20 characters needed
+
 # Bind address
 percona_bind_address: "127.0.0.1"

 # Port
 percona_port: 3306

+# Connection settings
+percona_max_connections: 151
+percona_max_connect_errors: 100
+percona_connect_timeout: 10
+percona_wait_timeout: 28800
+percona_interactive_timeout: 28800
+
+# Buffer settings
+percona_max_allowed_packet: "64M"
+percona_sort_buffer_size: "2M"
+percona_read_buffer_size: "2M"
+percona_read_rnd_buffer_size: "8M"
+percona_join_buffer_size: "2M"
+percona_thread_cache_size: 8
+percona_table_open_cache: 4000
+percona_table_definition_cache: 2000
+
+# InnoDB settings
+percona_innodb_buffer_pool_size: "1G"
+percona_innodb_log_file_size: "256M"
+percona_innodb_log_buffer_size: "16M"
+percona_innodb_flush_log_at_trx_commit: 1
+percona_innodb_flush_method: "O_DIRECT"
+percona_innodb_file_per_table: 1
+percona_innodb_io_capacity: 200
+percona_innodb_io_capacity_max: 2000
+percona_innodb_thread_concurrency: 0
+percona_innodb_read_io_threads: 4
+percona_innodb_write_io_threads: 4
+percona_innodb_open_files: 4000
+
+# Binary logging
+percona_log_bin: "mysql-bin"
+percona_binlog_format: "ROW"
+percona_binlog_expire_logs_seconds: 604800  # 7 days
+percona_max_binlog_size: "100M"
+percona_sync_binlog: 1
+
+# Logging
+percona_log_error: "/var/log/mysql/error.log"
+percona_slow_query_log: 1
+percona_slow_query_log_file: "/var/log/mysql/slow-query.log"
+percona_long_query_time: 2
+percona_log_queries_not_using_indexes: 0
+
+# Replication settings
+percona_server_id: 1
+percona_gtid_mode: "ON"
+percona_enforce_gtid_consistency: "ON"
+percona_log_slave_updates: 1
+
+# Performance schema
+percona_performance_schema: "ON"
+
+# SQL modes
+percona_sql_mode: "ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION"
+
+# Authentication plugin (caching_sha2_password or mysql_native_password)
+percona_default_authentication_plugin: "caching_sha2_password"
+
 # Databases to create
 # Example:
 # percona_databases:
@@ -29,5 +92,11 @@ percona_databases: []
 #     password: my_password
 #     host: "%"
 #     priv: "my_db.*:ALL"
+#     auth_plugin: caching_sha2_password  # Optional: caching_sha2_password (default) or mysql_native_password for legacy
+#   - name: legacy_user
+#     password: legacy_password
+#     host: "%"
+#     priv: "my_db.*:ALL"
+#     auth_plugin: mysql_native_password  # For legacy applications
 percona_users: []

--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -12,11 +12,20 @@
    state: started
    enabled: yes

+- name: percona | configure root .my.cnf
+  template:
+    src: root.my.cnf.j2
+    dest: /root/.my.cnf
+    mode: '0600'
+    owner: root
+    group: root
+
 - name: percona | update MySQL root password
  mysql_user:
    name: root
    host: localhost
-    password: "{{ percona_root_password }}"
+    plugin: caching_sha2_password
+    plugin_auth_string: "{{ percona_root_password }}"
+    salt: "{{ percona_caching_sha2_password_salt }}"
    login_unix_socket: /var/run/mysqld/mysqld.sock
-    priv: "*.*:ALL,GRANT"
  ignore_errors: true  # In case password is already set and socket auth is disabled
--- a/tasks/users.yml
+++ b/tasks/users.yml
@@ -1,11 +1,27 @@
 ---
- name: percona | create users
+- name: percona | create legacy users
  mysql_user:
    name: "{{ item.name }}"
    password: "{{ item.password }}"
    host: "{{ item.host | default('%') }}"
    priv: "{{ item.priv | default('*.*:USAGE') }}"
+    plugin: "mysql_native_password"
    state: present
    login_user: root
    login_password: "{{ percona_root_password }}"
  loop: "{{ percona_users }}"
+  when: item.auth_plugin is defined and item.auth_plugin == 'mysql_native_password'
+
+- name: percona | create users
+  mysql_user:
+    name: "{{ item.name }}"
+    host: "{{ item.host | default('%') }}"
+    priv: "{{ item.priv | default('*.*:USAGE') }}"
+    plugin: caching_sha2_password
+    plugin_auth_string: "{{ item.password }}"
+    salt: "{{ percona_caching_sha2_password_salt }}"
+    state: present
+    login_user: root
+    login_password: "{{ percona_root_password }}"
+  loop: "{{ percona_users }}"
+  when: item.auth_plugin is not defined or item.auth_plugin == 'caching_sha2_password'
--- a/templates/my.cnf.j2
+++ b/templates/my.cnf.j2
@@ -1,4 +1,5 @@
 [mysqld]
+# Network settings
 bind-address = {{ percona_bind_address }}
 port = {{ percona_port }}

@@ -6,4 +7,62 @@ port = {{ percona_port }}
 character-set-server = utf8mb4
 collation-server = utf8mb4_general_ci

-# Other settings can be added here
+# Connection settings
+max_connections = {{ percona_max_connections }}
+max_connect_errors = {{ percona_max_connect_errors }}
+connect_timeout = {{ percona_connect_timeout }}
+wait_timeout = {{ percona_wait_timeout }}
+interactive_timeout = {{ percona_interactive_timeout }}
+
+# Buffer settings
+max_allowed_packet = {{ percona_max_allowed_packet }}
+sort_buffer_size = {{ percona_sort_buffer_size }}
+read_buffer_size = {{ percona_read_buffer_size }}
+read_rnd_buffer_size = {{ percona_read_rnd_buffer_size }}
+join_buffer_size = {{ percona_join_buffer_size }}
+thread_cache_size = {{ percona_thread_cache_size }}
+table_open_cache = {{ percona_table_open_cache }}
+table_definition_cache = {{ percona_table_definition_cache }}
+
+# InnoDB settings
+innodb_buffer_pool_size = {{ percona_innodb_buffer_pool_size }}
+innodb_log_file_size = {{ percona_innodb_log_file_size }}
+innodb_log_buffer_size = {{ percona_innodb_log_buffer_size }}
+innodb_flush_log_at_trx_commit = {{ percona_innodb_flush_log_at_trx_commit }}
+innodb_flush_method = {{ percona_innodb_flush_method }}
+innodb_file_per_table = {{ percona_innodb_file_per_table }}
+innodb_io_capacity = {{ percona_innodb_io_capacity }}
+innodb_io_capacity_max = {{ percona_innodb_io_capacity_max }}
+innodb_thread_concurrency = {{ percona_innodb_thread_concurrency }}
+innodb_read_io_threads = {{ percona_innodb_read_io_threads }}
+innodb_write_io_threads = {{ percona_innodb_write_io_threads }}
+innodb_open_files = {{ percona_innodb_open_files }}
+
+# Binary logging
+log_bin = {{ percona_log_bin }}
+binlog_format = {{ percona_binlog_format }}
+binlog_expire_logs_seconds = {{ percona_binlog_expire_logs_seconds }}
+max_binlog_size = {{ percona_max_binlog_size }}
+sync_binlog = {{ percona_sync_binlog }}
+
+# Logging
+log_error = {{ percona_log_error }}
+slow_query_log = {{ percona_slow_query_log }}
+slow_query_log_file = {{ percona_slow_query_log_file }}
+long_query_time = {{ percona_long_query_time }}
+log_queries_not_using_indexes = {{ percona_log_queries_not_using_indexes }}
+
+# Replication settings
+server_id = {{ percona_server_id }}
+gtid_mode = {{ percona_gtid_mode }}
+enforce_gtid_consistency = {{ percona_enforce_gtid_consistency }}
+log_slave_updates = {{ percona_log_slave_updates }}
+
+# Performance schema
+performance_schema = {{ percona_performance_schema }}
+
+# SQL modes
+sql_mode = {{ percona_sql_mode }}
+
+# Authentication
+mysql_native_password = ON
--- a/templates/root.my.cnf.j2
+++ b/templates/root.my.cnf.j2
@@ -0,0 +1,16 @@
+[client]
+user = root
+password = {{ percona_root_password }}
+socket = /var/run/mysqld/mysqld.sock
+
+[mysql]
+user = root
+password = {{ percona_root_password }}
+
+[mysqldump]
+user = root
+password = {{ percona_root_password }}
+
+[mysqladmin]
+user = root
+password = {{ percona_root_password }}