salt/states/roles/maintain/mysql/init.sls


{%- set os = grains['os'] -%}
# NOTE(review): os is assigned above but not referenced in the visible states.
# Database server package: the state ID says mysql, the installed package is mariadb.
mysql-pkg:
  pkg.installed:
    - name: mariadb

# Package name is taken from the state ID; presumably the Python bindings that
# the mysql_* states below rely on - confirm.
mysql-python:
  pkg.installed: []
# One-time creation of the system tables. The unless guard skips the command
# as soon as /var/lib/mysql/mysql exists, so later runs report no change.
initialize_mysql:
  cmd.run:
    - name: mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
    - unless: test -e /var/lib/mysql/mysql
# Keep the mysqld unit started and enabled at boot.
mysql-service:
  service.running:
    - name: mysqld
    - enable: true
# Sets the root password, but only on a run where initialize_mysql reported a
# change (fresh data directory). No connection_user/connection_pass is given.
# Known issue (original author): on failure salt-call prints the whole query,
# root password included; splitting this into several mysql_query.run states
# was the suggested follow-up.
# NOTE(review): the password is pasted into a single-quoted SQL literal, so a
# quote or backslash in the password file would break or alter the statement.
# NOTE(review): the include is resolved through the Salt fileserver, and files
# under file_roots can be requested by any accepted minion; pillar, targeted
# per minion, is the usual home for such secrets - confirm where secure/ lives.
# NOTE(review): MariaDB 10.4 and later expose mysql.user as a view, where this
# direct UPDATE is expected to fail - check against the packaged version.
set_root:
  mysql_query.run:
    - database: mysql
    - query: "UPDATE mysql.user SET Password=PASSWORD('{%- include 'secure/passwords/root_db_password.txt' -%}') WHERE User='root';FLUSH PRIVILEGES;"
    - onchanges:
      - cmd: initialize_mysql
# Hardening pass run as root: removes anonymous accounts, removes root rows
# whose Host is not localhost / 127.0.0.1 / ::1, drops the test database and
# its mysql.db entries, then reloads the privilege tables.
# No requisite or unless guard is set, so the query is issued on every run.
secure_mysql:
  mysql_query.run:
    - database: mysql
    - query: "DELETE FROM mysql.user WHERE User='';DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');DROP DATABASE IF EXISTS test;DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';FLUSH PRIVILEGES;"
    - connection_user: root
    - connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"
# Create the salt database account. Every later mysql_* state in this file
# connects as this user, so root credentials are only needed up to grant_salt.
# NOTE(review): both password files are pulled in with a Jinja include, i.e.
# served from the Salt fileserver rather than pillar - confirm that minions
# other than the database host cannot fetch them.
user_salt:
  mysql_user.present:
    - name: salt
    - host: localhost
    - password: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
    - connection_user: root
    - connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"
# Gives salt@localhost all privileges on every schema, with GRANT OPTION.
# In practice the salt_db_password file is therefore as sensitive as the root
# one and should be protected the same way.
# revoke_first drops the account's existing grants on *.* before re-applying.
grant_salt:
  mysql_grants.present:
    - grant: all privileges
    - database: '*.*'
    - user: salt
    - host: localhost
    - grant_option: true
    - revoke_first: true
    - connection_user: root
    - connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"
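{#- Optional pillar-driven accounts and schemas; nothing is rendered when the
    pillar has no database key. Shape read below:
      database:users:NAME with an optional host
      database:databases:DB:USER with grant and host
    Each account password is included from secure/passwords/NAME_db_password.txt,
    so the pillar key decides which file is read; keep those keys to plain
    account names.
    Every control tag strips the whitespace before it and keeps the newline
    after it, so each rendered YAML line starts on its own line. #}
{%- if pillar['database'] is defined %}
{%- if pillar['database']['users'] is defined %}
{%- for user in pillar['database']['users'] %}
user_{{ user }}:
  mysql_user.present:
    - name: "{{ user }}"
{%- if pillar['database']['users'][user]['host'] is defined %}
    - host: "{{ pillar['database']['users'][user]['host'] }}"
{%- else %}
{#- No host in pillar: the account is created for any client host. #}
    - host: "%"
{%- endif %}
    - password: "{%- include 'secure/passwords/'+user+'_db_password.txt' -%}"
    - connection_user: salt
    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
{%- endfor %}
{%- endif %}
{%- if pillar['database']['databases'] is defined %}
{%- for db in pillar['database']['databases'] %}
db_{{ db }}:
  mysql_database.present:
    - name: "{{ db }}"
    - connection_user: salt
    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
{%- for user in pillar['database']['databases'][db] %}
{{ db }}_grant_{{ user }}:
  mysql_grants.present:
    - grant: {{ pillar['database']['databases'][db][user]['grant'] }}
    - database: "{{ db }}.*"
    - user: "{{ user }}"
{#- Quoted like the host in the users loop: a bare percent sign is not a valid
    plain YAML scalar, so an unquoted wildcard host would fail to parse.
    NOTE(review): unlike the users loop there is no fallback when host is
    missing from the pillar entry; confirm every grant entry sets it and that
    it matches the host the account was created with. #}
    - host: "{{ pillar['database']['databases'][db][user]['host'] }}"
    - revoke_first: true
    - connection_user: salt
    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
{%- endfor %}
{%- endfor %}
{%- endif %}
{%- endif %}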
# Set up dumpdb: a local account whose name suggests it is used for database
# dumps; the script and units that would use it are managed further down.
user_dumpdb:
  mysql_user.present:
    - name: dumpdb
    - host: localhost
    - password: "{%- include 'secure/passwords/dumpdb_password.txt' -%}"
    - connection_user: salt
    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
# Privileges for dumpdb@localhost on every schema: select, lock tables,
# show view, event and trigger. No write privileges and no GRANT OPTION.
# revoke_first drops the account's existing grants on *.* before re-applying.
grant_dumpdb:
  mysql_grants.present:
    - grant: select, lock tables, show view, event, trigger
    - database: '*.*'
    - user: dumpdb
    - host: localhost
    - revoke_first: true
    - connection_user: salt
    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
# Dump script, rendered through Jinja and readable/writable by root only.
# NOTE(review): presumably the rendered script embeds the dumpdb password,
# which is why it is 0600 - confirm against dumpdb.sh.
# The mode carries no execute bit, so the caller has to pass the script to an
# interpreter (dumpdb.service is not shown here).
/root/scripts/dumpdb.sh:
  file.managed:
    - source: salt://roles/maintain/mysql/dumpdb.sh
    - user: root
    - group: root
    - mode: '0600'
    - makedirs: true
    - template: jinja
# systemd unit files for dumpdb, copied as-is (no template rendering), owned by
# root and world-readable - so they should not contain credentials themselves.
/usr/lib/systemd/system/dumpdb.service:
  file.managed:
    - source: salt://roles/maintain/mysql/dumpdb.service
    - user: root
    - group: root
    - mode: '0644'

/usr/lib/systemd/system/dumpdb.timer:
  file.managed:
    - source: salt://roles/maintain/mysql/dumpdb.timer
    - user: root
    - group: root
    - mode: '0644'
# Keep the dumpdb timer unit started and enabled at boot; the unit name is
# taken from the state ID.
dumpdb.timer:
  service.running:
    - enable: true
# Calls service.systemctl_reload only on runs where a managed file matching
# the glob below changed.
# NOTE(review): with default definition ordering this runs after the
# dumpdb.timer service state, and that state has no watch on the unit files;
# confirm an edited timer or service unit actually takes effect.
dumpdb-reload:
  module.run:
    - name: service.systemctl_reload
    - onchanges:
      - file: /usr/lib/systemd/system/*