Updates to many roles, including main user role to allow setting an alternate home directory

db/etcd/files/etcd-3.3-debian11-original/etcd

@@ -0,0 +1,392 @@
+## etcd(1) daemon options
+## See "/usr/share/doc/etcd-server/op-guide/configuration.md.gz"
+
+### Member flags
+
+##### --name
+## Human-readable name for this member.
+## This value is referenced as this node's own entries listed in the
+## `--initial-cluster` flag (e.g., `default=http://localhost:2380`). This
+## needs to match the key used in the flag if using static bootstrapping. When
+## using discovery, each member must have a unique name. `Hostname` or
+## `machine-id` can be a good choice.
+## default: "default"
+# ETCD_NAME="default"
+
+##### --data-dir
+## Path to the data directory.
+## default: "${name}.etcd"
+# ETCD_DATA_DIR="/var/lib/etcd/default"
+
+##### --wal-dir
+## Path to the dedicated wal directory. If this flag is set, etcd will write
+## the WAL files to the walDir rather than the dataDir. This allows a
+## dedicated disk to be used, and helps avoid io competition between logging
+## and other IO operations.
+## default: ""
+# ETCD_WAL_DIR
+
+##### --snapshot-count
+## Number of committed transactions to trigger a snapshot to disk.
+## default: "100000"
+# ETCD_SNAPSHOT_COUNT="100000"
+
+##### --heartbeat-interval
+## Time (in milliseconds) of a heartbeat interval.
+## default: "100"
+# ETCD_HEARTBEAT_INTERVAL="100"
+
+##### --election-timeout
+## Time (in milliseconds) for an election to timeout. See
+## /usr/share/doc/etcd-server/tuning.md.gz for details.
+## default: "1000"
+# ETCD_ELECTION_TIMEOUT="1000"
+
+##### --listen-peer-urls
+## List of URLs to listen on for peer traffic. This flag tells the etcd to
+## accept incoming requests from its peers on the specified scheme://IP:port
+## combinations. Scheme can be either http or https.If 0.0.0.0 is specified as
+## the IP, etcd listens to the given port on all interfaces. If an IP address is
+## given as well as a port, etcd will listen on the given port and interface.
+## Multiple URLs may be used to specify a number of addresses and ports to listen
+## on. The etcd will respond to requests from any of the listed addresses and
+## ports.
+## default: "http://localhost:2380"
+## example: "http://10.0.0.1:2380"
+## invalid example: "http://example.com:2380" (domain name is invalid for binding)
+# ETCD_LISTEN_PEER_URLS="http://localhost:2380"
+
+##### --listen-client-urls
+## List of URLs to listen on for client traffic. This flag tells the etcd to
+## accept incoming requests from the clients on the specified scheme://IP:port
+## combinations. Scheme can be either http or https. If 0.0.0.0 is specified as
+## the IP, etcd listens to the given port on all interfaces. If an IP address is
+## given as well as a port, etcd will listen on the given port and interface.
+## Multiple URLs may be used to specify a number of addresses and ports to listen
+## on. The etcd will respond to requests from any of the listed addresses and
+## ports.
+## default: "http://localhost:2379"
+## example: "http://10.0.0.1:2379"
+## invalid example: "http://example.com:2379" (domain name is invalid for binding)
+# ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
+
+##### --max-snapshots
+## Maximum number of snapshot files to retain (0 is unlimited)
+## The default for users on Windows is unlimited, and manual purging down to 5
+## (or some preference for safety) is recommended.
+## default: 5
+# ETCD_MAX_SNAPSHOTS="5"
+
+##### --max-wals
+## Maximum number of wal files to retain (0 is unlimited)
+## The default for users on Windows is unlimited, and manual purging down to 5
+## (or some preference for safety) is recommended.
+## default: 5
+# ETCD_MAX_WALS="5"
+
+##### --cors
+## Comma-separated white list of origins for CORS (cross-origin resource
+## sharing).
+## default: none
+# ETCD_CORS
+
+#### --quota-backend-bytes
+## Raise alarms when backend size exceeds the given quota (0 defaults to low
+## space quota).
+## default: 0
+# ETCD_QUOTA_BACKEND_BYTES="0"
+
+#### --backend-batch-limit
+## BackendBatchLimit is the maximum operations before commit the backend
+## transaction.
+## default: 0
+# ETCD_BACKEND_BATCH_LIMIT="0"
+
+#### --backend-batch-interval
+## BackendBatchInterval is the maximum time before commit the backend
+## transaction.
+## default: 0
+# ETCD_BACKEND_BATCH_INTERVAL="0"
+
+#### --max-txn-ops
+## Maximum number of operations permitted in a transaction.
+## default: 128
+# ETCD_MAX_TXN_OPS="128"
+
+#### --max-request-bytes
+## Maximum client request size in bytes the server will accept.
+## default: 1572864
+# ETCD_MAX_REQUEST_BYTES="1572864"
+
+#### --grpc-keepalive-min-time
+## Minimum duration interval that a client should wait before pinging server.
+## default: 5s
+# ETCD_GRPC_KEEPALIVE_MIN_TIME="5"
+
+#### --grpc-keepalive-interval
+## Frequency duration of server-to-client ping to check if a connection is
+## alive (0 to disable).
+## default: 2h
+# ETCD_GRPC_KEEPALIVE_INTERVAL="2h"
+
+#### --grpc-keepalive-timeout
+## Additional duration of wait before closing a non-responsive connection
+## (0 to disable).
+## default: 20s
+# ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"
+
+
+### Clustering flags
+
+# `--initial` prefix flags are used in bootstrapping (static bootstrap,
+# discovery-service bootstrap or runtime reconfiguration) a new member, and
+# ignored when restarting an existing member.
+
+# `--discovery` prefix flags need to be set when using discovery service.
+
+##### --initial-advertise-peer-urls
+
+## List of this member's peer URLs to advertise to the rest of the cluster.
+## These addresses are used for communicating etcd data around the cluster. At
+## least one must be routable to all cluster members. These URLs can contain
+## domain names.
+## default: "http://localhost:2380"
+## example: "http://example.com:2380, http://10.0.0.1:2380"
+# ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"
+
+##### --initial-cluster
+## Initial cluster configuration for bootstrapping.
+## The key is the value of the `--name` flag for each node provided. The
+## default uses `default` for the key because this is the default for the
+## `--name` flag.
+## default: "default=http://localhost:2380"
+# ETCD_INITIAL_CLUSTER="default=http://localhost:2380"
+
+##### --initial-cluster-state
+## Initial cluster state ("new" or "existing"). Set to `new` for all members
+## present during initial static or DNS bootstrapping. If this option is set to
+## `existing`, etcd will attempt to join the existing cluster. If the wrong value
+## is set, etcd will attempt to start but fail safely.
+## default: "new"
+# ETCD_INITIAL_CLUSTER_STATE="new"
+
+##### --initial-cluster-token
+## Initial cluster token for the etcd cluster during bootstrap.
+## default: "etcd-cluster"
+# ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
+
+##### --advertise-client-urls
+## List of this member's client URLs to advertise to the rest of the cluster.
+## These URLs can contain domain names.
+## Be careful if advertising URLs such as http://localhost:2379 from a cluster
+## member and are using the proxy feature of etcd. This will cause loops, because
+## the proxy will be forwarding requests to itself until its resources (memory,
+## file descriptors) are eventually depleted.
+## default: "http://localhost:2379"
+## example: "http://example.com:2379, http://10.0.0.1:2379"
+# ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
+
+##### --discovery
+## Discovery URL used to bootstrap the cluster.
+## default: none
+# ETCD_DISCOVERY
+
+##### --discovery-srv
+## DNS srv domain used to bootstrap the cluster.
+## default: none
+# ETCD_DISCOVERY_SRV
+
+##### --discovery-fallback
+## Expected behavior ("exit" or "proxy") when discovery services fails. "proxy"
+## supports v2 API only.
+## default: "proxy"
+# ETCD_DISCOVERY_FALLBACK="proxy"
+
+##### --discovery-proxy
+## HTTP proxy to use for traffic to discovery service.
+## default: none
+# ETCD_DISCOVERY_PROXY
+
+##### --strict-reconfig-check
+## Reject reconfiguration requests that would cause quorum loss.
+## default: false
+# ETCD_STRICT_RECONFIG_CHECK
+
+##### --auto-compaction-retention
+## Auto compaction retention for mvcc key value store in hour. 0 means disable
+## auto compaction.
+## default: 0
+# ETCD_AUTO_COMPACTION_RETENTION="0"
+
+##### --enable-v2
+## Accept etcd V2 client requests
+## default: true
+# ETCD_ENABLE_V2="true"
+
+
+### Proxy flags
+
+# `--proxy` prefix flags configures etcd to run in proxy mode. "proxy" supports
+# v2 API only.
+
+##### --proxy
+## Proxy mode setting ("off", "readonly" or "on").
+## default: "off"
+# ETCD_PROXY="off"
+
+##### --proxy-failure-wait
+## Time (in milliseconds) an endpoint will be held in a failed state before
+## being reconsidered for proxied requests.
+## default: 5000
+# ETCD_PROXY_FAILURE_WAIT="5000"
+
+##### --proxy-refresh-interval
+## Time (in milliseconds) of the endpoints refresh interval.
+## default: 30000
+# ETCD_PROXY_REFRESH_INTERVAL="30000"
+
+##### --proxy-dial-timeout
+## Time (in milliseconds) for a dial to timeout or 0 to disable the timeout
+## default: 1000
+# ETCD_PROXY_DIAL_TIMEOUT="1000"
+
+##### --proxy-write-timeout
+## Time (in milliseconds) for a write to timeout or 0 to disable the timeout.
+## default: 5000
+# ETCD_PROXY_WRITE_TIMEOUT="5000"
+
+##### --proxy-read-timeout
+## Time (in milliseconds) for a read to timeout or 0 to disable the timeout.
+## Don't change this value if using watches because use long polling requests.
+## default: 0
+# ETCD_PROXY_READ_TIMEOUT="0"
+
+
+### Security flags
+
+# The security flags help to build a secure etcd cluster.
+
+##### --ca-file (**DEPRECATED**)
+## Path to the client server TLS CA file. `--ca-file ca.crt` could be replaced
+## by `--trusted-ca-file ca.crt --client-cert-auth` and etcd will perform the
+## same.
+## default: none
+# ETCD_CA_FILE
+
+##### --cert-file
+## Path to the client server TLS cert file.
+## default: none
+# ETCD_CERT_FILE
+
+##### --key-file
+## Path to the client server TLS key file.
+## default: none
+# ETCD_KEY_FILE
+
+##### --client-cert-auth
+## Enable client cert authentication.
+## CN authentication is not supported by gRPC-gateway.
+## default: false
+# ETCD_CLIENT_CERT_AUTH
+
+#### --client-crl-file
+## Path to the client certificate revocation list file.
+## default: ""
+# ETCD_CLIENT_CRL_FILE
+
+##### --trusted-ca-file
+## Path to the client server TLS trusted CA key file.
+## default: none
+# ETCD_TRUSTED_CA_FILE
+
+##### --auto-tls
+## Client TLS using generated certificates
+## default: false
+# ETCD_AUTO_TLS
+
+##### --peer-ca-file (**DEPRECATED**)
+## Path to the peer server TLS CA file. `--peer-ca-file ca.crt` could be
+## replaced by `--peer-trusted-ca-file ca.crt --peer-client-cert-auth` and etcd
+## will perform the same.
+## default: none
+# ETCD_PEER_CA_FILE
+
+##### --peer-cert-file
+## Path to the peer server TLS cert file.
+## default: none
+# ETCD_PEER_CERT_FILE
+
+##### --peer-key-file
+## Path to the peer server TLS key file.
+## default: none
+# ETCD_PEER_KEY_FILE
+
+##### --peer-client-cert-auth
+## Enable peer client cert authentication.
+## default: false
+# ETCD_PEER_CLIENT_CERT_AUTH
+
+#### --peer-crl-file
+## Path to the peer certificate revocation list file.
+## default: ""
+# ETCD_PEER_CRL_FILE
+
+##### --peer-trusted-ca-file
+## Path to the peer server TLS trusted CA file.
+## default: none
+# ETCD_PEER_TRUSTED_CA_FILE
+
+##### --peer-auto-tls
+## Peer TLS using generated certificates
+## default: false
+# ETCD_PEER_AUTO_TLS
+
+#### --peer-cert-allowed-cn
+## Allowed CommonName for inter peer authentication.
+## default: none
+# ETCD_PEER_CERT_ALLOWED_CN
+
+#### --cipher-suites
+## Comma-separated list of supported TLS cipher suites between server/client and
+## peers.
+## default: ""
+# ETCD_CIPHER_SUITES
+
+#### --experimental-peer-skip-client-san-verification
+## Skip verification of SAN field in client certificate for peer connections.
+## default: false
+#+ ETCD_EXPERIMENTAL_PEER_SKIP_CLIENT_SAN_VERIFICATION
+
+
+### Logging flags
+
+#### --log-outputs
+## Specify 'stdout' or 'stderr' to skip journald logging even when running
+## under systemd, or list of comma separated output targets.
+## default: default
+# ETCD_LOG_OUTPUTS
+
+##### --debug
+## Drop the default log level to DEBUG for all subpackages.
+## default: false (INFO for all packages)
+# ETCD_DEBUG
+
+##### --log-package-levels
+## Set individual etcd subpackages to specific log levels. An example being
+## `etcdserver=WARNING,security=DEBUG`
+## default: none (INFO for all packages)
+# ETCD_LOG_PACKAGE_LEVELS
+
+
+### Unsafe flags
+
+# Please be CAUTIOUS when using unsafe flags because it will break the guarantees given by the consensus protocol.
+# For example, it may panic if other members in the cluster are still alive.
+# Follow the instructions when using these flags.
+
+##### --force-new-cluster
+## Force to create a new one-member cluster. It commits configuration changes
+## forcing to remove all existing members in the cluster and add itself. It needs
+## to be set to restore a backup.
+## default: false
+# ETCD_FORCE_NEW_CLUSTER

db/etcd/tasks/install-debian.yml

@@ -0,0 +1,9 @@
+---
+
+# Install etcd
+- name: Installing etcd
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - etcd

db/etcd/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- include_tasks: install-debian.yml
+  when: ansible_os_family == "Debian"

db/mysql-percona/README.md

@@ -0,0 +1,26 @@
+This is the new role for MySQL percona.
+
+Do not use the deprecated mysql-percona-5.7 for new installations.
+
+This role is more advanced with tons of customizable variables.
+
+Example usage:
+
+- role: mysql-percona
+    vars:
+    mysql_version_major: 8
+    mysql_version_minor: 0
+    mysql_datadir: "/opt/mysql"
+    mysql_default_authentication_plugin: "mysql_native_password"
+    mysql_innodb_buffer_pool_size: "3G"
+    mysql_users:
+        - name: mreschke
+          pass: 'passhere'
+          host: '%'
+        - name: squaethem
+        - name: tableau
+
+See `defaults` for all variables.  See `tasks/users.yml` for all user options
+
+
+~mReschke 2022-03-09

db/mysql-percona/defaults/main.yml

@@ -0,0 +1,56 @@
+---
+
+# Version to install, defaulting to 5.6
+mysql_version_major: "8"
+mysql_version_minor: "0"
+mysql_version: "{{ mysql_version_major|int }}.{{ mysql_version_minor|int }}"
+
+# Basic settings
+mysql_root_password: "techie"
+mysql_port: "3306"
+mysql_bind_address: "127.0.0.1"
+mysql_language: "/usr/share/mysql/"
+mysql_datadir: "/var/lib/mysql"
+mysql_tempdir: "/tmp"
+
+# Fine tuning
+mysql_key_buffer: "16M"
+mysql_max_allowed_packet: "256M"
+mysql_thread_stack: "192K"
+mysql_cache_size: "8"
+mysql_myisam_recover: "BACKUP"
+mysql_max_connections: "500"
+mysql_table_cache: "64"
+mysql_thread_concurrency: "10"
+mysql_query_cache_limit: "1M"
+mysql_query_cache_size: "16M"
+mysql_character_set_server: "utf8mb4"
+mysql_collation_server: "utf8mb4_0900_ai_ci"
+mysql_mysqldump_max_allowed_packet: "128M"
+mysql_isamchk_key_buffer: "16M"
+mysql_sort_buffer_size: "256K"
+
+# InnoDB tuning
+mysql_innodb_file_per_table: "1"
+mysql_innodb_flush_method: "fdatasync"
+mysql_innodb_buffer_pool_size: "1G"
+mysql_innodb_flush_log_at_trx_commit: "1"
+mysql_innodb_lock_wait_timeout: "50"
+mysql_innodb_log_buffer_size: "1M"
+mysql_innodb_log_file_size: "64M"
+
+mysql_character_set_client_handshake: "FALSE"
+
+mysql_timezone_info: "false"
+
+mysql_databases: []
+mysql_users: []
+
+install_rpm_repositories: "true"
+
+# To disable log_bin in percona >=8, enabled by default
+mysql_disable_log_bin: "true"
+
+# Default Auth Plugin
+# used in templates when Percona Server >= 5.7
+mysql_default_authentication_plugin: "mysql_native_password"

db/mysql-percona/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: "Restart percona"
+  service: "name=mysql state=restarted"

db/mysql-percona/tasks/check-settings.yml

@@ -0,0 +1,20 @@
+---
+
+- name: "Check if percona-server is installed"
+  shell: dpkg -l | grep -i percona-server-server
+  ignore_errors: yes
+  register: percona_server_is_installed
+
+- name: "Check for innodb_log_file_size setting (Ubuntu)"
+  shell: 
+    cmd: grep -E ^innodb_log_file_size /etc/mysql/my.cnf | awk -F= '{ print $2}' | sed 's/\s//g'
+    removes: "/etc/mysql/my.cnf"
+  register: configured_innodb_log_file_size
+
+- name: "Abort when innodb_log_file_size changes"
+  fail:
+    msg: "The existing MySQL server has innodb_log_file_size={{ configured_innodb_log_file_size.stdout }}, but your are trying to set it to {{ mysql_innodb_log_file_size }}. Please, change this value for the variable in either ansible or the server itself. See: https://dev.mysql.com/doc/refman/5.6/en/innodb-redo-log.html"
+  when:
+    - percona_server_is_installed.stdout|trim != ""
+    - not configured_innodb_log_file_size.stdout | regex_search('^skipped')
+    - configured_innodb_log_file_size.stdout != mysql_innodb_log_file_size

db/mysql-percona/tasks/configure.yml

@@ -0,0 +1,26 @@
+---
+
+- name: "Update the my.cnf"
+  template: "src=etc_mysql_my.cnf.j2 dest=/etc/mysql/my.cnf owner=root mode=0644"
+  register: "config_file"
+  notify:
+    - "Restart percona"
+
+- name: "Ensure that percona is running and enabled"
+  service:
+    name: "mysql"
+    state: "started"
+    enabled: "yes"
+  register: mysql_service
+
+# This service restart is needed when changing default mysql_datadir, mysql_native_password
+# and other settings. So better restart when the my.cnf file changes
+# Restart when my.cnf has changed and it has not been restarted by the above task
+- name: "Restart mysql to apply changes done in my.cnf file"
+  service:
+    name: "mysql"
+    state: "restarted"
+  when:
+    - config_file.changed
+    - mysql_service is defined
+    - not mysql_service.changed

db/mysql-percona/tasks/install.yml

@@ -0,0 +1,92 @@
+---
+# (do not put quotes on key id, for some reason it won't work)
+- name: "Obtaining percona public key"
+  apt_key:
+    keyserver: "keyserver.ubuntu.com"
+    id: 9334A25F8507EFA5
+
+- name: "Adding percona repository"
+  apt_repository:
+    repo: "deb http://repo.percona.com/apt {{ ansible_distribution_release }} main"
+    state: "present"
+
+- name: "Update apt cache"
+  apt:
+    update_cache: yes
+    cache_valid_time: 300
+
+- name: "Install percona-release package (Percona version >= 8)"
+  apt:
+    deb: "https://repo.percona.com/apt/percona-release_latest.{{ ansible_distribution_release }}_all.deb"
+  when: mysql_version_major|int >= 8
+
+# https://www.percona.com/doc/percona-server/LATEST/installation/apt_repo.html
+- name: "Enable Percona repository (Percona version >= 8)"
+  command: "percona-release setup ps{{ mysql_version_major }}{{ mysql_version_minor }}"
+  when: mysql_version_major|int >= 8
+
+- name: "Install python-is-python3 (Ubuntu >= Focal/20.04)"
+  apt:
+    name: "python-is-python3"
+  when:
+    - ansible_distribution_version is version_compare('20.04', '>=')
+
+- name: "Get the major version of python used to run ansible"
+  command: "{{ ansible_python_interpreter | default('/usr/bin/python') }} -c 'import sys; print(sys.version_info.major)'"
+  register: ansible_python_major
+  changed_when: false
+
+- debug:
+    msg: "ansible_python_interpreter major version: {{ ansible_python_major.stdout }}"
+
+- name: "Install package dependencies for ansible MySQL modules (python 2)"
+  apt:
+    name: "python-mysqldb"
+  when:
+    - ansible_python_major.stdout == "2"
+
+- name: "Install package dependencies for ansible MySQL modules (python 3)"
+  apt:
+    name: "python3-mysqldb"
+  when:
+    - ansible_python_major.stdout == "3"
+
+- name: "Install percona packages and dependencies on Ubuntu (Percona version < 8)"
+  apt:
+    name:
+      - "percona-server-server-{{ mysql_version_major }}.{{ mysql_version_minor }}"
+      - "percona-server-client-{{ mysql_version_major }}.{{ mysql_version_minor }}"
+      - "percona-toolkit"
+      - "percona-xtrabackup"
+    state: "present"
+  when: mysql_version_major|int < 8
+
+- name: "Install | configure debconf for version 8.0 (Use Legacy Authentication Method)"
+  debconf:
+    name: 'percona-server-server'
+    question: 'percona-server-server/default-auth-override'
+    value: 'Use Legacy Authentication Method (Retain MySQL 5.x Compatibility)'
+    vtype: select
+  changed_when: false
+  when:
+    - mysql_version_major|int >= 8
+    - mysql_default_authentication_plugin is defined
+    - mysql_default_authentication_plugin == "mysql_native_password"
+
+- name: "Install percona packages and dependencies on Ubuntu (Percona version >= 8)"
+  apt:
+    name:
+      - "percona-server-server={{ mysql_version_major }}.{{ mysql_version_minor }}*"
+      - "percona-server-client={{ mysql_version_major }}.{{ mysql_version_minor }}*"
+      - "percona-toolkit"
+      - "percona-xtrabackup-80"
+    state: "present"
+  when: mysql_version_major|int >= 8
+
+- name: "Adjust permissions of datadir"
+  file:
+    path: "{{ mysql_datadir }}"
+    owner: "mysql"
+    group: "mysql"
+    mode: 0700
+    state: "directory"

db/mysql-percona/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- include: check-settings.yml
+- include: install.yml
+- include: configure.yml
+- include: secure.yml
+- include: users.yml

db/mysql-percona/tasks/secure.yml

@@ -0,0 +1,35 @@
+---
+- name: "Copy .my.cnf file into the root home folder"
+  template:
+    src: root-my-cnf.j2
+    dest: /root/.my.cnf
+    owner: root
+    group: root
+    mode: 0600
+
+- name: "Set the root password"
+  mysql_user:
+    name: root
+    host: "{{ item }}"
+    password: "{{ mysql_root_password }}"
+    check_implicit_admin: yes
+    state: present
+  with_items:
+    - "{{ ansible_hostname }}"
+    - "127.0.0.1"
+    - "::1"
+    - "localhost"
+
+- name: "Ensure anonymous users are not in the database"
+  mysql_user:
+    name: ''
+    host: "{{ item }}"
+    state: absent
+  with_items:
+    - "{{ ansible_hostname }}"
+    - "localhost"
+
+- name: "Remove the test database"
+  mysql_db:
+    name: test
+    state: absent

db/mysql-percona/tasks/users.yml

@@ -0,0 +1,11 @@
+---
+
+- name: "Make sure the MySQL users are present"
+  mysql_user:
+    name: "{{ item.name }}"
+    password: "{{ item.pass | default('techie') }}"
+    priv: "{{ item.priv | default('*.*:ALL') }}"
+    state: "present"
+    host: "{{ item.host | default('%') }}"
+  with_items: "{{ mysql_users }}"
+  no_log: "true"

db/mysql-percona/templates/etc_mysql_my.cnf.j2

@@ -0,0 +1,129 @@
+#
+# The MySQL database server configuration file.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+[client]
+port        = {{ mysql_port }}
+socket      = /var/run/mysqld/mysqld.sock
+
+[mysqld_safe]
+socket      = /var/run/mysqld/mysqld.sock
+nice        = 0
+open-files-limit = 16384
+
+[mysqld]
+# * Basic Settings
+user        = mysql
+pid-file    = /var/run/mysqld/mysqld.pid
+socket      = /var/run/mysqld/mysqld.sock
+port        = {{ mysql_port }}
+basedir     = /usr
+datadir     = {{ mysql_datadir }}
+tmpdir      = {{ mysql_tempdir }}
+{% if  mysql_version is version('8.0', '>=') and mysql_disable_log_bin|bool %}
+disable_log_bin
+{% endif %}
+{% if  mysql_version is version('5.7', '<') %}
+# language is for pre-5.5. In 5.5 it is an alias for lc_messages_dir.
+language = {{ mysql_language }}
+{% else %}
+lc_messages_dir = {{ mysql_language }}
+{% endif %}
+bind-address = {{ mysql_bind_address }}
+skip-external-locking
+{% if mysql_sql_mode is defined %}
+sql_mode={{ mysql_sql_mode }}
+{% endif %}
+{% if mysql_default_authentication_plugin is defined and mysql_version is version('5.7', '>=') %}
+default_authentication_plugin={{ mysql_default_authentication_plugin }}
+{% endif %}
+
+# * Fine Tuning
+key_buffer_size         = {{ mysql_key_buffer }}
+max_allowed_packet      = {{ mysql_max_allowed_packet }}
+thread_stack            = {{ mysql_thread_stack }}
+thread_cache_size       = {{ mysql_cache_size }}
+{% if  mysql_version is version('5.7', '<') %}
+myisam-recover          = {{ mysql_myisam_recover }}
+{% else %}
+myisam-recover-options  = {{ mysql_myisam_recover }}
+{% endif %}
+max_connections         = {{ mysql_max_connections }}
+table_open_cache        = {{ mysql_table_cache }}
+{% if  mysql_version is version('5.7', '<') %}
+thread_concurrency      = {{ mysql_thread_concurrency }}
+{% endif %}
+sort_buffer_size        = {{ mysql_sort_buffer_size }}
+
+# ** Query Cache Configuration, removed in MySQL >= 8.0
+{% if mysql_version_major|int < 8 %}
+query_cache_limit       = {{ mysql_query_cache_limit }}
+query_cache_size        = {{ mysql_query_cache_size }}
+{% endif %}
+
+# ** Logging and Replication
+log_error = /var/log/mysql/error.log
+{% if mysql_version_major|int < 8 %}
+log_warnings = 2
+{% else %}
+log_error_verbosity = 2
+{% endif %}
+#general_log_file        = /var/log/mysql/mysql.log
+#general_log             = 1
+#
+#log_slow_queries   = /var/log/mysql/mysql-slow.log
+#long_query_time = 2
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+#server-id      = 1
+#log_bin            = /var/log/mysql/mysql-bin.log
+expire_logs_days    = 10
+max_binlog_size     = 100M
+#binlog_do_db       = include_database_name
+#binlog_ignore_db   = include_database_name
+
+# ** InnoDB
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+innodb_flush_log_at_trx_commit = {{ mysql_innodb_flush_log_at_trx_commit }}
+innodb_buffer_pool_size = {{ mysql_innodb_buffer_pool_size }}
+{% if mysql_innodb_flush_method != 'fdatasync': %}
+innodb_flush_method = {{ mysql_innodb_flush_method }}
+{% endif %}
+innodb_lock_wait_timeout = {{ mysql_innodb_lock_wait_timeout }}
+innodb_log_buffer_size = {{ mysql_innodb_log_buffer_size }}
+innodb_log_file_size = {{ mysql_innodb_log_file_size }}
+innodb_file_per_table = {{ mysql_innodb_file_per_table }}
+
+{% if mysql_optimizer_switch is defined %}
+# Check https://bugs.mysql.com/bug.php?id=69721 for more info
+optimizer_switch = {{ mysql_optimizer_switch }}
+{% endif %}
+
+# ** Security Features
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+
+character_set_server = {{ mysql_character_set_server }}
+collation_server = {{ mysql_collation_server }}
+character-set-client-handshake = {{ mysql_character_set_client_handshake }}
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet  = {{ mysql_mysqldump_max_allowed_packet }}
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer      = {{ mysql_isamchk_key_buffer }}
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+#   The files must end with '.cnf', otherwise they'll be ignored.
+#
+!includedir /etc/mysql/conf.d/

db/mysql-percona/templates/root-my-cnf.j2

@@ -0,0 +1,3 @@
+[client]
+user=root
+password="{{ mysql_root_password }}"