Updates to many roles, including main user role to allow setting an alternate home directory

db/etcd/files/etcd-3.3-debian11-original/etcd

@@ -0,0 +1,392 @@
+## etcd(1) daemon options
+## See "/usr/share/doc/etcd-server/op-guide/configuration.md.gz"
+
+### Member flags
+
+##### --name
+## Human-readable name for this member.
+## This value is referenced as this node's own entries listed in the
+## `--initial-cluster` flag (e.g., `default=http://localhost:2380`). This
+## needs to match the key used in the flag if using static bootstrapping. When
+## using discovery, each member must have a unique name. `Hostname` or
+## `machine-id` can be a good choice.
+## default: "default"
+# ETCD_NAME="default"
+
+##### --data-dir
+## Path to the data directory.
+## default: "${name}.etcd"
+# ETCD_DATA_DIR="/var/lib/etcd/default"
+
+##### --wal-dir
+## Path to the dedicated wal directory. If this flag is set, etcd will write
+## the WAL files to the walDir rather than the dataDir. This allows a
+## dedicated disk to be used, and helps avoid io competition between logging
+## and other IO operations.
+## default: ""
+# ETCD_WAL_DIR
+
+##### --snapshot-count
+## Number of committed transactions to trigger a snapshot to disk.
+## default: "100000"
+# ETCD_SNAPSHOT_COUNT="100000"
+
+##### --heartbeat-interval
+## Time (in milliseconds) of a heartbeat interval.
+## default: "100"
+# ETCD_HEARTBEAT_INTERVAL="100"
+
+##### --election-timeout
+## Time (in milliseconds) for an election to timeout. See
+## /usr/share/doc/etcd-server/tuning.md.gz for details.
+## default: "1000"
+# ETCD_ELECTION_TIMEOUT="1000"
+
+##### --listen-peer-urls
+## List of URLs to listen on for peer traffic. This flag tells the etcd to
+## accept incoming requests from its peers on the specified scheme://IP:port
+## combinations. Scheme can be either http or https.If 0.0.0.0 is specified as
+## the IP, etcd listens to the given port on all interfaces. If an IP address is
+## given as well as a port, etcd will listen on the given port and interface.
+## Multiple URLs may be used to specify a number of addresses and ports to listen
+## on. The etcd will respond to requests from any of the listed addresses and
+## ports.
+## default: "http://localhost:2380"
+## example: "http://10.0.0.1:2380"
+## invalid example: "http://example.com:2380" (domain name is invalid for binding)
+# ETCD_LISTEN_PEER_URLS="http://localhost:2380"
+
+##### --listen-client-urls
+## List of URLs to listen on for client traffic. This flag tells the etcd to
+## accept incoming requests from the clients on the specified scheme://IP:port
+## combinations. Scheme can be either http or https. If 0.0.0.0 is specified as
+## the IP, etcd listens to the given port on all interfaces. If an IP address is
+## given as well as a port, etcd will listen on the given port and interface.
+## Multiple URLs may be used to specify a number of addresses and ports to listen
+## on. The etcd will respond to requests from any of the listed addresses and
+## ports.
+## default: "http://localhost:2379"
+## example: "http://10.0.0.1:2379"
+## invalid example: "http://example.com:2379" (domain name is invalid for binding)
+# ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
+
+##### --max-snapshots
+## Maximum number of snapshot files to retain (0 is unlimited)
+## The default for users on Windows is unlimited, and manual purging down to 5
+## (or some preference for safety) is recommended.
+## default: 5
+# ETCD_MAX_SNAPSHOTS="5"
+
+##### --max-wals
+## Maximum number of wal files to retain (0 is unlimited)
+## The default for users on Windows is unlimited, and manual purging down to 5
+## (or some preference for safety) is recommended.
+## default: 5
+# ETCD_MAX_WALS="5"
+
+##### --cors
+## Comma-separated white list of origins for CORS (cross-origin resource
+## sharing).
+## default: none
+# ETCD_CORS
+
+#### --quota-backend-bytes
+## Raise alarms when backend size exceeds the given quota (0 defaults to low
+## space quota).
+## default: 0
+# ETCD_QUOTA_BACKEND_BYTES="0"
+
+#### --backend-batch-limit
+## BackendBatchLimit is the maximum operations before commit the backend
+## transaction.
+## default: 0
+# ETCD_BACKEND_BATCH_LIMIT="0"
+
+#### --backend-batch-interval
+## BackendBatchInterval is the maximum time before commit the backend
+## transaction.
+## default: 0
+# ETCD_BACKEND_BATCH_INTERVAL="0"
+
+#### --max-txn-ops
+## Maximum number of operations permitted in a transaction.
+## default: 128
+# ETCD_MAX_TXN_OPS="128"
+
+#### --max-request-bytes
+## Maximum client request size in bytes the server will accept.
+## default: 1572864
+# ETCD_MAX_REQUEST_BYTES="1572864"
+
+#### --grpc-keepalive-min-time
+## Minimum duration interval that a client should wait before pinging server.
+## default: 5s
+# ETCD_GRPC_KEEPALIVE_MIN_TIME="5"
+
+#### --grpc-keepalive-interval
+## Frequency duration of server-to-client ping to check if a connection is
+## alive (0 to disable).
+## default: 2h
+# ETCD_GRPC_KEEPALIVE_INTERVAL="2h"
+
+#### --grpc-keepalive-timeout
+## Additional duration of wait before closing a non-responsive connection
+## (0 to disable).
+## default: 20s
+# ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"
+
+
+### Clustering flags
+
+# `--initial` prefix flags are used in bootstrapping (static bootstrap,
+# discovery-service bootstrap or runtime reconfiguration) a new member, and
+# ignored when restarting an existing member.
+
+# `--discovery` prefix flags need to be set when using discovery service.
+
+##### --initial-advertise-peer-urls
+
+## List of this member's peer URLs to advertise to the rest of the cluster.
+## These addresses are used for communicating etcd data around the cluster. At
+## least one must be routable to all cluster members. These URLs can contain
+## domain names.
+## default: "http://localhost:2380"
+## example: "http://example.com:2380, http://10.0.0.1:2380"
+# ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"
+
+##### --initial-cluster
+## Initial cluster configuration for bootstrapping.
+## The key is the value of the `--name` flag for each node provided. The
+## default uses `default` for the key because this is the default for the
+## `--name` flag.
+## default: "default=http://localhost:2380"
+# ETCD_INITIAL_CLUSTER="default=http://localhost:2380"
+
+##### --initial-cluster-state
+## Initial cluster state ("new" or "existing"). Set to `new` for all members
+## present during initial static or DNS bootstrapping. If this option is set to
+## `existing`, etcd will attempt to join the existing cluster. If the wrong value
+## is set, etcd will attempt to start but fail safely.
+## default: "new"
+# ETCD_INITIAL_CLUSTER_STATE="new"
+
+##### --initial-cluster-token
+## Initial cluster token for the etcd cluster during bootstrap.
+## default: "etcd-cluster"
+# ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
+
+##### --advertise-client-urls
+## List of this member's client URLs to advertise to the rest of the cluster.
+## These URLs can contain domain names.
+## Be careful if advertising URLs such as http://localhost:2379 from a cluster
+## member and are using the proxy feature of etcd. This will cause loops, because
+## the proxy will be forwarding requests to itself until its resources (memory,
+## file descriptors) are eventually depleted.
+## default: "http://localhost:2379"
+## example: "http://example.com:2379, http://10.0.0.1:2379"
+# ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
+
+##### --discovery
+## Discovery URL used to bootstrap the cluster.
+## default: none
+# ETCD_DISCOVERY
+
+##### --discovery-srv
+## DNS srv domain used to bootstrap the cluster.
+## default: none
+# ETCD_DISCOVERY_SRV
+
+##### --discovery-fallback
+## Expected behavior ("exit" or "proxy") when discovery services fails. "proxy"
+## supports v2 API only.
+## default: "proxy"
+# ETCD_DISCOVERY_FALLBACK="proxy"
+
+##### --discovery-proxy
+## HTTP proxy to use for traffic to discovery service.
+## default: none
+# ETCD_DISCOVERY_PROXY
+
+##### --strict-reconfig-check
+## Reject reconfiguration requests that would cause quorum loss.
+## default: false
+# ETCD_STRICT_RECONFIG_CHECK
+
+##### --auto-compaction-retention
+## Auto compaction retention for mvcc key value store in hour. 0 means disable
+## auto compaction.
+## default: 0
+# ETCD_AUTO_COMPACTION_RETENTION="0"
+
+##### --enable-v2
+## Accept etcd V2 client requests
+## default: true
+# ETCD_ENABLE_V2="true"
+
+
+### Proxy flags
+
+# `--proxy` prefix flags configures etcd to run in proxy mode. "proxy" supports
+# v2 API only.
+
+##### --proxy
+## Proxy mode setting ("off", "readonly" or "on").
+## default: "off"
+# ETCD_PROXY="off"
+
+##### --proxy-failure-wait
+## Time (in milliseconds) an endpoint will be held in a failed state before
+## being reconsidered for proxied requests.
+## default: 5000
+# ETCD_PROXY_FAILURE_WAIT="5000"
+
+##### --proxy-refresh-interval
+## Time (in milliseconds) of the endpoints refresh interval.
+## default: 30000
+# ETCD_PROXY_REFRESH_INTERVAL="30000"
+
+##### --proxy-dial-timeout
+## Time (in milliseconds) for a dial to timeout or 0 to disable the timeout
+## default: 1000
+# ETCD_PROXY_DIAL_TIMEOUT="1000"
+
+##### --proxy-write-timeout
+## Time (in milliseconds) for a write to timeout or 0 to disable the timeout.
+## default: 5000
+# ETCD_PROXY_WRITE_TIMEOUT="5000"
+
+##### --proxy-read-timeout
+## Time (in milliseconds) for a read to timeout or 0 to disable the timeout.
+## Don't change this value if using watches because use long polling requests.
+## default: 0
+# ETCD_PROXY_READ_TIMEOUT="0"
+
+
+### Security flags
+
+# The security flags help to build a secure etcd cluster.
+
+##### --ca-file (**DEPRECATED**)
+## Path to the client server TLS CA file. `--ca-file ca.crt` could be replaced
+## by `--trusted-ca-file ca.crt --client-cert-auth` and etcd will perform the
+## same.
+## default: none
+# ETCD_CA_FILE
+
+##### --cert-file
+## Path to the client server TLS cert file.
+## default: none
+# ETCD_CERT_FILE
+
+##### --key-file
+## Path to the client server TLS key file.
+## default: none
+# ETCD_KEY_FILE
+
+##### --client-cert-auth
+## Enable client cert authentication.
+## CN authentication is not supported by gRPC-gateway.
+## default: false
+# ETCD_CLIENT_CERT_AUTH
+
+#### --client-crl-file
+## Path to the client certificate revocation list file.
+## default: ""
+# ETCD_CLIENT_CRL_FILE
+
+##### --trusted-ca-file
+## Path to the client server TLS trusted CA key file.
+## default: none
+# ETCD_TRUSTED_CA_FILE
+
+##### --auto-tls
+## Client TLS using generated certificates
+## default: false
+# ETCD_AUTO_TLS
+
+##### --peer-ca-file (**DEPRECATED**)
+## Path to the peer server TLS CA file. `--peer-ca-file ca.crt` could be
+## replaced by `--peer-trusted-ca-file ca.crt --peer-client-cert-auth` and etcd
+## will perform the same.
+## default: none
+# ETCD_PEER_CA_FILE
+
+##### --peer-cert-file
+## Path to the peer server TLS cert file.
+## default: none
+# ETCD_PEER_CERT_FILE
+
+##### --peer-key-file
+## Path to the peer server TLS key file.
+## default: none
+# ETCD_PEER_KEY_FILE
+
+##### --peer-client-cert-auth
+## Enable peer client cert authentication.
+## default: false
+# ETCD_PEER_CLIENT_CERT_AUTH
+
+#### --peer-crl-file
+## Path to the peer certificate revocation list file.
+## default: ""
+# ETCD_PEER_CRL_FILE
+
+##### --peer-trusted-ca-file
+## Path to the peer server TLS trusted CA file.
+## default: none
+# ETCD_PEER_TRUSTED_CA_FILE
+
+##### --peer-auto-tls
+## Peer TLS using generated certificates
+## default: false
+# ETCD_PEER_AUTO_TLS
+
+#### --peer-cert-allowed-cn
+## Allowed CommonName for inter peer authentication.
+## default: none
+# ETCD_PEER_CERT_ALLOWED_CN
+
+#### --cipher-suites
+## Comma-separated list of supported TLS cipher suites between server/client and
+## peers.
+## default: ""
+# ETCD_CIPHER_SUITES
+
+#### --experimental-peer-skip-client-san-verification
+## Skip verification of SAN field in client certificate for peer connections.
+## default: false
+#+ ETCD_EXPERIMENTAL_PEER_SKIP_CLIENT_SAN_VERIFICATION
+
+
+### Logging flags
+
+#### --log-outputs
+## Specify 'stdout' or 'stderr' to skip journald logging even when running
+## under systemd, or list of comma separated output targets.
+## default: default
+# ETCD_LOG_OUTPUTS
+
+##### --debug
+## Drop the default log level to DEBUG for all subpackages.
+## default: false (INFO for all packages)
+# ETCD_DEBUG
+
+##### --log-package-levels
+## Set individual etcd subpackages to specific log levels. An example being
+## `etcdserver=WARNING,security=DEBUG`
+## default: none (INFO for all packages)
+# ETCD_LOG_PACKAGE_LEVELS
+
+
+### Unsafe flags
+
+# Please be CAUTIOUS when using unsafe flags because it will break the guarantees given by the consensus protocol.
+# For example, it may panic if other members in the cluster are still alive.
+# Follow the instructions when using these flags.
+
+##### --force-new-cluster
+## Force to create a new one-member cluster. It commits configuration changes
+## forcing to remove all existing members in the cluster and add itself. It needs
+## to be set to restore a backup.
+## default: false
+# ETCD_FORCE_NEW_CLUSTER

db/etcd/tasks/install-debian.yml

@@ -0,0 +1,9 @@
+---
+
+# Install etcd
+- name: Installing etcd
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - etcd

db/etcd/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- include_tasks: install-debian.yml
+  when: ansible_os_family == "Debian"

db/mysql-percona/README.md

@@ -0,0 +1,26 @@
+This is the new role for MySQL percona.
+
+Do not use the deprecated mysql-percona-5.7 for new installations.
+
+This role is more advanced with tons of customizable variables.
+
+Example usage:
+
+- role: mysql-percona
+    vars:
+    mysql_version_major: 8
+    mysql_version_minor: 0
+    mysql_datadir: "/opt/mysql"
+    mysql_default_authentication_plugin: "mysql_native_password"
+    mysql_innodb_buffer_pool_size: "3G"
+    mysql_users:
+        - name: mreschke
+          pass: 'passhere'
+          host: '%'
+        - name: squaethem
+        - name: tableau
+
+See `defaults` for all variables.  See `tasks/users.yml` for all user options
+
+
+~mReschke 2022-03-09

db/mysql-percona/defaults/main.yml

@@ -0,0 +1,56 @@
+---
+
+# Version to install, defaulting to 5.6
+mysql_version_major: "8"
+mysql_version_minor: "0"
+mysql_version: "{{ mysql_version_major|int }}.{{ mysql_version_minor|int }}"
+
+# Basic settings
+mysql_root_password: "techie"
+mysql_port: "3306"
+mysql_bind_address: "127.0.0.1"
+mysql_language: "/usr/share/mysql/"
+mysql_datadir: "/var/lib/mysql"
+mysql_tempdir: "/tmp"
+
+# Fine tuning
+mysql_key_buffer: "16M"
+mysql_max_allowed_packet: "256M"
+mysql_thread_stack: "192K"
+mysql_cache_size: "8"
+mysql_myisam_recover: "BACKUP"
+mysql_max_connections: "500"
+mysql_table_cache: "64"
+mysql_thread_concurrency: "10"
+mysql_query_cache_limit: "1M"
+mysql_query_cache_size: "16M"
+mysql_character_set_server: "utf8mb4"
+mysql_collation_server: "utf8mb4_0900_ai_ci"
+mysql_mysqldump_max_allowed_packet: "128M"
+mysql_isamchk_key_buffer: "16M"
+mysql_sort_buffer_size: "256K"
+
+# InnoDB tuning
+mysql_innodb_file_per_table: "1"
+mysql_innodb_flush_method: "fdatasync"
+mysql_innodb_buffer_pool_size: "1G"
+mysql_innodb_flush_log_at_trx_commit: "1"
+mysql_innodb_lock_wait_timeout: "50"
+mysql_innodb_log_buffer_size: "1M"
+mysql_innodb_log_file_size: "64M"
+
+mysql_character_set_client_handshake: "FALSE"
+
+mysql_timezone_info: "false"
+
+mysql_databases: []
+mysql_users: []
+
+install_rpm_repositories: "true"
+
+# To disable log_bin in percona >=8, enabled by default
+mysql_disable_log_bin: "true"
+
+# Default Auth Plugin
+# used in templates when Percona Server >= 5.7
+mysql_default_authentication_plugin: "mysql_native_password"

db/mysql-percona/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: "Restart percona"
+  service: "name=mysql state=restarted"

db/mysql-percona/tasks/check-settings.yml

@@ -0,0 +1,20 @@
+---
+
+- name: "Check if percona-server is installed"
+  shell: dpkg -l | grep -i percona-server-server
+  ignore_errors: yes
+  register: percona_server_is_installed
+
+- name: "Check for innodb_log_file_size setting (Ubuntu)"
+  shell: 
+    cmd: grep -E ^innodb_log_file_size /etc/mysql/my.cnf | awk -F= '{ print $2}' | sed 's/\s//g'
+    removes: "/etc/mysql/my.cnf"
+  register: configured_innodb_log_file_size
+
+- name: "Abort when innodb_log_file_size changes"
+  fail:
+    msg: "The existing MySQL server has innodb_log_file_size={{ configured_innodb_log_file_size.stdout }}, but your are trying to set it to {{ mysql_innodb_log_file_size }}. Please, change this value for the variable in either ansible or the server itself. See: https://dev.mysql.com/doc/refman/5.6/en/innodb-redo-log.html"
+  when:
+    - percona_server_is_installed.stdout|trim != ""
+    - not configured_innodb_log_file_size.stdout | regex_search('^skipped')
+    - configured_innodb_log_file_size.stdout != mysql_innodb_log_file_size

db/mysql-percona/tasks/configure.yml

@@ -0,0 +1,26 @@
+---
+
+- name: "Update the my.cnf"
+  template: "src=etc_mysql_my.cnf.j2 dest=/etc/mysql/my.cnf owner=root mode=0644"
+  register: "config_file"
+  notify:
+    - "Restart percona"
+
+- name: "Ensure that percona is running and enabled"
+  service:
+    name: "mysql"
+    state: "started"
+    enabled: "yes"
+  register: mysql_service
+
+# This service restart is needed when changing default mysql_datadir, mysql_native_password
+# and other settings. So better restart when the my.cnf file changes
+# Restart when my.cnf has changed and it has not been restarted by the above task
+- name: "Restart mysql to apply changes done in my.cnf file"
+  service:
+    name: "mysql"
+    state: "restarted"
+  when:
+    - config_file.changed
+    - mysql_service is defined
+    - not mysql_service.changed

db/mysql-percona/tasks/install.yml

@@ -0,0 +1,92 @@
+---
+# (do not put quotes on key id, for some reason it won't work)
+- name: "Obtaining percona public key"
+  apt_key:
+    keyserver: "keyserver.ubuntu.com"
+    id: 9334A25F8507EFA5
+
+- name: "Adding percona repository"
+  apt_repository:
+    repo: "deb http://repo.percona.com/apt {{ ansible_distribution_release }} main"
+    state: "present"
+
+- name: "Update apt cache"
+  apt:
+    update_cache: yes
+    cache_valid_time: 300
+
+- name: "Install percona-release package (Percona version >= 8)"
+  apt:
+    deb: "https://repo.percona.com/apt/percona-release_latest.{{ ansible_distribution_release }}_all.deb"
+  when: mysql_version_major|int >= 8
+
+# https://www.percona.com/doc/percona-server/LATEST/installation/apt_repo.html
+- name: "Enable Percona repository (Percona version >= 8)"
+  command: "percona-release setup ps{{ mysql_version_major }}{{ mysql_version_minor }}"
+  when: mysql_version_major|int >= 8
+
+- name: "Install python-is-python3 (Ubuntu >= Focal/20.04)"
+  apt:
+    name: "python-is-python3"
+  when:
+    - ansible_distribution_version is version_compare('20.04', '>=')
+
+- name: "Get the major version of python used to run ansible"
+  command: "{{ ansible_python_interpreter | default('/usr/bin/python') }} -c 'import sys; print(sys.version_info.major)'"
+  register: ansible_python_major
+  changed_when: false
+
+- debug:
+    msg: "ansible_python_interpreter major version: {{ ansible_python_major.stdout }}"
+
+- name: "Install package dependencies for ansible MySQL modules (python 2)"
+  apt:
+    name: "python-mysqldb"
+  when:
+    - ansible_python_major.stdout == "2"
+
+- name: "Install package dependencies for ansible MySQL modules (python 3)"
+  apt:
+    name: "python3-mysqldb"
+  when:
+    - ansible_python_major.stdout == "3"
+
+- name: "Install percona packages and dependencies on Ubuntu (Percona version < 8)"
+  apt:
+    name:
+      - "percona-server-server-{{ mysql_version_major }}.{{ mysql_version_minor }}"
+      - "percona-server-client-{{ mysql_version_major }}.{{ mysql_version_minor }}"
+      - "percona-toolkit"
+      - "percona-xtrabackup"
+    state: "present"
+  when: mysql_version_major|int < 8
+
+- name: "Install | configure debconf for version 8.0 (Use Legacy Authentication Method)"
+  debconf:
+    name: 'percona-server-server'
+    question: 'percona-server-server/default-auth-override'
+    value: 'Use Legacy Authentication Method (Retain MySQL 5.x Compatibility)'
+    vtype: select
+  changed_when: false
+  when:
+    - mysql_version_major|int >= 8
+    - mysql_default_authentication_plugin is defined
+    - mysql_default_authentication_plugin == "mysql_native_password"
+
+- name: "Install percona packages and dependencies on Ubuntu (Percona version >= 8)"
+  apt:
+    name:
+      - "percona-server-server={{ mysql_version_major }}.{{ mysql_version_minor }}*"
+      - "percona-server-client={{ mysql_version_major }}.{{ mysql_version_minor }}*"
+      - "percona-toolkit"
+      - "percona-xtrabackup-80"
+    state: "present"
+  when: mysql_version_major|int >= 8
+
+- name: "Adjust permissions of datadir"
+  file:
+    path: "{{ mysql_datadir }}"
+    owner: "mysql"
+    group: "mysql"
+    mode: 0700
+    state: "directory"

db/mysql-percona/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- include: check-settings.yml
+- include: install.yml
+- include: configure.yml
+- include: secure.yml
+- include: users.yml

db/mysql-percona/tasks/secure.yml

@@ -0,0 +1,35 @@
+---
+- name: "Copy .my.cnf file into the root home folder"
+  template:
+    src: root-my-cnf.j2
+    dest: /root/.my.cnf
+    owner: root
+    group: root
+    mode: 0600
+
+- name: "Set the root password"
+  mysql_user:
+    name: root
+    host: "{{ item }}"
+    password: "{{ mysql_root_password }}"
+    check_implicit_admin: yes
+    state: present
+  with_items:
+    - "{{ ansible_hostname }}"
+    - "127.0.0.1"
+    - "::1"
+    - "localhost"
+
+- name: "Ensure anonymous users are not in the database"
+  mysql_user:
+    name: ''
+    host: "{{ item }}"
+    state: absent
+  with_items:
+    - "{{ ansible_hostname }}"
+    - "localhost"
+
+- name: "Remove the test database"
+  mysql_db:
+    name: test
+    state: absent

db/mysql-percona/tasks/users.yml

@@ -0,0 +1,11 @@
+---
+
+- name: "Make sure the MySQL users are present"
+  mysql_user:
+    name: "{{ item.name }}"
+    password: "{{ item.pass | default('techie') }}"
+    priv: "{{ item.priv | default('*.*:ALL') }}"
+    state: "present"
+    host: "{{ item.host | default('%') }}"
+  with_items: "{{ mysql_users }}"
+  no_log: "true"

db/mysql-percona/templates/etc_mysql_my.cnf.j2

@@ -0,0 +1,129 @@
+#
+# The MySQL database server configuration file.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+[client]
+port        = {{ mysql_port }}
+socket      = /var/run/mysqld/mysqld.sock
+
+[mysqld_safe]
+socket      = /var/run/mysqld/mysqld.sock
+nice        = 0
+open-files-limit = 16384
+
+[mysqld]
+# * Basic Settings
+user        = mysql
+pid-file    = /var/run/mysqld/mysqld.pid
+socket      = /var/run/mysqld/mysqld.sock
+port        = {{ mysql_port }}
+basedir     = /usr
+datadir     = {{ mysql_datadir }}
+tmpdir      = {{ mysql_tempdir }}
+{% if  mysql_version is version('8.0', '>=') and mysql_disable_log_bin|bool %}
+disable_log_bin
+{% endif %}
+{% if  mysql_version is version('5.7', '<') %}
+# language is for pre-5.5. In 5.5 it is an alias for lc_messages_dir.
+language = {{ mysql_language }}
+{% else %}
+lc_messages_dir = {{ mysql_language }}
+{% endif %}
+bind-address = {{ mysql_bind_address }}
+skip-external-locking
+{% if mysql_sql_mode is defined %}
+sql_mode={{ mysql_sql_mode }}
+{% endif %}
+{% if mysql_default_authentication_plugin is defined and mysql_version is version('5.7', '>=') %}
+default_authentication_plugin={{ mysql_default_authentication_plugin }}
+{% endif %}
+
+# * Fine Tuning
+key_buffer_size         = {{ mysql_key_buffer }}
+max_allowed_packet      = {{ mysql_max_allowed_packet }}
+thread_stack            = {{ mysql_thread_stack }}
+thread_cache_size       = {{ mysql_cache_size }}
+{% if  mysql_version is version('5.7', '<') %}
+myisam-recover          = {{ mysql_myisam_recover }}
+{% else %}
+myisam-recover-options  = {{ mysql_myisam_recover }}
+{% endif %}
+max_connections         = {{ mysql_max_connections }}
+table_open_cache        = {{ mysql_table_cache }}
+{% if  mysql_version is version('5.7', '<') %}
+thread_concurrency      = {{ mysql_thread_concurrency }}
+{% endif %}
+sort_buffer_size        = {{ mysql_sort_buffer_size }}
+
+# ** Query Cache Configuration, removed in MySQL >= 8.0
+{% if mysql_version_major|int < 8 %}
+query_cache_limit       = {{ mysql_query_cache_limit }}
+query_cache_size        = {{ mysql_query_cache_size }}
+{% endif %}
+
+# ** Logging and Replication
+log_error = /var/log/mysql/error.log
+{% if mysql_version_major|int < 8 %}
+log_warnings = 2
+{% else %}
+log_error_verbosity = 2
+{% endif %}
+#general_log_file        = /var/log/mysql/mysql.log
+#general_log             = 1
+#
+#log_slow_queries   = /var/log/mysql/mysql-slow.log
+#long_query_time = 2
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+#server-id      = 1
+#log_bin            = /var/log/mysql/mysql-bin.log
+expire_logs_days    = 10
+max_binlog_size     = 100M
+#binlog_do_db       = include_database_name
+#binlog_ignore_db   = include_database_name
+
+# ** InnoDB
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+innodb_flush_log_at_trx_commit = {{ mysql_innodb_flush_log_at_trx_commit }}
+innodb_buffer_pool_size = {{ mysql_innodb_buffer_pool_size }}
+{% if mysql_innodb_flush_method != 'fdatasync': %}
+innodb_flush_method = {{ mysql_innodb_flush_method }}
+{% endif %}
+innodb_lock_wait_timeout = {{ mysql_innodb_lock_wait_timeout }}
+innodb_log_buffer_size = {{ mysql_innodb_log_buffer_size }}
+innodb_log_file_size = {{ mysql_innodb_log_file_size }}
+innodb_file_per_table = {{ mysql_innodb_file_per_table }}
+
+{% if mysql_optimizer_switch is defined %}
+# Check https://bugs.mysql.com/bug.php?id=69721 for more info
+optimizer_switch = {{ mysql_optimizer_switch }}
+{% endif %}
+
+# ** Security Features
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+
+character_set_server = {{ mysql_character_set_server }}
+collation_server = {{ mysql_collation_server }}
+character-set-client-handshake = {{ mysql_character_set_client_handshake }}
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet  = {{ mysql_mysqldump_max_allowed_packet }}
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer      = {{ mysql_isamchk_key_buffer }}
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+#   The files must end with '.cnf', otherwise they'll be ignored.
+#
+!includedir /etc/mysql/conf.d/

db/mysql-percona/templates/root-my-cnf.j2

@@ -0,0 +1,3 @@
+[client]
+user=root
+password="{{ mysql_root_password }}"

server/files/debian/11/sources.list

@@ -0,0 +1,11 @@
+# Debian 11 Bullseye Software
+deb http://deb.debian.org/debian bullseye main contrib non-free
+deb-src http://deb.debian.org/debian bullseye main contrib non-free
+
+# Debian 11 Bullseye Updates
+deb http://deb.debian.org/debian bullseye-updates main contrib non-free
+deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free
+
+# Debian 11 Bullseye Security
+deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free

server/files/profile.d/bash_aliases.sh

@@ -52,5 +52,6 @@ alias pops='poetry shell && echo "poetry shell has been deactivated" && echo &&
 # Docker
 alias dps="docker ps"
 alias dpsa="docker ps -a"
+alias dnet="docker network ls"
 alias dimg="docker images"
 alias dimga="docker images -a"

server/tasks/debian/all.yml

@@ -5,22 +5,27 @@
 
 # Copy Debian 9 sources.list
 - name: Copying Debian 9 apt/sources.list
-  copy: src=debian/9/sources.list dest=/etc/apt/sources.list
+  copy: src=debian/9/sources.list dest=/etc/apt/sources.list mode=0644
   when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
 
 # Copy Debian 10 sources.list
 - name: Copying Debian 10 apt/sources.list
-  copy: src=debian/10/sources.list dest=/etc/apt/sources.list
+  copy: src=debian/10/sources.list dest=/etc/apt/sources.list mode=0644
   when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
 
+# Copy Debian 11 sources.list
+- name: Copying Debian 11 apt/sources.list
+  copy: src=debian/11/sources.list dest=/etc/apt/sources.list mode=0644
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "11"
+
   # Copy Ubuntu 16.04 sources.list
 - name: Copying Ubuntu 16.04 apt/sources.list
-  copy: src=ubuntu/16.04/sources.list dest=/etc/apt/sources.list
+  copy: src=ubuntu/16.04/sources.list dest=/etc/apt/sources.list mode=0644
   when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04"
 
 # Ignore apt translations
 - name: Ignoring apt tranlations
-  copy: src=debian/99translations dest=/etc/apt/apt.conf.d/99translations
+  copy: src=debian/99translations dest=/etc/apt/apt.conf.d/99translations mode=0644
 
 # Install common apps for all debian machines
 - name: Installing common Debian/Ubuntu applications

server/tasks/manjaro/all.yml

@@ -4,7 +4,8 @@
 # ------------------------------------------------------------------------------
 
 # Configure /etc/pacman.conf
-- lineinfile: path=/etc/pacman.conf regexp='^#Color' line='Color'
+- name: Enabling pacman colors
+  lineinfile: path=/etc/pacman.conf regexp='^#Color' line='Color'
 
 # Change the games:x:50: group to staff
 - name: Ensuring group staff:50

user/tasks/create.yml

@@ -24,6 +24,11 @@
     user_groups: [root]
   when: user == 'root'
 
+# Home directory, use /home/username if undefined
+# - set_fact:
+#     home: "/home/{{ user }}"
+#   when: (home is undefined or home == "")
+
 # ------------------------------------------------------------------------------
 
 - include_tasks: debug.yml
@@ -39,6 +44,7 @@
     user_groups: ""
     add_groups: ""
     ssh_info: ""
+    home: ""
     add_sudo: no
     create: yes
     ssh_keys: no

user/tasks/debian.yml

@@ -1,4 +1,9 @@
 ---
+- name: Check if ~/.bashrc exists
+  stat:
+    path: '{{ "~" + user | expanduser }}/.bashrc'
+  register: bashrc
+
 # Comment out ~/.bashrc HIST stuff
 # So it obeys /etc/profile.d/bash_history.sh instead
 - name: Commenting out ~/.bashrc HIST stuff
@@ -6,14 +11,21 @@
     path: '{{ "~" + user | expanduser }}/.bashrc'
     regexp: '^HISTCONTROL=ignoreboth'
     line: '# HISTCONTROL=ignoreboth'
-- lineinfile:
+  when: bashrc.stat.exists == true
+
+- name: Commenting out ~/.bashrc HIST stuff
+  lineinfile:
     path: '{{ "~" + user | expanduser }}/.bashrc'
     regexp: '^HISTSIZE=1000'
     line: '# HISTSIZE=1000'
-- lineinfile:
+  when: bashrc.stat.exists == true
+
+- name: Commenting out ~/.bashrc HIST stuff
+  lineinfile:
     path: '{{ "~" + user | expanduser }}/.bashrc'
     regexp: '^HISTFILESIZE=2000'
     line: '# HISTFILESIZE=2000'
+  when: bashrc.stat.exists == true
 
 # Debian has these by default in ~/.bashrc
 #HISTCONTROL=ignoreboth

user/tasks/debug.yml

@@ -7,4 +7,5 @@
       - "ID: {{ users[user]['id'] }}"
       - "GID: {{ users[user]['gid'] }}"
       - "Groups: {{ user_groups }}"
+      - "Home: {{ home }}"
       #- "Password: {{ users[user]['password'] }}"

user/tasks/user.yml

@@ -15,5 +15,6 @@
     groups: '{{ user_groups }}'
     password: "{{ users[user]['password'] }}"
     update_password: always
+    home: "{{ home }}"
     create_home: "{{ create_home | default('yes') }}"
     shell: "{{ shell | default('/bin/bash') }}"

virt/docker/tasks/main.yml

@@ -9,11 +9,20 @@
       - gnupg2
       - software-properties-common
 
-- name: Addding Docker apt repository key
+- name: Addding Debian Docker apt repository key
   apt_key: url='https://download.docker.com/linux/debian/gpg' state=present
 
-- name: Adding Docker apt repository sources
+- name: Adding Debian 9 Docker apt repository sources
   apt_repository: repo='deb [arch=amd64] https://download.docker.com/linux/debian stretch stable' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+- name: Adding Debian 10 Docker apt repository sources
+  apt_repository: repo='deb [arch=amd64] https://download.docker.com/linux/debian buster stable' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+- name: Adding Debian 11 Docker apt repository sources
+  apt_repository: repo='deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "11"
 
 - name: Installing Docker
   apt:
@@ -21,4 +30,6 @@
     state: present
     name:
       - docker-ce
+      - docker-ce-cli
+      - containerd.io
       - docker-compose

virt/opennebula-6.2-controller/files/ssh.config

@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null

virt/opennebula-6.2-controller/tasks/main.yml

@@ -0,0 +1,65 @@
+---
+- name: Adding Debian OpenNebula GPG key
+  apt_key: url='https://downloads.opennebula.io/repo/repo.key' state=present
+  when: ansible_os_family == "Debian"
+
+# Note, using http instead of https so apt-cacher-ng may cache the repo
+- name: Adding Debian 10 OpenNebula repository
+  apt_repository: repo='deb http://downloads.opennebula.io/repo/6.2/Debian/10 stable opennebula' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+- name: Adding Debian 11 OpenNebula repository
+  apt_repository: repo='deb http://downloads.opennebula.io/repo/6.2/Debian/11 stable opennebula' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "11"
+
+# Install OpenNebula
+- name: Installing OpenNebula controller applications
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - opennebula
+      - opennebula-sunstone
+      - opennebula-fireedge
+      - opennebula-gate
+      - opennebula-flow
+      - opennebula-provision
+
+# NOTE: OpenNebula daemons do NOT start after install, contrary to how most other debian packages behave.
+# This is good as we want to set passwords and other configurations before we start OpenNebula for the first time.
+
+# Set permissions on /var/lib/one folder
+- name: Ensuring permissions on /var/lib/one directory
+  file:
+    path: /var/lib/one
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Create /var/lib/one/.ssh folder
+- name: Creating /var/lib/one/.ssh directory
+  file:
+    path: /var/lib/one/.ssh
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Create /var/log/one folder or the daemon will not start
+- name: Creating /var/log/one directory
+  file:
+    path: /var/log/one
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Copy ssh client config for oneadmin user
+- name: Copying oneadmin SSH client config
+  copy:
+    src: 'files/ssh.config'
+    dest: '/var/lib/one/.ssh/config'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: '0644'

virt/opennebula-6.2-kvm-node/files/ssh.config

@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null

virt/opennebula-6.2-kvm-node/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart libvirtd
+  service: name=libvirtd state=restarted

virt/opennebula-6.2-kvm-node/tasks/main.yml

@@ -0,0 +1,79 @@
+---
+- name: Adding Debian OpenNebula GPG key
+  apt_key: url='https://downloads.opennebula.io/repo/repo.key' state=present
+  when: ansible_os_family == "Debian"
+
+# Note, using http instead of https so apt-cacher-ng may cache the repo
+- name: Adding Debian 10 OpenNebula repository
+  apt_repository: repo='deb http://downloads.opennebula.io/repo/6.2/Debian/10 stable opennebula' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+- name: Adding Debian 11 OpenNebula repository
+  apt_repository: repo='deb http://downloads.opennebula.io/repo/6.2/Debian/11 stable opennebula' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "11"
+
+# Install OpenNebula Node
+- name: Installing OpenNebula controller applications
+  apt:
+    update_cache: yes
+    state: present
+    name: opennebula-node-kvm
+  notify: restart libvirtd
+
+# Copy /etc/libvirt/libvirt.conf to bypass polkit socket permissions
+# - name: Copying libvirtd.conf
+#   copy:
+#     src: 'libvirtd-debian10.conf'
+#     dest: '/etc/libvirt/libvirtd.conf'
+#     owner: 'root'
+#     group: 'root'
+#     mode: '0644'
+#   notify: restart libvirtd
+#   when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+# # Copy /etc/libvirt/libvirt.conf to bypass polkit socker permissions
+# - name: Copying libvirtd.conf
+#   copy:
+#     src: 'libvirtd-debian9.conf'
+#     dest: '/etc/libvirt/libvirtd.conf'
+#     owner: 'root'
+#     group: 'root'
+#     mode: '0644'
+#   notify: restart libvirtd
+#   when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+# Set permissions on /var/lib/one folder
+- name: Ensuring permissions on /var/lib/one directory
+  file:
+    path: /var/lib/one
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Create /var/lib/one/.ssh folder
+- name: Creating /var/lib/one/.ssh directory
+  file:
+    path: /var/lib/one/.ssh
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Create /var/log/one folder or the daemon will not start
+- name: Creating /var/log/one directory
+  file:
+    path: /var/log/one
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Copy ssh client config for oneadmin user
+- name: Copying oneadmin SSH client config
+  copy:
+    src: 'files/ssh.config'
+    dest: '/var/lib/one/.ssh/config'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: '0644'

web/haproxy/files/originals/debian11/49-haproxy.conf

@@ -0,0 +1,9 @@
+# Create an additional socket in haproxy's chroot in order to allow logging via
+# /dev/log to chroot'ed HAProxy processes
+$AddUnixListenSocket /var/lib/haproxy/dev/log
+
+# Send HAProxy messages to a dedicated logfile
+:programname, startswith, "haproxy" {
+  /var/log/haproxy.log
+  stop
+}

web/haproxy/files/originals/debian11/haproxy.cfg

@@ -0,0 +1,34 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+	log	global
+	mode	http
+	option	httplog
+	option	dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http

web/haproxy/files/originals/debian11/rsyslog.conf

@@ -0,0 +1,92 @@
+# /etc/rsyslog.conf configuration file for rsyslog
+#
+# For more information install rsyslog-doc and see
+# /usr/share/doc/rsyslog-doc/html/configuration/index.html
+
+
+#################
+#### MODULES ####
+#################
+
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog")   # provides kernel logging support
+#module(load="immark")  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#module(load="imudp")
+#input(type="imudp" port="514")
+
+# provides TCP syslog reception
+#module(load="imtcp")
+#input(type="imtcp" port="514")
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files.  Log by facility.
+#
+auth,authpriv.*			/var/log/auth.log
+*.*;auth,authpriv.none		-/var/log/syslog
+#cron.*				/var/log/cron.log
+daemon.*			-/var/log/daemon.log
+kern.*				-/var/log/kern.log
+lpr.*				-/var/log/lpr.log
+mail.*				-/var/log/mail.log
+user.*				-/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info			-/var/log/mail.info
+mail.warn			-/var/log/mail.warn
+mail.err			/var/log/mail.err
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+	auth,authpriv.none;\
+	mail.none		-/var/log/debug
+*.=info;*.=notice;*.=warn;\
+	auth,authpriv.none;\
+	cron,daemon.none;\
+	mail.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				:omusrmsg:*