chore!: separated galaxy deps and own collections; modified ansible script generation to use two paths for collections

REQUIRES REGENERATING ansible.cfg!
2025-02-23 00:00:00 +00:00 · 2025-02-23 00:00:00 +00:00 · 888590ed9f
commit 888590ed9f
parent 4af69c31ce
188 changed files with 30 additions and 30 deletions
--- a/ansible_collections/nullified/infrastructure/roles/mariadb/templates/mariadb_init.sql.j2
+++ b/ansible_collections/nullified/infrastructure/roles/mariadb/templates/mariadb_init.sql.j2
@ -0,0 +1,22 @@
+{% if mariadb_server_run_init_sql %}
+# Run hardening steps from `mysql_secure_installation`
+DELETE FROM mysql.global_priv WHERE User='';
+DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+DROP DATABASE IF EXISTS test;
+DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+
+UPDATE mysql.global_priv
+SET priv=json_set(
+        priv,
+        '$.password_last_changed', UNIX_TIMESTAMP(),
+        '$.plugin', 'mysql_native_password',
+        '$.authentication_string', PASSWORD('{{ mariadb_server_root_password }}'),
+        '$.auth_or', json_array(json_object(), json_object('plugin', 'unix_socket'))
+ )
+WHERE User='root';
+
+FLUSH PRIVILEGES;
+{% endif %}
+{% if mariadb_server_run_custom_sql and mariadb_server_custom_sql|length %}
+{{ mariadb_server_custom_sql }}
+{% endif %}
--- a/ansible_collections/nullified/infrastructure/roles/mariadb/templates/nftables.d/mariadb.nft.j2
+++ b/ansible_collections/nullified/infrastructure/roles/mariadb/templates/nftables.d/mariadb.nft.j2
@ -0,0 +1,26 @@
+{%- set allowed_ingress_list4 = mariadb_nft_allowed_ingress_list | ansible.utils.ipv4 -%}
+{%- set allowed_ingress_list6 = mariadb_nft_allowed_ingress_list | ansible.utils.ipv6 -%}
+{%- set allowed_egress_list4 = mariadb_nft_allowed_egress_list | ansible.utils.ipv4 | default([], true) -%}
+{%- set allowed_egress_list6 = mariadb_nft_allowed_egress_list | ansible.utils.ipv6 | default([], true) -%}
+table inet filter {
+{% if mariadb_install_server %}
+    chain input {
+{% if mariadb_nft_filter_input %}
+        {%+ if allowed_ingress_list4 %}ip saddr { {{ allowed_ingress_list4 | join(', ') }} } tcp dport {{ mariadb_server_port }} accept{% endif +%}
+        {%+ if allowed_ingress_list6 %}ip6 saddr { {{ allowed_ingress_list6 | join(', ') }} } tcp dport {{ mariadb_server_port }} accept{% endif +%}
+{% else %}
+        tcp dport {{ mariadb_server_port }} accept
+{% endif %}
+    }
+{% endif %}
+{% if mariadb_install_client %}
+    chain output {
+{% if mariadb_nft_filter_output %}
+        {%+ if allowed_egress_list4 %}ip daddr { {{ allowed_egress_list4 | join(', ') }} } tcp dport {{ mariadb_server_port }} accept{% endif +%}
+        {%+ if allowed_egress_list6 %}ip daddr { {{ allowed_egress_list6 | join(', ') }} } tcp dport {{ mariadb_server_port }} accept{% endif +%}
+{% else %}
+        tcp dport {{ mariadb_server_port }} accept
+{% endif %}
+    }
+{% endif %}
+}