From 9590bf6fe491b219e87f929ea94f11afc6f5c329 Mon Sep 17 00:00:00 2001
From: Robin Sonnabend <robin@fsmpi.rwth-aachen.de>
Date: Thu, 12 Aug 2021 20:53:18 +0200
Subject: [PATCH] Only setup backup when rsnapshot is configured, don't use
 password for root auth

---
 mysql/defaults/main.yml    |  2 +
 mysql/tasks/main.yml       | 83 ++++++++++++++++----------------------
 postgres/defaults/main.yml |  1 +
 postgres/tasks/main.yml    | 39 +++++++++---------
 4 files changed, 58 insertions(+), 67 deletions(-)

diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml
index 6e018f2..38ce525 100644
--- a/mysql/defaults/main.yml
+++ b/mysql/defaults/main.yml
@@ -6,3 +6,5 @@ mysql_root_password: "{{ lookup('passwordstore', 'db/{{ ansible_hostname }}-mysq
 mysql_backup_user: "backup"
 # yamllint disable-line rule:line-length
 mysql_backup_password: "{{ lookup('passwordstore', 'db/{{ ansible_hostname }}-mysql-backup create=true length=20') }}"
+
+mysql_rsnapshot: false
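Review bot: With `mysql_rsnapshot` defaulting to `false`, hosts provisioned by the earlier revision that do not set the flag keep what that revision deployed, and nothing manages or removes it any more. Going by the tasks hunk, that is the backup account with `SELECT,LOCK TABLES` on `*.*`, the credentials file `/root/.mysql-{{ mysql_backup_user }}.cnf` and `/etc/rsnapshot.d/mysql.conf`. The `remove obsolete crontab` task also moves under the flag, so `/etc/cron.d/mysql-snapshot` is no longer cleaned up on those hosts. Consider a branch that sets these to `state: absent` when the flag is off, or at least keep the crontab removal outside the block; `postgres_rsnapshot` and the postgres block have the same shape. A comment above the default, such as `# enable on hosts that run rsnapshot: creates the backup user, its credentials file and the rsnapshot config`, would document the switch.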
diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml
index c5a4a9f..839a7aa 100644
--- a/mysql/tasks/main.yml
+++ b/mysql/tasks/main.yml
@@ -24,56 +24,41 @@
     state: started
     enabled: true
 
-- name: ensure the mysql root user exists and has the correct password
-  mysql_user:
-    name: root
-    password: "{{ mysql_root_password }}"
-    login_user: root
-    login_password: "{{ mysql_root_password }}"
-  register: mysql_root_creation_result
-  no_log: true
-  ignore_errors: true
+- name: setup mysql backups with rsnapshot
+  when: '{{mysql_rsnapshot}}'
+  block:
+    - name: ensure a read-only mysql user for backups exists
+      mysql_user:
+        name: "{{ mysql_backup_user }}"
+        password: "{{ mysql_backup_password }}"
+        priv: "*.*:SELECT,LOCK TABLES"
+      no_log: true
 
-- name: initialize the mysql root user
-  mysql_user:
-    name: root
-    password: "{{ mysql_root_password }}"
-  no_log: true
-  when: mysql_root_creation_result is failed
+    - name: ensure the backup procedure can access the backup password
+      template:
+        src: my.cnf
+        dest: "/root/.mysql-{{ mysql_backup_user }}.cnf"
+        owner: root
+        group: root
+        mode: '0600'
 
-- name: ensure a read-only mysql user for backups exists
-  mysql_user:
-    name: "{{ mysql_backup_user }}"
-    password: "{{ mysql_backup_password }}"
-    login_user: root
-    login_password: "{{ mysql_root_password }}"
-    priv: "*.*:SELECT,LOCK TABLES"
+    - name: deploy the mysql backup script
+      template:
+        src: mysqlbackup.sh
+        dest: /usr/local/bin/
+        owner: root
+        group: root
+        mode: '0755'
 
-- name: ensure the backup procedure can access the backup password
-  template:
-    src: my.cnf
-    dest: "/root/.mysql-{{ mysql_backup_user }}.cnf"
-    owner: root
-    group: root
-    mode: '0600'
+    - name: ensure we backup all the mysql databases with rsnapshot
+      copy:
+        src: rsnapshot.conf
+        dest: /etc/rsnapshot.d/mysql.conf
+        owner: root
+        group: root
+        mode: '0644'
 
-- name: deploy the mysql backup script
-  template:
-    src: mysqlbackup.sh
-    dest: /usr/local/bin/
-    owner: root
-    group: root
-    mode: '0755'
-
-- name: ensure we backup all the mysql databases with rsnapshot
-  copy:
-    src: rsnapshot.conf
-    dest: /etc/rsnapshot.d/mysql.conf
-    owner: root
-    group: root
-    mode: '0644'
-
-- name: remove obsolete crontab
-  file:
-    path: /etc/cron.d/mysql-snapshot
-    state: absent
+    - name: remove obsolete crontab
+      file:
+        path: /etc/cron.d/mysql-snapshot
+        state: absent
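Review bot: The `mysql_user` task in the new block passes no `login_user`, `login_password` or `login_unix_socket`, so authentication is left to the module's fallbacks (a client config such as `~/.my.cnf`, otherwise root without a password). That presumably works where root uses socket authentication. On hosts where the earlier revision of this role set a root password, nothing in this hunk switches the account over, so the task may fail there or silently depend on a leftover credentials file. Stating the intent explicitly, for example `login_unix_socket: "{{ mysql_socket_path }}"` with a new role default for the socket path (the variable name here is only a suggestion), makes the passwordless path deliberate. It is also worth checking whether the `mysql_root_password` default visible in the defaults hunk header is still used anywhere, since its lookup keeps creating a password-store entry.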
diff --git a/postgres/defaults/main.yml b/postgres/defaults/main.yml
index 45e4dc7..97bb888 100644
--- a/postgres/defaults/main.yml
+++ b/postgres/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 
 postgres_pgdg_repo: false
+postgres_rsnapshot: false
diff --git a/postgres/tasks/main.yml b/postgres/tasks/main.yml
index 1867e9c..b7edf76 100644
--- a/postgres/tasks/main.yml
+++ b/postgres/tasks/main.yml
@@ -36,23 +36,26 @@
     state: started
     enabled: true
 
-- name: ensure we have our postgres backup script
-  copy:
-    src: "pgbackup{{ '-bullseye' if ansible_distribution_major_version|int(default=99) > 10 else '' }}.sh"
-    dest: /usr/local/bin/pgbackup.sh
-    owner: root
-    group: root
-    mode: '0755'
+- name: configure snapshots
+  when: '{{postgres_rsnapshot}}'
+  block:
+    - name: ensure we have our postgres backup script
+      copy:
+        src: "pgbackup{{ '-bullseye' if ansible_distribution_major_version|int(default=99) > 10 else '' }}.sh"
+        dest: /usr/local/bin/pgbackup.sh
+        owner: root
+        group: root
+        mode: '0755'
 
-- name: ensure we have our rsnapshot config
-  copy:
-    src: rsnapshot.conf
-    dest: /etc/rsnapshot.d/postgres.conf
-    owner: root
-    group: root
-    mode: '0644'
+    - name: ensure we have our rsnapshot config
+      copy:
+        src: rsnapshot.conf
+        dest: /etc/rsnapshot.d/postgres.conf
+        owner: root
+        group: root
+        mode: '0644'
 
-- name: remove obsolete crontab
-  file:
-    path: /etc/cron.d/postgres-snapshot
-    state: absent
+    - name: remove obsolete crontab
+      file:
+        path: /etc/cron.d/postgres-snapshot
+        state: absent
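Review bot: `when: '{{postgres_rsnapshot}}'` wraps the condition in Jinja delimiters, which Ansible warns about because `when` is already evaluated as an expression and the value ends up templated twice. The same form appears as `when: '{{mysql_rsnapshot}}'` in mysql/tasks/main.yml. Write them as `when: postgres_rsnapshot | bool` and `when: mysql_rsnapshot | bool`, which also gives the expected result when the flag arrives as the string "false" from inventory or `-e`. Avoiding the double evaluation also means a variable value that itself contains template syntax is not rendered as part of the condition.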
-- 
GitLab