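---
- name: Provision the web analytics database and its MySQL users
  hosts: web-analytics-database

  vars:
    # Under `vars`, only put variables that really must be shared by several
    # roles and tasks below. They have high precedence, so they are prone to
    # clash with other variables of the same name (if you didn't follow the
    # principle of defining each variable exactly once), or may silently
    # override a value inside one of the roles below that you didn't intend
    # to set. That is why the role-name prefix matters (`mysql_user_name`
    # instead of `username`): the latter is likely used in many other places
    # and is hard to grep for.
    #
    # When writing many playbooks, you probably don't want to hardcode your
    # DBA's username everywhere; define a variable `database_admin_username`
    # instead. The rule "put it as close as possible to its use" says: create
    # a group "database-servers" containing all database hosts and put the
    # variable into `group_vars/database-servers.yml`, so it is only visible
    # in that limited scope.
    #
    # The prefix `wa_` ("web analytics") is used here as an example.
    wa_mysql_user_name_prefix: '{{ database_admin_username }}'

  roles:
    - role: mysql_server
      # [Comment describing why we chose MySQL 5.5...]
      # Alternatively (but riskier than requiring it to be set explicitly),
      # the role could default this to the version you normally run in
      # production. Quoted on purpose: an unquoted 5.5 is a YAML float.
      mysql_server_version: '5.5'

    # Admin with full privileges
    - role: mysql_user
      mysql_user_name: '{{ wa_mysql_user_name_prefix }}_admin'
      # This must not have a default in the role. Defaulting to `ALL` means
      # that a playbook mistake could hand a new user every privilege.
      mysql_user_privileges: 'ALL'
      # Production passwords must not be committed to version control in
      # plaintext; this one is decrypted at runtime from a GPG-encrypted file.
      # See article section "Storing sensitive files".
      mysql_user_password: '{{ lookup("gpgfile", "secure/web-analytics-database.password") }}'
      # The decrypted password is handed to the role's tasks as an argument
      # and can otherwise appear in task results and verbose (-vvv) output.
      # Flip to false only temporarily while debugging a failing user task.
      no_log: true

    # Read-only access
    - role: mysql_user
      mysql_user_name: '{{ wa_mysql_user_name_prefix }}_readonly'
      mysql_user_privileges: 'SELECT'
      mysql_user_password: '{{ lookup("gpgfile", "secure/web-analytics-database.readonly.password") }}'
      # Same reasoning as for the admin user: keep the secret out of the logs.
      no_log: true

  # With well-developed roles you don't need extra {pre_,post_}tasks.
  # Written as an explicit empty list: a bare `tasks:` parses as null,
  # not as an empty list.
  tasks: []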