enable ansible vault

.gitignore

@@ -22,3 +22,4 @@ tags
 # ---> Ansible
 *.retry
 *.vault
+.vault

.gitmodules

@@ -46,3 +46,6 @@
 [submodule "roles/unbound"]
 	path = roles/unbound
 	url = git@git.ccczh.ch:ansible-roles/role-unbound.git
+[submodule "roles/geerlingguy.mysql"]
+	path = roles/geerlingguy.mysql
+	url = https://github.com/geerlingguy/ansible-role-mysql.git

ansible.cfg

@@ -16,7 +16,7 @@ stdout_callback = yaml
 
 interpreter_python = /usr/bin/python3
 
-# vault_password_file  =./.vault
+vault_password_file  =./.vault
 
 [ssh_connection]
 control_path = %(directory)s/%%h-%%r-%%p

host_vars/mail01.l3d.space.yml

@@ -37,3 +37,16 @@ firewall_allowed_tcp_ports:
   - "80"
   - "443"
 fail2ban_destemail: "fail2ban_notify_{{ inventory_hostname }}@l3d.yt"
+
+# mysql
+mysql_bind_address: '127.0.0.1'
+mysql_root_password: super-secure-password
+mysql_databases:
+  - name: example_db
+    encoding: latin1
+    collation: latin1_general_ci
+mysql_users:
+  - name: example_user
+    host: "%"
+    password: similarly-secure-password
+    priv: "example_db.*:ALL"

roles/geerlingguy.mysql

@@ -0,0 +1 @@
+Subproject commit 4940d8cd41e40320f52ea694a0b169b03034c735

site.yml

@@ -35,5 +35,6 @@
     - { role: acmetool_fix, tags: [mail,acmetool]}
     - { role: acmetool2, tags: [mail,acmetool]}
     - { role: nginx2, tags: [mail,nginx]}
+    - { role: geerlingguy.mysql, tags: [mail,mysql,mariadb]}
     - { role: robertdebock.dovecot, tags: [mail,postfix]}
 #    - { role: dovecot, tags: [mail,dovecot]}