Diffstat (limited to 'manifests/server')
-rw-r--r--manifests/server/account_security.pp8
-rw-r--r--manifests/server/base.pp42
-rw-r--r--manifests/server/cron/backup.pp15
-rw-r--r--manifests/server/munin/default.pp66
-rw-r--r--manifests/server/nagios.pp14
5 files changed, 67 insertions, 78 deletions
diff --git a/manifests/server/account_security.pp b/manifests/server/account_security.pp
new file mode 100644
index 0000000..23d1cb7
--- /dev/null
+++ b/manifests/server/account_security.pp
@@ -0,0 +1,8 @@
+class mysql::server::account_security {
+ # some installations have some default users which are not required.
+ # We remove them here. You can subclass this class to overwrite this behavior.
+ mysql_user{ [ "root@${fqdn}", "root@127.0.0.1", "@${fqdn}", "@localhost", "@%" ]:
+ ensure => 'absent',
+ require => Service['mysql'],
+ }
+}
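Review bot: The `mysql_user` title list interpolates `${fqdn}` unqualified, while every other file in this commit moves to `${::fqdn}`; for consistency the entries should read `"root@${::fqdn}"` and `"@${::fqdn}"`. The list may also miss some default accounts. Depending on the MySQL version and how the host is named, the install script can create `root@::1` and accounts keyed on the short hostname instead of the FQDN, and those would survive this class. Check against a fresh install and extend the array if needed. A short comment stating that `root@localhost` is kept on purpose (presumably the account `/root/.my.cnf` uses) would help anyone who subclasses this.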
diff --git a/manifests/server/base.pp b/manifests/server/base.pp
index 07b26b8..75f5725 100644
--- a/manifests/server/base.pp
+++ b/manifests/server/base.pp
@@ -5,12 +5,12 @@ class mysql::server::base {
file { 'mysql_main_cnf':
path => '/etc/mysql/my.cnf',
source => [
- "puppet:///modules/site-mysql/${fqdn}/my.cnf",
- "puppet:///modules/site-mysql/my.cnf.${operatingsystem}.{lsbdistcodename}",
- "puppet:///modules/site-mysql/my.cnf.${operatingsystem}",
+ "puppet:///modules/site-mysql/${::fqdn}/my.cnf",
+ "puppet:///modules/site-mysql/my.cnf.${::operatingsystem}.{lsbdistcodename}",
+ "puppet:///modules/site-mysql/my.cnf.${::operatingsystem}",
"puppet:///modules/site-mysql/my.cnf",
- "puppet:///modules/mysql/config/my.cnf.${operatingsystem}.{lsbdistcodename}",
- "puppet:///modules/mysql/config/my.cnf.${operatingsystem}",
+ "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}.{lsbdistcodename}",
+ "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}",
"puppet:///modules/mysql/config/my.cnf"
],
ensure => file,
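Review bot: The two `lsbdistcodename` entries in the `source` list still lack the `$`. `.{lsbdistcodename}` is a literal string, so those paths never match a real file and the per-release `my.cnf` is silently skipped in favour of a more generic one. Since the lines are already being edited for the `::` scoping change, they should become `"puppet:///modules/site-mysql/my.cnf.${::operatingsystem}.${::lsbdistcodename}"`, and likewise for the `modules/mysql/config` entry. The `file` resource continues past the end of this hunk.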
@@ -18,7 +18,7 @@ class mysql::server::base {
notify => Service['mysql'],
owner => root, group => 0, mode => 0644;
}
-
+
file { 'mysql_data_dir':
path => '/var/lib/mysql/data',
ensure => directory,
@@ -35,17 +35,13 @@ class mysql::server::base {
owner => mysql, group => mysql, mode => 0660;
}
- case $mysql_rootpw {
- '': { fail("You need to define a mysql root password! Please set \$mysql_rootpw in your site.pp or host config") }
- }
-
file { 'mysql_setmysqlpass.sh':
path => '/usr/local/sbin/setmysqlpass.sh',
- source => "puppet:///modules/mysql/scripts/${operatingsystem}/setmysqlpass.sh",
+ source => "puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh",
require => Package['mysql-server'],
owner => root, group => 0, mode => 0500;
- }
-
+ }
+
file { 'mysql_root_cnf':
path => '/root/.my.cnf',
content => template('mysql/root/my.cnf.erb'),
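Review bot: The `fail()` guard on an empty `$mysql_rootpw` is removed at the top of this hunk and nothing visible replaces it, while `/root/.my.cnf` is still rendered from `mysql/root/my.cnf.erb` and still notifies `mysql_set_rootpw`. The diffstat is limited to `manifests/server`, so where the template now gets the password cannot be confirmed from here. If it still reads `$mysql_rootpw`, or a lookup that can come back empty, the run would configure an empty root password instead of failing the catalog. Either keep an explicit emptiness check next to the new lookup, or add a comment above `mysql_root_cnf` naming the password source and stating that it never returns an empty value.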
@@ -53,22 +49,22 @@ class mysql::server::base {
owner => root, group => 0, mode => 0400,
notify => Exec['mysql_set_rootpw'],
}
-
+
exec { 'mysql_set_rootpw':
command => '/usr/local/sbin/setmysqlpass.sh',
unless => '/usr/bin/mysqladmin -uroot status > /dev/null',
require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ],
refreshonly => true,
}
-
- if ($mysql_backup_cron) {
+
+ if hiera('mysql_backup_cron',false) {
include mysql::server::cron::backup
}
-
- if ($mysql_optimize_cron) {
+
+ if hiera('mysql_optimize_cron',false) {
include mysql::server::cron::optimize
}
-
+
service { 'mysql':
ensure => running,
enable => true,
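Review bot: With the toggles now read through `hiera('mysql_backup_cron',false)` and `hiera('mysql_optimize_cron',false)`, a node that still sets `$mysql_backup_cron = true` as a global silently loses its backup job after upgrading. That behaviour change deserves a comment above the `if` blocks, for example `# set mysql_backup_cron: true in hiera; the old global variable is no longer read`, and a line in the module documentation. A string such as `'false'` returned from hiera is truthy in Puppet, so the keys need to be real booleans in the data.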
@@ -76,8 +72,10 @@ class mysql::server::base {
require => Package['mysql-server'],
}
+ include mysql::server::account_security
+
# Collect all databases and users
- Mysql_database<<| tag == "mysql_${fqdn}" |>>
- Mysql_user<<| tag == "mysql_${fqdn}" |>>
- Mysql_grant<<| tag == "mysql_${fqdn}" |>>
+ Mysql_database<<| tag == "mysql_${::fqdn}" |>>
+ Mysql_user<<| tag == "mysql_${::fqdn}" |>>
+ Mysql_grant<<| tag == "mysql_${::fqdn}" |>>
}
diff --git a/manifests/server/cron/backup.pp b/manifests/server/cron/backup.pp
index c1e84d1..4b5c3e5 100644
--- a/manifests/server/cron/backup.pp
+++ b/manifests/server/cron/backup.pp
@@ -1,15 +1,10 @@
class mysql::server::cron::backup {
-
- $real_mysql_backup_dir = $mysql_backup_dir ? {
- '' => '/var/backups/mysql',
- default => $mysql_backup_dir,
- }
-
- case $mysql_manage_backup_dir {
- false: { info("We don't manage \$mysql_backup_dir ($mysql_backup_dir)") }
+ $mysql_backup_dir = hiera('mysql_backup_dir','/var/backups/mysql')
+ case hiera('mysql_manage_backup_dir',true) {
+ false: { info("We don't manage the mysql_backup_dir") }
default: {
file { 'mysql_backup_dir':
- path => $real_mysql_backup_dir,
+ path => hiera('mysql_backup_dir','/var/backups/mysql'),
ensure => directory,
before => Cron['mysql_backup_cron'],
owner => root, group => 0, mode => 0700;
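Review bot: The `path` of `mysql_backup_dir` repeats the `hiera('mysql_backup_dir','/var/backups/mysql')` lookup instead of using the `$mysql_backup_dir` variable assigned at the top of the class. The default then lives in two places, and the managed directory and the cron command can drift apart if only one is edited. Use `path => $mysql_backup_dir,`. When `mysql_manage_backup_dir` is false, nothing here guarantees the directory is root-only, so a comment on the `false` branch saying the operator must supply a root-owned 0700 directory would make that requirement explicit.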
@@ -18,7 +13,7 @@ class mysql::server::cron::backup {
}
cron { 'mysql_backup_cron':
- command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${real_mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${real_mysql_backup_dir}/mysqldump.sql.gz",
+ command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${mysql_backup_dir}/mysqldump.sql.gz",
user => 'root',
minute => 0,
hour => 1,
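Review bot: The cron command creates `mysqldump.sql.gz` through a shell redirect and only tightens it with `chmod 600` afterwards, so the full dump sits under root's default umask while it is being written. That is contained only if the directory is 0700, which is not enforced when `mysql_manage_backup_dir` is false. Starting the command with `umask 077 && ` closes that window and makes the trailing chmod redundant. `${mysql_backup_dir}` now comes from hiera data and is interpolated unquoted into a shell line run as root, so it should be single-quoted (`> '${mysql_backup_dir}/mysqldump.sql.gz'`) or validated as an absolute path first. The pipeline's exit status is gzip's, so a failed mysqldump still leaves a file behind that looks like a backup.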
diff --git a/manifests/server/munin/default.pp b/manifests/server/munin/default.pp
index d64c831..ad43dc3 100644
--- a/manifests/server/munin/default.pp
+++ b/manifests/server/munin/default.pp
@@ -1,44 +1,36 @@
# manifests/server/munin/default.pp
-class mysql::server::munin::default inherits mysql::server::munin::base {
- case $munin_mysql_password {
- '': { fail("please specify \$munin_mysql_password to enable mysql munin plugin")}
- }
+class mysql::server::munin::default {
+ mysql_user{'munin@localhost':
+ password_hash => trocla("mysql_munin_${::fqdn}",'mysql','length: 32'),
+ require => Package['mysql'],
+ }
- mysql_user{'munin@localhost':
- password_hash => mysql_password("$munin_mysql_password"),
- require => Package['mysql'],
- }
+ mysql_grant{'munin@localhost':
+ privileges => 'select_priv',
+ require => [ Mysql_user['munin@localhost'], Package['mysql'] ],
+ }
- mysql_grant{'munin@localhost':
- privileges => 'select_priv',
- require => [ Mysql_user['munin@localhost'], Package['mysql'] ],
- }
+ $munin_mysql_password = trocla("mysql_munin_${::fqdn}",'plain', 'length: 32')
+ munin::plugin {
+ [mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads]:
+ config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost",
+ require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ]
+ }
- munin::plugin {
- [ mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads ]:
- config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost",
- require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ];
-
- [ mysql_connections, mysql_qcache, mysql_qcache_mem, mysql_size_all ]:
- script_path_in => "/usr/local/share/munin-plugins",
- config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost",
- require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ];
- }
-
- Munin::Plugin::Deploy {
- config => "env.mysqlopts --user=munin --password=$munin_mysql_password -h localhost",
+ Munin::Plugin::Deploy{
+ config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost",
require =>
- [ Mysql_grant['munin@localhost'],
- Mysql_user['munin@localhost'],
- Package['mysql'] ]
- }
- munin::plugin::deploy{
- 'mysql_connections':
- source => 'mysql/munin/mysql_connections';
- 'mysql_qcache':
- source => 'mysql/munin/mysql_qcache';
- 'mysql_qcache_mem':
- source => 'mysql/munin/mysql_qcache_mem';
- }
+ [ Mysql_grant['munin@localhost'],
+ Mysql_user['munin@localhost'],
+ Package['mysql'] ]
+ }
+ munin::plugin::deploy{
+ 'mysql_connections':
+ source => 'mysql/munin/mysql_connections';
+ 'mysql_qcache':
+ source => 'mysql/munin/mysql_qcache';
+ 'mysql_qcache_mem':
+ source => 'mysql/munin/mysql_qcache_mem';
+ }
}
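Review bot: `$munin_mysql_password` is fetched from trocla in `plain` format and interpolated into `env.mysqlopts --user=munin --password=${munin_mysql_password}` in both the `munin::plugin` block and the `Munin::Plugin::Deploy` defaults. The cleartext therefore lands in the compiled catalog and in the munin plugin configuration on disk, and most likely on the command line of the mysql client the plugins run, where other local users can read it from the process list. Consider writing the credentials to a client option file readable only by the plugin user and passing `--defaults-extra-file=<path to that file>` in `env.mysqlopts`; whether the plugins accept that depends on how they use `mysqlopts`, which is not visible here. The value is also unquoted, so a generated password containing whitespace or shell metacharacters would break the option string unless trocla is restricted to a safe character set. The account holds only `select_priv`, which limits the impact, but the mode of the generated plugin config file should still be checked.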
diff --git a/manifests/server/nagios.pp b/manifests/server/nagios.pp
index 28e52bb..26644db 100644
--- a/manifests/server/nagios.pp
+++ b/manifests/server/nagios.pp
@@ -1,28 +1,24 @@
# manifests/server/nagios.pp
class mysql::server::nagios {
- case $nagios_mysql_password {
- '': { fail("please specify \$nagios_mysql_password to enable nagios mysql check")}
- }
-
# Flip this variable if you need to check MySQL through check_ssh or check_nrpe,
# in that case you will have to manually define nagios::service::mysql
- if ($nagios_mysql_notcp != true) {
+ if (hiera('nagios_mysql_notcp',false) != true) {
$nagios_mysql_user = 'nagios@%'
nagios::service::mysql { 'connection-time':
- check_host => $fqdn,
+ check_hostname => $::fqdn,
require => Mysql_grant[$nagios_mysql_user],
}
}
else {
$nagios_mysql_user = 'nagios@localhost'
}
-
+
mysql_user{$nagios_mysql_user:
- password_hash => mysql_password("${nagios_mysql_password}"),
+ password_hash => trocla("mysql_nagios_${::fqdn}",'mysql','length: 32'),
require => Package['mysql'],
}
-
+
# repl_client_priv is needed to check the replication slave status
# modes: slave-lag, slave-io-running and slave-sql-running
mysql_grant{$nagios_mysql_user: