geerlingguy · alessekhjoy1824-automation · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -54,10 +54,13 @@ mysql_log_file_group: mysql
 
 # Slow query log settings.
 mysql_slow_query_log_enabled: false
-mysql_slow_query_time: "2"
+mysql_slow_query_time: 2
 # The following variable has a default value depending on operating system.
 # mysql_slow_query_log_file: /var/log/mysql-slow.log
 
+# Security hardening settings.
+mysql_secure_installation: true
+
 # Memory settings (default values optimized ~512MB RAM).
 mysql_key_buffer_size: "256M"
 mysql_max_allowed_packet: "64M"

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -20,6 +20,15 @@
 
 # Configure MySQL.
 - ansible.builtin.include_tasks: configure.yml
+
+- name: Include secure installation tasks
+  include_tasks: secure-install.yml
+  when: mysql_secure_installation | bool
+
+- name: Include slow query log configuration
+  include_tasks: slow-query-log.yml
+  when: mysql_slow_query_log_enabled | bool
+
 - ansible.builtin.include_tasks: secure-installation.yml
 - ansible.builtin.include_tasks: databases.yml
 - ansible.builtin.include_tasks: users.yml

diff --git a/tasks/secure-install.yml b/tasks/secure-install.yml
@@ -0,0 +1,22 @@
+---
+- name: Get list of hosts for the anonymous user
+  ansible.builtin.command: "{{ mysql_daemon }} -NBe \"SELECT Host FROM mysql.user WHERE User = ''\""
+  register: mysql_anonymous_hosts
+  changed_when: false
+  check_mode: false
+
+- name: Remove anonymous MySQL users
+  mysql_user:
+    name: ""
+    host: "{{ item }}"
+    state: absent
+  with_items: "{{ mysql_anonymous_hosts.stdout_lines | default([]) }}"
+
+- name: Disallow root login remotely
+  ansible.builtin.command: "{{ mysql_daemon }} -NBe \"DELETE FROM mysql.user WHERE User='{{ mysql_root_username }}' AND Host NOT IN ('localhost', '127.0.0.1', '::1')\""
+  changed_when: false
+
+- name: Remove MySQL test database
+  mysql_db:
+    name: test
+    state: absent
diff --git a/tasks/slow-query-log.yml b/tasks/slow-query-log.yml
@@ -0,0 +1,21 @@
+---
+- name: Ensure slow query log directory exists
+  ansible.builtin.file:
+    path: /var/log/mysql
+    state: directory
+    owner: mysql
+    group: "{{ mysql_log_file_group }}"
+    mode: 0755
+
+- name: Configure slow query log
+  ansible.builtin.copy:
+    dest: /etc/mysql/conf.d/slow-query.cnf
+    owner: root
+    group: root
+    mode: 0644
+    content: |
+      [mysqld]
+      slow_query_log = {{ 'ON' if mysql_slow_query_log_enabled else 'OFF' }}
+      long_query_time = {{ mysql_slow_query_time | default(2) }}
+      slow_query_log_file = /var/log/mysql/slow.log
+  notify: restart mysql