Mysql: store NRPE credentials in secure file

mysql/defaults/main.yml

@@ -16,3 +16,5 @@ mysql_thread_cache_size: '{{ ansible_processor_cores }}'
 mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M'
 
 mysql_cron_optimize: True
+
+mysql_force_new_nrpe_password: False

mysql/tasks/nrpe.yml

@@ -4,39 +4,50 @@
   stat:
     path: /etc/nagios/nrpe.d/evolix.cfg
   check_mode: no
-  
   register: nrpe_evolix_config
   tags:
     - mysql
     - nrpe
 
+- name: NRPE user exists for MySQL ?
+  stat:
+    path: ~nagios/.my.cnf
+  check_mode: no
+  register: nrpe_my_cnf
+  tags:
+    - mysql
+    - nrpe
+
 - block:
   - name: Create a password for NRPE
     shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'
     register: mysql_nrpe_password
     changed_when: False
 
-  - debug:
-      msg: "repl password: {{ mysql_nrpe_password.stdout }}"
-
   - name: Create nrpe user
     mysql_user:
       name: nrpe
       password: '{{ mysql_nrpe_password.stdout }}'
       config_file: /root/.my.cnf
-      update_password: on_create
+      update_password: always
       state: present
     register: create_nrpe_user
 
-  - name: config check_mysql to use the new password
-    replace:
-      dest: /etc/nagios/nrpe.d/evolix.cfg
-      regexp: '\bMYSQL_PASSWD\b'
-      replace: '{{ mysql_nrpe_password.stdout }}'
-    notify: restart nagios-nrpe-server
+  - name: Store credentials in nagios home
+    ini_file:
+      dest: "~nagios/.my.cnf"
+      owner: nagios
+      group: nagios
+      mode: "0600"
+      section: client
+      option: '{{ item.option }}'
+      value: '{{ item.value }}'
+    with_items:
+      - { option: 'user', value: 'nrpe' }
+      - { option: 'password', value: '{{ mysql_nrpe_password.stdout }}' }
     when: create_nrpe_user.changed
 
-  when: nrpe_evolix_config.stat.exists
+  when: nrpe_evolix_config.stat.exists and (not nrpe_my_cnf.stat.exists or mysql_force_new_nrpe_password)
   tags:
     - mysql
     - nrpe