From 0f5c666464994205efb71b2fd0cdb0da837e45b5 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Thu, 21 Sep 2023 07:02:14 +0200
Subject: [PATCH 1/4] r67016-changing-path-for-database_backup-task
---
 roles/database_backup/database_backup-mysql/defaults/main.yml | 1 +
 roles/database_backup/database_backup-mysql/tasks/deploy.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/database_backup/database_backup-mysql/defaults/main.yml b/roles/database_backup/database_backup-mysql/defaults/main.yml
index 1cbc2e11..3485ba43 100644
--- a/roles/database_backup/database_backup-mysql/defaults/main.yml
+++ b/roles/database_backup/database_backup-mysql/defaults/main.yml
@@ -20,3 +20,4 @@ mysql_backup:
 - database: "{{ (project_name + '_' + build_type) | regex_replace('-', '_') }}" # avoid hyphens in MySQL database names
 user: "{{ (project_name + '_' + build_type) | truncate(32, true, '', 0) }}" # 32 char limit
 credentials_file: "/home/{{ deploy_user }}/.mysql.creds"
+_mysql_password_path: "/tmp/{{ project_name }}_{{ build_type }}_{{ build_number }}"
diff --git a/roles/database_backup/database_backup-mysql/tasks/deploy.yml b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
index 4160806c..c230bdfd 100644
--- a/roles/database_backup/database_backup-mysql/tasks/deploy.yml
+++ b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
@@ -79,7 +79,7 @@
 _mysql_build_user_name: "{{ database.user }}_{{ build_number }}"
 when: mysql_backup.credentials_handling == 'rotate'
 - ansible.builtin.set_fact:
- _mysql_build_password: "{{ lookup('password', '/dev/shm/{{ project_name }}_{{ build_type }}_{{ build_number }}') }}"
+ _mysql_build_password: "{{ lookup('password', '{{ _mysql_password_path }}') }}"
 when: mysql_backup.credentials_handling == 'rotate'
 - ansible.builtin.include_tasks: "deploy-{{ mysql_backup.handling }}.yml"
From eb0b16ff7554efa6ad87dd9cd35acb86cfc7ddd2 Mon Sep 17 00:00:00 2001
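Review bot: The new `_mysql_build_password` line keeps an inner moustache inside the lookup's string argument, `'{{ _mysql_password_path }}'`, which relies on Ansible re-templating the rendered string a second time instead of passing the variable to the lookup directly; the plain form `_mysql_build_password: "{{ lookup('password', _mysql_password_path) }}"` does the same job without nested templating. The same shape survives in the second patch's deploy.yml hunk at `@@ -79,7 +84,7 @@`, where it becomes `'{{ mysql_backup.mysql_password_path }}'` and could likewise be `lookup('password', mysql_backup.mysql_password_path)`. Note that lookups run on the controller, not on the managed host, so this hunk changes where the controller stashes the plaintext password: `/dev/shm` is normally memory-backed, whereas `/tmp` is disk-backed on many distributions, and nothing in this series addresses that difference. The enclosing task list continues outside the hunk.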
From: gregharvey
Date: Wed, 4 Oct 2023 18:00:05 +0200
Subject: [PATCH 2/4] Slight refactor to use a directory we can safelist with rkhunter.
---
 .../database_backup-mysql/defaults/main.yml | 4 +++-
 .../database_backup/database_backup-mysql/tasks/deploy.yml | 7 ++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/roles/database_backup/database_backup-mysql/defaults/main.yml b/roles/database_backup/database_backup-mysql/defaults/main.yml
index ceae7ec6..052bef2d 100644
--- a/roles/database_backup/database_backup-mysql/defaults/main.yml
+++ b/roles/database_backup/database_backup-mysql/defaults/main.yml
@@ -3,6 +3,8 @@ mysql_backup:
 handling: rolling
 dumps_directory: "/home/{{ deploy_user }}/shared/{{ project_name }}_{{ build_type }}/db_backups/mysql/build"
 mysqldump_params: "{{ _mysqldump_params }}" # set in _init but you can override here
+ # Location on deploy server where the generated MySQL password will be stashed - should be temporary storage
+ mysql_password_path: "/tmp/.ce-deploy/{{ project_name }}_{{ build_type }}_{{ build_number }}"
 # Number of dumps/db to keep. Note this is independant from the build codebases.
 keep: 10
 # This can be one of the following:
@@ -21,4 +23,4 @@ mysql_backup:
 user: "{{ (project_name + '_' + build_type) | truncate(32, true, '', 0) }}" # 32 char limit
 credentials_file: "/home/{{ deploy_user }}/.mysql.creds"
 #handling: static # optional override to the main handling method on a per database basis
-_mysql_password_path: "/tmp/{{ project_name }}_{{ build_type }}_{{ build_number }}"
+
diff --git a/roles/database_backup/database_backup-mysql/tasks/deploy.yml b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
index 87aa5f11..8d93c118 100644
--- a/roles/database_backup/database_backup-mysql/tasks/deploy.yml
+++ b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
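Review bot: `mysql_password_path` writes one plaintext password file per `build_number` under `/tmp/.ce-deploy`, and the new comment's "should be temporary storage" is the only thing standing in for cleanup: none of the hunks in this series remove the file once the rotated credentials have been applied, so the files accumulate until whatever purges `/tmp` on the controller runs, which on many distributions is only a reboot or a tmpfiles policy. The rkhunter motivation in the subject is reasonable, but the default should either be paired with a cleanup step at the end of the rotate flow or the comment should say who is responsible for purging the directory. Suggested wording: `# Location on the deploy server (the Ansible controller, where lookups run) where the generated MySQL password is stashed. One file per build_number is written and these tasks do not remove it, so point this at storage that is purged regularly.` The removal of the top-level `_mysql_password_path` in the second hunk is consistent with the rename and needs nothing further.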
@@ -71,6 +71,11 @@
 - _legacy_static_creds.stat.exists
 ### End of legacy handling.
+- name: Ensure the temporary password directory exists.
+ ansible.builtin.file:
+ state: directory
+ path: "{{ mysql_backup.mysql_password_path }}"
+
 - ansible.builtin.set_fact:
 _mysql_build_password: "{{ lookup('password', '{{ _ce_deploy_data_dir }}/{{ project_name }}_{{ build_type }}/mysql/{{ _mysql_host }}/{{ database.database }}') }}"
 when: mysql_backup.credentials_handling == 'static'
@@ -79,7 +84,7 @@
 _mysql_build_user_name: "{{ database.user }}_{{ build_number }}"
 when: mysql_backup.credentials_handling == 'rotate'
 - ansible.builtin.set_fact:
- _mysql_build_password: "{{ lookup('password', '{{ _mysql_password_path }}') }}"
+ _mysql_build_password: "{{ lookup('password', '{{ mysql_backup.mysql_password_path }}') }}"
 when: mysql_backup.credentials_handling == 'rotate'
 - name: "Set database handling type to {{ mysql_backup.handling }}."
From 52185770c15ef7034a630a421cc4593870a8b4b3 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Wed, 4 Oct 2023 18:03:01 +0200
Subject: [PATCH 3/4] Docs update.
---
 docs/roles/cache_clear/cache_clear-opcache.md | 2 +-
 docs/roles/database_backup/database_backup-mysql.md | 3 +++
 roles/cache_clear/cache_clear-opcache/README.md | 2 +-
 roles/database_backup/database_backup-mysql/README.md | 3 +++
 4 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/docs/roles/cache_clear/cache_clear-opcache.md b/docs/roles/cache_clear/cache_clear-opcache.md
index 465307e2..bb0bd05d 100644
--- a/docs/roles/cache_clear/cache_clear-opcache.md
+++ b/docs/roles/cache_clear/cache_clear-opcache.md
@@ -18,7 +18,7 @@ cache_clear_opcache:
 # Bins to clear.
 clear_opcache: true
 clear_apcu: false
- clear_stat: false
+ clear_stat: true
 # cachetool_bin: "/path/to/cachetool.phar" # see _init for paths if undefined
 ```
diff --git a/docs/roles/database_backup/database_backup-mysql.md b/docs/roles/database_backup/database_backup-mysql.md
index 3a7ec471..6637e2da 100644
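Review bot: The added `ansible.builtin.file` task creates a directory at `{{ mysql_backup.mysql_password_path }}`, but the `rotate` branch in the next hunk (`@@ -79,7 +84,7 @@`) hands that same full path to `lookup('password', …)` as the file the password is written to and read back from, so once the directory exists the lookup finds a directory where it expects a file. The intent is presumably the parent directory, i.e. `path: "{{ mysql_backup.mysql_password_path | dirname }}"`, which resolves to `/tmp/.ce-deploy` for the default value. Because that directory sits under the shared `/tmp` and holds a plaintext password file, it should also get an explicit `mode: "0700"` rather than whatever the umask yields. Two further caveats: the `file` module runs on the inventory host while the lookup runs on the controller, so this task only helps when the play targets the controller itself, and as far as I recall the password lookup already creates missing parent directories, in which case the task may be redundant altogether.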
--- a/docs/roles/database_backup/database_backup-mysql.md
+++ b/docs/roles/database_backup/database_backup-mysql.md
@@ -8,6 +8,8 @@ mysql_backup:
 handling: rolling
 dumps_directory: "/home/{{ deploy_user }}/shared/{{ project_name }}_{{ build_type }}/db_backups/mysql/build"
 mysqldump_params: "{{ _mysqldump_params }}" # set in _init but you can override here
+ # Location on deploy server where the generated MySQL password will be stashed - should be temporary storage
+ mysql_password_path: "/tmp/.ce-deploy/{{ project_name }}_{{ build_type }}_{{ build_number }}"
 # Number of dumps/db to keep. Note this is independant from the build codebases.
 keep: 10
 # This can be one of the following:
@@ -27,6 +29,7 @@ mysql_backup:
 credentials_file: "/home/{{ deploy_user }}/.mysql.creds"
 #handling: static # optional override to the main handling method on a per database basis
+
 ```
diff --git a/roles/cache_clear/cache_clear-opcache/README.md b/roles/cache_clear/cache_clear-opcache/README.md
index 465307e2..bb0bd05d 100644
--- a/roles/cache_clear/cache_clear-opcache/README.md
+++ b/roles/cache_clear/cache_clear-opcache/README.md
@@ -18,7 +18,7 @@ cache_clear_opcache:
 # Bins to clear.
 clear_opcache: true
 clear_apcu: false
- clear_stat: false
+ clear_stat: true
 # cachetool_bin: "/path/to/cachetool.phar" # see _init for paths if undefined
 ```
diff --git a/roles/database_backup/database_backup-mysql/README.md b/roles/database_backup/database_backup-mysql/README.md
index 3a7ec471..6637e2da 100644
--- a/roles/database_backup/database_backup-mysql/README.md
+++ b/roles/database_backup/database_backup-mysql/README.md
@@ -8,6 +8,8 @@ mysql_backup:
 handling: rolling
 dumps_directory: "/home/{{ deploy_user }}/shared/{{ project_name }}_{{ build_type }}/db_backups/mysql/build"
 mysqldump_params: "{{ _mysqldump_params }}" # set in _init but you can override here
+ # Location on deploy server where the generated MySQL password will be stashed - should be temporary storage
+ mysql_password_path: "/tmp/.ce-deploy/{{ project_name }}_{{ build_type }}_{{ build_number }}"
 # Number of dumps/db to keep. Note this is independant from the build codebases.
 keep: 10
 # This can be one of the following:
@@ -27,6 +29,7 @@ mysql_backup:
 credentials_file: "/home/{{ deploy_user }}/.mysql.creds"
 #handling: static # optional override to the main handling method on a per database basis
+
 ```
From 83d769ede3430aed4e6a2433da21c311c9c93273 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Wed, 4 Oct 2023 18:06:44 +0200
Subject: [PATCH 4/4] Removing rogue extra line.
---
 roles/database_backup/database_backup-mysql/defaults/main.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/roles/database_backup/database_backup-mysql/defaults/main.yml b/roles/database_backup/database_backup-mysql/defaults/main.yml
index 052bef2d..1091f8d7 100644
--- a/roles/database_backup/database_backup-mysql/defaults/main.yml
+++ b/roles/database_backup/database_backup-mysql/defaults/main.yml
@@ -23,4 +23,3 @@ mysql_backup:
 user: "{{ (project_name + '_' + build_type) | truncate(32, true, '', 0) }}" # 32 char limit
 credentials_file: "/home/{{ deploy_user }}/.mysql.creds"
 #handling: static # optional override to the main handling method on a per database basis
-