From f2b0a1d4dd1eae9278855cb34e824cd307dc09c4 Mon Sep 17 00:00:00 2001
From: Jochen Issing <github@nesono.com>
Date: Sat, 28 Mar 2026 14:16:25 +0100
Subject: [PATCH 1/2] Upgrade MySQL from 8.0 to 8.4 LTS (step 2 of LTS
 migration)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Second step of the safe migration path: 5.7 → 8.0 → 8.4 LTS.
MySQL 8.4 is the current LTS release (supported until April 2032).

- Enable --mysql-native-password=ON since 8.4 disables it by default;
  existing clients (dovecot, postfix, postfixadmin, WordPress) still
  use the old auth plugin. Users should be migrated to
  caching_sha2_password in a follow-up.
- Disable healthchecks during migration to prevent premature container
  kills while the upgrade runs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 roles/compose/files/docker-compose.yaml | 38 ++++++++++++++-----------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/roles/compose/files/docker-compose.yaml b/roles/compose/files/docker-compose.yaml
index bc5230d..4f5f742 100644
--- a/roles/compose/files/docker-compose.yaml
+++ b/roles/compose/files/docker-compose.yaml
@@ -98,7 +98,8 @@ services:
 
   # MySQL database for mail
   mysql_mail:
-    image: mysql:8.0
+    image: mysql:8.4
+    command: --mysql-native-password=ON
     volumes:
       - mysql_mail_data:/var/lib/mysql
       - mysql_mail_init_db:/docker-entrypoint-initdb.d
@@ -113,15 +114,16 @@ services:
       - mysql_mail_root_password
     networks:
       - mail_internal
-    healthcheck:
-      test:
-        [
-          "CMD-SHELL",
-          "mysqladmin ping -h localhost -u root -p$$(cat /run/secrets/mysql_mail_root_password) || exit 1",
-        ]
-      interval: 30s
-      timeout: 10s
-      retries: 3
+    # healthcheck disabled during 8.0 → 8.4 migration
+    # healthcheck:
+    #   test:
+    #     [
+    #       "CMD-SHELL",
+    #       "mysqladmin ping -h localhost -u root -p$$(cat /run/secrets/mysql_mail_root_password) || exit 1",
+    #     ]
+    #   interval: 30s
+    #   timeout: 10s
+    #   retries: 3
     restart: unless-stopped
 
   # Dovecot IMAP server
@@ -624,7 +626,8 @@ services:
 
   # WordPress services
   mysql_wordpress_noerpel:
-    image: mysql:8.0
+    image: mysql:8.4
+    command: --mysql-native-password=ON
     volumes:
       - mysql_wordpress_noerpel_data:/var/lib/mysql
     environment:
@@ -638,12 +641,13 @@ services:
       - mysql_wordpress_noerpel_root_password
     networks:
       - wordpress_noerpel_internal
-    healthcheck:
-      test:
-        [
-          "CMD-SHELL",
-          "mysqladmin ping -h localhost -u root -p$$(cat /run/secrets/mysql_wordpress_noerpel_root_password) || exit 1",
-        ]
+    # healthcheck disabled during 8.0 → 8.4 migration
+    # healthcheck:
+    #   test:
+    #     [
+    #       "CMD-SHELL",
+    #       "mysqladmin ping -h localhost -u root -p$$(cat /run/secrets/mysql_wordpress_noerpel_root_password) || exit 1",
+    #     ]
     restart: unless-stopped
 
   wordpress_noerpel:

From 53e2d94ab1330058530b5b598adf2cf602f3a299 Mon Sep 17 00:00:00 2001
From: Jochen Issing <github@nesono.com>
Date: Sat, 28 Mar 2026 14:36:45 +0100
Subject: [PATCH 2/2] Re-enable MySQL healthchecks after 8.4 migration

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 roles/compose/files/docker-compose.yaml | 32 ++++++++++++-------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/roles/compose/files/docker-compose.yaml b/roles/compose/files/docker-compose.yaml
index 4f5f742..9855a78 100644
--- a/roles/compose/files/docker-compose.yaml
+++ b/roles/compose/files/docker-compose.yaml
@@ -114,16 +114,15 @@ services:
       - mysql_mail_root_password
     networks:
       - mail_internal
-    # healthcheck disabled during 8.0 → 8.4 migration
-    # healthcheck:
-    #   test:
-    #     [
-    #       "CMD-SHELL",
-    #       "mysqladmin ping -h localhost -u root -p$$(cat /run/secrets/mysql_mail_root_password) || exit 1",
-    #     ]
-    #   interval: 30s
-    #   timeout: 10s
-    #   retries: 3
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "mysqladmin ping -h localhost -u root -p$$(cat /run/secrets/mysql_mail_root_password) || exit 1",
+        ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     restart: unless-stopped
 
   # Dovecot IMAP server
@@ -641,13 +640,12 @@ services:
       - mysql_wordpress_noerpel_root_password
     networks:
       - wordpress_noerpel_internal
-    # healthcheck disabled during 8.0 → 8.4 migration
-    # healthcheck:
-    #   test:
-    #     [
-    #       "CMD-SHELL",
-    #       "mysqladmin ping -h localhost -u root -p$$(cat /run/secrets/mysql_wordpress_noerpel_root_password) || exit 1",
-    #     ]
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "mysqladmin ping -h localhost -u root -p$$(cat /run/secrets/mysql_wordpress_noerpel_root_password) || exit 1",
+        ]
     restart: unless-stopped
 
   wordpress_noerpel: