Update to 2021-12-01 19:13

roles/mongodb_server/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+
+mongo_port: 27017
+mongo_src_ip: []
+mongo_db_path: /var/lib/mongo
+# Should authorization be enabled
+mongo_auth: True
+mongo_admin_user: mongoadmin
+# A random one will be created if not defined here
+# mongo_admin_pass: S3cr3t.
+...

roles/mongodb_server/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: restart mongod
+  service: name=mongod state=restarted enabled=yes

roles/mongodb_server/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+  - role: mkdir
+  - role: repo_mongodb

roles/mongodb_server/tasks/conf.yml

@@ -0,0 +1,40 @@
+---
+
+- name: Deploy mongorc.js for the root user
+  template: src=mongorc.js.j2 dest=/root/.mongorc.js mode=600
+  register: mongo_mongorc
+  tags: mongo
+
+- when: mongo_mongorc.changed
+  block:
+
+    - name: Temporarily disable auth
+      template: src=mongod.conf.j2 dest=/etc/mongod.conf
+      vars:
+        - mongo_auth: False
+
+    - name: Restart mongo
+      service: name=mongod state=restarted
+
+    - name: Create the admin user
+      mongodb_user:
+        database: admin
+        name: "{{ mongo_admin_user }}"
+        password: "{{ mongo_admin_pass }}"
+        login_port: "{{ mongo_port }}"
+        roles:
+          - readWriteAnyDatabase
+          - userAdminAnyDatabase
+          - dbAdminAnyDatabase
+      tags: mongo
+
+  tags: mongo
+
+- name: Deploy configuration
+  template: src=mongod.conf.j2 dest=/etc/mongod.conf
+  notify: restart mongod
+  tags: mongo
+
+- name: Deploy mongorc.js for the root user
+  template: src=mongorc.js.j2 dest=/root/.mongorc.js mode=600
+  tags: mongo

roles/mongodb_server/tasks/facts.yml

@@ -0,0 +1,19 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: mongo
+
+# Create a random encryption password
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "/root/.mongo.pw"
+    - set_fact: mongo_admin_pass={{ rand_pass }}
+  when: mongo_admin_pass is not defined
+  tags: mongo
+

roles/mongodb_server/tasks/install.yml

@@ -0,0 +1,60 @@
+---
+
+- name: Remove versions from the base repo
+  yum:
+    name:
+      - mongodb
+      - mongodb-server
+    state: absent
+  tags: mongo
+
+- name: Install MongoDB server and tools
+  yum: name={{ mongo_packages }}
+  tags: mongo
+
+# We install from pip because pymongo available in repo for both EL7 and EL8 is too old
+# it doesn't support CRAM-SHA-256 for example
+- name: Install pymongo
+  pip: name=pymongo state=latest
+  tags: mongo
+
+- name: Create data dir
+  file: path={{ mongo_db_path }} state=directory
+  tags: mongo
+
+  # Do it in two times so parent dir don't have restrictive permissions
+- name: Set permissions on data dir
+  file: path={{ mongo_db_path }} state=directory owner=mongod group=mongod mode=700
+  tags: mongo
+
+- name: Deploy pre/post backup scripts
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mongo mode=750
+  loop:
+    - pre
+    - post
+  tags: mongo
+
+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/mongod.service.d state=directory
+  tags: mongo
+
+- name: Customize systemd unit
+  copy:
+    content: |
+      [Service]
+      PrivateTmp=yes
+      ProtectSystem=full
+      ProtectHome=yes
+      Restart=on-failure
+      StartLimitInterval=0
+      RestartSec=30
+    dest: /etc/systemd/system/mongod.service.d/ansible.conf
+  register: mongo_unit
+  notify: restart mongod
+  tags: mongo
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: mongo_unit.changed
+  tags: mongo
+

roles/mongodb_server/tasks/iptables.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Handle mongodb port
+  iptables_raw:
+    name: mongo_ports
+    state: "{{ (mongo_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mongo_port }} -s {{ mongo_src_ip | join(',') }} -j ACCEPT\n"
+  tags: firewall,mongo
+

roles/mongodb_server/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+
+- include: facts.yml
+- include: install.yml
+- include: selinux.yml
+  when: ansible_selinux.status == 'enabled'
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: conf.yml
+- include: services.yml
+
+...

roles/mongodb_server/tasks/selinux.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Set correct SELinux label
+  sefcontext:
+    target: "{{ mongo_db_path }}"
+    setype: mongod_var_lib_t
+    state: present
+  tags: mongo
+
+- name: Restore SELinux contexts
+  command: restorecon -R {{ mongo_db_path }}
+  changed_when: False
+  tags: mongo
+

roles/mongodb_server/tasks/services.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable MongoDB daemon
+  service: name=mongod state=started enabled=yes
+  tags: mongo
+

roles/mongodb_server/templates/mongod.conf.j2

@@ -0,0 +1,16 @@
+systemLog:
+  destination: syslog
+processManagement:
+  fork: true
+  pidFilePath: /var/run/mongodb/mongod.pid
+net:
+  port: {{ mongo_port }}
+  bindIp: 0.0.0.0
+  bindIpAll: true
+  unixDomainSocket:
+    pathPrefix: /var/run/mongodb
+security:
+  authorization: {{ mongo_auth | ternary('enabled','disabled') }}
+storage:
+  dbPath: {{ mongo_db_path }}
+  

roles/mongodb_server/templates/mongorc.js.j2

@@ -0,0 +1,2 @@
+db = connect('localhost:{{ mongo_port }}/admin');
+db.auth('{{ mongo_admin_user }}', '{{ mongo_admin_pass }}');

roles/mongodb_server/templates/post-backup.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -rf /home/lbkp/mongo/*

roles/mongodb_server/templates/pre-backup.j2

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eo pipefail
+
+mkdir -p /home/lbkp/mongo
+mongodump --username {{ mongo_admin_user }} --password {{ mongo_admin_pass | quote }} --quiet --port {{ mongo_port }} --out /home/lbkp/mongo

roles/mongodb_server/vars/RedHat-7.yml

@@ -0,0 +1,6 @@
+---
+
+mongo_packages:
+  - mongodb-org-server
+  - mongodb-org
+  - python-pip

roles/mongodb_server/vars/RedHat-8.yml

@@ -0,0 +1,6 @@
+---
+
+mongo_packages:
+  - mongodb-org-server
+  - mongodb-org
+  - python3-pip