Update to 2021-12-01 19:13

roles/mongodb_server/tasks/conf.yml

@@ -0,0 +1,40 @@
+---
+
+- name: Deploy mongorc.js for the root user
+  template: src=mongorc.js.j2 dest=/root/.mongorc.js mode=600
+  register: mongo_mongorc
+  tags: mongo
+
+- when: mongo_mongorc.changed
+  block:
+
+    - name: Temporarily disable auth
+      template: src=mongod.conf.j2 dest=/etc/mongod.conf
+      vars:
+        - mongo_auth: False
+
+    - name: Restart mongo
+      service: name=mongod state=restarted
+
+    - name: Create the admin user
+      mongodb_user:
+        database: admin
+        name: "{{ mongo_admin_user }}"
+        password: "{{ mongo_admin_pass }}"
+        login_port: "{{ mongo_port }}"
+        roles:
+          - readWriteAnyDatabase
+          - userAdminAnyDatabase
+          - dbAdminAnyDatabase
+      tags: mongo
+
+  tags: mongo
+
+- name: Deploy configuration
+  template: src=mongod.conf.j2 dest=/etc/mongod.conf
+  notify: restart mongod
+  tags: mongo
+
+- name: Deploy mongorc.js for the root user
+  template: src=mongorc.js.j2 dest=/root/.mongorc.js mode=600
+  tags: mongo

roles/mongodb_server/tasks/facts.yml

@@ -0,0 +1,19 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: mongo
+
+# Create a random encryption password
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "/root/.mongo.pw"
+    - set_fact: mongo_admin_pass={{ rand_pass }}
+  when: mongo_admin_pass is not defined
+  tags: mongo
+

roles/mongodb_server/tasks/install.yml

@@ -0,0 +1,60 @@
+---
+
+- name: Remove versions from the base repo
+  yum:
+    name:
+      - mongodb
+      - mongodb-server
+    state: absent
+  tags: mongo
+
+- name: Install MongoDB server and tools
+  yum: name={{ mongo_packages }}
+  tags: mongo
+
+# We install from pip because pymongo available in repo for both EL7 and EL8 is too old
+# it doesn't support CRAM-SHA-256 for example
+- name: Install pymongo
+  pip: name=pymongo state=latest
+  tags: mongo
+
+- name: Create data dir
+  file: path={{ mongo_db_path }} state=directory
+  tags: mongo
+
+  # Do it in two times so parent dir don't have restrictive permissions
+- name: Set permissions on data dir
+  file: path={{ mongo_db_path }} state=directory owner=mongod group=mongod mode=700
+  tags: mongo
+
+- name: Deploy pre/post backup scripts
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mongo mode=750
+  loop:
+    - pre
+    - post
+  tags: mongo
+
+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/mongod.service.d state=directory
+  tags: mongo
+
+- name: Customize systemd unit
+  copy:
+    content: |
+      [Service]
+      PrivateTmp=yes
+      ProtectSystem=full
+      ProtectHome=yes
+      Restart=on-failure
+      StartLimitInterval=0
+      RestartSec=30
+    dest: /etc/systemd/system/mongod.service.d/ansible.conf
+  register: mongo_unit
+  notify: restart mongod
+  tags: mongo
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: mongo_unit.changed
+  tags: mongo
+

roles/mongodb_server/tasks/iptables.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Handle mongodb port
+  iptables_raw:
+    name: mongo_ports
+    state: "{{ (mongo_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mongo_port }} -s {{ mongo_src_ip | join(',') }} -j ACCEPT\n"
+  tags: firewall,mongo
+

roles/mongodb_server/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+
+- include: facts.yml
+- include: install.yml
+- include: selinux.yml
+  when: ansible_selinux.status == 'enabled'
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: conf.yml
+- include: services.yml
+
+...

roles/mongodb_server/tasks/selinux.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Set correct SELinux label
+  sefcontext:
+    target: "{{ mongo_db_path }}"
+    setype: mongod_var_lib_t
+    state: present
+  tags: mongo
+
+- name: Restore SELinux contexts
+  command: restorecon -R {{ mongo_db_path }}
+  changed_when: False
+  tags: mongo
+

roles/mongodb_server/tasks/services.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable MongoDB daemon
+  service: name=mongod state=started enabled=yes
+  tags: mongo
+