From 1f10474860222d46bd8d1ac84ea931025af491c5 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 16 Mar 2024 16:13:56 +0000
Subject: [PATCH] mongosh: Use startup params and enable replset

---
 roles/mongodb/tasks/main.yml | 43 +++++++++++++++++++-------
 roles/mongodb/templates/mongod.conf.j2 | 2 +-
 2 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml
index 71ad3ce..41c12a2 100644
--- a/roles/mongodb/tasks/main.yml
+++ b/roles/mongodb/tasks/main.yml
@@ -82,20 +82,39 @@
     owner: root
     group: "{{ ansible_wheel }}"
 
+- name: Create configuration directory
+  ansible.builtin.file:
+    path: /etc/mongod
+    state: directory
+    mode: 0750
+    owner: root
+    group: mongod
+
+- name: Copy keyfile
+  ansible.builtin.copy:
+    dest: /etc/mongod/mongod.key
+    src: "{{ ansible_private }}/files/mongod/mongod.key"
+    mode: "0400"
+    owner: mongod
+    group: mongod
+  notify: Restart mongod
+
 - name: Configure startup options
   ansible.builtin.copy:
     dest: /etc/sysconfig/mongod
     content: |
-      OPTIONS="-f /etc/mongod.conf --logRotate reopen"
-    mode: "0644"
-    owner: root
-    group: "{{ ansible_wheel }}"
-  notify: Restart mongod
-
-- name: Create configuration
-  ansible.builtin.template:
-    dest: /etc/mongod.conf
-    src: mongod.conf.j2
+      OPTIONS="-f /etc/mongod.conf \
+      --auth \
+      --bind_ip_all \
+      --dbpath /srv/mongodb \
+      --keyFile /etc/mongod/mongod.key \
+      --logRotate reopen \
+      --nounixsocket
+      --replSet rs0 \
+      --tlsMode requireTLS \
+      --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem
+      --tlsCAFile {{ tls_certs }}/ca.crt
+      --tlsDisabledProtocols TLS1_0,TLS1_1,TLS1_2"
     mode: "0644"
     owner: root
     group: "{{ ansible_wheel }}"
@@ -114,5 +133,7 @@
       alias mongosh='mongosh --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem
       --tlsCAFile {{ tls_certs }}/ca.crt
+      --username root
+      --password {{ mongodb_root_password }}
       --tls mongodb://{{ inventory_hostname }}/'
-    regexp: ^alias mongo=.*
+    regexp: ^alias mongosh=.*
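Review bot: The OPTIONS block scalar in the Configure startup options task mixes continued and unterminated lines: `--nounixsocket`, `--tlsCertificateKeyFile {{ tls_private }}/mongodb.pem` and `--tlsCAFile {{ tls_certs }}/ca.crt` lack the trailing `\` that every other option line carries, so the double-quoted value spans raw newlines and whether that is tolerated depends on how /etc/sysconfig/mongod is consumed (systemd EnvironmentFile versus a shell source); terminate them consistently as `--nounixsocket \`, `--tlsCertificateKeyFile {{ tls_private }}/mongodb.pem \`, `--tlsCAFile {{ tls_certs }}/ca.crt \`. In the new Create configuration directory task `mode: 0750` is an unquoted leading-zero octal while the sibling tasks in the same hunk write `mode: "0400"` and `mode: "0644"`; write `mode: "0750"` so Ansible receives a string rather than a YAML 1.1 integer. The hunk also drops the Create configuration template task for /etc/mongod.conf while `-f /etc/mongod.conf` stays on the command line and mongod.conf.j2 is still edited in this same commit, so if no other task renders that template the config file stops being managed; worth confirming. The Configure startup options task continues past the end of the hunk.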
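Review bot: `--password {{ mongodb_root_password }}` bakes the root credential into the shell alias, so it lands in cleartext in the managed file and on the argv of every mongosh invocation, where any local user can read it from `ps` or /proc; it would also break the single-quoted alias if the password ever contained a `'`. mongosh prompts for the password when `--username` is given without `--password`, so keep `--username root` and drop the `--password {{ mongodb_root_password }}` line. The task that owns this alias and its `regexp` key starts above the hunk, and one trailing context line of the hunk appears to have been lost in the collapsed text.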
diff --git a/roles/mongodb/templates/mongod.conf.j2 b/roles/mongodb/templates/mongod.conf.j2
index a05d000..dd90429 100644
--- a/roles/mongodb/templates/mongod.conf.j2
+++ b/roles/mongodb/templates/mongod.conf.j2
@@ -19,5 +19,5 @@ net:
   bindIpAll: true
   tls:
     mode: requireTLS
-    certificateKeyFile: /etc/pki/tls/private/mongodb.pem
+    certificateKeyFile: {{ tls_private }}/mongodb.pem
     CAFile: {{ tls_certs }}/ca.crt