mongosh: Use startup params and enable replset

roles/mongodb/tasks/main.yml

@@ -82,20 +82,39 @@
     owner: root
     group: "{{ ansible_wheel }}"
 
+- name: Create configuration directory
+  ansible.builtin.file:
+    path: /etc/mongod
+    state: directory
+    mode: 0750
+    owner: root
+    group: mongod
+
+- name: Copy keyfile
+  ansible.builtin.copy:
+    dest: /etc/mongod/mongod.key
+    src: "{{ ansible_private }}/files/mongod/mongod.key"
+    mode: "0400"
+    owner: mongod
+    group: mongod
+  notify: Restart mongod
+
 - name: Configure startup options
   ansible.builtin.copy:
     dest: /etc/sysconfig/mongod
     content: |
-      OPTIONS="-f /etc/mongod.conf --logRotate reopen"
+      OPTIONS="-f /etc/mongod.conf \
-    mode: "0644"
+          --auth \
-    owner: root
+          --bind_ip_all \
-    group: "{{ ansible_wheel }}"
+          --dbpath /srv/mongodb \
-  notify: Restart mongod
+          --keyFile /etc/mongod/mongod.key \
-
+          --logRotate reopen \
-- name: Create configuration
+          --nounixsocket
-  ansible.builtin.template:
+          --replSet rs0 \
-    dest: /etc/mongod.conf
+          --tlsMode requireTLS \
-    src: mongod.conf.j2
+          --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem
+          --tlsCAFile {{ tls_certs }}/ca.crt
+          --tlsDisabledProtocols TLS1_0,TLS1_1,TLS1_2"
     mode: "0644"
     owner: root
     group: "{{ ansible_wheel }}"
@@ -114,5 +133,7 @@
       alias mongosh='mongosh
       --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem
       --tlsCAFile {{ tls_certs }}/ca.crt
+      --username root
+      --password {{ mongodb_root_password }}
       --tls mongodb://{{ inventory_hostname }}/'
-    regexp: ^alias mongo=.*
+    regexp: ^alias mongosh=.*

roles/mongodb/templates/mongod.conf.j2

@@ -19,5 +19,5 @@ net:
   bindIpAll: true
   tls:
     mode: requireTLS
-    certificateKeyFile: /etc/pki/tls/private/mongodb.pem
+    certificateKeyFile: {{ tls_private }}/mongodb.pem
     CAFile: {{ tls_certs }}/ca.crt