From 2cefd6d50d948f3d789913449971d945aa99b831 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 3 Feb 2022 21:19:31 +0000
Subject: [PATCH] mongodb: Initial version of role
---
 roles/mongodb/files/mongod.logrotate | 7 ++
 roles/mongodb/handlers/main.yml | 6 ++
 roles/mongodb/tasks/main.yml | 107 +++++++++++++++++++++++++
 roles/mongodb/templates/mongod.conf.j2 | 23 ++++++
 user.list | 1 +
 5 files changed, 144 insertions(+)
 create mode 100644 roles/mongodb/files/mongod.logrotate
 create mode 100644 roles/mongodb/handlers/main.yml
 create mode 100644 roles/mongodb/tasks/main.yml
 create mode 100644 roles/mongodb/templates/mongod.conf.j2
diff --git a/roles/mongodb/files/mongod.logrotate b/roles/mongodb/files/mongod.logrotate
new file mode 100644
index 0000000..c6e69b8
--- /dev/null
+++ b/roles/mongodb/files/mongod.logrotate
@@ -0,0 +1,7 @@
+/var/log/mongodb/mongod.log
+ missingok
+ create 0640 mongod mongod
+ postrotate
+ /usr/bin/systemctl kill -s SIGUSR1 mongod.service >/dev/null 2>&1 || true
+ endscript
+}
diff --git a/roles/mongodb/handlers/main.yml b/roles/mongodb/handlers/main.yml
new file mode 100644
index 0000000..28979b7
--- /dev/null
+++ b/roles/mongodb/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart mongod
+ ansible.builtin.service:
+ name: mongod
+ state: restarted
diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml
new file mode 100644
index 0000000..3b50c7c
--- /dev/null
+++ b/roles/mongodb/tasks/main.yml
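Review bot: The opening `{` that logrotate requires after `/var/log/mongodb/mongod.log` is absent in this rendering of the hunk; if it is missing in the committed file as well, logrotate rejects the whole stanza, so please confirm the first line reads `/var/log/mongodb/mongod.log {`. The stanza also sets no frequency, `rotate` count or `compress`, so retention of the mongod log is whatever /etc/logrotate.conf supplies globally; stating them here (for example `rotate 14`, `compress`, `delaycompress`, `notifempty`) keeps the policy with the role instead of with the host defaults. The `create 0640 mongod mongod` line and the SIGUSR1 postrotate agree with the `--logRotate reopen` option written to the sysconfig file in this commit, so the reopen path itself is consistent.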
@@ -0,0 +1,107 @@
+---
+
+- name: create group
+ ansible.builtin.group:
+ name: mongod
+ gid: 1006
+
+- name: create user
+ ansible.builtin.user:
+ name: mongod
+ comment: Service MongoDB
+ createhome: false
+ group: mongod
+ home: /var/empty
+ shell: /sbin/nologin
+ uid: 1006
+
+- name: enable repository
+ ansible.builtin.yum_repository:
+ name: mongodb
+ baseurl: https://repo.mongodb.org/yum/redhat/8/mongodb-org/5.0/x86_64
+ description: MongoDB
+ gpgcheck: true
+ gpgkey: https://www.mongodb.org/static/pgp/server-5.0.asc
+ enabled: true
+
+- name: install packages
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: installed
+ with_items:
+ - mongodb-org-server
+ - mongodb-org-shell
+
+- name: set selinux file contexts on data directory
+ community.general.sefcontext:
+ path: "/export/mongodb(/.*)?"
+ setype: mongod_var_lib_t
+
+- name: create data directory
+ ansible.builtin.file:
+ path: /export/mongodb
+ state: directory
+ mode: 0700
+ owner: mongod
+ group: mongod
+ setype: _default
+
+- name: link data directory
+ ansible.builtin.file:
+ path: /srv/mongodb
+ src: /export/mongodb
+ owner: root
+ group: "{{ ansible_wheel }}"
+ state: link
+ follow: false
+
+- name: create combined certificate/private key file
+ ansible.builtin.shell:
+ cmd: >-
+ umask 077 &&
+ /bin/cat \
+ {{ tls_certs }}/{{ inventory_hostname }}.crt \
+ {{ tls_private }}/{{ inventory_hostname }}.key > \
+ {{ tls_private }}/mongodb.pem
+ creates: "{{ tls_private }}/mongodb.pem"
+ notify: restart mongod
+
+- name: fix certificate/key file permissions
+ ansible.builtin.file:
+ path: "{{ tls_private }}/mongodb.pem"
+ mode: 0640
+ owner: root
+ group: mongod
+
+- name: configure logrotate
+ ansible.builtin.copy:
+ dest: /etc/logrotate.d/mongod
+ src: mongod.logrotate
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: configure startup options
+ ansible.builtin.copy:
+ dest: /etc/sysconfig/mongod
+ content: |
+ OPTIONS="-f /etc/mongod.conf --logRotate reopen"
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: restart mongod
+
+- name: create configuration
+ ansible.builtin.template:
+ dest: /etc/mongod.conf
+ src: mongod.conf.j2
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: restart mongod
+
+- name: enable service
+ ansible.builtin.service:
+ name: mongod
+ state: started
+ enabled: true
diff --git a/roles/mongodb/templates/mongod.conf.j2 b/roles/mongodb/templates/mongod.conf.j2
new file mode 100644
index 0000000..a05d000
--- /dev/null
+++ b/roles/mongodb/templates/mongod.conf.j2
@@ -0,0 +1,23 @@
+
+systemLog:
+ destination: file
+ logAppend: true
+ path: /var/log/mongodb/mongod.log
+
+storage:
+ dbPath: /srv/mongodb
+ journal:
+ enabled: true
+
+processManagement:
+ fork: true
+ pidFilePath: /var/run/mongodb/mongod.pid
+ timeZoneInfo: /usr/share/zoneinfo
+
+net:
+ port: 27017
+ bindIpAll: true
+ tls:
+ mode: requireTLS
+ certificateKeyFile: /etc/pki/tls/private/mongodb.pem
+ CAFile: {{ tls_certs }}/ca.crt
diff --git a/user.list b/user.list
index 514b91b..8de74be 100644
--- a/user.list
+++ b/user.list
@@ -11,3 +11,4 @@ id user group notes
 1003 collab collab
 1004 docker docker docker registry
 1005 backup backup
+1006 mongod mongod
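Review bot: In the `create combined certificate/private key file` task the trailing `\` continuations are redundant inside a `>-` folded scalar and, assuming the continuation lines sit at the same indent as `umask 077 &&` (as the rendering suggests), folding turns each of them into `\ ` — an escaped space — so the shell receives `cat` arguments and a redirect target that begin with a literal space and the task fails; drop the three backslashes and let folding join the lines. The same task is guarded by `creates: "{{ tls_private }}/mongodb.pem"`, so a renewed certificate or key on the host is never re-concatenated and the `restart mongod` handler fires only on the first run; regenerating when either input changes (for example comparing `ansible.builtin.stat` checksums before the shell step, or slurping both files and writing the result with `ansible.builtin.copy` so change detection and the notify are native) avoids serving a stale or expired certificate. Separately, the file modes `0700`, `0640` and `0644` are unquoted octals that depend on YAML 1.1 parsing; writing them as `mode: "0700"` is the form ansible-lint expects, and `ansible.builtin.package` accepts the two package names as a list under `name:` directly, which removes the `with_items` loop.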
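Review bot: The rendered mongod.conf has no `security` section, so with `bindIpAll: true` the server listens on every interface and, as far as the template shows, grants full access to any client that completes the TLS handshake; adding `security:` / `  authorization: enabled` and creating the administrative user in the role closes that gap. Because `net.tls.CAFile` is set, the server is presumably expected to validate CA-signed client certificates (subject to `allowConnectionsWithoutCertificates`, which is not set here) — that intended trust model is worth stating in a comment at the top of the template, alongside a `# {{ ansible_managed }}` header, since nothing currently documents it. The blank line before `systemLog:` is harmless but unusual as the first line of a generated file.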