mongodb: Initial version of role

roles/mongodb/files/mongod.logrotate

@@ -0,0 +1,7 @@
+/var/log/mongodb/mongod.log
+    missingok
+    create 0640 mongod mongod
+    postrotate
+        /usr/bin/systemctl kill -s SIGUSR1 mongod.service >/dev/null 2>&1 || true
+    endscript
+}

roles/mongodb/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: restart mongod
+  ansible.builtin.service:
+    name: mongod
+    state: restarted

roles/mongodb/tasks/main.yml

@@ -0,0 +1,107 @@
+---
+
+- name: create group
+  ansible.builtin.group:
+    name: mongod
+    gid: 1006
+
+- name: create user
+  ansible.builtin.user:
+    name: mongod
+    comment: Service MongoDB
+    createhome: false
+    group: mongod
+    home: /var/empty
+    shell: /sbin/nologin
+    uid: 1006
+
+- name: enable repository
+  ansible.builtin.yum_repository:
+    name: mongodb
+    baseurl: https://repo.mongodb.org/yum/redhat/8/mongodb-org/5.0/x86_64
+    description: MongoDB
+    gpgcheck: true
+    gpgkey: https://www.mongodb.org/static/pgp/server-5.0.asc
+    enabled: true
+
+- name: install packages
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: installed
+  with_items:
+    - mongodb-org-server
+    - mongodb-org-shell
+
+- name: set selinux file contexts on data directory
+  community.general.sefcontext:
+    path: "/export/mongodb(/.*)?"
+    setype: mongod_var_lib_t
+
+- name: create data directory
+  ansible.builtin.file:
+    path: /export/mongodb
+    state: directory
+    mode: 0700
+    owner: mongod
+    group: mongod
+    setype: _default
+
+- name: link data directory
+  ansible.builtin.file:
+    path: /srv/mongodb
+    src: /export/mongodb
+    owner: root
+    group: "{{ ansible_wheel }}"
+    state: link
+    follow: false
+
+- name: create combined certificate/private key file
+  ansible.builtin.shell:
+    cmd: >-
+      umask 077 &&
+      /bin/cat \
+          {{ tls_certs }}/{{ inventory_hostname }}.crt \
+          {{ tls_private }}/{{ inventory_hostname }}.key > \
+          {{ tls_private }}/mongodb.pem
+    creates: "{{ tls_private }}/mongodb.pem"
+  notify: restart mongod
+
+- name: fix certificate/key file permissions
+  ansible.builtin.file:
+    path: "{{ tls_private }}/mongodb.pem"
+    mode: 0640
+    owner: root
+    group: mongod
+
+- name: configure logrotate
+  ansible.builtin.copy:
+    dest: /etc/logrotate.d/mongod
+    src: mongod.logrotate
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+
+- name: configure startup options
+  ansible.builtin.copy:
+    dest: /etc/sysconfig/mongod
+    content: |
+      OPTIONS="-f /etc/mongod.conf --logRotate reopen"
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: restart mongod
+
+- name: create configuration
+  ansible.builtin.template:
+    dest: /etc/mongod.conf
+    src: mongod.conf.j2
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: restart mongod
+
+- name: enable service
+  ansible.builtin.service:
+    name: mongod
+    state: started
+    enabled: true

roles/mongodb/templates/mongod.conf.j2

@@ -0,0 +1,23 @@
+
+systemLog:
+  destination: file
+  logAppend: true
+  path: /var/log/mongodb/mongod.log
+
+storage:
+  dbPath: /srv/mongodb
+  journal:
+    enabled: true
+
+processManagement:
+  fork: true
+  pidFilePath: /var/run/mongodb/mongod.pid
+  timeZoneInfo: /usr/share/zoneinfo
+
+net:
+  port: 27017
+  bindIpAll: true
+  tls:
+    mode: requireTLS
+    certificateKeyFile: /etc/pki/tls/private/mongodb.pem
+    CAFile: {{ tls_certs }}/ca.crt

user.list

@@ -11,3 +11,4 @@ id    user               group             notes
 1003  collab             collab
 1004  docker             docker            docker registry
 1005  backup             backup
+1006  mongod             mongod