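---
# Install and configure a TLS-enabled MongoDB server (mongod) on a RHEL-family
# host: dedicated service account, vendor package repository, SELinux-labelled
# data directory, combined certificate/key PEM, logrotate, and service start.
#
# Variables read here but defined elsewhere: tls_certs, tls_private,
# ansible_wheel. The "restart mongod" handler is also defined elsewhere.

- name: create group
  ansible.builtin.group:
    name: mongod
    gid: 1006

# Service account only: no home directory is created and the login shell is
# /sbin/nologin.
- name: create user
  ansible.builtin.user:
    name: mongod
    comment: Service MongoDB
    create_home: false
    group: mongod
    home: /var/empty
    shell: /sbin/nologin
    uid: 1006

# gpgcheck is on, so packages are verified against the vendor key fetched over
# HTTPS.
# NOTE(review): the repository is pinned to the 5.0 series; confirm that series
# still receives upstream security updates.
- name: enable repository
  ansible.builtin.yum_repository:
    name: mongodb
    baseurl: https://repo.mongodb.org/yum/redhat/8/mongodb-org/5.0/x86_64
    description: MongoDB
    gpgcheck: true
    gpgkey: https://www.mongodb.org/static/pgp/server-5.0.asc
    enabled: true

# The package list is passed directly instead of looping, and "present" is used
# in place of the "installed" alias.
- name: install packages
  ansible.builtin.package:
    name:
      - mongodb-org-server
      - mongodb-org-shell
    state: present

# Registers the SELinux type for the data path; the label is applied by the
# next task through "setype: _default".
- name: set selinux file contexts on data directory
  community.general.sefcontext:
    path: "/export/mongodb(/.*)?"
    setype: mongod_var_lib_t

# File modes are quoted so they are always read as octal strings.
- name: create data directory
  ansible.builtin.file:
    path: /export/mongodb
    state: directory
    mode: "0700"
    owner: mongod
    group: mongod
    setype: _default

- name: link data directory
  ansible.builtin.file:
    path: /srv/mongodb
    src: /export/mongodb
    owner: root
    group: "{{ ansible_wheel }}"
    state: link
    follow: false

# Private key material. umask 077 keeps the file unreadable by other users
# until the next task sets root:mongod 0640.
#
# The folded scalar carries no backslash continuations: folding turns each line
# break into a space, and a backslash in front of that space would escape it
# into the following path.
#
# The PEM is assembled in a temporary file and renamed only on success, so a
# failed cat cannot leave a truncated mongodb.pem that "creates:" would then
# treat as finished.
#
# Because of "creates:", the PEM is not rebuilt when the certificate or key is
# renewed; remove mongodb.pem to force regeneration.
- name: create combined certificate/private key file
  ansible.builtin.shell:
    cmd: >-
      umask 077 &&
      /bin/cat
      {{ tls_certs }}/{{ inventory_hostname }}.crt
      {{ tls_private }}/{{ inventory_hostname }}.key
      > {{ tls_private }}/mongodb.pem.tmp &&
      /bin/mv -f
      {{ tls_private }}/mongodb.pem.tmp
      {{ tls_private }}/mongodb.pem
    creates: "{{ tls_private }}/mongodb.pem"
  notify: restart mongod

# Readable by the mongod group, writable only by root.
- name: fix certificate/key file permissions
  ansible.builtin.file:
    path: "{{ tls_private }}/mongodb.pem"
    mode: "0640"
    owner: root
    group: mongod

- name: configure logrotate
  ansible.builtin.copy:
    dest: /etc/logrotate.d/mongod
    src: mongod.logrotate
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

- name: configure startup options
  ansible.builtin.copy:
    dest: /etc/sysconfig/mongod
    content: |
      OPTIONS="-f /etc/mongod.conf --logRotate reopen"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: restart mongod

# NOTE(review): the rendered file is world-readable. Confirm mongod.conf.j2
# holds no secrets (for example key passphrases or bind credentials); if it
# does, tighten to a mode and group that only root and mongod can read.
- name: create configuration
  ansible.builtin.template:
    dest: /etc/mongod.conf
    src: mongod.conf.j2
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: restart mongod

- name: enable service
  ansible.builtin.service:
    name: mongod
    state: started
    enabled: true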