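---
# Provision one MongoDB 6.0 member of replica set "rs0" on a RHEL-family host:
# dedicated service account, vendor repository, SELinux-labelled data directory,
# keyfile authentication, mandatory TLS, logrotate and a nightly backup.
#
# Variables expected from the caller: tls_certs, tls_private, ansible_private,
# ansible_wheel (and mongodb_root_password for the backup script template).
#
# Tasks that handle the host private key, the replica-set keyfile or any
# credential carry `no_log: true` so the secret never reaches Ansible's
# stdout/callback output (including `--diff` output of copy tasks).

- name: Create group
  ansible.builtin.group:
    name: mongod
    gid: 302

# Service account: fixed uid, no home directory, no interactive shell.
- name: Create user
  ansible.builtin.user:
    name: mongod
    comment: Service MongoDB
    create_home: false
    group: mongod
    home: /var/empty
    shell: /sbin/nologin
    uid: 302

- name: Enable repository
  ansible.builtin.yum_repository:
    name: mongodb
    baseurl: >-
      https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/6.0/x86_64
    description: MongoDB
    # Packages are verified against the vendor signing key; keep gpgcheck on
    # even when pointing baseurl at an internal mirror.
    gpgcheck: true
    gpgkey: https://www.mongodb.org/static/pgp/server-6.0.asc
    enabled: true

# Hand the whole list to the package module so it is resolved as one
# transaction rather than one transaction per item.
- name: Install packages
  ansible.builtin.package:
    name:
      - mongodb-database-tools
      - mongodb-mongosh
      - mongodb-org-server
    state: present

# The data directory lives outside the policy default (/var/lib/mongo), so
# register its label first; the confined mongod domain can only use
# mongod_var_lib_t files.
- name: Set SELinux file contexts on data directory
  community.general.sefcontext:
    path: "/export/mongodb(/.*)?"
    setype: mongod_var_lib_t

- name: Create data directory
  ansible.builtin.file:
    path: /export/mongodb
    state: directory
    # Owner-only: the data files must not be readable by other local users.
    mode: "0700"
    owner: mongod
    group: mongod
    # Apply the context registered above instead of inheriting the parent's.
    setype: _default

# mongod is started with --dbpath /srv/mongodb; keep the symlink itself
# root-owned and do not follow it when setting ownership.
- name: Link data directory
  ansible.builtin.file:
    path: /srv/mongodb
    src: /export/mongodb
    owner: root
    group: "{{ ansible_wheel }}"
    state: link
    follow: false

# Build the PEM bundle (certificate followed by private key) mongod expects.
# The registered result contains the private key, hence no_log.
- name: Generate combined certificate/private key file contents
  ansible.builtin.command:
    argv:
      - /bin/cat
      - "{{ tls_certs }}/{{ inventory_hostname }}.crt"
      - "{{ tls_private }}/{{ inventory_hostname }}.key"
  changed_when: false
  check_mode: false
  register: mongodb_cert_key
  no_log: true

# Readable by root and the mongod group only; the service reads it as mongod.
- name: Create combined certificate/private key file
  ansible.builtin.copy:
    dest: "{{ tls_private }}/mongodb.pem"
    content: "{{ mongodb_cert_key.stdout }}"
    mode: "0640"
    owner: root
    group: mongod
  no_log: true
  notify: Restart mongod

- name: Configure logrotate
  ansible.builtin.copy:
    dest: /etc/logrotate.d/mongod
    src: mongod.logrotate
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

- name: Create configuration directory
  ansible.builtin.file:
    path: /etc/mongod
    state: directory
    mode: "0750"
    owner: root
    group: mongod

# The keyfile is the shared secret that authenticates replica-set members to
# each other. mongod refuses a keyfile that is group- or world-readable, and
# the contents must never appear in the play output.
- name: Copy keyfile
  ansible.builtin.copy:
    dest: /etc/mongod/mongod.key
    src: "{{ ansible_private }}/files/mongod/mongod.key"
    mode: "0400"
    owner: mongod
    group: mongod
  no_log: true
  notify: Restart mongod

# Command-line options appended by the unit file. Notes on the security-
# relevant ones:
#   --auth / --keyFile   : client auth on, member auth via the keyfile above.
#   --bind_ip_all        : listens on every interface; acceptable only because
#                          requireTLS and --auth are set, a host firewall is
#                          still expected to limit reachability.
#   --nounixsocket       : no local socket, so every client goes through TLS.
#   --tlsDisabledProtocols TLS1_0,TLS1_1,TLS1_2 : only TLS 1.3 is accepted.
#                          Clients/drivers linked against OpenSSL < 1.1.1
#                          will not be able to connect; relax deliberately
#                          if such clients exist.
- name: Configure startup options
  ansible.builtin.copy:
    dest: /etc/sysconfig/mongod
    content: |
      OPTIONS="-f /etc/mongod.conf \
        --auth \
        --bind_ip_all \
        --dbpath /srv/mongodb \
        --keyFile /etc/mongod/mongod.key \
        --logRotate reopen \
        --nounixsocket \
        --replSet rs0 \
        --maxConns 16384 \
        --tlsMode requireTLS \
        --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem \
        --tlsCAFile {{ tls_certs }}/ca.crt \
        --tlsDisabledProtocols TLS1_0,TLS1_1,TLS1_2"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart mongod

- name: Enable service
  ansible.builtin.service:
    name: mongod
    state: started
    enabled: true

# Root-only script; whatever credentials the template embeds are protected by
# the 0700 mode, not by this task.
- name: Copy backup script
  ansible.builtin.template:
    dest: /usr/local/sbin/mongodb-backup
    src: mongodb-backup.sh.j2
    mode: "0700"
    owner: root
    group: "{{ ansible_wheel }}"

- name: Create backup cron job
  ansible.builtin.cron:
    name: mongodb-backup
    job: /usr/local/sbin/mongodb-backup
    hour: "0"
    minute: "20"
    user: root

# Convenience alias for root. The admin password is deliberately NOT part of
# the alias: an alias argument lands in the process argv (visible to every
# local user via ps / /proc) and in shell history, and a password containing
# a quote would also break the alias. With --username but no --password,
# mongosh prompts for the password interactively.
- name: Create mongo alias cmd for root
  ansible.builtin.lineinfile:
    path: /root/.bashrc
    line: >-
      alias mongosh='mongosh --tls
      --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem
      --tlsCAFile {{ tls_certs }}/ca.crt
      --username root
      mongodb://{{ inventory_hostname }}/'
    regexp: ^alias mongosh=.*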