---
# Service account group for mongod. A fixed gid keeps ownership of the data
# directory stable across hosts; the user below uses the matching uid.
- name: Create group
  ansible.builtin.group:
    gid: 302
    name: mongod

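# Unprivileged, non-interactive account the service runs as.
- name: Create user
  ansible.builtin.user:
    name: mongod
    uid: 302
    group: mongod
    comment: Service MongoDB
    # Nothing should ever be written under $HOME: /var/empty plus nologin
    # keeps the account from being used as a login shell account.
    home: /var/empty
    create_home: false  # canonical parameter name; "createhome" is the old alias
    shell: /sbin/nologin
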
# Package repository for the MongoDB 6.0 series. Packages are GPG-verified
# against the 6.0 release key, which is fetched over HTTPS; bump baseurl and
# gpgkey together when moving to another series.
- name: Enable repository
  ansible.builtin.yum_repository:
    name: mongodb
    description: MongoDB
    baseurl: "https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/6.0/x86_64"
    enabled: true
    gpgcheck: true
    gpgkey: "https://www.mongodb.org/static/pgp/server-6.0.asc"

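# Shell client and server. The list is handed to the package manager in one
# call rather than looped with with_items, so it is resolved as a single
# transaction and no loop variable is needed.
- name: Install packages
  ansible.builtin.package:
    name:
      - mongodb-mongosh
      - mongodb-org-server
    state: present  # "installed" is only an alias of present
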
# Register an SELinux file-context mapping for the data directory, which
# lives outside the stock location; presumably mongod_var_lib_t is the type
# the policy grants mongod write access to (verify against the policy).
# The file task that creates the directory applies this mapping.
- name: Set SELinux file contexts on data directory
  community.general.sefcontext:
    setype: mongod_var_lib_t
    path: '/export/mongodb(/.*)?'
    state: present

# Data directory proper: private to the service account. setype "_default"
# asks for the policy's default type for this path, i.e. the mapping
# registered by the sefcontext task, instead of a literal type.
- name: Create data directory
  ansible.builtin.file:
    state: directory
    path: /export/mongodb
    owner: mongod
    group: mongod
    mode: '0700'
    setype: _default

# mongod is started with --dbpath /srv/mongodb (see the startup options);
# that path is a symlink to the real directory under /export.
- name: Link data directory
  ansible.builtin.file:
    state: link
    path: /srv/mongodb
    src: /export/mongodb
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false  # operate on the link itself, not on its target

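# mongod expects certificate and private key in a single PEM file. Read both
# from the host's cert store; the copy task that follows writes the result.
- name: Generate combined certificate/private key file contents
  ansible.builtin.command:
    argv:
      - /bin/cat
      - "{{ tls_certs }}/{{ inventory_hostname }}.crt"
      - "{{ tls_private }}/{{ inventory_hostname }}.key"
  changed_when: false  # read-only, never reports a change
  check_mode: false    # run even under --check so the registered var exists
  register: mongodb_cert_key
  # The registered stdout contains the private key; keep it out of the play
  # output and logs (verbose runs print registered results in full).
  no_log: true
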
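# Write the combined PEM for mongod: root-owned, readable by the service
# group only.
- name: Create combined certificate/private key file
  ansible.builtin.copy:
    dest: "{{ tls_private }}/mongodb.pem"
    content: "{{ mongodb_cert_key.stdout }}"
    owner: root
    group: mongod
    mode: '0640'
  # The content is private key material; --diff / verbose output would
  # otherwise print it.
  no_log: true
  notify: Restart mongod
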
# Rotation policy for the mongod log; pairs with "--logRotate reopen" in the
# startup options so mongod reopens its log after logrotate moves it.
- name: Configure logrotate
  ansible.builtin.copy:
    src: mongod.logrotate
    dest: /etc/logrotate.d/mongod
    owner: root
    group: "{{ ansible_wheel }}"
    mode: '0644'

# Holds the replica-set keyfile; root-owned and traversable by the service
# group only.
- name: Create configuration directory
  ansible.builtin.file:
    state: directory
    path: /etc/mongod
    owner: root
    group: mongod
    mode: '0750'

# Replica-set keyfile (the shared secret passed to mongod via --keyFile).
# Sourced from the private files tree, never from this repository, and kept
# 0400/mongod so only the service account can read it.
- name: Copy keyfile
  ansible.builtin.copy:
    src: "{{ ansible_private }}/files/mongod/mongod.key"
    dest: /etc/mongod/mongod.key
    owner: mongod
    group: mongod
    mode: '0400'
  notify: Restart mongod

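# Command-line options for mongod, read from /etc/sysconfig/mongod.
# Every line of the quoted value now ends in "\" so the reader folds it into
# one OPTIONS string; the original left the --nounixsocket,
# --tlsCertificateKeyFile and --tlsCAFile lines without the continuation,
# which only works if the consumer tolerates raw newlines inside the quotes.
# Notes on the options:
#   --bind_ip_all listens on every interface; nothing in this file restricts
#     source addresses, so auth + requireTLS are the access controls here.
#   --tlsDisabledProtocols disables TLS 1.0-1.2, leaving only TLS 1.3; every
#     client (including the root mongosh alias) must be able to negotiate it.
- name: Configure startup options
  ansible.builtin.copy:
    dest: /etc/sysconfig/mongod
    content: |
      OPTIONS="-f /etc/mongod.conf \
      --auth \
      --bind_ip_all \
      --dbpath /srv/mongodb \
      --keyFile /etc/mongod/mongod.key \
      --logRotate reopen \
      --nounixsocket \
      --replSet rs0 \
      --tlsMode requireTLS \
      --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem \
      --tlsCAFile {{ tls_certs }}/ca.crt \
      --tlsDisabledProtocols TLS1_0,TLS1_1,TLS1_2"
    owner: root
    group: "{{ ansible_wheel }}"
    mode: '0644'  # contains only paths and flags, no secrets
  notify: Restart mongod
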
# Start now and at boot. Restarts after configuration changes are driven by
# the "Restart mongod" handler notified by the tasks above.
- name: Enable service
  ansible.builtin.service:
    name: mongod
    enabled: true
    state: started

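# Convenience alias for root that connects with TLS and the host certificate.
# The root password is deliberately not baked into the alias: mongosh prompts
# for it when --username is given without --password, whereas embedding it
# would store it in clear text in /root/.bashrc and expose it in the process
# list of every mongosh invocation. The folded scalar is one line at runtime.
- name: Create mongo alias cmd for root
  ansible.builtin.lineinfile:
    path: /root/.bashrc
    regexp: '^alias mongosh=.*'
    line: >-
      alias mongosh='mongosh
      --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem
      --tlsCAFile {{ tls_certs }}/ca.crt
      --username root
      --tls mongodb://{{ inventory_hostname }}/'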