setup authentication

2018-07-07 18:53:03 +02:00 · 2018-07-07 18:53:03 +02:00 · 76f0635074
commit 76f0635074
parent 00b713d9d7
8 changed files with 148 additions and 9 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -8,6 +8,10 @@ mongodb_system_group: mongod
 mongodb_storage_dbpath: /var/lib/mongo
 mongodb_storage_journal_enabled: True

-mongodb_systemlog_destination: syslog
+mongodb_systemlog_destination: logfile
 mongodb_systemlog_logappend: True
 mongodb_systemlog_path: /var/log/mongodb/mongod.log
+
+mongodb_rbac_enabled: True
+mongodb_user_admin_name: mongoadm
+mongodb_user_admin_password: secure
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,6 +1,6 @@
 ---
- name: Restart mongod service
-  systemd:
+- name: Restart service
+  service:
    name: mongod
    state: restarted
    enabled: yes
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -0,0 +1,42 @@
+---
+- block:
+  - name: Backup current config file
+    copy:
+      src: /etc/mongod.conf
+      dest: /etc/mongod.conf.bak
+      remote_src: True
+
+  - name: Deploy config file without auth
+    template:
+      src: etc/mongod_init.conf.j2
+      dest: /etc/mongod.conf
+      mode: 0644
+
+  - name: Restart service
+    service:
+      name: mongod
+      state: restarte
+  become: True
+  changed_when: False
+
+- name: Create admin user
+  mongodb_user:
+    database: admin
+    name: "{{ mongodb_user_admin_name }}"
+    password: "{{ mongodb_user_admin_password }}"
+    roles: readWriteAnyDatabase
+    state: present
+
+- block:
+  - name: Restore config file
+    copy:
+      src: /etc/mongod.conf.bak
+      dest: /etc/mongod.conf
+      remote_src: True
+
+  - name: Restart service
+    service:
+      name: mongod
+      state: restarte
+  changed_when: False
+  become: True
--- a/tasks/config.yml
+++ b/tasks/config.yml
@ -0,0 +1,10 @@
+---
+- name: Configure database
+  block:
+  - name: Deploy configuration file
+    template:
+      src: etc/mongod.conf.j2
+      dest: /etc/mongod.conf
+      mode: 0644
+    notify: __mongod_restart
+  become: True
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -44,11 +44,10 @@
      state: directory
    when: mongodb_systemlog_destination == 'logfile'

-  # - name: Make sure mongodb is running
-  #   systemd:
-  #     name: mongod
-  #     state: started
-  #     enabled: yes
-  #     daemon_reload: yes
+  - name: Make sure mongodb is running
+    systemd:
+      name: mongod
+      state: started
+      enabled: yes
  become: True
  become_user: root
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,2 +1,4 @@
 ---
 - include_tasks: install.yml
+- include_tasks: auth.yml
+- include_tasks: config.yml
--- a/templates/etc/mongod.conf.j2
+++ b/templates/etc/mongod.conf.j2
@ -0,0 +1,41 @@
+## {{ ansible_managed }}
+# mongod.conf
+
+# for documentation of all options, see:
+#   http://docs.mongodb.org/manual/reference/configuration-options/
+
+# where to write logging data.
+systemLog:
+  destination: {{ mongodb_systemlog_destination }}
+  logAppend: {{ mongodb_systemlog_logappend | lower }}
+  path: /var/log/mongodb/mongod.log
+
+# Where and how to store data.
+storage:
+  dbPath: {{ mongodb_storage_dbpath }}
+  journal:
+    enabled: {{ mongodb_storage_journal_enabled | lower }}
+#  engine:
+#  mmapv1:
+#  wiredTiger:
+
+# how the process runs
+processManagement:
+  fork: true  # fork and run in background
+  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
+  timeZoneInfo: /usr/share/zoneinfo
+
+# network interfaces
+net:
+  port: 27017
+  bindIp: 127.0.0.1  # Listen to local interface only, comment to listen on all interfaces.
+
+
+security:
+  authorization: {{ 'enabled' if mongodb_rbac_enabled else 'disabled' }}
+
+#operationProfiling:
+
+#replication:
+
+#sharding:
--- a/templates/etc/mongod_init.conf.j2
+++ b/templates/etc/mongod_init.conf.j2
@ -0,0 +1,41 @@
+## {{ ansible_managed }}
+
+# mongod.conf
+
+# for documentation of all options, see:
+#   http://docs.mongodb.org/manual/reference/configuration-options/
+
+# where to write logging data.
+systemLog:
+  destination: file
+  logAppend: true
+  path: /var/log/mongodb/mongod.log
+
+# Where and how to store data.
+storage:
+  dbPath: /var/lib/mongo
+  journal:
+    enabled: true
+#  engine:
+#  mmapv1:
+#  wiredTiger:
+
+# how the process runs
+processManagement:
+  fork: true  # fork and run in background
+  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
+  timeZoneInfo: /usr/share/zoneinfo
+
+# network interfaces
+net:
+  port: 27017
+  bindIp: 127.0.0.1  # Listen to local interface only, comment to listen on all interfaces.
+
+
+#security:
+
+#operationProfiling:
+
+#replication:
+
+#sharding: