setup authentication

defaults/main.yml

@@ -8,6 +8,10 @@ mongodb_system_group: mongod
 mongodb_storage_dbpath: /var/lib/mongo
 mongodb_storage_journal_enabled: True
 
-mongodb_systemlog_destination: syslog
+mongodb_systemlog_destination: logfile
 mongodb_systemlog_logappend: True
 mongodb_systemlog_path: /var/log/mongodb/mongod.log
+
+mongodb_rbac_enabled: True
+mongodb_user_admin_name: mongoadm
+mongodb_user_admin_password: secure

handlers/main.yml

@@ -1,6 +1,6 @@
 ---
-- name: Restart mongod service
+- name: Restart service
-  systemd:
+  service:
     name: mongod
     state: restarted
     enabled: yes

tasks/auth.yml

@@ -0,0 +1,42 @@
+---
+- block:
+  - name: Backup current config file
+    copy:
+      src: /etc/mongod.conf
+      dest: /etc/mongod.conf.bak
+      remote_src: True
+
+  - name: Deploy config file without auth
+    template:
+      src: etc/mongod_init.conf.j2
+      dest: /etc/mongod.conf
+      mode: 0644
+
+  - name: Restart service
+    service:
+      name: mongod
+      state: restarte
+  become: True
+  changed_when: False
+
+- name: Create admin user
+  mongodb_user:
+    database: admin
+    name: "{{ mongodb_user_admin_name }}"
+    password: "{{ mongodb_user_admin_password }}"
+    roles: readWriteAnyDatabase
+    state: present
+
+- block:
+  - name: Restore config file
+    copy:
+      src: /etc/mongod.conf.bak
+      dest: /etc/mongod.conf
+      remote_src: True
+
+  - name: Restart service
+    service:
+      name: mongod
+      state: restarte
+  changed_when: False
+  become: True

tasks/config.yml

@@ -0,0 +1,10 @@
+---
+- name: Configure database
+  block:
+  - name: Deploy configuration file
+    template:
+      src: etc/mongod.conf.j2
+      dest: /etc/mongod.conf
+      mode: 0644
+    notify: __mongod_restart
+  become: True

tasks/install.yml

@@ -44,11 +44,10 @@
       state: directory
     when: mongodb_systemlog_destination == 'logfile'
 
-  # - name: Make sure mongodb is running
+  - name: Make sure mongodb is running
-  #   systemd:
+    systemd:
-  #     name: mongod
+      name: mongod
-  #     state: started
+      state: started
-  #     enabled: yes
+      enabled: yes
-  #     daemon_reload: yes
   become: True
   become_user: root

tasks/main.yml

@@ -1,2 +1,4 @@
 ---
 - include_tasks: install.yml
+- include_tasks: auth.yml
+- include_tasks: config.yml

templates/etc/mongod.conf.j2

@@ -0,0 +1,41 @@
+## {{ ansible_managed }}
+# mongod.conf
+
+# for documentation of all options, see:
+#   http://docs.mongodb.org/manual/reference/configuration-options/
+
+# where to write logging data.
+systemLog:
+  destination: {{ mongodb_systemlog_destination }}
+  logAppend: {{ mongodb_systemlog_logappend | lower }}
+  path: /var/log/mongodb/mongod.log
+
+# Where and how to store data.
+storage:
+  dbPath: {{ mongodb_storage_dbpath }}
+  journal:
+    enabled: {{ mongodb_storage_journal_enabled | lower }}
+#  engine:
+#  mmapv1:
+#  wiredTiger:
+
+# how the process runs
+processManagement:
+  fork: true  # fork and run in background
+  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
+  timeZoneInfo: /usr/share/zoneinfo
+
+# network interfaces
+net:
+  port: 27017
+  bindIp: 127.0.0.1  # Listen to local interface only, comment to listen on all interfaces.
+
+
+security:
+  authorization: {{ 'enabled' if mongodb_rbac_enabled else 'disabled' }}
+
+#operationProfiling:
+
+#replication:
+
+#sharding:

templates/etc/mongod_init.conf.j2

@@ -0,0 +1,41 @@
+## {{ ansible_managed }}
+
+# mongod.conf
+
+# for documentation of all options, see:
+#   http://docs.mongodb.org/manual/reference/configuration-options/
+
+# where to write logging data.
+systemLog:
+  destination: file
+  logAppend: true
+  path: /var/log/mongodb/mongod.log
+
+# Where and how to store data.
+storage:
+  dbPath: /var/lib/mongo
+  journal:
+    enabled: true
+#  engine:
+#  mmapv1:
+#  wiredTiger:
+
+# how the process runs
+processManagement:
+  fork: true  # fork and run in background
+  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
+  timeZoneInfo: /usr/share/zoneinfo
+
+# network interfaces
+net:
+  port: 27017
+  bindIp: 127.0.0.1  # Listen to local interface only, comment to listen on all interfaces.
+
+
+#security:
+
+#operationProfiling:
+
+#replication:
+
+#sharding: