This playbook installs MongoDB using distro-aware package handling and applies a minimal service baseline. It includes repository configuration and security best practices.
---
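# Installs MongoDB from the upstream package repository and starts mongod.
# No task in this play writes mongod.conf, so access control stays at whatever
# the packaged configuration provides.
# NOTE(review): confirm authorization is configured before the service is
# reachable from anything other than localhost.
- name: Install and configure MongoDB
  hosts: mongodb
  become: true
  vars:
    mongodb_version: "8.0"
    mongodb_repo_key_url: "https://www.mongodb.org/static/pgp/server-{{ mongodb_version }}.asc"
    # Dedicated keyring referenced by signed-by, so the MongoDB key is trusted
    # for this repository only and not for every APT source on the host.
    mongodb_apt_keyring: "/etc/apt/keyrings/mongodb-server-{{ mongodb_version }}.asc"
    # Optional pin for the downloaded key, in get_url's "<algorithm>:<digest>"
    # form. Left empty, the key is trusted on first download over HTTPS.
    mongodb_repo_key_checksum: ""
    # Package lists for different OS families
    app_packages_debian:
      - mongodb-org
      - mongodb-org-server
      - mongodb-org-mongos
      - mongodb-org-tools
    app_packages_redhat:
      - mongodb-org
      - mongodb-org-server
      - mongodb-org-mongos
      - mongodb-org-tools

  tasks:
    # Debian/Ubuntu repository setup
    - name: Ensure the APT keyring directory exists (Debian/Ubuntu)
      file:
        path: "{{ mongodb_apt_keyring | dirname }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      when: ansible_os_family == "Debian"

    # apt_key is deprecated and adds the key to the global trusted keyring;
    # a per-repository key file scoped with signed-by is used instead.
    - name: Add MongoDB APT key (Debian/Ubuntu)
      get_url:
        url: "{{ mongodb_repo_key_url }}"
        dest: "{{ mongodb_apt_keyring }}"
        checksum: "{{ mongodb_repo_key_checksum | default(omit, true) }}"
        owner: root
        group: root
        mode: "0644"
      when: ansible_os_family == "Debian"

    # NOTE(review): the repository path is hard-coded to apt/ubuntu while the
    # condition matches the whole Debian family; confirm the path and the
    # component for non-Ubuntu hosts.
    - name: Add MongoDB APT repository (Debian/Ubuntu)
      apt_repository:
        repo: >-
          deb [ arch=amd64,arm64 signed-by={{ mongodb_apt_keyring }} ]
          https://repo.mongodb.org/apt/ubuntu
          {{ ansible_distribution_release }}/mongodb-org/{{ mongodb_version }}
          multiverse
        state: present
        filename: "mongodb-org-{{ mongodb_version }}"
      when: ansible_os_family == "Debian"

    # RHEL/CentOS/Fedora repository setup
    - name: Add MongoDB YUM repository (RHEL/CentOS/Fedora)
      yum_repository:
        name: "mongodb-org-{{ mongodb_version }}"
        description: MongoDB Repository
        baseurl: "https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/{{ mongodb_version }}/x86_64/"
        # Package signatures are verified against gpgkey; keep this enabled.
        gpgcheck: true
        enabled: true
        gpgkey: "{{ mongodb_repo_key_url }}"
      when: ansible_os_family == "RedHat"

    # Install MongoDB packages (update_cache refreshes the APT index first,
    # so no separate cache-update task is needed)
    - name: Install MongoDB packages on Debian family
      apt:
        name: "{{ app_packages_debian }}"
        state: present
        update_cache: true
      when: ansible_os_family == "Debian"

    - name: Install MongoDB packages on RedHat family
      dnf:
        name: "{{ app_packages_redhat }}"
        state: present
      when: ansible_os_family == "RedHat"

    # Ensure MongoDB service is enabled and running
    - name: Enable and start MongoDB service
      systemd:
        name: mongod
        state: started
        enabled: true
        daemon_reload: true

    # Wait for MongoDB to be ready
    - name: Wait for MongoDB to accept connections
      wait_for:
        host: 127.0.0.1
        port: 27017
        delay: 5
        timeout: 30

    # Validate installation. The ping is unauthenticated: it shows the server
    # answers, not that access control is in place.
    - name: Validate MongoDB installation
      command: mongosh --eval "db.adminCommand('ping')"
      register: mongodb_ping
      changed_when: false
      failed_when: "'ok: 1' not in mongodb_ping.stdout"

    - name: Show MongoDB version
      command: mongosh --version
      register: mongodb_version_output
      changed_when: false

    - name: Display MongoDB version
      debug:
        msg: "MongoDB version: {{ mongodb_version_output.stdout }}"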
---
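# Installs MongoDB, deploys mongod.conf from a template and bootstraps an
# administrative user whose credentials come from vault variables.
# The play stops early when no admin password is supplied; it never falls back
# to a built-in default password.
- name: Install and configure MongoDB with security
  hosts: mongodb
  become: true
  vars:
    mongodb_version: "8.0"
    mongodb_repo_key_url: "https://www.mongodb.org/static/pgp/server-{{ mongodb_version }}.asc"
    # Dedicated keyring referenced by signed-by, so the MongoDB key is trusted
    # for this repository only and not for every APT source on the host.
    mongodb_apt_keyring: "/etc/apt/keyrings/mongodb-server-{{ mongodb_version }}.asc"
    # Optional pin for the downloaded key, in get_url's "<algorithm>:<digest>"
    # form. Left empty, the key is trusted on first download over HTTPS.
    mongodb_repo_key_checksum: ""
    mongodb_admin_user: "{{ vault_mongodb_admin_user | default('admin') }}"
    # No default here: a well-known fallback password would be applied
    # silently whenever the vault file is missing or fails to load.
    mongodb_admin_password: "{{ vault_mongodb_admin_password }}"

  pre_tasks:
    # Best effort: the variables may also come from group_vars or -e. The
    # assertion below is what guarantees a password was actually provided.
    - name: Include vault variables
      include_vars: vault.yml
      ignore_errors: true

    - name: Require an explicitly supplied admin password
      assert:
        that:
          - vault_mongodb_admin_password is defined
          - vault_mongodb_admin_password | length > 0
          - vault_mongodb_admin_password != 'changeme'
        fail_msg: "Define vault_mongodb_admin_password (for example in an ansible-vault encrypted vault.yml); this play ships no default password."
        quiet: true

  tasks:
    # Repository setup
    - name: Ensure the APT keyring directory exists (Debian/Ubuntu)
      file:
        path: "{{ mongodb_apt_keyring | dirname }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      when: ansible_os_family == "Debian"

    # apt_key is deprecated and adds the key to the global trusted keyring;
    # a per-repository key file scoped with signed-by is used instead.
    - name: Add MongoDB APT key (Debian/Ubuntu)
      get_url:
        url: "{{ mongodb_repo_key_url }}"
        dest: "{{ mongodb_apt_keyring }}"
        checksum: "{{ mongodb_repo_key_checksum | default(omit, true) }}"
        owner: root
        group: root
        mode: "0644"
      when: ansible_os_family == "Debian"

    # NOTE(review): the repository path is hard-coded to apt/ubuntu while the
    # condition matches the whole Debian family; confirm the path and the
    # component for non-Ubuntu hosts.
    - name: Add MongoDB APT repository (Debian/Ubuntu)
      apt_repository:
        repo: >-
          deb [ arch=amd64,arm64 signed-by={{ mongodb_apt_keyring }} ]
          https://repo.mongodb.org/apt/ubuntu
          {{ ansible_distribution_release }}/mongodb-org/{{ mongodb_version }}
          multiverse
        state: present
        filename: "mongodb-org-{{ mongodb_version }}"
      when: ansible_os_family == "Debian"

    - name: Add MongoDB YUM repository (RHEL/CentOS/Fedora)
      yum_repository:
        name: "mongodb-org-{{ mongodb_version }}"
        description: MongoDB Repository
        baseurl: "https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/{{ mongodb_version }}/x86_64/"
        # Package signatures are verified against gpgkey; keep this enabled.
        gpgcheck: true
        enabled: true
        gpgkey: "{{ mongodb_repo_key_url }}"
      when: ansible_os_family == "RedHat"

    # The generic package module has no cache option, so refresh APT first.
    - name: Update package cache
      apt:
        update_cache: true
      when: ansible_os_family == "Debian"

    - name: Install MongoDB packages
      package:
        name:
          - mongodb-org
          - mongodb-org-server
          - mongodb-org-mongos
          - mongodb-org-tools
        state: present
      notify: restart mongodb

    # Configure MongoDB with security settings.
    # The rendered file holds no credentials, so world-readable mode is kept.
    - name: Configure MongoDB with security
      template:
        src: mongod.conf.j2
        dest: /etc/mongod.conf
        owner: root
        group: root
        mode: "0644"
      notify: restart mongodb

    # Handlers normally run at the end of the play. Flushing here makes a
    # changed mongod.conf take effect before the admin user is bootstrapped
    # and before the validation below runs.
    - name: Apply pending MongoDB restarts now
      meta: flush_handlers

    # Ensure MongoDB service is enabled and running
    - name: Enable and start MongoDB service
      systemd:
        name: mongod
        state: started
        enabled: true
        daemon_reload: true

    # Wait for MongoDB to be ready
    - name: Wait for MongoDB to accept connections
      wait_for:
        host: 127.0.0.1
        port: 27017
        delay: 5
        timeout: 30

    # Create admin user (only if the credentials do not already work).
    # A non-zero exit code means authentication failed, i.e. the user is
    # missing or has a different password. The previous getUser() probe
    # exited 0 whether or not the user existed, so the creation step below
    # was never triggered by it.
    # Credentials are passed through the task environment and read with
    # process.env inside mongosh: they stay out of the argument list, which
    # any local user can read from the process table, and they are never
    # spliced into the JavaScript source, so quotes in a password cannot
    # alter the script.
    # NOTE(review): confirm the exit-code behaviour of a failed auth() on the
    # mongosh version you deploy.
    - name: Check whether the admin credentials already work
      command:
        argv:
          - mongosh
          - --quiet
          - --eval
          - "db.getSiblingDB('admin').auth(process.env.MONGODB_ADMIN_USER, process.env.MONGODB_ADMIN_PASSWORD)"
      environment:
        MONGODB_ADMIN_USER: "{{ mongodb_admin_user }}"
        MONGODB_ADMIN_PASSWORD: "{{ mongodb_admin_password }}"
      register: admin_user_check
      changed_when: false
      failed_when: false
      no_log: true

    - name: Create MongoDB admin user
      command:
        argv:
          - mongosh
          - --quiet
          - --eval
          - |
            db.getSiblingDB('admin').createUser({
              user: process.env.MONGODB_ADMIN_USER,
              pwd: process.env.MONGODB_ADMIN_PASSWORD,
              roles: [
                { role: 'userAdminAnyDatabase', db: 'admin' },
                { role: 'readWriteAnyDatabase', db: 'admin' },
                { role: 'dbAdminAnyDatabase', db: 'admin' }
              ]
            });
      environment:
        MONGODB_ADMIN_USER: "{{ mongodb_admin_user }}"
        MONGODB_ADMIN_PASSWORD: "{{ mongodb_admin_password }}"
      when: admin_user_check.rc != 0
      no_log: true

    # Validate secured installation.
    # This proves the admin credentials are accepted. It does not prove that
    # unauthenticated clients are rejected: that depends on
    # security.authorization being enabled in the deployed mongod.conf.
    - name: Validate secured MongoDB connection
      command:
        argv:
          - mongosh
          - --quiet
          - --eval
          - "db.getSiblingDB('admin').auth(process.env.MONGODB_ADMIN_USER, process.env.MONGODB_ADMIN_PASSWORD); db.adminCommand('ping')"
      environment:
        MONGODB_ADMIN_USER: "{{ mongodb_admin_user }}"
        MONGODB_ADMIN_PASSWORD: "{{ mongodb_admin_password }}"
      register: secured_ping
      changed_when: false
      failed_when: "'ok: 1' not in secured_ping.stdout"
      no_log: true

  handlers:
    - name: restart mongodb
      systemd:
        name: mongod
        state: restarted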
Create a template file templates/mongod.conf.j2:
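# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/

storage:
  # NOTE(review): /var/lib/mongo is the RPM-family data directory; the Debian
  # packages are expected to use /var/lib/mongodb — confirm per distribution.
  dbPath: /var/lib/mongo
  # storage.journal.enabled was removed in MongoDB 6.1 (journaling is always
  # on); newer servers may refuse to start when it is present, so it is left
  # commented out for the 8.0 packages installed by the playbook.
  # journal:
  #   enabled: true
  # engine:
  # mmapv1:
  # wiredTiger:

systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

net:
  port: 27017
  # Loopback only. Before widening this, make sure authorization is enforced
  # and the port is protected by TLS and host/network filtering.
  bindIp: 127.0.0.1

processManagement:
  # NOTE(review): the playbook manages mongod through systemd; confirm the
  # packaged unit expects a forking daemon with this PID file.
  fork: true
  pidFilePath: /var/run/mongodb/mongod.pid
  timeZoneInfo: /usr/share/zoneinfo

# Enforce access control: without this block every client that can reach the
# port has full access, whether or not users have been created.
security:
  authorization: enabled

# With authorization enabled, the localhost exception is what lets the first
# administrative user be created over a local connection; it stops applying
# once a user exists. Disabling it before that user exists blocks the
# bootstrap, so only enable the lines below after the admin user is in place.
# setParameter:
#   enableLocalhostAuthBypass: false

#operationProfiling:
#replication:
#sharding:

## Enterprise-Only Options:
#auditLog:
#snmp: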
Example inventory file (inventory.yml):
# Example inventory: both hosts are members of the "mongodb" group, which is
# the group the playbooks select with `hosts: mongodb`.
all:
  children:
    mongodb:
      hosts:
        mongodb1.example.com:
          ansible_host: "192.168.1.10"
        mongodb2.example.com:
          ansible_host: "192.168.1.11"
# Run the playbook against the example inventory.
# If vault.yml is encrypted with ansible-vault, also supply the vault
# password, e.g. with --ask-vault-pass.
ansible-playbook --inventory inventory.yml mongodb-install.yml

# Same run with one level of verbose output
ansible-playbook --inventory inventory.yml mongodb-install.yml --verbose

# Check mode: report what would change without applying it
ansible-playbook --inventory inventory.yml mongodb-install.yml --check