---
# Tasks that install and configure a MongoDB server: packages, data directory,
# SELinux labelling, backup hooks, mongod.conf, a systemd hardening drop-in,
# the firewall rule and the service itself.

# Drop the mongodb / mongodb-server packages before the mongodb-org ones are
# installed by the next task.
- name: Remove versions from the base repo
  yum:
    name:
      - mongodb
      - mongodb-server
    state: absent
  tags: [mongo]

# No state is given, so the yum module default applies.
# NOTE(review): the repository that provides the mongodb-org-* packages is not
# configured in these tasks; presumably it is set up elsewhere. Confirm that
# package signature checking is enabled for it.
- name: Install MongoDB server and tools
  yum:
    name:
      - mongodb-org-server
      - mongodb-org
      - python-pymongo
  tags: [mongo]

# Deliberately done in two steps: this task creates the directory without a
# mode so that parent directories do not end up with the restrictive
# permissions applied by the next task.
- name: Create data dir
  file:
    path: "{{ mongo_db_path }}"
    state: directory
  tags: [mongo]

# The data directory itself is restricted to the mongod account (rwx------).
- name: Set permissions on data dir
  file:
    path: "{{ mongo_db_path }}"
    state: directory
    owner: mongod
    group: mongod
    mode: "0700"
  tags: [mongo]

# Registers a file-context rule for the data directory when SELinux is enabled.
# NOTE(review): the sefcontext target is a regular expression and this one
# names only the directory itself; confirm that files created below it get
# mongod_var_lib_t (a "(/.*)?" suffix is the usual way to cover children).
- name: Set correct SELinux label
  sefcontext:
    target: "{{ mongo_db_path }}"
    setype: mongod_var_lib_t
    state: present
  when: ansible_selinux.status == 'enabled'
  tags: [mongo]

# Applies the configured contexts recursively. The task is never reported as
# changed. The free-form command line is split on whitespace by the module, so
# mongo_db_path is assumed to contain none.
- name: Restore SELinux contexts
  command: restorecon -R {{ mongo_db_path }}
  when: ansible_selinux.status == 'enabled'
  changed_when: false
  tags: [mongo]

# Creates /etc/backup/pre.d and /etc/backup/post.d.
# NOTE(review): no owner or mode is set on these directories. They hold hook
# scripts, so confirm that only trusted accounts can write to them.
- name: Create pre and post backup hook dir
  file:
    path: "/etc/backup/{{ item }}.d"
    state: directory
  loop:
    - pre
    - post
  tags: [mongo]

# Hook scripts are not accessible to "other" users (rwxr-x---). Owner and
# group are left to the module defaults.
- name: Deploy pre/post backup scripts
  template:
    src: "{{ item }}-backup.j2"
    dest: "/etc/backup/{{ item }}.d/mongo"
    mode: "0750"
  loop:
    - pre
    - post
  tags: [mongo]

# NOTE(review): owner, group and mode are not set for mongod.conf. If the
# template can render credentials or key material, restrict its mode here.
- name: Deploy configuration
  template:
    src: mongod.conf.j2
    dest: /etc/mongod.conf
  notify: restart mongod
  tags: [mongo]

- name: Create systemd unit snippet dir
  file:
    path: /etc/systemd/system/mongod.service.d
    state: directory
  tags: [mongo]

# Drop-in that sandboxes and supervises the service:
#   PrivateTmp / PrivateDevices  private /tmp and a minimal private /dev
#   ProtectSystem=full           /usr, /boot and /etc are mounted read-only
#   ProtectHome                  home directories are inaccessible
#   NoNewPrivileges              the process cannot gain privileges via execve
#   Restart / RestartSec         restart on failure, 30 seconds apart
#   StartLimitInterval=0         start rate limiting is disabled
# The result is registered so that systemd is reloaded only when it changes.
- name: Customize systemd unit
  copy:
    content: |
      [Service]
      Type=simple
      PrivateTmp=yes
      PrivateDevices=yes
      ProtectSystem=full
      ProtectHome=yes
      NoNewPrivileges=yes
      SyslogIdentifier=mongod
      Restart=on-failure
      StartLimitInterval=0
      RestartSec=30
    dest: /etc/systemd/system/mongod.service.d/ansible.conf
  register: mongo_unit
  notify: restart mongod
  tags: [mongo]

- name: Reload systemd
  systemd:
    daemon_reload: true
  when: mongo_unit.changed
  tags: [mongo]

# The ACCEPT rule exists only while mongo_src_ip lists at least one source.
# With an empty list the rule is removed, so these tasks open the port to
# nobody. The listed sources are joined with commas into a single -s argument.
- name: Handle mongodb port
  iptables_raw:
    name: mongo_ports
    state: "{{ (mongo_src_ip | length > 0) | ternary('present','absent') }}"
    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mongo_port }} -s {{ mongo_src_ip | join(',') }} -j ACCEPT\n"
  when: iptables_manage | default(True)
  tags:
    - firewall
    - mongo

- name: Start and enable MongoDB daemon
  service:
    name: mongod
    state: started
    enabled: true
  tags: [mongo]
...