Add role to deploy MongoDB as quadlet on lovelace

jchristgit · jchristgit · commit b1453df0e99f · 2025-11-16T20:58:19.000+01:00
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
@@ -62,11 +62,12 @@
   roles:
     - git-mirrors
 
-- name: Deploy our PostgreSQL database hosts
+- name: Deploy our database hosts
   hosts: databases
   roles:
     - postgres
     - prometheus-postgres-exporter
+    - mongodb
 
 - name: Deploy our LDAP server environment to the LDAP host
   hosts: ldap
diff --git a/ansible/roles/mongodb/README.md b/ansible/roles/mongodb/README.md
@@ -0,0 +1,5 @@
+# mongodb
+
+This role deploys MongoDB using podman quadlets.
+
+The container starts as root, but drops privileges after startup.
diff --git a/ansible/roles/mongodb/handlers/main.yml b/ansible/roles/mongodb/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Restart mongodb
+  ansible.builtin.service:
+    name: mongodb
+    state: restarted
+  tags:
+    - role::mongodb
diff --git a/ansible/roles/mongodb/meta/main.yml b/ansible/roles/mongodb/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - podman
diff --git a/ansible/roles/mongodb/tasks/main.yml b/ansible/roles/mongodb/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Template quadlet services
+  ansible.builtin.template:
+    src: mongodb.{{ item }}.j2
+    dest: /etc/containers/systemd/mongodb.{{ item }}
+    owner: root
+    group: root
+    mode: 0o444
+  register: mongodb_units
+  tags:
+    - role::mongodb
+  notify:
+    - Restart mongodb
+  loop:
+    - container
+    - image
+    - volume
+
+- name: Start and enable the quadlet
+  ansible.builtin.service:
+    name: mongodb.service
+    daemon_reload: "{{ mongodb_units is changed }}"
+    state: started
+    enabled: true
+  tags:
+    - role::mongodb
diff --git a/ansible/roles/mongodb/templates/mongodb.container.j2 b/ansible/roles/mongodb/templates/mongodb.container.j2
@@ -0,0 +1,36 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description = Mongo NoSQL (NonSensical Query Language) Server
+
+[Container]
+Image = mongodb.image
+Pull = missing
+Volume = mongodb.volume:/data/db
+NoNewPrivileges = true
+PublishPort = 27017:27017
+
+[Service]
+# Resource control
+CPUQuota = 20%
+MemoryMax = 900M
+TasksMax = 200
+
+# Sandboxing
+NoNewPrivileges = true
+PrivateDevices = true
+ProtectHome = true
+ProtectKernelLogs = true
+LockPersonality = true
+MemoryDenyWriteExecute = true
+ProtectKernelModules = true
+ProtectSystem = true
+PrivateMounts = true
+RestrictRealtime = true
+RestrictSUIDSGID = true
+UMask = 0077
+
+[Install]
+WantedBy = network-online.target
+
+# vim: ft=dosini.jinja2:
diff --git a/ansible/roles/mongodb/templates/mongodb.image.j2 b/ansible/roles/mongodb/templates/mongodb.image.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description = Mongo NoSQL (NonSensical Query Language) Server image
+After = network-online.target
+
+[Image]
+Image = docker.io/library/mongo:4.4
+
+# vim: ft=dosini.jinja2:
diff --git a/ansible/roles/mongodb/templates/mongodb.volume.j2 b/ansible/roles/mongodb/templates/mongodb.volume.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description = Mongo NoSQL (NonSensical Query Language) volume
+
+[Volume]
+
+# vim: ft=dosini.jinja2:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+dependencies:`
	`3`	`+ - podman`