diff --git a/defaults/main.yml b/defaults/main.yml
index fa84e219456a63d9c3143ca19b726e5bb7bbd4a0..20d087f058b8f2cc667c916edf717a7a523af935 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,23 @@
 mongodb:
   version: "4.2"
+  api_user: "{{ omit }}"
+  api_password: "{{ omit }}"
+  config:
+    storage:
+      dbPath: /var/lib/mongodb
+      journal:
+        enabled: true
+    systemLog:
+      destination: file
+      logAppend: true
+      path: /var/log/mongodb/mongod.log
+    net:
+      port: 27017
+      bindIp: 127.0.0.1
+    processManagement:
+      timeZoneInfo: /usr/share/zoneinfo
+    replication:
+      replSetName: rs01
   backup:
     enable: true
     keep_days: 2
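Review bot: The new `config` default carries no `security` stanza, so the rendered mongod.conf has no `authorization: enabled`, and with `api_user`/`api_password` defaulting to `{{ omit }}` the replica set and user tasks connect unauthenticated; the users this role creates only gate access once a consumer turns authorization on. If that is the intended bootstrap state, record it above `api_user`, e.g. `# unauthenticated bootstrap: set api_user/api_password and config.security.authorization: enabled once the admin user exists`, because nothing else in the role says so. Separately, `tasks/main.yml` loops over `mongodb.replicaset` and `mongodb.user`, neither of which appears in this hunk; if they are not defined further down in the file, `dict2items` on an undefined variable fails the play, and adding `replicaset: {}` and `user: {}` here keeps both loops empty by default.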
diff --git a/tasks/main.yml b/tasks/main.yml
index 894677588f56fe2c76f0a8c8ec7ab85c7ad98170..865ce3c078ddb12d113208982bba2da7a1b3e7ac 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,3 +1,8 @@
+- name: install pymongo from pip because the debian version is too old
+  pip:
+    executable: pip3
+    name: pymongo
+
 - name: copy mongodb config
   notify:
   - restart mongodb
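Review bot: The pip task at the top of the hunk installs `pymongo` unpinned, so each run pulls whatever the index currently serves and a later release can change how the community.mongodb modules behave; pin it with `version: "<tested pymongo version>"` (placeholder, fill in the version the collection was tested with) or at least note the tested version in a comment. The task name explains why pip is used instead of the distro package, which is good; consider also `state: present` explicitly so the intent is not left to the module default.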
@@ -16,6 +21,36 @@
     daemon_reload: yes
     enabled: yes
 
+- name: flush handlers
+  meta: flush_handlers
+
+- name: create replica sets
+  retries: 3
+  delay: 5
+  loop: "{{ mongodb.replicaset|dict2items }}"
+  community.mongodb.mongodb_replicaset:
+    login_host: "{{ mongodb.config.net.bindIp }}"
+    login_port: "{{ mongodb.config.net.port }}"
+    login_user: "{{ mongodb.api_user }}"
+    login_password: "{{ mongodb.api_password }}"
+    replica_set: "{{ item.key|d(mongodb.config.replication.replSetName) }}"
+    members: "{{ item.value.members }}"
+    validate: no
+
+- name: create mongodb user
+  no_log: true
+  loop: "{{ mongodb.user|dict2items }}"
+  community.mongodb.mongodb_user:
+    login_host: "{{ mongodb.config.net.bindIp }}"
+    login_port: "{{ mongodb.config.net.port }}"
+    login_user: "{{ mongodb.api_user }}"
+    login_password: "{{ mongodb.api_password }}"
+    name: "{{ item.key }}"
+    password: "{{ item.value.password }}"
+    roles: "{{ item.value.roles }}"
+    database: "{{ item.value.database|d('admin') }}"
+    replica_set: "{{ item.value.replica_set|d(mongodb.config.replication.replSetName) }}"
+
 - include_tasks: backup.yml
   when:
   - mongodb.backup.enable
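Review bot: The `create replica sets` task sets `retries: 3` and `delay: 5` but no `until:`; depending on the Ansible version, `retries` without `until` is forced to 1, so the retry that is presumably meant to absorb the restart triggered by `flush_handlers` may never happen — add `register: replset_result` and `until: replset_result is succeeded`. Both loops use `mongodb.replicaset|dict2items` and `mongodb.user|dict2items`, and if a consumer leaves either key undefined the loop fails on an undefined variable rather than skipping; `loop: "{{ mongodb.replicaset|d({})|dict2items }}"` (and the same for `user`) makes the tasks a no-op in that case. `validate: no` also bypasses the module's replica set sanity check and uses the `yes/no` truthy form while the new tasks otherwise use `true`; unless there is a reason to skip validation, drop the line or write `validate: false`. Finally, `login_host` is taken from `net.bindIp`, which mongod accepts as a comma-separated list, so a consumer binding more than one address ends up with an invalid login host; a separate `mongodb.api_host` variable defaulting to the bind address would avoid that coupling.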
diff --git a/templates/mongod.conf.j2 b/templates/mongod.conf.j2
index 64038b060deff4a3ef01d89dc37e591f24f08517..694832debc45074113a59e48e49d6e17510d3153 100644
--- a/templates/mongod.conf.j2
+++ b/templates/mongod.conf.j2
@@ -2,43 +2,7 @@
 
 # for documentation of all options, see:
 #   http://docs.mongodb.org/manual/reference/configuration-options/
-
-# Where and how to store data.
-storage:
-  dbPath: /var/lib/mongodb
-  journal:
-    enabled: true
-#  engine:
-#  mmapv1:
-#  wiredTiger:
-
-# where to write logging data.
-systemLog:
-  destination: file
-  logAppend: true
-  path: /var/log/mongodb/mongod.log
-
-# network interfaces
-net:
-  port: 27017
-  bindIp: 127.0.0.1
-
-
-# how the process runs
-processManagement:
-  timeZoneInfo: /usr/share/zoneinfo
-
-#security:
-
-#operationProfiling:
-
-replication:
-  replSetName: rs01
-
-#sharding:
-
-## Enterprise-Only Options:
-
-#auditLog:
-
-#snmp:
+#
+# {{ ansible_managed }}
+#
+{{ mongodb.config|to_nice_yaml }}
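Review bot: `{{ mongodb.config|to_nice_yaml }}` on the last line dumps with PyYAML's default line width, so a long scalar in the config (a multi-address `net.bindIp`, a long `systemLog.path`) gets folded onto continuation lines in the rendered mongod.conf; that is still valid YAML, but it is hard to read and diff on the host and is the kind of output that has tripped non-conforming parsers, so pass an explicit width and the upstream indent, e.g. `{{ mongodb.config|to_nice_yaml(indent=2, width=1337) }}`. The hunk also drops the commented `#security:`, `#operationProfiling:` and `#sharding:` placeholders that documented the remaining sections; a one-line comment above the dump, e.g. `# rendered from the mongodb.config dict (defaults/main.yml); add security/sharding keys there, not here`, keeps that pointer for the next maintainer.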
diff --git a/vars/main.yml b/vars/main.yml
index 96de9b331e7e16491e7f23d828ec49d41fcdb04b..b5d38df9d1135d869786fe14161d301537826345 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,5 +1,6 @@
 packages:
   pkg:
+    "python3-pip": {}
     "mongodb-org": {}
   repos:
     mongodb: