Update to 2021-12-01 19:13

roles/elasticsearch/tasks/backup.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Declare repo in ElasticSearch
+  uri:
+    url: http://localhost:{{ es_port }}/_snapshot/lbkp
+    method: PUT
+    body:
+      type: fs
+      settings:
+        compress: True
+        location: "{{ es_backup_dir }}"
+    body_format: json
+  register: es_lbkp
+  until: es_lbkp.failed == False
+  retries: 10
+  delay: 10
+  tags: es
+

roles/elasticsearch/tasks/conf.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Deploy configuration
+  template: src={{ item }}.j2 dest=/etc/elasticsearch/{{ item }} group=elasticsearch mode=660
+  loop:
+    - elasticsearch.yml
+    - log4j2.properties
+  notify: restart elasticsearch
+  tags: es

roles/elasticsearch/tasks/directories.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Ensure the data dir exists
+  file: path={{ es_data_dir }} state=directory
+  tags: es
+
+  # We do it in two steps, so that parent dirs aren't created with restrictive permissions
+- name: Restrict permissions on data dir
+  file: path={{ es_data_dir }} state=directory owner=elasticsearch group=elasticsearch mode=750
+  tags: es
+
+- name: Create backup dir
+  file: path={{ es_backup_dir }} state=directory owner=elasticsearch group=elasticsearch mode=700
+  tags: es

roles/elasticsearch/tasks/install.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Install needed packages
+  yum:
+    name:
+      - elasticsearch-oss
+      - java-1.8.0-openjdk-headless
+  tags: es
+
+- name: Deploy pre and post backup script
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/es mode=750
+  loop:
+    - pre
+    - post
+  tags: es
+
+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/elasticsearch.service.d state=directory
+  tags: es
+
+- name: Customize systemd unit
+  copy:
+    content: |
+      [Service]
+      ProtectSystem=full
+      PrivateDevices=yes
+      ProtectHome=yes
+      NoNewPrivileges=yes
+      SyslogIdentifier=elasticsearch
+      Restart=on-failure
+      ExecStart=
+      ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid
+    dest: /etc/systemd/system/elasticsearch.service.d/ansible.conf
+  register: es_unit
+  notify: restart elasticsearch
+  tags: es
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: es_unit.changed
+  tags: es
+

roles/elasticsearch/tasks/iptables.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Handle Elasticsearch port
+  iptables_raw:
+    name: "{{ item.name }}"
+    state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
+  loop:
+    - port: "{{ es_port }}"
+      name: es_port
+      src_ip: "{{ es_src_ip }}"
+  tags: firewall,es
+

roles/elasticsearch/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+
+- include: install.yml
+- include: directories.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml
+- include: backup.yml
+

roles/elasticsearch/tasks/services.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+  service: name=elasticsearch state=started enabled=True
+  tags: es
+