diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml
index 95a2546..6a92fce 100644
--- a/roles/elasticsearch/defaults/main.yml
+++ b/roles/elasticsearch/defaults/main.yml
@@ -1,8 +1,14 @@
 ---
+# Name of the Elasticsearch cluster
 es_cluster_name: elasticsearch
+# Name of this ES node
 es_node_name: "{{ inventory_hostname }}"
+# Port on which ES will bind
 es_port: 9200
+# List of IP/CIDR which will have access to es_port (if iptables_manage == True)
 es_src_ip: []
+# Path where ES will store its data
 es_data_dir: /opt/elasticsearch/data
+# Path where ES will store snapshots for backups (created by pre-backup, removed by post-backup)
 es_backup_dir: /opt/elasticsearch/dumps
diff --git a/roles/elasticsearch/meta/main.yml b/roles/elasticsearch/meta/main.yml
index c0f2548..b65d6f1 100644
--- a/roles/elasticsearch/meta/main.yml
+++ b/roles/elasticsearch/meta/main.yml
@@ -2,3 +2,4 @@ dependencies:
 - role: repo_elasticsearch
+ - role: mkdir
diff --git a/roles/elasticsearch/tasks/backup.yml b/roles/elasticsearch/tasks/backup.yml
new file mode 100644
index 0000000..9f4774a
--- /dev/null
+++ b/roles/elasticsearch/tasks/backup.yml
@@ -0,0 +1,18 @@
+---
+
+- name: Declare repo in ElasticSearch
+ uri:
+ url: http://localhost:{{ es_port }}/_snapshot/lbkp
+ method: PUT
+ body:
+ type: fs
+ settings:
+ compress: True
+ location: "{{ es_backup_dir }}"
+ body_format: json
+ register: es_lbkp
+ until: es_lbkp.failed == False
+ retries: 10
+ delay: 10
+ tags: es
+
diff --git a/roles/elasticsearch/tasks/conf.yml b/roles/elasticsearch/tasks/conf.yml
new file mode 100644
index 0000000..e432032
--- /dev/null
+++ b/roles/elasticsearch/tasks/conf.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Deploy configuration
+ template: src={{ item }}.j2 dest=/etc/elasticsearch/{{ item }} group=elasticsearch mode=660
+ loop:
+ - elasticsearch.yml
+ - log4j2.properties
+ notify: restart elasticsearch
+ tags: es
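Review bot: The `PUT /_snapshot/lbkp` request in "Declare repo in ElasticSearch" (backup.yml) is sent without credentials, which matches the `elasticsearch-oss` package this role installs (no built-in authentication), so any client that can reach `es_port` can register or alter snapshot repositories the same way. The only access control visible in this commit is the `iptables_raw` rule in iptables.yml, and that is skipped when `iptables_manage` is false; whether the node listens beyond loopback depends on the `elasticsearch.yml.j2` template, which is not shown. A comment above the task should state the assumption, e.g. `# Unauthenticated API: access is restricted only by es_src_ip / network.host`. Separately, `until: es_lbkp.failed == False` reads more clearly as `until: es_lbkp is succeeded`.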
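Review bot: `group=elasticsearch mode=660` in "Deploy configuration" (conf.yml) leaves `elasticsearch.yml` and `log4j2.properties` writable by the elasticsearch group, which the daemon presumably runs under, so a compromised Elasticsearch process could rewrite its own configuration and have the change picked up at the next restart. Unless something needs the service to write these files, read-only group access is enough: `template: src={{ item }}.j2 dest=/etc/elasticsearch/{{ item }} owner=root group=elasticsearch mode=640`. The task is moved unchanged from main.yml, so the permission predates this commit.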
diff --git a/roles/elasticsearch/tasks/directories.yml b/roles/elasticsearch/tasks/directories.yml
new file mode 100644
index 0000000..55449df
--- /dev/null
+++ b/roles/elasticsearch/tasks/directories.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Ensure the data dir exists
+ file: path={{ es_data_dir }} state=directory
+ tags: es
+
+ # We do it in two steps, so that parent dirs aren't created with restrictive permissions
+- name: Restrict permissions on data dir
+ file: path={{ es_data_dir }} state=directory owner=elasticsearch group=elasticsearch mode=750
+ tags: es
+
+- name: Create backup dir
+ file: path={{ es_backup_dir }} state=directory owner=elasticsearch group=elasticsearch mode=700
+ tags: es
diff --git a/roles/elasticsearch/tasks/install.yml b/roles/elasticsearch/tasks/install.yml
new file mode 100644
index 0000000..ff7df13
--- /dev/null
+++ b/roles/elasticsearch/tasks/install.yml
@@ -0,0 +1,42 @@
+---
+
+- name: Install needed packages
+ yum:
+ name:
+ - elasticsearch-oss
+ - java-1.8.0-openjdk-headless
+ tags: es
+
+- name: Deploy pre and post backup script
+ template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/es mode=750
+ loop:
+ - pre
+ - post
+ tags: es
+
+- name: Create systemd unit snippet dir
+ file: path=/etc/systemd/system/elasticsearch.service.d state=directory
+ tags: es
+
+- name: Customize systemd unit
+ copy:
+ content: |
+ [Service]
+ ProtectSystem=full
+ PrivateDevices=yes
+ ProtectHome=yes
+ NoNewPrivileges=yes
+ SyslogIdentifier=elasticsearch
+ Restart=on-failure
+ ExecStart=
+ ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid
+ dest: /etc/systemd/system/elasticsearch.service.d/ansible.conf
+ register: es_unit
+ notify: restart elasticsearch
+ tags: es
+
+- name: Reload systemd
+ systemd: daemon_reload=True
+ when: es_unit.changed
+ tags: es
+
diff --git a/roles/elasticsearch/tasks/iptables.yml b/roles/elasticsearch/tasks/iptables.yml
new file mode 100644
index 0000000..d98afad
--- /dev/null
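Review bot: "Create backup dir" (directories.yml) sets `owner`, `group` and `mode=700` in a single `file` call, while the data dir just above it is deliberately created in two steps so that missing parent directories do not inherit the restrictive settings. With the defaults both paths share `/opt/elasticsearch`, which the first task creates, but if `es_backup_dir` is overridden to a path whose parents do not exist, those parents would be created owned by `elasticsearch` with mode 700. A plain `file: path={{ es_backup_dir }} state=directory` task placed before it would keep the two directories consistent. The `# We do it in two steps…` comment is also indented as if it belonged to the preceding task; it should sit at column 0 above "Restrict permissions on data dir".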
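Review bot: "Deploy pre and post backup script" (install.yml) writes to `/etc/backup/{{ item }}.d/es`, but the task that created `/etc/backup/pre.d` and `/etc/backup/post.d` is removed from main.yml in this commit and is not carried over into any of the new task files. Presumably the new `mkdir` role dependency in meta/main.yml now creates those directories; if so, a comment above the task should say it, e.g. `# /etc/backup/{pre,post}.d are created by the mkdir role (see meta/main.yml)`. The scripts are installed with `mode=750` and no explicit `owner`/`group`; since they are presumably executed by the backup job with elevated privileges, adding `owner=root group=root` makes the intended ownership explicit.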
+++ b/roles/elasticsearch/tasks/iptables.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Handle Elasticsearch port
+ iptables_raw:
+ name: "{{ item.name }}"
+ state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
+ rules: "-A INPUT -m state --state NEW -p tcp --dport {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
+ loop:
+ - port: "{{ es_port }}"
+ name: es_port
+ src_ip: "{{ es_src_ip }}"
+ tags: firewall,es
+
diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml
index 1d42527..5959d45 100644
--- a/roles/elasticsearch/tasks/main.yml
+++ b/roles/elasticsearch/tasks/main.yml
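Review bot: When `es_src_ip` is empty the rule's `state` becomes `absent`, so access to `es_port` is then decided entirely by rules outside this role; that only means "closed" if the INPUT chain ends in a drop or reject rule managed elsewhere, which is not visible here. The `when: iptables_manage | default(True)` guard has also moved out of this file to the `include` line in main.yml, so using this task file on its own no longer honours it. A header comment would document both, e.g. `# Included only when iptables_manage is true; assumes a default-deny INPUT policy`. Entries of `es_src_ip` are joined straight into the raw rule string, so they should remain inventory-controlled values.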
@@ -1,101 +1,10 @@
 ---
-- name: Install needed packages
- yum:
- name:
- - elasticsearch-oss
- - java-1.8.0-openjdk-headless
- tags: es
-
-- name: Deploy configuration
- template: src={{ item }}.j2 dest=/etc/elasticsearch/{{ item }} group=elasticsearch mode=660
- loop:
- - elasticsearch.yml
- - log4j2.properties
- notify: restart elasticsearch
- tags: es
-
-- name: Ensure the data dir exists
- file: path={{ es_data_dir }} state=directory
- tags: es
-
- # We do it in two steps, so that parent dirs aren't created with restrictive permissions
-- name: Restrict permissions on data dir
- file: path={{ es_data_dir }} state=directory owner=elasticsearch group=elasticsearch mode=750
- tags: es
-
-- name: Handle Elasticsearch port
- iptables_raw:
- name: "{{ item.name }}"
- state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
- rules: "-A INPUT -m state --state NEW -p tcp --dport {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
+- include: install.yml
+- include: directories.yml
+- include: conf.yml
+- include: iptables.yml
 when: iptables_manage | default(True)
- loop:
- - port: "{{ es_port }}"
- name: es_port
- src_ip: "{{ es_src_ip }}"
- tags: firewall,es
-
-- name: Create pre/post backup dir
- file: path=/etc/backup/{{ item }}.d state=directory
- loop:
- - pre
- - post
- tags: es
-
-- name: Deploy pre and post backup script
- template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/es mode=750
- loop:
- - pre
- - post
- tags: es
-
-- name: Create backup dir
- file: path={{ es_backup_dir }} state=directory owner=elasticsearch group=elasticsearch mode=700
- tags: es
-
-- name: Create systemd unit snippet dir
- file: path=/etc/systemd/system/elasticsearch.service.d state=directory
- tags: es
-
-- name: Customize systemd unit
- copy:
- content: |
- [Service]
- ProtectSystem=full
- PrivateDevices=yes
- ProtectHome=yes
- NoNewPrivileges=yes
- SyslogIdentifier=elasticsearch
- Restart=on-failure
- ExecStart=
- ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid
- dest: /etc/systemd/system/elasticsearch.service.d/ansible.conf
- register: es_unit
- notify: restart elasticsearch
- tags: es
-
-- name: Reload systemd
- systemd: daemon_reload=True
- when: es_unit.changed
- tags: es
-
-- name: Start and enable the service
- service: name=elasticsearch state=started enabled=True
- tags: es
+- include: services.yml
+- include: backup.yml
-- name: Declare repo in ElasticSearch
- uri:
- url: http://localhost:{{ es_port }}/_snapshot/lbkp
- method: PUT
- body:
- type: fs
- settings:
- compress: True
- location: "{{ es_backup_dir }}"
- body_format: json
- register: es_lbkp
- until: es_lbkp.failed == False
- retries: 10
- delay: 10
- tags: es
diff --git a/roles/elasticsearch/tasks/services.yml b/roles/elasticsearch/tasks/services.yml
new file mode 100644
index 0000000..bc2842c
--- /dev/null
+++ b/roles/elasticsearch/tasks/services.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+ service: name=elasticsearch state=started enabled=True
+ tags: es
+
diff --git a/roles/metabase/defaults/main.yml b/roles/metabase/defaults/main.yml
index f739a80..3f50687 100644
--- a/roles/metabase/defaults/main.yml
+++ b/roles/metabase/defaults/main.yml
@@ -52,3 +52,5 @@ metabase_lang: fr
 # Will most likely need to be adjusted, because you'll put it behind a reverse proxy don't you ?
 metabase_public_url: http://{{ inventory_hostname }}:{{ metabase_port }}/
+# Enable or disable big queries cache in metabase DB
+metabase_enable_cache: True
diff --git a/roles/metabase/templates/env.j2 b/roles/metabase/templates/env.j2
index e0db31f..8c3b97a 100644
--- a/roles/metabase/templates/env.j2
+++ b/roles/metabase/templates/env.j2
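Review bot: The new task list in roles/elasticsearch/tasks/main.yml uses bare `include:`, which is deprecated in favour of `import_tasks` / `include_tasks`. `import_tasks` is the closer replacement here because it is static: the `es` and `firewall` tags on the tasks inside each file stay selectable with `--tags`, and the `when: iptables_manage | default(True)` condition is applied to every task in iptables.yml. For the guarded entry that would be `- import_tasks: iptables.yml` followed by the existing `when:` line. A short comment noting that backup.yml must stay after services.yml, since it calls the running node's API, would also help.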
@@ -23,4 +23,4 @@ MB_SITE_URL={{ metabase_public_url }}
 MB_CHECK_FOR_UPDATES=false
 MB_ENABLE_EMBEDDING=true
 MB_ENABLE_PUBLIC_SHARING=true
-MB_ENABLE_QUERY_CACHING=false
+MB_ENABLE_QUERY_CACHING={{ metabase_enable_cache | ternary('true', 'false') }}
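Review bot: `ternary` on `metabase_enable_cache` tests plain truthiness, so a value that arrives as a string, for instance `-e metabase_enable_cache=false` on the command line or a quoted `"false"` in inventory, is non-empty and renders `MB_ENABLE_QUERY_CACHING=true`. Casting first avoids that: `MB_ENABLE_QUERY_CACHING={{ metabase_enable_cache | bool | ternary('true', 'false') }}`.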