Update to 2021-11-26 15:00

3 years ago · 82d18bf972
parent ce633b5ebb
commit 82d18bf972
11 changed files with 118 additions and 98 deletions
--- a/roles/elasticsearch/defaults/main.yml
+++ b/roles/elasticsearch/defaults/main.yml
@ -1,8 +1,14 @@
 ---
 # Name of the Elasticsearch cluster
 es_cluster_name: elasticsearch
 # Name of this ES node
 es_node_name: "{{ inventory_hostname }}"
 # Port on which ES will bind
 es_port: 9200
 # List of IP/CIDR which will have access to es_port (if iptables_manage == True)
 es_src_ip: []
 # Path where ES will store its data
 es_data_dir: /opt/elasticsearch/data
 # Path where ES will store snapshots for backups (created by pre-backup, removed by post-backup)
 es_backup_dir: /opt/elasticsearch/dumps
--- a/roles/elasticsearch/meta/main.yml
+++ b/roles/elasticsearch/meta/main.yml
@ -2,3 +2,4 @@
 dependencies:
  - role: repo_elasticsearch
  - role: mkdir
--- a/roles/elasticsearch/tasks/backup.yml
+++ b/roles/elasticsearch/tasks/backup.yml
@ -0,0 +1,18 @@
 ---
 - name: Declare repo in ElasticSearch
  uri:
    url: http://localhost:{{ es_port }}/_snapshot/lbkp
    method: PUT
    body:
      type: fs
      settings:
        compress: True
        location: "{{ es_backup_dir }}"
    body_format: json
  register: es_lbkp
  until: es_lbkp.failed == False
  retries: 10
  delay: 10
  tags: es
--- a/roles/elasticsearch/tasks/conf.yml
+++ b/roles/elasticsearch/tasks/conf.yml
@ -0,0 +1,9 @@
 ---
 - name: Deploy configuration
  template: src={{ item }}.j2 dest=/etc/elasticsearch/{{ item }} group=elasticsearch mode=660
  loop:
    - elasticsearch.yml
    - log4j2.properties
  notify: restart elasticsearch
  tags: es
--- a/roles/elasticsearch/tasks/directories.yml
+++ b/roles/elasticsearch/tasks/directories.yml
@ -0,0 +1,14 @@
 ---
 - name: Ensure the data dir exists
  file: path={{ es_data_dir }} state=directory
  tags: es
  # We do it in two steps, so that parent dirs aren't created with restrictive permissions
 - name: Restrict permissions on data dir
  file: path={{ es_data_dir }} state=directory owner=elasticsearch group=elasticsearch mode=750
  tags: es
 - name: Create backup dir
  file: path={{ es_backup_dir }} state=directory owner=elasticsearch group=elasticsearch mode=700
  tags: es
--- a/roles/elasticsearch/tasks/install.yml
+++ b/roles/elasticsearch/tasks/install.yml
@ -0,0 +1,42 @@
 ---
 - name: Install needed packages
  yum:
    name:
      - elasticsearch-oss
      - java-1.8.0-openjdk-headless
  tags: es
 - name: Deploy pre and post backup script
  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/es mode=750
  loop:
    - pre
    - post
  tags: es
 - name: Create systemd unit snippet dir
  file: path=/etc/systemd/system/elasticsearch.service.d state=directory
  tags: es
 - name: Customize systemd unit
  copy:
    content: |
      [Service]
      ProtectSystem=full
      PrivateDevices=yes
      ProtectHome=yes
      NoNewPrivileges=yes
      SyslogIdentifier=elasticsearch
      Restart=on-failure
      ExecStart=
      ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid
    dest: /etc/systemd/system/elasticsearch.service.d/ansible.conf
  register: es_unit
  notify: restart elasticsearch
  tags: es
 - name: Reload systemd
  systemd: daemon_reload=True
  when: es_unit.changed
  tags: es
--- a/roles/elasticsearch/tasks/iptables.yml
+++ b/roles/elasticsearch/tasks/iptables.yml
@ -0,0 +1,13 @@
 ---
 - name: Handle Elasticsearch port
  iptables_raw:
    name: "{{ item.name }}"
    state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
  loop:
    - port: "{{ es_port }}"
      name: es_port
      src_ip: "{{ es_src_ip }}"
  tags: firewall,es
--- a/roles/elasticsearch/tasks/main.yml
+++ b/roles/elasticsearch/tasks/main.yml
@ -1,101 +1,10 @@
 ---
- name: Install needed packages
+- include: install.yml
-  yum:
+- include: directories.yml
-    name:
+- include: conf.yml
-      - elasticsearch-oss
+- include: iptables.yml
      - java-1.8.0-openjdk-headless
  tags: es
 - name: Deploy configuration
  template: src={{ item }}.j2 dest=/etc/elasticsearch/{{ item }} group=elasticsearch mode=660
  loop:
    - elasticsearch.yml
    - log4j2.properties
  notify: restart elasticsearch
  tags: es
 - name: Ensure the data dir exists
  file: path={{ es_data_dir }} state=directory
  tags: es
  # We do it in two steps, so that parent dirs aren't created with restrictive permissions
 - name: Restrict permissions on data dir
  file: path={{ es_data_dir }} state=directory owner=elasticsearch group=elasticsearch mode=750
  tags: es
 - name: Handle Elasticsearch port
  iptables_raw:
    name: "{{ item.name }}"
    state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
  when: iptables_manage | default(True)
-  loop:
+- include: services.yml
-    - port: "{{ es_port }}"
+- include: backup.yml
      name: es_port
      src_ip: "{{ es_src_ip }}"
  tags: firewall,es
 - name: Create pre/post backup dir
  file: path=/etc/backup/{{ item }}.d state=directory
  loop:
    - pre
    - post
  tags: es
 - name: Deploy pre and post backup script
  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/es mode=750
  loop:
    - pre
    - post
  tags: es
 - name: Create backup dir
  file: path={{ es_backup_dir }} state=directory owner=elasticsearch group=elasticsearch mode=700
  tags: es
 - name: Create systemd unit snippet dir
  file: path=/etc/systemd/system/elasticsearch.service.d state=directory
  tags: es
 - name: Customize systemd unit
  copy:
    content: |
      [Service]
      ProtectSystem=full
      PrivateDevices=yes
      ProtectHome=yes
      NoNewPrivileges=yes
      SyslogIdentifier=elasticsearch
      Restart=on-failure
      ExecStart=
      ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid
    dest: /etc/systemd/system/elasticsearch.service.d/ansible.conf
  register: es_unit
  notify: restart elasticsearch
  tags: es
 - name: Reload systemd
  systemd: daemon_reload=True
  when: es_unit.changed
  tags: es
 - name: Start and enable the service
  service: name=elasticsearch state=started enabled=True
  tags: es
 - name: Declare repo in ElasticSearch
  uri:
    url: http://localhost:{{ es_port }}/_snapshot/lbkp
    method: PUT
    body:
      type: fs
      settings:
        compress: True
        location: "{{ es_backup_dir }}"
    body_format: json
  register: es_lbkp
  until: es_lbkp.failed == False
  retries: 10
  delay: 10
  tags: es
--- a/roles/elasticsearch/tasks/services.yml
+++ b/roles/elasticsearch/tasks/services.yml
@ -0,0 +1,6 @@
 ---
 - name: Start and enable the service
  service: name=elasticsearch state=started enabled=True
  tags: es
--- a/roles/metabase/defaults/main.yml
+++ b/roles/metabase/defaults/main.yml
@ -52,3 +52,5 @@ metabase_lang: fr
 # Will most likely need to be adjusted, because you'll put it behind a reverse proxy don't you ?
 metabase_public_url: http://{{ inventory_hostname }}:{{ metabase_port }}/
 # Enable or disable big queries cache in metabase DB
 metabase_enable_cache: True
--- a/roles/metabase/templates/env.j2
+++ b/roles/metabase/templates/env.j2
@ -23,4 +23,4 @@ MB_SITE_URL={{ metabase_public_url }}
 MB_CHECK_FOR_UPDATES=false
 MB_ENABLE_EMBEDDING=true
 MB_ENABLE_PUBLIC_SHARING=true
-MB_ENABLE_QUERY_CACHING=false
+MB_ENABLE_QUERY_CACHING={{ metabase_enable_cache | ternary('true', 'false') }}