diff --git a/README.md b/README.md
index 3bcc931..7c8867c 100644
--- a/README.md
+++ b/README.md
@@ -176,7 +176,7 @@ Use your personal Gitlab deployment- and Hetzner Cloud tokens.
 "gitlab_deploy_token_password": "",
 "aws_access_key_id": "",
 "aws_secret_access_key": "",
- "hcloud_token_testing": "",
+ "kibana_elasticsearch_password_production": "",
 "hcloud_token_production": "",
 "vault_db_password_production": ""
 }
@@ -260,27 +260,8 @@ You can manually write the created master key to `/mnt/data/vault-root-token`.
 If this file exists and contains a valid master key, it Vault will be unsealed automatically.
 #### Configuring Elasticsearch
-This is going to feel a bit hacky, but we need to provision the default set of built-in Elasticsearch users and the easiest way is to use x-pack.
-Since we use a non-standard path for the Elasticsearch "home", we need to copy some files to be able to use the `elasticsarch-setup-passwords` command.
-```sh
-$ export ES_HOME=/mnt/data/elasticsearch/ # currently missing x-pack commands
-$ find / -type d -name "jre"
-[..]
-/nix/store/g67sykn6hfjmgxhvr6cqv5c7v19d6490-openjdk-headless-8u272-b10-jre/lib/openjdk/jre
-$ export JAVA_HOME=/nix/store/g67sykn6hfjmgxhvr6cqv5c7v19d6490-openjdk-headless-8u272-b10-jre/lib/openjdk/jre
-$ find / -type f -name "elasticsearch-setup-passwords"
-[..]
-/nix/store/j5s9sb7r2hbkq16afm87rjssic3czrqx-elasticsearch-7.5.1/bin/elasticsearch-setup-passwords
-$ cp /nix/store/j5s9sb7r2hbkq16afm87rjssic3czrqx-elasticsearch-7.5.1/bin/x-pack-* /mnt/data/elasticsearch/bin/
-$ cp /nix/store/j5s9sb7r2hbkq16afm87rjssic3czrqx-elasticsearch-7.5.1/bin/elasticsearch-setup-passwords /mnt/data/elasticsearch/bin/
-$ /mnt/data/elasticsearch/bin/elasticsearch-setup-passwords interactive
-```
-Maybe there are better ways to do this using nix-shell.
-If you prefer the passwords to be generated for you, use the argument `auto` instead of `interactive`.
-
-##### Credentials for Kibana
-If you would like to use Kibana (recommended), add the password you set for the `kibana` user to `/mnt/data/kibana-elasticsearch-password` (mode 600) and rebuild NixOS with `systemctl start nixos-rebuild`.
-Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/).
(sign in with the `elastic` user)
+Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/).
+Sign in with the user 'elastic' and password 'changeme' and go change the password in 'Management' -> 'Security' -> 'Users'.
 #### Configuring Guidelines
 ```
diff --git a/infrastructure/modules/compute/cloudinit.tpl b/infrastructure/modules/compute/cloudinit.tpl
index 31ec160..f273bd0 100644
--- a/infrastructure/modules/compute/cloudinit.tpl
+++ b/infrastructure/modules/compute/cloudinit.tpl
@@ -88,7 +88,7 @@ write_files:
 owner: root:root
 permissions: '0644'
 - path: /mnt/data/kibana-elasticsearch-password
- content: ""
+ content: ${kibana_elasticsearch_password}
 owner: root:root
 permissions: '0600'
 runcmd:
diff --git a/infrastructure/modules/compute/nix/elasticsearch.nix b/infrastructure/modules/compute/nix/elasticsearch.nix
index d31a6d8..02b2617 100644
--- a/infrastructure/modules/compute/nix/elasticsearch.nix
+++ b/infrastructure/modules/compute/nix/elasticsearch.nix
@@ -1,6 +1,8 @@
 { pkgs, ... }:
+{ pkgs, lib, ... }:
 { nixpkgs.config.allowUnfree = true;
+ services.elasticsearch.enable = true;
 services.elasticsearch.package = pkgs.elasticsearch7;
 services.elasticsearch.dataDir = "/mnt/data/elasticsearch";
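Review bot: The added `content: ${kibana_elasticsearch_password}` line drops the secret into YAML as an unquoted scalar, so a password containing `#`, `: `, a leading `*`, `&`, `[` or `{`, or other YAML-significant characters is mis-parsed or breaks cloud-init's user-data, and `/mnt/data/kibana-elasticsearch-password` then silently holds something other than what is in secrets.json. The robust fix mirrors what servers.tf already does for `domain_alternative_names`: pass the value base64-encoded and let cloud-init decode it, i.e. `content: ${kibana_elasticsearch_password}` followed by `encoding: b64` in this item, with `base64encode(...)` applied on the Terraform side. Separately, this puts the password into the instance user-data, which on most clouds is readable from the metadata endpoint by any local process and is cached under /var/lib/cloud, so the 0600 on the written file is not the only copy — presumably acceptable here, but it deserves a comment such as `# secret is also present in cloud-init user-data; treat the instance metadata as sensitive`.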
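Review bot: As the hunk reads (old count 6, new count 8, no removed line), the original `{ pkgs, ... }:` header is kept as context and `{ pkgs, lib, ... }:` is added directly below it, which turns the module into a function that returns another function; the NixOS module system applies the module arguments only once, so evaluation should fail at the next `nixos-rebuild`. If that is what the file now contains, the first line should be replaced rather than duplicated: keep only `{ pkgs, lib, ... }:`. The added `services.elasticsearch.enable = true;` is fine on its own, though it is worth a one-line comment that the module was previously relied on from elsewhere, if it was, since I cannot see that from here.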
@@ -10,6 +12,26 @@ xpack.security.enabled: true
 '';
+ systemd.services.elasticsearch.postStart = lib.mkForce ''
+ test -f /mnt/data/elasticsearch/config/elasticsearch.keystore && exit 0
+ mkdir -p /mnt/data/elasticsearch/config
+
+ export PATH=$PATH:${lib.makeBinPath [ pkgs.elasticsearch7 ]}:${lib.makeBinPath [ pkgs.jdk8_headless ]}:${lib.makeBinPath [ pkgs.curl ]}:${lib.makeBinPath [ pkgs.systemd ]}
+ export ES_HOME=/mnt/data/elasticsearch
+ export JAVA_HOME=${pkgs.jdk8_headless}/jre
+
+ printf "Setting up a new keystore for Elasticsearch, with default password for user 'elastic'\n"
+ printf "changeme" | elasticsearch-keystore add -f -x bootstrap.password
+ chown -R elasticsearch:elasticsearch /mnt/data/elasticsearch/config
+ printf "Waiting for Elasticsearch to come back up"
+ until $(curl -s -I -o /dev/null http://10.0.1.51:9200); do
+ printf '.'
+ sleep 5
+ done
+ printf "Setting up Kibana user\n"
+ curl -uelastic:changeme -XPUT -H 'Content-Type: application/json' 'http://10.0.1.51:9200/_xpack/security/user/kibana/_password' -d "{ \"password\":\"$(head -n 1 /mnt/data/kibana-elasticsearch-password)\"}"
+ '';
+
 services.kibana.enable = true;
 services.kibana.package = pkgs.kibana7;
 services.kibana.dataDir = "/mnt/data/kibana";
diff --git a/infrastructure/modules/compute/servers.tf b/infrastructure/modules/compute/servers.tf
index 0bd1635..211b85d 100644
--- a/infrastructure/modules/compute/servers.tf
+++ b/infrastructure/modules/compute/servers.tf
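Review bot: The `elastic` superuser is bootstrapped with the literal `changeme` on the `printf "changeme" | elasticsearch-keystore add` line and is only ever changed by hand through Kibana afterwards, so the node on 10.0.1.51:9200 accepts a publicly known superuser password from first boot until an operator remembers to do that. The final `curl` line also splices the kibana password into the JSON body unescaped (a `"` or `\` in the secret yields a 400 or a different password than intended), passes it and `-uelastic:changeme` on argv where `ps` can see them, and has no `--fail`; because the keystore guard at the top exits on every later start, one failed request leaves the `kibana` user unset with no retry and the unit still reports success. I would generate the bootstrap password at random, build the body with `jq --arg`, pass credentials via `curl -K -` plus `--fail`, and as a last step set the `elastic` password to a fresh random value written to a root-only file next to `/mnt/data/kibana-elasticsearch-password` (which the README could then point at instead of 'changeme'); `pkgs.jq` would need adding to the PATH line. Whether the bootstrap password is honoured at all without an Elasticsearch restart after the keystore is written is not visible here — systemd is put on PATH but never invoked — and is worth confirming.
```nix
  systemd.services.elasticsearch.postStart = lib.mkForce ''
    # … unchanged: keystore guard, mkdir, PATH/ES_HOME/JAVA_HOME exports (add pkgs.jq to PATH) …

    # single-use random bootstrap password instead of the well-known 'changeme'
    bootstrap_password="$(head -c 32 /dev/urandom | base64 | tr -d '/+=\n' | head -c 24)"
    printf '%s' "$bootstrap_password" | elasticsearch-keystore add -f -x bootstrap.password
    chown -R elasticsearch:elasticsearch /mnt/data/elasticsearch/config
    # … unchanged: wait loop …

    # JSON via jq so quotes/backslashes in the secret cannot break the body;
    # credentials through a curl config on a pipe, not argv; --fail makes a 4xx/5xx fail the unit
    set_password() {
      jq -n --arg p "$2" '{password: $p}' \
        | curl -sS --fail -X PUT -H 'Content-Type: application/json' \
            -K <(printf 'user = "elastic:%s"\n' "$bootstrap_password") \
            --data-binary @- "http://10.0.1.51:9200/_xpack/security/user/$1/_password"
    }
    printf "Setting up Kibana user\n"
    set_password kibana "$(head -n 1 /mnt/data/kibana-elasticsearch-password)"

    # retire the bootstrap password: give 'elastic' a random one and hand it to the operator
    elastic_password="$(head -c 32 /dev/urandom | base64 | tr -d '/+=\n' | head -c 24)"
    set_password elastic "$elastic_password"
    (umask 077; printf '%s\n' "$elastic_password" > /mnt/data/elastic-password)
  '';
```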
@@ -43,6 +43,7 @@ data "template_cloudinit_config" "guidelines" {
 domain_name = lookup(jsondecode(file("../../config.json")), "domain_name_${data.terraform_remote_state.environment.outputs.environment_name}", "not found")
 domain_alternative_names = base64encode(lookup(jsondecode(file("../../config.json")), "domain_alternative_names_${data.terraform_remote_state.environment.outputs.environment_name}", "not found"))
 vault_db_password = lookup(jsondecode(file("../../secrets.json")), "vault_db_password_${data.terraform_remote_state.environment.outputs.environment_name}", "not found")
+ kibana_elasticsearch_password = lookup(jsondecode(file("../../secrets.json")), "kibana_elasticsearch_password_${data.terraform_remote_state.environment.outputs.environment_name}", "not found")
 nix_certbot = filebase64("${path.module}/nix/certbot.nix")
 nix_configuration = filebase64("${path.module}/nix/configuration.nix")
 nix_elasticsearch = filebase64("${path.module}/nix/elasticsearch.nix")
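Review bot: The `"not found"` default on the added `lookup(...)` line means a missing `kibana_elasticsearch_password_<env>` key in secrets.json does not fail the plan; the literal string `not found` is rendered into the cloud-init file and becomes the `kibana` user's password on the next boot. The pattern is copied from `vault_db_password`, but for a secret a hard failure is the right behaviour: index the decoded map instead, `kibana_elasticsearch_password = jsondecode(file("../../secrets.json"))["kibana_elasticsearch_password_${data.terraform_remote_state.environment.outputs.environment_name}"]`, which errors on an absent key. Note also that the rendered cloud-init config, and with it this password, is stored in Terraform state, so the state backend has to be treated as secret material — presumably already the case given the AWS and Hetzner tokens passed the same way. The enclosing `data "template_cloudinit_config"` block starts and ends outside the hunk.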