Default credentials for 'elastic' user and automatic setup for Kibana

README.md

@@ -176,7 +176,7 @@ Use your personal Gitlab deployment- and Hetzner Cloud tokens.
     "gitlab_deploy_token_password": "",
     "aws_access_key_id": "",
     "aws_secret_access_key": "",
-    "hcloud_token_testing": "",
+    "kibana_elasticsearch_password_production": "",
     "hcloud_token_production": "",
     "vault_db_password_production": ""
 }
@@ -260,27 +260,8 @@ You can manually write the created master key to `/mnt/data/vault-root-token`.
 If this file exists and contains a valid master key, it Vault will be unsealed automatically.
 
 #### Configuring Elasticsearch
-This is going to feel a bit hacky, but we need to provision the default set of built-in Elasticsearch users and the easiest way is to use x-pack.
+Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/).
-Since we use a non-standard path for the Elasticsearch "home", we need to copy some files to be able to use the `elasticsarch-setup-passwords` command.
+Sign in with the user 'elastic' and password 'changeme' and go change the password in 'Management' -> 'Security' -> 'Users'.
-```sh
-$ export ES_HOME=/mnt/data/elasticsearch/ # currently missing x-pack commands
-$ find / -type d -name "jre"
-[..]
-/nix/store/g67sykn6hfjmgxhvr6cqv5c7v19d6490-openjdk-headless-8u272-b10-jre/lib/openjdk/jre
-$ export JAVA_HOME=/nix/store/g67sykn6hfjmgxhvr6cqv5c7v19d6490-openjdk-headless-8u272-b10-jre/lib/openjdk/jre
-$ find / -type f -name "elasticsearch-setup-passwords"
-[..]
-/nix/store/j5s9sb7r2hbkq16afm87rjssic3czrqx-elasticsearch-7.5.1/bin/elasticsearch-setup-passwords
-$ cp /nix/store/j5s9sb7r2hbkq16afm87rjssic3czrqx-elasticsearch-7.5.1/bin/x-pack-* /mnt/data/elasticsearch/bin/
-$ cp /nix/store/j5s9sb7r2hbkq16afm87rjssic3czrqx-elasticsearch-7.5.1/bin/elasticsearch-setup-passwords /mnt/data/elasticsearch/bin/
-$ /mnt/data/elasticsearch/bin/elasticsearch-setup-passwords interactive
-```
-Maybe there are better ways to do this using nix-shell.
-If you prefer the passwords to be generated for you, use the argument `auto` instead of `interactive`.
-
-##### Credentials for Kibana
-If you would like to use Kibana (recommended), add the password you set for the `kibana` user to `/mnt/data/kibana-elasticsearch-password` (mode 600) and rebuild NixOS with `systemctl start nixos-rebuild`.
-Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/). (sign in with the `elastic` user)
 
 #### Configuring Guidelines
 ```

infrastructure/modules/compute/cloudinit.tpl

@@ -88,7 +88,7 @@ write_files:
     owner: root:root
     permissions: '0644'
   - path: /mnt/data/kibana-elasticsearch-password
-    content: ""
+    content: ${kibana_elasticsearch_password}
     owner: root:root
     permissions: '0600'
 runcmd:

infrastructure/modules/compute/nix/elasticsearch.nix

@@ -1,6 +1,8 @@
 { pkgs, ... }:
+{ pkgs, lib, ... }:
 {
   nixpkgs.config.allowUnfree = true;
+
   services.elasticsearch.enable = true;
   services.elasticsearch.package = pkgs.elasticsearch7;
   services.elasticsearch.dataDir = "/mnt/data/elasticsearch";
@@ -10,6 +12,26 @@
     xpack.security.enabled: true
   '';
 
+  systemd.services.elasticsearch.postStart = lib.mkForce ''
+    test -f /mnt/data/elasticsearch/config/elasticsearch.keystore && exit 0 
+    mkdir -p /mnt/data/elasticsearch/config
+
+    export PATH=$PATH:${lib.makeBinPath [ pkgs.elasticsearch7 ]}:${lib.makeBinPath [ pkgs.jdk8_headless ]}:${lib.makeBinPath [ pkgs.curl ]}:${lib.makeBinPath [ pkgs.systemd ]}
+    export ES_HOME=/mnt/data/elasticsearch
+    export JAVA_HOME=${pkgs.jdk8_headless}/jre
+
+    printf "Setting up a new keystore for Elasticsearch, with default password for user 'elastic'\n"
+    printf "changeme" | elasticsearch-keystore add -f -x bootstrap.password
+    chown -R elasticsearch:elasticsearch /mnt/data/elasticsearch/config
+    printf "Waiting for Elasticsearch to come back up"
+    until $(curl -s -I -o /dev/null http://10.0.1.51:9200); do
+        printf '.'
+        sleep 5
+    done
+    printf "Setting up Kibana user\n"
+    curl -uelastic:changeme -XPUT -H 'Content-Type: application/json' 'http://10.0.1.51:9200/_xpack/security/user/kibana/_password' -d "{ \"password\":\"$(head -n 1 /mnt/data/kibana-elasticsearch-password)\"}"
+  '';
+
   services.kibana.enable = true;
   services.kibana.package = pkgs.kibana7;
   services.kibana.dataDir = "/mnt/data/kibana";

infrastructure/modules/compute/servers.tf

@@ -43,6 +43,7 @@ data "template_cloudinit_config" "guidelines" {
       domain_name = lookup(jsondecode(file("../../config.json")), "domain_name_${data.terraform_remote_state.environment.outputs.environment_name}", "not found")
       domain_alternative_names = base64encode(lookup(jsondecode(file("../../config.json")), "domain_alternative_names_${data.terraform_remote_state.environment.outputs.environment_name}", "not found"))
       vault_db_password = lookup(jsondecode(file("../../secrets.json")), "vault_db_password_${data.terraform_remote_state.environment.outputs.environment_name}", "not found")
+      kibana_elasticsearch_password = lookup(jsondecode(file("../../secrets.json")), "kibana_elasticsearch_password_${data.terraform_remote_state.environment.outputs.environment_name}", "not found")
       nix_certbot = filebase64("${path.module}/nix/certbot.nix")
       nix_configuration = filebase64("${path.module}/nix/configuration.nix")
       nix_elasticsearch = filebase64("${path.module}/nix/elasticsearch.nix")