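# NixOS module: a single-node Elasticsearch 7 instance with X-Pack security
# enabled, plus Kibana 7, both keeping their state under /mnt/data.
#
# Review notes for whoever deploys this:
#  - All Elasticsearch traffic below (bootstrap curl calls and Kibana's
#    connection) uses plain http://, so basic-auth credentials cross the
#    network unencrypted. No TLS settings are visible in this module.
#  - The `elastic` superuser and the `kibana` service user are given the same
#    password, so reading Kibana's configuration yields superuser access.
#  - The secret is read with builtins.readFile at evaluation time; the value
#    becomes part of the evaluated configuration, and anything rendered from it
#    lands in the world-readable /nix/store. Prefer injecting it at runtime.
#  - Ports 9200, 9300 and 5601 are opened on every interface and Kibana binds
#    to 0.0.0.0; see the firewall note at the bottom.
{ pkgs, lib, ... }:

{
  # NOTE(review): presumably required by the licence of the Elasticsearch and
  # Kibana packages; this switch is global, not scoped to those two.
  nixpkgs.config.allowUnfree = true;

  services.elasticsearch.enable = true;
  services.elasticsearch.package = pkgs.elasticsearch7;
  services.elasticsearch.dataDir = "/mnt/data/elasticsearch";
  services.elasticsearch.listenAddress = "10.0.1.51";
  services.elasticsearch.extraConf = ''
    discovery.type: single-node
    xpack.security.enabled: true
  '';

  # Replaces the stock postStart (mkForce) with a one-time credential bootstrap.
  systemd.services.elasticsearch.postStart = lib.mkForce ''
    # The keystore file doubles as the "bootstrap already done" marker.
    # NOTE(review): it is created before the password changes below succeed,
    # so a failed first run is skipped on the next start and the default
    # bootstrap password stays in place until someone intervenes.
    test -f /mnt/data/elasticsearch/config/elasticsearch.keystore && exit 0
    mkdir -p /mnt/data/elasticsearch/config
    export PATH=$PATH:${lib.makeBinPath [ pkgs.elasticsearch7 ]}:${lib.makeBinPath [ pkgs.jdk8_headless ]}:${lib.makeBinPath [ pkgs.curl ]}:${lib.makeBinPath [ pkgs.systemd ]}
    export ES_HOME=/mnt/data/elasticsearch
    export JAVA_HOME=${pkgs.jdk8_headless}/jre
    password="$(head -n 1 /opt/cloud-init-misc-data/elasticsearch_password)"

    printf "Setting up a new keystore for Elasticsearch, with default password for user 'elastic'\n"
    # Until the first PUT below succeeds, the elastic superuser is reachable
    # with this default password on the listen address.
    printf "changeme" | elasticsearch-keystore add -f -x bootstrap.password
    chown -R elasticsearch:elasticsearch /mnt/data/elasticsearch/config

    # NOTE(review): nothing visible here restarts Elasticsearch after the
    # keystore is written; confirm bootstrap.password is actually picked up.
    printf "Waiting for Elasticsearch to come back up"
    # Test the exit status of curl directly instead of running its (empty)
    # output as a command. No --fail here: an HTTP 401 still means "up".
    until curl -s -I -o /dev/null http://10.0.1.51:9200; do
      printf '.'
      sleep 5
    done

    printf "Setting up Kibana user\n"
    # --fail turns an HTTP error into a non-zero exit so a rejected password
    # change stops the unit instead of leaving the default password unnoticed.
    # NOTE(review): credentials on the command line can show up in local
    # process listings, and the JSON body is built by plain interpolation, so
    # a password containing a double quote or backslash breaks the request.
    curl --fail -uelastic:changeme -XPUT -H 'Content-Type: application/json' 'http://10.0.1.51:9200/_xpack/security/user/elastic/_password' -d "{ \"password\":\"$password\"}" || exit 1
    curl --fail -uelastic:"$password" -XPUT -H 'Content-Type: application/json' 'http://10.0.1.51:9200/_xpack/security/user/kibana/_password' -d "{ \"password\":\"$password\"}" || exit 1
  '';

  services.kibana.enable = true;
  services.kibana.package = pkgs.kibana7;
  services.kibana.dataDir = "/mnt/data/kibana";
  services.kibana.listenAddress = "0.0.0.0";
  services.kibana.elasticsearch.hosts = [ "http://10.0.1.51:9200" ];
  services.kibana.elasticsearch.username = "kibana";
  # Take only the first line so the value matches what the bootstrap script
  # sets via `head -n 1`; a bare readFile would keep the trailing newline and
  # Kibana would then present a different password than the one stored.
  services.kibana.elasticsearch.password =
    builtins.head (lib.splitString "\n" (builtins.readFile /opt/cloud-init-misc-data/elasticsearch_password));

  # Create the data directories and hand them to the service users.
  system.activationScripts = {
    mnt = {
      text = "mkdir -p /mnt/data/{elasticsearch,kibana} && chown -R elasticsearch:elasticsearch /mnt/data/elasticsearch && chown -R kibana:root /mnt/data/kibana";
      deps = [];
    };
  };

  # Opens the Elasticsearch HTTP (9200) and transport (9300) ports and Kibana
  # (5601) on all interfaces. NOTE(review): 9300 is presumably unnecessary for
  # a single-node cluster; consider networking.firewall.interfaces.<name>
  # to limit exposure to the internal network.
  networking.firewall.allowedTCPPorts = [ 9200 9300 5601 ];
}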