---

- name: remove firewalld
  package:
    name: firewalld
    state: absent

- name: make sure iptables is available
  package:
    name: iptables-services
    state: present

- name: allow inbound for internal services
  iptables:
    chain: INPUT
    source: "0.0.0.0/0"
    destination_port: "{{ item }}"
    protocol: tcp
    jump: ACCEPT
  with_items:
  - "5601" # Kibana
  - "8200" # APM
  - "9200" # Elastic
  - "9300" # Elastic

- name: add yum repo for ElasticSearch
  yum_repository:
    name: elasticsearch
    gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    baseurl: https://artifacts.elastic.co/packages/7.x/yum
    description: Elasticsearch repository for 7.x packages

- name: install elasticsearch and related packages
  package:
    name: "{{ item }}"
    state: present
  with_items:
  - elasticsearch
  - kibana
  - filebeat
  - httpd-tools
  - expect

# XXX (this insecure convolution belongs in some kind of shared library)
# We have to go through this tempfile dance because jinja doesn't actually see
# decrypted vault data, apparently, so as soon as we try to do anything other
# than write the whole decrypted blob to a file it fails to decrypt. That's
# even if we try the various workarounds from:
# https://github.com/ansible/ansible/issues/24425
- name: create Elastic password temp file (ugh)
  tempfile:
    state: file
    suffix: temp
  register: elasticpw_tmpfile
- name: "Write Elastic password to temp file"
  copy:
    dest: "{{ elasticpw_tmpfile.path }}"
    content: "{{ mu_vaults[mu_deploy_id]['elasticpw'] }}"
- name: "Load Elastic password from temp file"
  slurp:
    src: "{{ elasticpw_tmpfile.path }}"
  register: elasticpw_yaml
- name: From tmp YAML to dict
  set_fact:
    elasticpw_dict: "{{ elasticpw_yaml.content | b64decode | from_yaml }}"

- name: decrypt elastic password
  set_fact:
    elasticpw: "{{ elasticpw_dict['password'] }}"

- name: ElasticSearch config files in /etc/elasticsearch
  copy:
    dest: "/etc/elasticsearch/{{ item }}"
    src: "{{ item }}"
    mode: 0660
    owner: root
    group: elasticsearch
  become: yes
  with_items:
  - jvm.options
  notify:
  - Restart elasticsearch

- name: /etc/elasticsearch/elasticsearch.yml
  template:
    src: elasticsearch.yml.j2
    dest: /etc/elasticsearch/elasticsearch.yml
    mode: 0660
    owner: root
    group: elasticsearch
  become: yes
  notify:
  - Restart elasticsearch

- name: Copy ElasticSearch certificate store into place
  copy:
    dest: "/etc/elasticsearch/{{ item }}"
    src: "/opt/mu/var/ssl/{{ inventory_hostname }}.pfx"
    mode: 0640
    group: elasticsearch
  become: yes
  with_items:
  - elastic-certificates.p12
  - http.p12
  notify:
  - Restart elasticsearch

- name: "Enable and start ElasticSearch"
  service:
    name: elasticsearch
    state: started

- name: see if Elastic system passwords have been set
  shell:
    cmd: "/usr/share/elasticsearch/bin/elasticsearch-setup-passwords -s interactive 2>&1 | grep 'user has already been changed'"
  ignore_errors: true
  async: 30
  poll: 5
  no_log: true
  register: passwords_set

- name: Create password-setter script
  template:
    src: password_set.expect.j2
    dest: "/root/password_set.expect"
    mode: 0700
    owner: root
  become: yes
  when: passwords_set is failed

- name: set elastic system passwords
  command:
    cmd: "/root/password_set.expect"
  no_log: true
  become: yes
  when: passwords_set is failed

- name: Remove password-setter scripts
  file:
    path: /root/password_set.expect
    state: absent

- name: Copy Mu's CA
  copy:
    dest: "/etc/{{ item }}/elasticsearch-ca.pem"
    src: /opt/mu/var/ssl/Mu_CA.pem
    mode: 0644
  become: yes
  notify:
  - Restart kibana
  with_items:
  - kibana

- name: Kibana config files in /etc/kibana
  template:
    dest: /etc/kibana/kibana.yml
    src: kibana.yml.j2
    mode: 0640
  become: yes
  notify:
  - Restart kibana

- name: "Enable and start Kibana"
  service:
    name: kibana
    state: started

- name: Check whether ElasticSearch S3 backup plugin is installed
  shell: |
    /usr/share/elasticsearch/bin/elasticsearch-plugin list | grep '^repository-s3$'
  ignore_errors: true
  register: s3_present
  no_log: true
  become: yes

- name: Install ElasticSearch S3 backup plugin
  shell: "/usr/share/elasticsearch/bin/elasticsearch-plugin install -b repository-s3"
  become: yes
  when: s3_present is failed
  notify:
  - Restart elasticsearch

- name: "Force set a reasonable number of shards {{ mu_deployment['servers']['backend'] | json_query('[*].private_ip_address') }}"
  shell: |
    /bin/curl --user "elastic:{{ mu_vaults[mu_deploy_id]['elasticpw'] }}" -k -X PUT "https://{{ mu_deployment['servers']['backend'][inventory_hostname]['private_ip_address'] }}:9200/_cluster/settings" -H "Content-Type: application/json" -d '{ "persistent": { "cluster.max_shards_per_node": "10000" } }'
  become: yes