-
Notifications
You must be signed in to change notification settings - Fork 192
/
main.yml
164 lines (146 loc) · 4.57 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
---
#
# Install/run logstash
#
- name: Copy logstash yum repo file
copy:
src=logstash.repo
dest=/etc/yum.repos.d/logstash.repo
owner=root
group=root
mode=0644
become: true
- name: Install logstash rpms
yum:
name: logstash
state: present
become: true
- name: Copy logstash filter configuration
template:
src=logstash.conf.j2
dest=/etc/logstash/conf.d/logstash.conf
owner=logstash
group=logstash
mode=0644
become: true
# workaround, sometimes they forget to package this
# https://github.com/elastic/logstash/issues/1130
- name: Ensure logstash systemd unit file is present
copy:
src=logstash.service
dest=/etc/systemd/system/logstash.service
owner=root
group=root
mode=0644
force=no
register: logstash_unit_copied
become: true
- name: Reload Systemd if we copied in logstash.service unit file
command: systemctl daemon-reload
when: logstash_unit_copied != 0
become: true
# we need a workaround for netty wanting to use /tmp
# on most systems this is mounted via noexec for security reasons
# https://discuss.elastic.co/t/problem-with-cipher-in-beat-input/67841/5
- name: Create tmpdir for logstash netty
file:
path: /usr/share/logstash/tmpfile
state: directory
owner: logstash
group: logstash
mode: 0755
- name: Apply logstash netty tmpdir workaround
lineinfile:
path=/etc/logstash/jvm.options
line='-Dio.netty.native.workdir=/usr/share/logstash/tmpfile/'
become: true
- name: Load OpenSSL CA Extended Configuration
template:
src=openssl_extras.cnf.j2
dest=/etc/pki/tls/openssl_extras.cnf
owner=root
group=root
mode=0644
become: true
- name: Check OpenSSL SANs (SubjectAltName) entry for CA
shell: grep "{{ ansible_default_ipv4.address }}" /etc/pki/tls/openssl.cnf | wc -l
ignore_errors: true
register: subjectAltName_exists
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to understand if an entry exists
- skip_ansible_lint
become: true
- name: Add OpenSSL SANs (SubjectAltName) entry for CA
lineinfile:
dest: /etc/pki/tls/openssl.cnf
line: 'subjectAltName = "IP: {{ ansible_default_ipv4.address }}"'
regexp: '^ Extensions for a typical CA'
insertbefore: '# Extensions for a typical CA'
backup: yes
when: subjectAltName_exists.stdout|int == 0
become: true
- name: Load filebeat JSON index template
uri:
url: http://localhost:9200/_template/filebeat?pretty
method: POST
body: "{{ lookup('file', 'filebeat-index-template.json') }}"
body_format: json
return_content: yes
register: filebeatJSON_output
until: '"json" in filebeatJSON_output and filebeatJSON_output.json.acknowledged == true'
retries: 30
delay: 10
become: true
when: not install_elasticsearch_xpack or not install_logstash_xpack or not install_kibana_xpack
## Disable IPv6 because logstash/udp syslog has issues with it.
# https://github.com/logstash-plugins/logstash-input-syslog/issues/42
- name: Disable IPv6 with sysctl
sysctl: name={{ item }} value=1 state=present
with_items:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6
ignore_errors: true
- name: Determine if ipv6 is a loadable module
command: /sbin/lsmod | grep ipv6 | grep -v nf
register: ipv6loadable
ignore_errors: true
- name: Disable IPv6 via rmmod
lineinfile: "dest=/etc/modprobe.conf line='install ipv6 /bin/true' create=yes"
notify:
- rmmodipv6
when: ansible_os_family == 'RedHat' and ipv6loadable.rc != 1
ignore_errors: true
- include: ipv6-grub-disable.yml
- name: Disabling IPv6 via sysconfig/network
lineinfile:
dest: /etc/sysconfig/network
regexp: "^{{ item.regexp }}"
line: "{{ item.line }}"
backup: yes
create: yes
with_items:
- { regexp: 'NETWORKING_IPV6=.*', line: 'NETWORKING_IPV6=NO' }
- { regexp: 'IPV6INIT=.*', line: 'IPV6INIT=no' }
notify:
- restart Network
- restart NetworkManager
when: ansible_os_family == 'RedHat'
ignore_errors: true
# X-Pack requires additional authentication
- name: Load filebeat JSON index template (X-Pack enabled)
uri:
url: http://localhost:9200/_template/filebeat?pretty
method: POST
user: elastic
password: "{{xpack_elastic_user_password}}"
body: "{{ lookup('file', 'filebeat-index-template.json') }}"
body_format: json
return_content: yes
register: filebeatJSON_output
until: '"json" in filebeatJSON_output and filebeatJSON_output.json.acknowledged == true'
retries: 30
delay: 10
become: true
when: install_elasticsearch_xpack|bool