Vendor Galaxy Roles and Collections

ansible_collections/debops/debops/roles/elasticsearch/COPYRIGHT

@@ -0,0 +1,21 @@
+debops.elasticsearch - Install and manage Elasticsearch database clusters
+
+Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.

ansible_collections/debops/debops/roles/elasticsearch/meta/main.yml

@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Nick Janetakis, Maciej Delmanowski'
+  description: 'Install and manage Elasticsearch database clusters'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - clustering
+    - database
+    - nosql
+    - elasticsearch

ansible_collections/debops/debops/roles/elasticsearch/tasks/authentication.yml

@@ -0,0 +1,52 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check status of built-in users via Elasticsearch API
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/user/elastic" }}'
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+    method: 'GET'
+    status_code: [ '200', '401' ]
+  register: elasticsearch__register_api_builtin_users
+  until: elasticsearch__register_api_builtin_users.status in [200, 401]
+  retries: 10
+  delay: 5
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Initialize built-in users in Elasticsearch
+  ansible.builtin.shell: "set -o nounset -o pipefail -o errexit &&
+          bin/elasticsearch-setup-passwords auto --batch | awk '$1 ~ /^PASSWORD/ {print $2, $4}'"
+  args:
+    executable: 'bash'
+    chdir: '/usr/share/elasticsearch'
+  register: elasticsearch__register_builtin_users
+  changed_when: False
+  when: ((not (ansible_local.elasticsearch.configured | d()) | bool) or
+         elasticsearch__register_api_builtin_users.status == 401)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create required directories on Ansible Controller
+  ansible.builtin.file:
+    path: '{{ secret + "/" + elasticsearch__secret_path + "/" + item.split()[0] }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ elasticsearch__register_builtin_users.stdout_lines }}'
+  become: False
+  delegate_to: 'localhost'
+  when: elasticsearch__register_builtin_users.stdout_lines | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Save generated user passwords on Ansible Controller
+  ansible.builtin.copy:
+    content: '{{ item.split()[1] }}'
+    dest: '{{ secret + "/" + elasticsearch__secret_path + "/" + item.split()[0] + "/password" }}'
+    mode: '0644'
+  loop: '{{ elasticsearch__register_builtin_users.stdout_lines }}'
+  become: False
+  delegate_to: 'localhost'
+  when: elasticsearch__register_builtin_users.stdout_lines | d()
+  no_log: '{{ debops__no_log | d(True) }}'

ansible_collections/debops/debops/roles/elasticsearch/tasks/authentication_v8.yml

@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check status of built-in users via Elasticsearch API
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/user/elastic" }}'
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+    method: 'GET'
+    status_code: [ '200', '401' ]
+  register: elasticsearch__register_api_builtin_users
+  until: elasticsearch__register_api_builtin_users.status in [200, 401]
+  retries: 10
+  delay: 5
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Set passwords for built-in Elasticsearch user accounts
+  ansible.builtin.include_tasks: 'reset_password.yml'
+  loop:
+    - 'elastic'
+    - 'kibana_system'
+    - 'logstash_system'
+    - 'beats_system'
+    - 'apm_system'
+    - 'remote_monitoring_user'
+  when: ((not (ansible_local.elasticsearch.configured | d()) | bool) or
+         elasticsearch__register_api_builtin_users.status == 401)

ansible_collections/debops/debops/roles/elasticsearch/tasks/main.yml

@@ -0,0 +1,204 @@
+---
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install Elasticsearch packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (elasticsearch__base_packages
+                              + elasticsearch__packages)) }}'
+    state: 'present'
+  notify: [ 'Refresh host facts' ]
+  register: elasticsearch__register_packages
+  until: elasticsearch__register_packages is succeeded
+
+- name: Add Elasticsearch UNIX account to selected groups
+  ansible.builtin.user:
+    name: '{{ elasticsearch__user }}'
+    groups: '{{ elasticsearch__additional_groups }}'
+    append: True
+  when: elasticsearch__additional_groups | d()
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Elasticsearch local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/elasticsearch.fact.j2'
+    dest: '/etc/ansible/facts.d/elasticsearch.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Check if the dependent config file exists
+  ansible.builtin.stat:
+    path: '{{ secret + "/elasticsearch/dependent_config/" + inventory_hostname + "/config.json" }}'
+  register: elasticsearch__register_dependent_config_file
+  become: False
+  delegate_to: 'localhost'
+  when: (ansible_local.elasticsearch.installed | d())
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Load the dependent configuration from Ansible Controller
+  ansible.builtin.slurp:
+    src: '{{ secret + "/elasticsearch/dependent_config/" + inventory_hostname + "/config.json" }}'
+  register: elasticsearch__register_dependent_config
+  become: False
+  delegate_to: 'localhost'
+  when: (ansible_local.elasticsearch.installed | d() and
+         elasticsearch__register_dependent_config_file.stat.exists | bool)
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Divert original configuration files
+  debops.debops.dpkg_divert:
+    path: '{{ item }}'
+  loop:
+    - '/etc/elasticsearch/elasticsearch.yml'
+    - '/etc/elasticsearch/jvm.options'
+    - '/usr/lib/sysctl.d/elasticsearch.conf'
+    - '/usr/share/elasticsearch/jdk/conf/security/java.policy'
+  notify: [ 'Start elasticsearch' ]
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Create systemd configuration directory
+  ansible.builtin.file:
+    path: '/etc/systemd/system/elasticsearch.service.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Generate systemd configuration
+  ansible.builtin.template:
+    src: 'etc/systemd/system/elasticsearch.service.d/ansible.conf.j2'
+    dest: '/etc/systemd/system/elasticsearch.service.d/ansible.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reload service manager' ]
+
+- name: Generate Elasticsearch configuration
+  ansible.builtin.template:
+    src: 'etc/elasticsearch/elasticsearch.yml.j2'
+    dest: '/etc/elasticsearch/elasticsearch.yml'
+    owner: 'root'
+    group: '{{ elasticsearch__group }}'
+    mode: '0660'
+  notify: [ 'Restart elasticsearch' ]
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Generate Elasticsearch JVM configuration
+  ansible.builtin.template:
+    src: 'etc/elasticsearch/jvm.options.j2'
+    dest: '/etc/elasticsearch/jvm.options'
+    owner: 'root'
+    group: '{{ elasticsearch__group }}'
+    mode: '0660'
+  notify: [ 'Restart elasticsearch' ]
+  when: elasticsearch__version is version("5.0.0", ">=")
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Generate Java Policy configuration file
+  ansible.builtin.template:
+    src: 'usr/share/elasticsearch/jdk/conf/security/java.policy.j2'
+    dest: '/usr/share/elasticsearch/jdk/conf/security/java.policy'
+    mode: '0644'
+  notify: [ 'Restart elasticsearch' ]
+  when: elasticsearch__version is version("7.0.0", ">=")
+
+- name: Manage data paths
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: '{{ elasticsearch__user }}'
+    group: '{{ elasticsearch__group }}'
+    mode: '0750'
+  loop: '{{ q("flattened", elasticsearch__path_data) }}'
+
+- name: Reload systemd daemons
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Check state of installed Elasticsearch plugins
+  ansible.builtin.command: bin/elasticsearch-plugin list
+  args:
+    chdir: '/usr/share/elasticsearch'
+  register: elasticsearch__register_plugins
+  changed_when: False
+  check_mode: False
+
+- name: Install Elasticsearch plugins
+  ansible.builtin.command: bin/elasticsearch-plugin install {{ item.url | d(item.name) }} --batch
+  args:
+    chdir: '/usr/share/elasticsearch'
+  notify: [ 'Restart elasticsearch' ]
+  loop: '{{ q("flattened", elasticsearch__combined_plugins) }}'
+  register: elasticsearch__register_plugin_install
+  changed_when: elasticsearch__register_plugin_install.changed | bool
+  when: (item.name | d() and item.state | d('present') != 'absent' and
+         (item.name if ':' not in item.name else item.name.split(':')[1])
+         not in elasticsearch__register_plugins.stdout_lines)
+
+- name: Remove Elasticsearch plugins
+  ansible.builtin.command: bin/elasticsearch-plugin remove {{ item.name }}
+  args:
+    chdir: '/usr/share/elasticsearch'
+  notify: [ 'Restart elasticsearch' ]
+  loop: '{{ q("flattened", elasticsearch__combined_plugins) }}'
+  register: elasticsearch__register_plugin_remove
+  changed_when: elasticsearch__register_plugin_remove.changed | bool
+  when: (item.name | d() and item.state | d('present') == 'absent' and
+         (item.name if ':' not in item.name else item.name.split(':')[1])
+         in elasticsearch__register_plugins.stdout_lines)
+
+- name: Save Elasticsearch dependent configuration on Ansible Controller
+  ansible.builtin.template:
+    src: 'secret/elasticsearch/dependent_config/config.json.j2'
+    dest: '{{ secret + "/elasticsearch/dependent_config/" + inventory_hostname + "/config.json" }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Ensure that Elasticsearch is restarted
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Manage Elasticsearch authentication (old)
+  ansible.builtin.import_tasks: 'authentication.yml'
+  run_once: True
+  when: elasticsearch__version is version("8.0", "<") and
+        elasticsearch__xpack_enabled | bool and elasticsearch__pki_enabled | bool
+
+- name: Manage Elasticsearch authentication (new)
+  ansible.builtin.import_tasks: 'authentication_v8.yml'
+  run_once: True
+  when: elasticsearch__version is version("8.0", ">=") and
+        elasticsearch__xpack_enabled | bool and elasticsearch__pki_enabled | bool
+
+- name: Manage Elasticsearch roles and users
+  ansible.builtin.import_tasks: 'roles_users.yml'
+  run_once: True
+  when: elasticsearch__xpack_enabled | bool and elasticsearch__pki_enabled | bool

ansible_collections/debops/debops/roles/elasticsearch/tasks/main_env.yml

@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare debops.elasticsearch environment
+  ansible.builtin.set_fact:
+    elasticsearch__secret__directories: '{{ lookup("template", "lookup/elasticsearch__secret__directories.j2")
+                                            | from_yaml }}'

ansible_collections/debops/debops/roles/elasticsearch/tasks/reset_password.yml

@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Initialize password for user account '{{ item }}'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    bin/elasticsearch-reset-password --username {{ item }} --batch --silent
+  args:
+    executable: 'bash'
+    chdir: '/usr/share/elasticsearch'
+  register: elasticsearch__register_builtin_password
+  changed_when: elasticsearch__register_builtin_password.stdout != ''
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create required directories on Ansible Controller
+  ansible.builtin.file:
+    path: '{{ secret + "/" + elasticsearch__secret_path + "/" + item }}'
+    state: 'directory'
+    mode: '0755'
+  become: False
+  delegate_to: 'localhost'
+  when: elasticsearch__register_builtin_password.stdout_lines | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Save generated password of account '{{ item }}'
+  ansible.builtin.copy:
+    content: '{{ elasticsearch__register_builtin_password.stdout }}'
+    dest: '{{ secret + "/" + elasticsearch__secret_path + "/" + item + "/password" }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+  when: elasticsearch__register_builtin_password.stdout | d()
+  no_log: '{{ debops__no_log | d(True) }}'

ansible_collections/debops/debops/roles/elasticsearch/tasks/roles_users.yml

@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage native roles in Elasticsearch
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/role/" + item.name }}'
+    method:      '{{ "DELETE" if (item.state | d("present") in ["absent"]) else "POST" }}'
+    body_format: '{{ omit if (item.state | d("present") in ["absent"]) else "json" }}'
+    body:        '{{ omit if (item.state | d("present") in ["absent"]) else (item.data | to_json) }}'
+    status_code: '{{ ["200", "404"] if (item.state | d("present") in ["absent"]) else "200" }}'  # noqa args[module]
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+  loop: '{{ elasticsearch__combined_native_roles | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: elasticsearch__api_base_url and item.state | d('present') not in ['init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Manage native users in Elasticsearch
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/user/" + item.name }}'
+    method:      '{{ "DELETE" if (item.state | d("present") in ["absent"]) else "POST" }}'
+    body_format: '{{ omit if (item.state | d("present") in ["absent"]) else "json" }}'
+    body:        '{{ omit if (item.state | d("present") in ["absent"]) else (item.data | to_json) }}'
+    status_code: '{{ ["200", "404"] if (item.state | d("present") in ["absent"]) else "200" }}'  # noqa args[module]
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+  loop: '{{ elasticsearch__combined_native_users | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: elasticsearch__api_base_url and item.state | d('present') not in ['init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'

ansible_collections/debops/debops/roles/elasticsearch/templates/etc/ansible/facts.d/elasticsearch.fact.j2

@@ -0,0 +1,34 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+import subprocess
+import os
+
+output = {'installed': True, 'configured': False}
+
+try:
+    version_stdout = subprocess.check_output(
+            ["dpkg-query", "-W", "-f=${Version}",
+             "elasticsearch"]).decode('utf-8')
+    output['version'] = version_stdout
+
+except Exception:
+    pass
+
+marker = '/etc/elasticsearch/elasticsearch.yml.dpkg-divert'
+
+if (os.path.exists(marker) and os.path.isfile(marker)):
+    output['configured'] = True
+
+print(dumps(output, sort_keys=True, indent=4))

ansible_collections/debops/debops/roles/elasticsearch/templates/etc/elasticsearch/elasticsearch.yml.j2

@@ -0,0 +1,271 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# ======================== Elasticsearch Configuration =========================
+#
+# NOTE: Elasticsearch comes with reasonable defaults for most settings.
+#       Before you set out to tweak and tune the configuration, make sure you
+#       understand what are you trying to accomplish and the consequences.
+#
+# The primary way of configuring a node is via this file. This template lists
+# the most important settings you may want to configure for a production cluster.
+#
+# Please consult the documentation for further information on configuration options:
+# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
+
+{% set elasticsearch__tpl_config = {} %}
+{% set elasticsearch__tpl_comment = {} %}
+{% for item in elasticsearch__combined_configuration | debops.debops.parse_kv_config %}
+{%   if item is mapping %}
+{%     if item.name | d() %}
+{%       if item.state | d('present') != 'absent' %}
+{%         if item.value is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.value } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): item.value }) %}
+{%           endif %}
+{%           set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{#           set _ = elasticsearch__tpl_config.update({ item.name: item.value }) #}
+{%           if item.comment | d() %}
+{%             set _ = elasticsearch__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         elif item.options is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.options, 'options': item.options } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'options': item.options } }) %}
+{%           endif %}
+{%           set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%           if item.comment | d() %}
+{%             set _ = elasticsearch__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         elif item.empty is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.empty, 'empty': item.empty } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'empty': item.empty } }) %}
+{%           endif %}
+{%           set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%           if item.comment | d() %}
+{%             set _ = elasticsearch__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         elif item.raw is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.raw, 'raw': item.raw } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'raw': item.raw } }) %}
+{%           endif %}
+{%           set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%           if item.comment | d() %}
+{%             set _ = elasticsearch__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         endif %}
+{%       elif item.state | d('present') == 'absent' %}
+{%         set name_exploded = item.name.split('.') %}
+{%         set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%         set _ = current_dict.pop(name_exploded[1:] | join('.'), None) %}
+{%         if current_dict.keys() | length > 0 %}
+{%           set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%         else %}
+{%           set _ = elasticsearch__tpl_config.pop(name_exploded[0], None) %}
+{%         endif %}
+{#         set _ = elasticsearch__tpl_config.pop(item.name, None) #}
+{%       endif %}
+{%     else %}
+{%       for key, value in item.items() %}
+{%         set name_exploded = key.split('.') %}
+{%         set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%         set _ = current_dict.update({ name_exploded[1:] | join('.'): value }) %}
+{%         set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% macro print_config(config, key_prefix='') %}
+{%   for key, value in config.items() %}
+{%     if key | d() %}{# key is not empty #}
+{%       if (key_prefix + '.' + key) in elasticsearch__tpl_comment.keys() %}
+
+{{ elasticsearch__tpl_comment[key_prefix + '.' + key] | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%       endif %}
+{%       if value | bool and value is not iterable %}
+{{ '%s: %s' | format(key_prefix + '.' + key, 'true') }}
+{%       elif not value | bool and value is not iterable %}
+{%         if value is not none %}
+{%           if value | int or value | string == '0' %}
+{{ '%s: %s' | format(key_prefix + '.' + key, value) }}
+{%           else %}
+{{ '%s: %s' | format(key_prefix + '.' + key, 'false') }}
+{%           endif %}
+{%         endif %}
+{%       elif value is string %}
+{{ '%s: "%s"' | format(key_prefix + '.' + key, value) }}
+{%       elif value is number %}
+{{ '%s: %s' | format(key_prefix + '.' + key, value) }}
+{%       elif value is mapping %}
+{%         if value.comment is defined %}
+{%           if value.comment | bool and value.comment is not iterable %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, 'true') }}
+{%           elif not value.comment | bool and value.comment is not iterable %}
+{%             if value.comment is not none %}
+{%               if value.comment | int or value.comment | string == '0' %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, value.comment) }}
+{%               else %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, 'false') }}
+{%               endif %}
+{%             endif %}
+{%           elif value.comment is string %}
+{{ '# %s: "%s"' | format(key_prefix + '.' + key, value.comment) }}
+{%           elif value.comment is number %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, value.comment) }}
+{%           elif value.comment is mapping %}
+{%             if value.options | d() %}
+{%               if value.options is mapping %}
+{%                 for option_key, option_value in value.options.items() %}
+{%                   if option_value | bool and option_value is not iterable %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, 'true') }}
+{%                   elif not option_value | bool and option_value is not iterable %}
+{%                     if option_value is not none %}
+{%                       if option_value | int or option_value | string == '0' %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%                       else %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, 'false') }}
+{%                       endif %}
+{%                     endif %}
+{%                   elif option_value is string %}
+{{ '# %s: "%s"' | format(key_prefix + '.' + option_key, option_value) }}
+{%                   elif option_value is number %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%                   elif option_value is not string and option_value is not mapping %}
+{%                     if option_value | count <= 4 %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, '[ "' + option_value | join('", "') + '" ]') }}
+{%                     else %}
+# {{ key_prefix + '.' + option_key }}:
+{%                       for element in option_value %}
+#  - "{{ element }}"
+{%                       endfor %}
+
+{%                     endif %}
+{%                   endif %}
+{%                 endfor %}
+{%               endif %}
+{%             elif value.empty is defined %}
+{%               if value.empty is string %}
+{{ '# %s: "%s"' | format(key_prefix + '.' + key, value.empty) }}
+{%               else %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, value.empty) }}
+{%               endif %}
+{%             elif value.raw | d() %}
+{{ value.raw | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%             endif %}
+{%           elif value.comment is not string and value.comment is not mapping %}
+{%             if value.comment | count <= 4 %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, '[ "' + value.comment | join('", "') + '" ]') }}
+{%             else %}
+# {{ key_prefix + '.' + key }}:
+{%               for element in value.comment %}
+#  - "{{ element }}"
+{%               endfor %}
+
+{%             endif %}
+{%           endif %}
+{%         elif value.options | d() %}
+{%           if value.options is mapping %}
+{%             for option_key, option_value in value.options.items() %}
+{%               if option_value | bool and option_value is not iterable %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, 'true') }}
+{%               elif not option_value | bool and option_value is not iterable %}
+{%                 if option_value is not none %}
+{%                   if option_value | int or option_value | string == '0' %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%                   else %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, 'false') }}
+{%                   endif %}
+{%                 endif %}
+{%               elif option_value is string %}
+{{ '%s: "%s"' | format(key_prefix + '.' + option_key, option_value) }}
+{%               elif option_value is number %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%               elif option_value is not string and option_value is not mapping %}
+{%                 if option_value | count <= 4 %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, '[ "' + option_value | join('", "') + '" ]') }}
+{%                 else %}
+{{ key_prefix + '.' + option_key }}:
+{%                  for element in option_value %}
+  - "{{ element }}"
+{%                  endfor %}
+
+{%                endif %}
+{%              endif %}
+{%             endfor %}
+{%           endif %}
+{%         elif value.empty is defined %}
+{%           if value.empty is string %}
+{{ '%s: "%s"' | format(key_prefix + '.' + key, value.empty) }}
+{%           else %}
+{{ '%s: %s' | format(key_prefix + '.' + key, value.empty) }}
+{%           endif %}
+{%         elif value.raw | d() %}
+{{ value.raw }}
+{%         endif %}
+{%       elif value is not string and value is not mapping %}
+{%         if value | count <= 4 %}
+{{ '%s: %s' | format(key_prefix + '.' + key, '[ "' + value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join('", "') + '" ]') }}
+{%         else %}
+{{ key_prefix + '.' + key }}:
+{%           for element in value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list %}
+  - "{{ element }}"
+{%           endfor %}
+
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+{% set elasticsearch__tpl_seen_sections = [] %}
+{% for section in elasticsearch__configuration_sections %}
+{%   if section.name | d() %}
+{%     if section.part | d() and ([ section.part ] if section.part is string else section.part) | intersect(elasticsearch__tpl_config.keys()) %}
+{{ "{:-^78}".format(' ' + section.name + ' ') | comment }}
+{%     elif section.parts | d() and ([ section.parts ] if section.parts is string else section.parts) | intersect(elasticsearch__tpl_config.keys()) %}
+{{ "{:-^78}".format(' ' + section.name + ' ') | comment }}
+{%     endif %}
+{%   endif %}
+{%   if section.part | d() and ([ section.part ] if section.part is string else section.part) | intersect(elasticsearch__tpl_config.keys()) %}
+{%     for element in ([ section.part ] if section.part is string else section.part) %}
+{%       if element in elasticsearch__tpl_config.keys() and element not in elasticsearch__tpl_seen_sections %}
+{{ print_config(elasticsearch__tpl_config[element], key_prefix=element) -}}
+{%         set _ = elasticsearch__tpl_seen_sections.append(element) %}
+{%       endif %}
+{%     endfor %}
+
+{%   elif section.parts | d() and ([ section.parts ] if section.parts is string else section.parts) | intersect(elasticsearch__tpl_config.keys()) %}
+{%     for element in ([ section.parts ] if section.parts is string else section.parts) %}
+{%       if element in elasticsearch__tpl_config.keys() and element not in elasticsearch__tpl_seen_sections %}
+{{ print_config(elasticsearch__tpl_config[element], key_prefix=element) -}}
+{%         set _ = elasticsearch__tpl_seen_sections.append(element) %}
+{%       endif %}
+{%     endfor %}
+
+{%   endif %}
+{% endfor %}
+{% if elasticsearch__tpl_config.keys() | difference(elasticsearch__tpl_seen_sections) %}
+{{ "{:-^78}".format(' Various ') | comment }}
+{%   for element in (elasticsearch__tpl_config.keys() | difference(elasticsearch__tpl_seen_sections)) %}
+{{ print_config(elasticsearch__tpl_config[element], key_prefix=element) -}}
+{%   endfor %}
+{% endif %}

ansible_collections/debops/debops/roles/elasticsearch/templates/etc/elasticsearch/jvm.options.j2

@@ -0,0 +1,120 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+## JVM configuration
+
+################################################################
+## IMPORTANT: JVM heap size
+################################################################
+##
+## You should always set the min and max JVM heap
+## size to the same value. For example, to set
+## the heap to 4 GB, set:
+##
+## -Xms4g
+## -Xmx4g
+##
+## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
+## for more information
+##
+################################################################
+
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+
+-Xms{{ elasticsearch__jvm_memory_min_heap_size | d('2g') }}
+-Xmx{{ elasticsearch__jvm_memory_max_heap_size | d('2g') }}
+
+################################################################
+## Expert settings
+################################################################
+##
+## All settings below this section are considered
+## expert settings. Don't tamper with them unless
+## you understand what you are doing
+##
+################################################################
+
+## GC configuration
+8-13:-XX:+UseConcMarkSweepGC
+8-13:-XX:CMSInitiatingOccupancyFraction=75
+8-13:-XX:+UseCMSInitiatingOccupancyOnly
+
+## G1GC Configuration
+# NOTE: G1 GC is only supported on JDK version 10 or later
+# to use G1GC, uncomment the next two lines and update the version on the
+# following three lines to your version of the JDK
+# 10-13:-XX:-UseConcMarkSweepGC
+# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
+14-:-XX:+UseG1GC
+
+## JVM temporary directory
+-Djava.io.tmpdir=${ES_TMPDIR}
+
+## optimizations
+
+# disable calls to System#gc
+-XX:+DisableExplicitGC
+
+# pre-touch memory pages used by the JVM during initialization
+-XX:+AlwaysPreTouch
+
+## basic
+
+# force the server VM (remove on 32-bit client JVMs)
+-server
+
+# explicitly set the stack size (reduce to 320k on 32-bit client JVMs)
+-Xss1m
+
+# set to headless, just in case
+-Djava.awt.headless=true
+
+# ensure UTF-8 encoding by default (e.g. filenames)
+-Dfile.encoding=UTF-8
+
+# use our provided JNA always versus the system one
+-Djna.nosys=true
+
+# use old-style file permissions on JDK9
+-Djdk.io.permissionsUseCanonicalPath=true
+
+# flags to configure Netty
+-Dio.netty.noUnsafe=true
+-Dio.netty.noKeySetOptimization=true
+-Dio.netty.recycler.maxCapacityPerThread=0
+
+# log4j 2
+-Dlog4j.shutdownHookEnabled=false
+-Dlog4j2.disable.jmx=true
+-Dlog4j.skipJansi=true
+
+## heap dumps
+
+# generate a heap dump when an allocation from the Java heap fails
+# heap dumps are created in the working directory of the JVM
+-XX:+HeapDumpOnOutOfMemoryError
+
+# specify an alternative path for heap dumps
+# ensure the directory exists and has sufficient space
+-XX:HeapDumpPath=${heap.dump.path}
+
+## GC logging
+
+## JDK 8 GC logging
+8:-XX:+PrintGCDetails
+8:-XX:+PrintGCDateStamps
+8:-XX:+PrintTenuringDistribution
+8:-XX:+PrintGCApplicationStoppedTime
+8:-Xloggc:/var/log/elasticsearch/gc.log
+8:-XX:+UseGCLogFileRotation
+8:-XX:NumberOfGCLogFiles=32
+8:-XX:GCLogFileSize=64m
+
+# JDK 9+ GC logging
+9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m

ansible_collections/debops/debops/roles/elasticsearch/templates/etc/systemd/system/elasticsearch.service.d/ansible.conf.j2

@@ -0,0 +1,12 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Service]
+{% if elasticsearch__memory_lock | bool %}
+LimitMEMLOCK={{ elasticsearch__systemd_limit_memlock }}
+{% endif %}

ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__dependent_configuration_filter.j2

@@ -0,0 +1,22 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set elasticsearch__tpl_dependent_configuration = {} %}
+{% if (elasticsearch__register_dependent_config | d() and elasticsearch__register_dependent_config.content | d()) %}
+{%   set _ = elasticsearch__tpl_dependent_configuration.update(elasticsearch__register_dependent_config.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if elasticsearch__dependent_role | d() %}
+{%   if elasticsearch__dependent_state == 'present' %}
+{%     set _ = elasticsearch__tpl_dependent_configuration.update({elasticsearch__dependent_role: elasticsearch__dependent_configuration}) %}
+{%   elif elasticsearch__dependent_state == 'absent' %}
+{%     set _ = elasticsearch__tpl_dependent_configuration.pop(elasticsearch__dependent_role, None) %}
+{%   endif %}
+{% endif %}
+{% set elasticsearch__tpl_output = [] %}
+{% for key, value in elasticsearch__tpl_dependent_configuration.items() %}
+{%   set _ = elasticsearch__tpl_output.append(value) %}
+{% endfor %}
+{{ elasticsearch__tpl_output | to_yaml }}

ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__plugin_configuration.j2

@@ -0,0 +1,17 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set elasticsearch__tpl_output = [] %}
+{% for plugin in ([ elasticsearch__combined_plugins ] if elasticsearch__combined_plugins is mapping else elasticsearch__combined_plugins) %}
+{%   if plugin.state | d('present') != 'absent' %}
+{%     if plugin.configuration | d() %}
+{%       set _ = elasticsearch__tpl_output.append(plugin.configuration) %}
+{%     elif plugin.config | d() %}
+{%       set _ = elasticsearch__tpl_output.append(plugin.config) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ elasticsearch__tpl_output | to_yaml }}

ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__secret__directories.j2

@@ -0,0 +1,9 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% for host in play_hosts %}
+  - 'elasticsearch/dependent_config/{{ host }}'
+{% endfor %}

ansible_collections/debops/debops/roles/elasticsearch/templates/secret/elasticsearch/dependent_config/config.json.j2

@@ -0,0 +1,18 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set elasticsearch__tpl_dependent_configuration = {} %}
+{% if (elasticsearch__register_dependent_config | d() and elasticsearch__register_dependent_config.content | d()) %}
+{%   set _ = elasticsearch__tpl_dependent_configuration.update(elasticsearch__register_dependent_config.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if elasticsearch__dependent_role | d() %}
+{%   if elasticsearch__dependent_state == 'present' %}
+{%     set _ = elasticsearch__tpl_dependent_configuration.update({elasticsearch__dependent_role: elasticsearch__dependent_configuration}) %}
+{%   elif elasticsearch__dependent_state == 'absent' %}
+{%     set _ = elasticsearch__tpl_dependent_configuration.pop(elasticsearch__dependent_role, None) %}
+{%   endif %}
+{% endif %}
+{{ elasticsearch__tpl_dependent_configuration | to_nice_json }}

ansible_collections/debops/debops/roles/elasticsearch/templates/usr/share/elasticsearch/jdk/conf/security/java.policy.j2

@@ -0,0 +1,20 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+// {{ ansible_managed }}
+//
+// This system policy file grants a set of default permissions to all domains
+// and can be configured to grant additional permissions to modules and other
+// code sources. The code source URL scheme for modules linked into a
+// run-time image is "jrt".
+//
+// For example, to grant permission to read the "foo" property to the module
+// "com.greetings", the grant entry is:
+//
+// grant codeBase "jrt:/com.greetings" {
+//     permission java.util.PropertyPermission "foo", "read";
+// };
+//
+
+{{ elasticsearch__java_policy }}