punktDe · medanthelinium · Nov 21, 2023 · Aug 23, 2024 · Aug 23, 2024 · Aug 23, 2024
diff --git a/defaults/main.yaml b/defaults/main.yaml
@@ -1,4 +1,5 @@
 kibana:
+  version: 7
   prefix:
     config: >-
       {%- if ansible_system == 'Linux' -%}
@@ -10,7 +11,7 @@ kibana:
     apt:
       key_url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
       repository: |
-        deb https://artifacts.elastic.co/packages/7.x/apt stable main
+        deb https://artifacts.elastic.co/packages/{{ vars.kibana.version }}.x/apt stable main
   domain:
   use_dehydrated: yes
   oauth2_proxy:

diff --git a/meta/main.yaml b/meta/main.yaml
@@ -1,2 +1,3 @@
 dependencies:
   - role: nginx
+  - role: elasticsearch
diff --git a/tasks/install.yaml b/tasks/install.yaml
@@ -1,4 +1,4 @@
-- when: ansible_distribution == 'Ubuntu'
+- when: ansible_os_family == 'Debian'
   block:
     - name: Add Elastic repository key
       apt_key:

diff --git a/tasks/kibana.yaml b/tasks/kibana.yaml
@@ -1,6 +1,6 @@
 - name: Template Kibana config
   loop:
-    - src: kibana/kibana.yml
+    - src: kibana/kibana.yml.j2
       dest: "{{ kibana.prefix.config }}/kibana.yml"
   loop_control:
     label: "{{ item.dest }}"

diff --git a/tasks/main.yaml b/tasks/main.yaml
@@ -1,3 +1,9 @@
+---
 - import_tasks: install.yaml
+
 - import_tasks: nginx.yaml
+
+- import_tasks: password.yaml
+  when: kibana.version is version('8', '>=')
+
 - import_tasks: kibana.yaml
diff --git a/tasks/password.yaml b/tasks/password.yaml
@@ -0,0 +1,28 @@
+---
+- name: Display an error about missing kibana_system password
+  when: not elasticsearch.users.builtin.kibana_system.password
+  ansible.builtin.fail:
+    msg: >-
+      [ERROR]: The password for built-in user 'kibana_system' is not defined.
+      Starting with ElasticSearch 8, security is enabled by default,
+      which means that the built-in users must be password-protected.
+      Please set the variable `elasticsearch.users.builtin.kibana_system.password`
+      to your desired password.
+
+- name: Check if the password for the kibana_system user is already defined
+  changed_when: kibana_system_password_already_set.status == 401
+  failed_when: kibana_system_password_already_set is failed and kibana_system_password_already_set.status != 401
+  register: kibana_system_password_already_set
+  ansible.builtin.uri:
+    url: http://localhost:9200
+    user: kibana_system
+    password: "{{ elasticsearch.users.builtin.kibana_system.password }}"
+    force_basic_auth: yes
+
+- name: Define a password for the kibana_password user
+  when: kibana_system_password_already_set is changed
+  changed_when: yes
+  ansible.builtin.shell:
+    cmd: >-
+      printf "{{ elasticsearch.users.builtin.kibana_system.password }}\n{{ elasticsearch.users.builtin.kibana_system.password }}" |
+      {{ elasticsearch.prefix.bin }}/elasticsearch-reset-password -b -u kibana_system -i
diff --git a/templates/kibana/kibana.yml b/templates/kibana/kibana.yml
diff --git a/templates/kibana/kibana.yml.j2 b/templates/kibana/kibana.yml.j2
@@ -0,0 +1,5 @@
+{% if kibana.version is not defined or kibana.version is version('8', '<') %}
+{{ kibana['kibana.yml'] | to_nice_yaml(indent=2) }}
+{% else %}
+{{ kibana['kibana.yml'] | ansible.utils.remove_keys(target=['apm', 'graph', 'ml', 'reporting', 'xpack']) | to_nice_yaml(indent=2) }}
+{% endif %}
diff --git a/templates/nginx/http.d/kibana.conf b/templates/nginx/http.d/kibana.conf
@@ -1,58 +1,90 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+{% if dehydrated | cert_exists(kibana.domain) and kibana.use_dehydrated %}
 server {
-    {% if dehydrated|cert_exists(kibana.domain) and kibana.use_dehydrated %}
-    listen 0.0.0.0:443 ssl http2;
-    listen [::]:443 ssl http2;
-    {% else %}
-    listen 0.0.0.0:80;
-    listen [::]:80;
-    {% endif %}
+  listen 0.0.0.0:80;
+  listen [::]:80;
+  {% if ansible_local.proserver|default(none) and ansible_local.proserver.routing.with_gate64 -%}
+  listen [::1]:87 proxy_protocol;
+  {%- endif %}
+
+  server_name {{ kibana.domain }};
+
+  root /var/null;
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+
+  include {{ nginx.prefix.config }}/include/letsencrypt.conf;
+}
+
+server {
+  listen 0.0.0.0:443 ssl http2;
+  listen [::]:443 ssl http2;
 
-    server_name {{ kibana.domain }};
+  server_name {{ kibana.domain }};
 
-    include {{ nginx.prefix.config }}/include/security_headers.conf;
+  include {{ nginx.prefix.config }}/include/security_headers.conf;
 
+  {% if kibana.oauth2_proxy %}
+  location /proserver/iap {
+    proxy_pass http://[::1]:{{ oauth2_proxy.config[kibana.oauth2_proxy].http_address.split(":")[-1] }};
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header X-Auth-Request-Redirect $request_uri;
+  }
+
+  location = /proserver/iap/auth {
+    proxy_pass http://[::1]:{{ oauth2_proxy.config[kibana.oauth2_proxy].http_address.split(":")[-1] }};
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header Content-Length "";
+    proxy_pass_request_body off;
+  }
+  {% endif %}
+
+  location / {
     {% if kibana.oauth2_proxy %}
-    location /proserver/iap {
-        proxy_pass http://[::1]:{{ oauth2_proxy.config[kibana.oauth2_proxy].http_address.split(":")[-1] }};
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Scheme $scheme;
-        proxy_set_header X-Auth-Request-Redirect $request_uri;
-    }
-
-    location = /proserver/iap/auth {
-        proxy_pass http://[::1]:{{ oauth2_proxy.config[kibana.oauth2_proxy].http_address.split(":")[-1] }};
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Scheme $scheme;
-        proxy_set_header Content-Length "";
-        proxy_pass_request_body off;
-    }
+    auth_request /proserver/iap/auth;
+    error_page 401 = /proserver/iap/sign_in;
+    auth_request_set $auth_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $auth_cookie;
     {% endif %}
 
-    location / {
-        {% if kibana.oauth2_proxy %}
-        auth_request /proserver/iap/auth;
-        error_page 401 = /proserver/iap/sign_in;
-        auth_request_set $auth_cookie $upstream_http_set_cookie;
-        add_header Set-Cookie $auth_cookie;
-        {% endif %}
-
-        proxy_pass http://127.0.0.1:5601;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        proxy_set_header Host $host;
-        proxy_cache_bypass $http_upgrade;
-    }
-
-    {% if dehydrated|cert_exists(kibana.domain) and kibana.use_dehydrated -%}
-    ############################################################################
-    # HTTPS
-    ############################################################################
-    ssl_certificate {{ dehydrated|cert_fullchain(kibana.domain) }};
-    ssl_certificate_key {{ dehydrated|cert_privkey(kibana.domain) }};
-    ssl_trusted_certificate {{ dehydrated|cert_chain(kibana.domain) }};
-    include {{ nginx.prefix.config }}/include/https_params.conf;
-    {% endif %}
+    proxy_pass http://127.0.0.1:5601;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $host;
+    proxy_cache_bypass $http_upgrade;
+  }
+
+  ssl_certificate {{ dehydrated|cert_fullchain(kibana.domain) }};
+  ssl_certificate_key {{ dehydrated|cert_privkey(kibana.domain) }};
+  ssl_trusted_certificate {{ dehydrated|cert_chain(kibana.domain) }};
+  include {{ nginx.prefix.config }}/include/https_params.conf;
+}
+{% else %}
+
+server {
+  listen 0.0.0.0:80;
+  listen [::]:80;
+
+  server_name {{ kibana.domain }};
+
+  location / {
+    proxy_pass http://127.0.0.1:5601;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $host;
+    proxy_cache_bypass $http_upgrade;
+  }
 }
+{% endif %}