Merge branch 'gitlab-advanced-search' into 'master'

Setup OpenSearch server for GitLab's advanced search feature[1] Closes #159 See merge request archlinux/infrastructure!711

Merge branch 'gitlab-advanced-search' into 'master'
f04d7ef9 · Kristian Klausen · 04499f15 · ae53da35 · f04d7ef9 · f04d7ef9
Verified Commit f04d7ef9 authored 1 year ago by Kristian Klausen
--- a/host_vars/opensearch.archlinux.org/misc
+++ b/host_vars/opensearch.archlinux.org/misc
+filesystem: btrfs
+wireguard_address: 10.0.0.42
+wireguard_public_key: 2f19yTsYkrv5xp7V4kREsuisbFc7Wew3gxd7sS/LyXc=
--- a/host_vars/opensearch.archlinux.org/vault_wireguard.yml
+++ b/host_vars/opensearch.archlinux.org/vault_wireguard.yml
+$ANSIBLE_VAULT;1.1;AES256
+66386538386463623062666662656563383738343831326166383361333365383231663232383662
+6530633164346531613431343530373334376437373132650a383731653464626236346265346638
+35303861636134663839363236626335303035633730363339613331643535323938356436373065
+3266616166663330660a346338303830313136386338323135353563636539393261616562616262
+36326438353233316661383231613639393437616336653734613330376334376563386231346334
+62313733313265383963396665623566623232346363633566323439303466383835346134353432
+63323039643932643663323538383563623134313730653336623631383363346239613038633030
+31616365656634326339
--- a/hosts
+++ b/hosts
@@ -120,6 +120,7 @@ matrix.archlinux.org
 md.archlinux.org
 mirror.pkgbuild.com
 monitoring.archlinux.org
+opensearch.archlinux.org
 phrik.archlinux.org
 quassel.archlinux.org
 redirect.archlinux.org

--- a/playbooks/opensearch.archlinux.org.yml
+++ b/playbooks/opensearch.archlinux.org.yml
+- name: Setup opensearch.archlinux.org
+  hosts: opensearch.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: firewalld }
+    - { role: wireguard }
+    - { role: hardening }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: prometheus_exporters }
+    - { role: promtail }
+    - { role: opensearch }
--- a/roles/opensearch/handlers/main.yml
+++ b/roles/opensearch/handlers/main.yml
+- name: Restart opensearch
+  systemd: name=opensearch state=restarted
--- a/roles/opensearch/tasks/main.yml
+++ b/roles/opensearch/tasks/main.yml
+- name: Install opensearch
+  pacman: name=opensearch state=present
+
+- name: Create opensearch keystore
+  command: opensearch-keystore create
+  args:
+    creates: /etc/opensearch/opensearch.keystore
+
+- name: Listen on 0.0.0.0
+  lineinfile:
+    path: /etc/opensearch/opensearch.yml
+    regexp: '^#?network\.host: .*$'
+    line: 'network.host: 0.0.0.0'
+  notify: Restart opensearch
+
+- name: Run in single-node mode
+  lineinfile:
+    path: /etc/opensearch/opensearch.yml
+    line: 'discovery.type: single-node'
+  notify: Restart opensearch
+
+- name: Open opensearch ipv4 port for gitlab.archlinux.org
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars['gitlab.archlinux.org']['wireguard_address'] }} port protocol=tcp port=9200 accept"
+  tags:
+    - firewall
+
+- name: Start and enable opensearch
+  systemd: name=opensearch.service enabled=yes state=started
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -118,6 +118,10 @@ locals {
      server_type = "cx31"
      domain      = "monitoring"
    }
+    "opensearch.archlinux.org" = {
+      server_type = "cx11"
+      domain      = "opensearch"
+    }
    "phrik.archlinux.org" = {
      server_type = "cx11"
      domain      = "phrik"