diff --git a/host_vars/opensearch.archlinux.org/misc b/host_vars/opensearch.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..961fa4e60b7c35b3ac5dfdd004c916a4dfbf17c5
--- /dev/null
+++ b/host_vars/opensearch.archlinux.org/misc
@@ -0,0 +1,3 @@
+filesystem: btrfs
+wireguard_address: 10.0.0.42
+wireguard_public_key: 2f19yTsYkrv5xp7V4kREsuisbFc7Wew3gxd7sS/LyXc=
diff --git a/host_vars/opensearch.archlinux.org/vault_wireguard.yml b/host_vars/opensearch.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..074f8eddd947feb865025bc55ffc3d5d670e4045
--- /dev/null
+++ b/host_vars/opensearch.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+66386538386463623062666662656563383738343831326166383361333365383231663232383662
+6530633164346531613431343530373334376437373132650a383731653464626236346265346638
+35303861636134663839363236626335303035633730363339613331643535323938356436373065
+3266616166663330660a346338303830313136386338323135353563636539393261616562616262
+36326438353233316661383231613639393437616336653734613330376334376563386231346334
+62313733313265383963396665623566623232346363633566323439303466383835346134353432
+63323039643932643663323538383563623134313730653336623631383363346239613038633030
+31616365656634326339
diff --git a/hosts b/hosts
index e3508f19183df7b55c038f5c82be09783bcb548b..39252b8d988231e1ad8f3bb938938953c29335b3 100644
--- a/hosts
+++ b/hosts
@@ -120,6 +120,7 @@ matrix.archlinux.org
 md.archlinux.org
 mirror.pkgbuild.com
 monitoring.archlinux.org
+opensearch.archlinux.org
 phrik.archlinux.org
 quassel.archlinux.org
 redirect.archlinux.org
diff --git a/playbooks/opensearch.archlinux.org.yml b/playbooks/opensearch.archlinux.org.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6717aaeafecd64930deff8c715077a9ddb08d390
--- /dev/null
+++ b/playbooks/opensearch.archlinux.org.yml
@@ -0,0 +1,13 @@
+- name: Setup opensearch.archlinux.org
+  hosts: opensearch.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: firewalld }
+    - { role: wireguard }
+    - { role: hardening }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: prometheus_exporters }
+    - { role: promtail }
+    - { role: opensearch }
diff --git a/roles/opensearch/handlers/main.yml b/roles/opensearch/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2a0f9c48a86f3b27cbd726cc157a1421757f5ff0
--- /dev/null
+++ b/roles/opensearch/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Restart opensearch
+  systemd: name=opensearch state=restarted
diff --git a/roles/opensearch/tasks/main.yml b/roles/opensearch/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..97fda5bec2fc0f983a1621109426fe6968e53ddc
--- /dev/null
+++ b/roles/opensearch/tasks/main.yml
@@ -0,0 +1,29 @@
+- name: Install opensearch
+  pacman: name=opensearch state=present
+
+- name: Create opensearch keystore
+  command: opensearch-keystore create
+  args:
+    creates: /etc/opensearch/opensearch.keystore
+
+- name: Listen on 0.0.0.0
+  lineinfile:
+    path: /etc/opensearch/opensearch.yml
+    regexp: '^#?network\.host: .*$'
+    line: 'network.host: 0.0.0.0'
+  notify: Restart opensearch
+
+- name: Run in single-node mode
+  lineinfile:
+    path: /etc/opensearch/opensearch.yml
+    line: 'discovery.type: single-node'
+  notify: Restart opensearch
+
+- name: Open opensearch ipv4 port for gitlab.archlinux.org
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars['gitlab.archlinux.org']['wireguard_address'] }} port protocol=tcp port=9200 accept"
+  tags:
+    - firewall
+
+- name: Start and enable opensearch
+  systemd: name=opensearch.service enabled=yes state=started
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 1dcce679e25bea7940eb9034f224e0bb838a0432..1bad7dc1763a9e0834b50d33d19baedfdaffa688 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -118,6 +118,10 @@ locals {
       server_type = "cx31"
       domain      = "monitoring"
     }
+    "opensearch.archlinux.org" = {
+      server_type = "cx11"
+      domain      = "opensearch"
+    }
     "phrik.archlinux.org" = {
       server_type = "cx11"
       domain      = "phrik"