diff --git a/templates/template05-elasticsearch/Readme.md b/templates/template05-elasticsearch/Readme.md index 7fb0bca..4eae3b4 100644 --- a/templates/template05-elasticsearch/Readme.md +++ b/templates/template05-elasticsearch/Readme.md @@ -1,6 +1,6 @@ ### ElasticSearch server -| :zap: As of March 2023, Nextcloud Full Text Search requires ElasticSearch 7, it's not compatible with ElasticSearch 8| +| :zap: As of August 2023, Full Text Search on Nextcloud 26+ is compatible with ElasticSearch 8. Previous versions are only compatible with ElasticSearch 7| |----------------------------------------------------------------------------------------------------| @@ -15,9 +15,12 @@ |File name | Description| | --- | --- | -| `elasticsearch-${ELASTICSEARCH_VERSION}-amd64.deb` | Debian archive for version 7.17.X to be downloaded from [here](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/deb.html#install-deb) | +| `elasticsearch-${ELASTICSEARCH_VERSION}-amd64.deb` | Debian archive for version 8.X.Y to be downloaded from [here](https://www.elastic.co/guide/en/elasticsearch/reference/8.9.0/deb.html#install-deb) | | `memory.options` | Limit the total memory assigned to the JVM | | `elasticsearch.yml` | ElasticSearch core configuration file | +| `rootCA.pem` | The rootCA previously created in your host machine | +| `rootCA-key.pem` | The rootCA key previously created in your host machine | + * Open `Vagrantfile` and assign a value to the following variables and parameters: diff --git a/templates/template05-elasticsearch/artifacts/elasticsearch.yml b/templates/template05-elasticsearch/artifacts/elasticsearch.yml index 70750aa..539c472 100644 --- a/templates/template05-elasticsearch/artifacts/elasticsearch.yml +++ b/templates/template05-elasticsearch/artifacts/elasticsearch.yml 
@@ -81,3 +81,24 @@ # Require explicit names when deleting indices: # #action.destructive_requires_name: true + +xpack.security.http.ssl.enabled: true + +xpack.security.transport.ssl.enabled: true + +xpack.security.http.ssl.keystore.path: certs/http.p12 + +xpack.security.transport.ssl.keystore.path: certs/http.p12 + +xpack.security.authc: + + anonymous: + + username: anonymous_user + + roles: superuser + + authz_exception: true + + + diff --git a/templates/template05-elasticsearch/provision.sh b/templates/template05-elasticsearch/provision.sh index 968b087..12235fd 100644 --- a/templates/template05-elasticsearch/provision.sh +++ b/templates/template05-elasticsearch/provision.sh 
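Review bot: The `xpack.security.authc` block at the end of the hunk gives the anonymous user `roles: superuser`, which cancels the TLS and password work the rest of this commit does—anyone who can reach port 9200 is a full administrator without presenting credentials, and `authz_exception: true` only changes the status code for a denial that can no longer happen. If the goal is to let Nextcloud query the node without a login, define a purpose-built role limited to the Nextcloud index and assign that to `anonymous` instead of `superuser`; otherwise drop the whole `xpack.security.authc` block and give the client the `elastic` password that provision.sh now generates. The transport layer also reuses the HTTP keystore (`xpack.security.transport.ssl.keystore.path: certs/http.p12`); that is workable on a single node, but a one-line comment saying it is deliberate would stop the next reader from looking for a separate transport keystore.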
@@ -30,13 +30,33 @@
 cp /vagrant/artifacts/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml
+apt update
+
+apt install -y curl mkcert
+
+export CAROOT=/vagrant/artifacts/
+
+mkcert -install
+
+mkcert --cert-file /etc/elasticsearch/certs/"${MACHINE_HOSTNAME}".pem --key-file /etc/elasticsearch/certs/"${MACHINE_HOSTNAME}"-key.pem "${MACHINE_HOSTNAME}"
+
+KEYSTORE_PWD=123
+
+## Reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html
+
+openssl pkcs12 -export -out /etc/elasticsearch/certs/http.p12 -in /etc/elasticsearch/certs/"${MACHINE_HOSTNAME}".pem -inkey /etc/elasticsearch/certs/"${MACHINE_HOSTNAME}"-key.pem -passout pass:${KEYSTORE_PWD}
+
+echo "${KEYSTORE_PWD}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password --stdin --force
+
+echo "${KEYSTORE_PWD}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password --stdin --force
+
+
+
 source_str="#MACHINE_HOSTNAME#"
 target_str="${MACHINE_HOSTNAME}"
-
-sed -i "s/$source_str/$target_str/g" /etc/elasticsearch/elasticsearch.yml
-/usr/share/elasticsearch/bin/elasticsearch-plugin install --batch ingest-attachment
+sed -i "s/$source_str/$target_str/g" /etc/elasticsearch/elasticsearch.yml
 systemctl daemon-reload
@@ -46,9 +66,11 @@
 systemctl status elasticsearch.service
-apt install -y curl
+elastic_password=`/usr/share/elasticsearch/bin/elasticsearch-reset-password --url https://es-server01.localenv.com:9200 --username elastic --batch --silent --force`
-curl -X GET "localhost:9200/?pretty"
+echo "automatically generated password for user elastic: ${elastic_password}"
+
+curl -X GET "https://elastic:${elastic_password}@${MACHINE_HOSTNAME}:9200/?pretty"
 end_time=`date`
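Review bot: `KEYSTORE_PWD=123` is a hard-coded, guessable password protecting the PKCS#12 that holds the node's TLS private key, and `-passout pass:${KEYSTORE_PWD}` puts it on the openssl command line where any local user can read it from `ps` or a `bash -x` trace. The value only has to live until the two `elasticsearch-keystore add` calls, so generate it and pass it through the environment instead: `export KEYSTORE_PWD="$(openssl rand -base64 24)"` and `-passout env:KEYSTORE_PWD`. Unless the provisioning shell runs with a restrictive umask, `openssl pkcs12 -export` will also leave `http.p12` world-readable; add `chown root:elasticsearch /etc/elasticsearch/certs/http.p12 && chmod 640 /etc/elasticsearch/certs/http.p12` before the service is started. Note that the `mkcert --cert-file` step needs the host's `rootCA-key.pem` under `CAROOT=/vagrant/artifacts/` (the README hunk now lists it there); that key can mint certificates the host trusts, so make sure the artifacts directory is excluded from version control.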
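Review bot: The `elasticsearch-reset-password` call hard-codes `--url https://es-server01.localenv.com:9200` while the rest of this hunk, and the mkcert certificate issued earlier in the script, are keyed on `${MACHINE_HOSTNAME}`; with any other hostname the URL either does not resolve or fails hostname verification against the certificate, and `elastic_password` comes back empty. The freshly generated password is then echoed to the provisioning output and embedded in the curl URL as `https://elastic:${elastic_password}@…`, so it ends up in the Vagrant log and in the process list; writing it to a root-only file and feeding curl through `--config` avoids both. If `systemctl start` does not block until the HTTP listener is up, the reset will also need a readiness wait—worth a comment either way. The backticks can become `$(…)` at the same time.
```shell
elastic_password=$(/usr/share/elasticsearch/bin/elasticsearch-reset-password --url "https://${MACHINE_HOSTNAME}:9200" --username elastic --batch --silent --force)

# Keep the credential out of the console log and out of curl's argv (visible in `ps`).
install -m 600 /dev/null /root/.elastic_curlrc
printf 'user = "elastic:%s"\n' "${elastic_password}" > /root/.elastic_curlrc
echo "password for user elastic stored in /root/.elastic_curlrc"

curl --config /root/.elastic_curlrc "https://${MACHINE_HOSTNAME}:9200/?pretty"
```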
@@ -56,7 +78,7 @@
 echo "If you add this IP to the hostname (${MACHINE_HOSTNAME}) in your hosts file or you configure the LXD nameserver,"
-echo "you can validate ElasticSearch connectivity with 'curl -X GET "${MACHINE_HOSTNAME}:9200/?pretty"'"
+echo "you can validate ElasticSearch connectivity with: curl -X GET https://elastic:${elastic_password}@${MACHINE_HOSTNAME}:9200/?pretty"
 echo "provisioning started: ${start_time}"
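Review bot: The rewritten banner line prints the `elastic` password inside the suggested curl command, so the credential lands in the provisioning log a second time and in the shell history of whoever pastes the command. Print the command without the secret and let curl prompt for it: `echo "you can validate ElasticSearch connectivity with: curl -u elastic https://${MACHINE_HOSTNAME}:9200/?pretty"`. The run of `echo` statements this line belongs to continues outside the hunk.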