X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/a68415b8f2bf106b6ea5948b0605c897b516ef4f..41bdac8f1d96696cd28642ef0247a07ed59cfae8:/cookbooks/kibana/recipes/default.rb

diff --git a/cookbooks/kibana/recipes/default.rb b/cookbooks/kibana/recipes/default.rb
index e4dd05c9f..1a8c7712a 100644
--- a/cookbooks/kibana/recipes/default.rb
+++ b/cookbooks/kibana/recipes/default.rb
@@ -1,15 +1,14 @@
-# coding: utf-8
 #
-# Cookbook Name:: kibana
+# Cookbook:: kibana
 # Recipe:: default
 #
-# Copyright 2015, OpenStreetMap Foundation
+# Copyright:: 2015, OpenStreetMap Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+#     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,21 +19,22 @@
 
 require "yaml"
 
-include_recipe "apache::ssl"
+include_recipe "accounts"
+include_recipe "apache"
 
 apache_module "proxy_http"
 
 version = node[:kibana][:version]
 
 remote_file "#{Chef::Config[:file_cache_path]}/kibana-#{version}.tar.gz" do
-  source "https://download.elastic.co/kibana/kibana/kibana-4.1.1-linux-x64.tar.gz"
-  not_if { File.exist?("/opt/kibana-#{version}/bin/kibana") }
+  source "https://download.elastic.co/kibana/kibana/kibana-#{version}-linux-x64.tar.gz"
+  not_if { ::File.exist?("/opt/kibana-#{version}/bin/kibana") }
 end
 
 directory "/opt/kibana-#{version}" do
   owner "root"
   group "root"
-  mode 0o755
+  mode "755"
 end
 
 execute "unzip-kibana-#{version}" do
@@ -42,25 +42,25 @@ execute "unzip-kibana-#{version}" do
   cwd "/opt/kibana-#{version}"
   user "root"
   group "root"
-  not_if { File.exist?("/opt/kibana-#{version}/bin/kibana") }
+  not_if { ::File.exist?("/opt/kibana-#{version}/bin/kibana") }
 end
 
 directory "/etc/kibana" do
   owner "root"
   group "root"
-  mode 0o755
+  mode "755"
 end
 
 directory "/var/run/kibana" do
   owner "kibana"
   group "kibana"
-  mode 0o755
+  mode "755"
 end
 
 directory "/var/log/kibana" do
   owner "kibana"
   group "kibana"
-  mode 0o755
+  mode "755"
 end
 
 systemd_service "kibana@" do
@@ -68,27 +68,38 @@ systemd_service "kibana@" do
   after "network.target"
   user "kibana"
   exec_start "/opt/kibana-#{version}/bin/kibana -c /etc/kibana/%i.yml"
+  private_tmp true
+  private_devices true
+  protect_system "full"
+  protect_home true
+  no_new_privileges true
   restart "on-failure"
 end
 
 node[:kibana][:sites].each do |name, details|
   file "/etc/kibana/#{name}.yml" do
-    content YAML.dump(YAML.load(File.read("/opt/kibana-#{version}/config/kibana.yml")).merge(
+    content YAML.dump(YAML.safe_load(File.read("/opt/kibana-#{version}/config/kibana.yml")).merge(
                         "port" => details[:port],
                         "host" => "127.0.0.1",
                         "elasticsearch_url" => details[:elasticsearch_url],
                         "pid_file" => "/var/run/kibana/#{name}.pid",
                         "log_file" => "/var/log/kibana/#{name}.log"
-    ))
+                      ))
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     notifies :restart, "service[kibana@#{name}]"
   end
 
   service "kibana@#{name}" do
     action [:enable, :start]
     supports :status => true, :restart => true, :reload => false
+    subscribes :restart, "systemd_service[kibana@]"
+  end
+
+  ssl_certificate details[:site] do
+    domains details[:site]
+    notifies :reload, "service[apache2]"
   end
 
   apache_site details[:site] do