diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -2857,6 +2857,21 @@
     - http://esnode2.internal.softwareheritage.org:9200
     - http://esnode3.internal.softwareheritage.org:9200
 
+elasticsearch::jvm_options:
+  - "-Xms%{lookup('elasticsearch::jvm_options::heap_size')}"
+  - "-Xmx%{lookup('elasticsearch::jvm_options::heap_size')}"
+
+elasticsearch::config::path::data: /srv/elasticsearch
+elasticsearch::config::path::logs: /var/log/elasticsearch
+
+elasticsearch::config:
+  cluster.name: "%{alias('elasticsearch::config::cluster::name')}"
+  node.name: "%{::hostname}"
+  discovery.seed_hosts: "%{alias('elasticsearch::config::discovery::seed_hosts')}"
+  cluster.initial_master_nodes: "%{alias('elasticsearch::config::cluster::initial_master_nodes')}"
+  path.data: "%{alias('elasticsearch::config::path::data')}"
+  path.logs: "%{alias('elasticsearch::config::path::logs')}"
+
 logstash::listen_network: "%{lookup('internal_network')}"
 logstash::elasticsearch::hosts: "%{alias('elasticsearch::hosts')}"
 
diff --git a/data/deployments/production/common.yaml b/data/deployments/production/common.yaml
--- a/data/deployments/production/common.yaml
+++ b/data/deployments/production/common.yaml
@@ -1,3 +1,19 @@
 swh::deploy::deposit::reverse_proxy::backend_http_host: "::1"
 swh::deploy::webapp::reverse_proxy::backend_http_host: "::1"
 
+elasticsearch::config::cluster::name: swh-logging-prod
+elasticsearch::config::discovery::seed_hosts:
+  - esnode1.internal.softwareheritage.org
+  - esnode2.internal.softwareheritage.org
+  - esnode3.internal.softwareheritage.org
+elasticsearch::config::cluster::initial_master_nodes:
+  - esnode1
+  - esnode2
+  - esnode3
+
+elasticsearch::config::extras:
+  indices.memory.index_buffer_size: 50%
+  index.store.type: hybridfs
+
+elasticsearch::jvm_options::heap_size: 16g
+
diff --git a/data/deployments/production/vagrant.yaml b/data/deployments/production/vagrant.yaml
new file mode 100644
--- /dev/null
+++ b/data/deployments/production/vagrant.yaml
@@ -0,0 +1 @@
+elasticsearch::jvm_options::heap_size: 512m
diff --git a/data/deployments/staging/common.yaml b/data/deployments/staging/common.yaml
--- a/data/deployments/staging/common.yaml
+++ b/data/deployments/staging/common.yaml
@@ -244,3 +244,16 @@
 apache::http_port: 9080
 # Disable default vhost on port 80
 apache::default_vhost: false
+
+# Elasticsearch
+
+elastic::elk_version: '7.9.3'
+
+elasticsearch::config::cluster::name: swh-search
+
+elasticsearch::config::discovery::seed_hosts:
+  - search-esnode0.internal.staging.swh.network
+elasticsearch::config::cluster::initial_master_nodes:
+  - search-esnode0
+
+elasticsearch::jvm_options::heap_size: 8g
diff --git a/data/deployments/staging/vagrant.yaml b/data/deployments/staging/vagrant.yaml
--- a/data/deployments/staging/vagrant.yaml
+++ b/data/deployments/staging/vagrant.yaml
@@ -2,3 +2,5 @@
 swh::postgresql::shared_buffers: 128MB
 
 kafka::broker::heap_opts: "-Xmx512m -Xms512m"
+
+elasticsearch::jvm_options::heap_size: 512m
diff --git a/data/hostname/search-esnode0.internal.staging.swh.network.yaml b/data/hostname/search-esnode0.internal.staging.swh.network.yaml
new file mode 100644
--- /dev/null
+++ b/data/hostname/search-esnode0.internal.staging.swh.network.yaml
@@ -0,0 +1,5 @@
+networks:
+  eth0:
+    address: 192.168.130.80
+    netmask: 255.255.255.0
+    gateway: 192.168.130.1
diff --git a/data/subnets/vagrant.yaml b/data/subnets/vagrant.yaml
--- a/data/subnets/vagrant.yaml
+++ b/data/subnets/vagrant.yaml
@@ -47,9 +47,9 @@
 netbox::admin::email: sysop+vagrant@softwareheritage.org
 
 static_hostnames:
-  10.168.100.18: 
+  10.168.100.18:
     host: banco.internal.softwareheritage.org
-    aliases: 
+    aliases:
       - backup.internal.softwareheritage.org
       - kibana.internal.softwareheritage.org
   10.168.100.19:
@@ -58,7 +58,7 @@
       - logstash.internal.softwareheritage.org
   10.168.100.29:
     host: pergamon.internal.softwareheritage.org
-    aliases: 
+    aliases:
       - icinga.internal.softwareheritage.org
       - grafana.softwareheritage.org
       - stats.export.softwareheritage
@@ -71,7 +71,7 @@
       - deposit.internal.softwareheritage.org
   10.168.100.52:
     host: riverside.internal.softwareheritage.org
-    aliases: 
+    aliases:
       - sentry.softwareheritage.org
   10.168.100.61:
     host: esnode1.internal.softwareheritage.org
@@ -81,7 +81,7 @@
     host: esnode3.internal.softwareheritage.org
   10.168.100.104:
     host: saatchi.internal.softwareheritage.org
-    aliases: 
+    aliases:
       - rabbitmq.internal.softwareheritage.org
   10.168.100.106:
     host: kelvingrove.internal.softwareheritage.org
@@ -89,6 +89,12 @@
       - auth.softwareheritage.org
   10.168.100.109:
     host: saam.internal.softwareheritage.org
+  10.168.100.131:
+    host: zookeeper1.internal.softwareheritage.org
+  10.168.100.132:
+    host: zookeeper2.internal.softwareheritage.org
+  10.168.100.133:
+    host: zookeeper3.internal.softwareheritage.org
   10.168.100.210:
     host: belvedere.internal.softwareheritage.org
     aliases:
@@ -111,3 +117,5 @@
     host: vault.internal.staging.swh.network
   10.168.130.70:
     host: journal0.internal.staging.swh.network
+  10.168.130.80:
+    host: search-esnode0.internal.staging.swh.network
diff --git a/manifests/site.pp b/manifests/site.pp
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -39,7 +39,7 @@
 }
 
 node /^esnode\d+.(internal.)?softwareheritage.org$/ {
-  include role::swh_elasticsearch
+  include role::swh_elasticsearch_broker
 }
 
 node /^zookeeper\d+.(internal.)?softwareheritage.org$/ {
@@ -160,6 +160,10 @@
   include role::swh_worker_inria
 }
 
+node /^search-esnode\d\.internal\.staging\.swh\.network$/ {
+  include role::swh_elasticsearch
+}
+
 node 'webapp.internal.staging.swh.network' {
   include role::swh_webapp
 }
diff --git a/site-modules/profile/manifests/elasticsearch.pp b/site-modules/profile/manifests/elasticsearch.pp
--- a/site-modules/profile/manifests/elasticsearch.pp
+++ b/site-modules/profile/manifests/elasticsearch.pp
@@ -2,48 +2,80 @@
 
 class profile::elasticsearch {
 
-  user { 'elasticsearch':
-    ensure => 'present',
-    uid    => '114',
-    gid    => '119',
-    home   => '/home/elasticsearch',
-    shell  => '/bin/false',
-  }
-
-  package { 'openjdk-8-jre-headless':
-    ensure => 'present',
-  }
-
   include ::profile::elastic::apt_config
 
+  $elasticsearch_config = lookup('elasticsearch::config')
+  $elasticsearch_extra_config = lookup('elasticsearch::config::extras', {default_value => {}})
   $version = lookup('elastic::elk_version')
 
-  package { 'elasticsearch':
-    ensure => $version,
-  }
+  $path_data = lookup('elasticsearch::config::path::data')
+  $jvm_options = lookup('elasticsearch::jvm_options')
+
 
   apt::pin { 'elasticsearch':
     packages => 'elasticsearch elasticsearch-oss',
-    version => $version,
+    version  => $version,
     priority => 1001,
+  } -> package { 'elasticsearch':
+    ensure  => $version,
+    require => [
+      Class['::profile::elastic::apt_config']
+    ]
+  }
+
+  file { $path_data:
+    ensure  => 'directory',
+    owner   => 'elasticsearch',
+    group   => 'elasticsearch',
+    mode    => '2755',
+    require => Package['elasticsearch']
+  }
+
+  $config = $elasticsearch_config + $elasticsearch_extra_config + {
+    'network.host' => ip_for_network(lookup('internal_network'))
+  }
+
+  file { '/etc/elasticsearch/elasticsearch.yml':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => inline_yaml($config),
+    require => Package['elasticsearch'],
+    notify  => Service['elasticsearch'],
+  }
+
+  concat {'es_jvm_options':
+    ensure         => present,
+    path           => '/etc/elasticsearch/jvm.options.d/jvm.options',
+    owner          => 'root',
+    group          => 'root',
+    mode           => '0644',
+    ensure_newline => true,
+    require        => Package['elasticsearch'],
+    notify         => Service['elasticsearch'],
   }
 
-  # hybridfs is the best of both worlds between niofs and mmapfs. It's the ES
-  # 7.x default.
-  file_line { 'elasticsearch store type':
-    ensure => present,
-    line   => 'index.store.type: hybridfs',
-    match  => '^(#\s*)?index\.store\.type:',
-    path   => '/etc/elasticsearch/elasticsearch.yml',
+  $jvm_options.each |$index, $option| {
+    concat::fragment {"${index}_es_jvm_option":
+      target  => 'es_jvm_options',
+      content => $option,
+      order   => '00',
+    }
   }
 
   systemd::dropin_file { 'elasticsearch.conf':
-    unit   => 'elasticsearch.service',
-    content  => template('profile/swh/elasticsearch.conf.erb'),
+    unit    => 'elasticsearch.service',
+    content => template('profile/swh/elasticsearch.conf.erb'),
+    notify  => Service['elasticsearch'],
   }
 
   service { 'elasticsearch':
-    ensure => running,
-    enable => true,
+    ensure  => running,
+    enable  => true,
+    require => [
+      Package['elasticsearch'],
+      File[$path_data],
+    ],
   }
 }
diff --git a/site-modules/role/manifests/swh_elasticsearch.pp b/site-modules/role/manifests/swh_elasticsearch.pp
--- a/site-modules/role/manifests/swh_elasticsearch.pp
+++ b/site-modules/role/manifests/swh_elasticsearch.pp
@@ -1,5 +1,3 @@
 class role::swh_elasticsearch inherits role::swh_base {
   include profile::elasticsearch
-
-  include profile::kafka::broker
 }
diff --git a/site-modules/role/manifests/swh_elasticsearch_broker.pp b/site-modules/role/manifests/swh_elasticsearch_broker.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/role/manifests/swh_elasticsearch_broker.pp
@@ -0,0 +1,3 @@
+class role::swh_elasticsearch_broker inherits role::swh_elasticsearch {
+  include profile::kafka::broker
+}