diff --git a/roles/opensearch/opensearch/config.sls b/roles/opensearch/opensearch/config.sls
--- a/roles/opensearch/opensearch/config.sls
+++ b/roles/opensearch/opensearch/config.sls
@@ -68,37 +68,3 @@
 - creates: /opt/opensearch/config/{{ certificate }}.pem
 {% endfor %}
-
-# -------------------------------------------------------------
-# Security plugin
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-/opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml:
- file.managed:
- - source: salt://roles/opensearch/opensearch/files/internal_users.yml.jinja
- - user: opensearch
- - group: opensearch
- - template: jinja
- - context:
- users:
- {% for user, credential in config['users'].items() %}
- {{ user }}:
- username: {{ salt['zr.get_username'](credential) }}
- password: {{ salt['zr.get_password'](credential) }}
- {% endfor %}
-
-opensearch_security_initialize:
- cmd.run:
- - name: > bash /opt/opensearch/plugins/opensearch-security/tools/securityadmin.sh
- -cacert /opt/opensearch/config/root-ca.pem
- -cert /opt/opensearch/config/admin.pem
- -key /opt/opensearch/config/admin.key
- -f /opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
- -nhnv -icl
- -h {{ config['network_host'] }}
- - touch /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized
- - env:
- JAVA_HOME: /opt/opensearch/jdk
- - creates: /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized
diff --git a/roles/opensearch/opensearch/files/security_initialize.sh b/roles/opensearch/opensearch/files/security_initialize.sh
new file mode 100755
--- /dev/null
+++ b/roles/opensearch/opensearch/files/security_initialize.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+OPENSEARCH_HOSTNAME=$1
+ROOT=/opt/opensearch
+
+# Wait a little bit to let OpenSearch start
+sleep 5
+
+bash $ROOT/plugins/opensearch-security/tools/securityadmin.sh \
+ -cacert $ROOT/config/root-ca.pem \
+ -cert $ROOT/config/admin.pem \
+ -key $ROOT/config/admin.key \
+ -f $ROOT/plugins/opensearch-security/securityconfig/internal_users.yml \
+ -nhnv -icl \
+ -h "$OPENSEARCH_HOSTNAME"
+
+touch $ROOT/plugins/opensearch-security/securityconfig/.initialized
diff --git a/roles/opensearch/opensearch/init.sls b/roles/opensearch/opensearch/init.sls
--- a/roles/opensearch/opensearch/init.sls
+++ b/roles/opensearch/opensearch/init.sls
@@ -10,4 +10,5 @@
 - .software
 - .config
 - .service
+ - .security
 - .wrapper
diff --git a/roles/opensearch/opensearch/security.sls b/roles/opensearch/opensearch/security.sls
new file mode 100644
--- /dev/null
+++ b/roles/opensearch/opensearch/security.sls
@@ -0,0 +1,34 @@
+# -------------------------------------------------------------
+# Salt — Provision OpenSearch
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set config = salt['opensearch.get_config']() %}
+
+# -------------------------------------------------------------
+# Security plugin
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml:
+ file.managed:
+ - source: salt://roles/opensearch/opensearch/files/internal_users.yml.jinja
+ - user: opensearch
+ - group: opensearch
+ - template: jinja
+ - context:
+ users:
+ {% for user, credential in config['users'].items() %}
+ {{ user }}:
+ username: {{ salt['zr.get_username'](credential) }}
+ password: {{ salt['zr.get_password'](credential) }}
+ {% endfor %}
+
+opensearch_security_initialize:
+ cmd.script:
+ - source: salt://roles/opensearch/opensearch/files/security_initialize.sh
+ - args: {{ config['network_host'] }}
+ - env:
+ JAVA_HOME: /opt/opensearch/jdk
+ - creates: /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized
diff --git a/roles/opensearch/opensearch/software.sls b/roles/opensearch/opensearch/software.sls
--- a/roles/opensearch/opensearch/software.sls
+++ b/roles/opensearch/opensearch/software.sls
@@ -53,15 +53,16 @@
 - source: /usr/local/dl/{{ distname }}.tar.gz
 - user: opensearch
 - group: opensearch
- - overwrite: True
 - enforce_toplevel: False
 - options: --strip 1
- - onchanges:
- - file: /usr/local/dl/{{ distname }}.tar.gz
 {% endfor %}
 {% endif %}
+/opt/opensearch/plugins/opensearch-security/tools/hash.sh:
+ file.managed:
+ - mode: 0755
+
 # -------------------------------------------------------------
 # Cleanup legacy versions
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
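Review bot: The rendered internal_users.yml carries the value of `zr.get_password` for every configured user, but the `file.managed` state sets only `user` and `group` and no `mode`, so the file's permissions fall back to Salt's default rather than being restricted to the service account; add `- mode: 0640` after `- group: opensearch`. The same state will also print the rendered file, credentials included, in the state diff whenever it changes; `- show_changes: False` keeps that out of minion and master output and logs. Whether the template writes the password in clear or already hashed is decided in internal_users.yml.jinja, which is not in this diff, so the mode and show_changes settings are warranted either way.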
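Review bot: The new `file.managed` state for hash.sh sets only `- mode: 0755` with no `source`, so nothing in the state says that the script's content is deliberately left to the extracted plugin; `- replace: False` states that intent explicitly, and a `- require:` on the archive.extracted state (whose body starts above this hunk, so its ID is not visible here) ensures the file exists before the mode is applied instead of Salt creating an empty executable when the plugin is not yet unpacked. Separately, dropping `overwrite: True` and the `onchanges` on the tarball from that archive.extracted state appears to mean a newer tarball at the same destination is no longer re-extracted once /opt/opensearch exists; worth confirming that upgrades are handled elsewhere.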