diff --git a/salt/profile/wikisearch/init.sls b/salt/profile/wikisearch/init.sls
index 533be1b..2738048 100644
--- a/salt/profile/wikisearch/init.sls
+++ b/salt/profile/wikisearch/init.sls
@@ -1,2 +1,19 @@
 include:
   - elasticsearch
+
+
+# enforce that elasticsearch only starts if the AppArmor profile is loaded
+/etc/systemd/system/elasticsearch.service.d:
+  file.directory
+
+/etc/systemd/system/elasticsearch.service.d/es-apparmor.conf:
+  file.managed:
+    - contents:
+      - '[service]'
+      - AppArmorProfile=elasticsearch
+    - require_in:
+      - elasticsearch
+  cmd.run:
+    - name: systemctl daemon-reload
+    - onchanges:
+      - file: /etc/systemd/system/elasticsearch.service.d/es-apparmor.conf