diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 52f850909..f58fff158 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -662,7 +662,7 @@ role:
 - {{ portgroups.ssh }}
 {% set idh_services = salt['pillar.get']('idh:services', []) %}
 {% for service in idh_services %}
- - {{ portgroups.service }}
+ - {{ portgroups['idh_'~service] }}
 {% endfor %}
 dockernet:
 portgroups:
diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml
index 5fe08db08..ae258daa6 100644
--- a/salt/firewall/portgroups.yaml
+++ b/salt/firewall/portgroups.yaml
@@ -1,3 +1,8 @@
+{% if grains.role == 'so-idh' %}
+ {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
+ {% set idh_services = salt['pillar.get']('idh:services', []) %}
+{% endif %}
+
 firewall:
 aliases:
 ports:
@@ -48,15 +53,6 @@ firewall:
 fleet_webui:
 tcp:
 - 443
- ftp:
 tcp:
 - 21
- git:
 tcp:
 - 9418
- http:
 tcp:
 - 80
 influxdb:
 tcp:
 - 8086
@@ -115,3 +111,11 @@ firewall:
 yum:
 tcp:
 - 443
+
+{% if idh_services is defined %}
+ {% for service in idh_services %}
+ idh_{{service}}:
+ tcp:
+ - {{ OPENCANARYCONFIG[service~'.port'] }}
+ {% endfor %}
+{% endif %}
diff --git a/salt/idh/init.sls b/salt/idh/init.sls
index 03b31b469..b88e9b227 100644
--- a/salt/idh/init.sls
+++ b/salt/idh/init.sls
@@ -37,4 +37,8 @@ so-idh:
 - network_mode: host
 - binds:
 - /nsm/idh:/var/tmp:rw
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
\ No newline at end of file
+ - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
+ - watch:
 - file: opencanary_config
+ - require:
 - file: opencanary_config
\ No newline at end of file
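Review bot: The new lookup `portgroups['idh_'~service]` aborts rendering of the entire firewall hostgroup map whenever a name in pillar `idh:services` has no matching `idh_<service>` portgroup, and portgroups.yaml in this same commit only emits those keys when `grains.role == 'so-idh'`; so if this map is also rendered on a minion of another role that receives the `idh:services` pillar, every firewall rule on that host fails to compile. Failing closed on a typo is the right outcome, but the failure should be deliberate and readable rather than an undefined-key traceback: gate the loop the same way the portgroup definitions are gated, or check the key first, e.g. `{% if 'idh_'~service in portgroups %}` around the line, with `{{ raise('no portgroup for idh service ' ~ service) }}` in the else branch if Salt's Jinja `raise` helper is available in this version. The `role:` section and its `portgroups:` list that this loop sits in start outside the hunk, so I cannot tell whether it is already role-gated.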
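Review bot: `grains.role` is attribute access on a minion-supplied grain, and as far as I recall Salt's Jinja renderer treats undefined names as errors (StrictUndefined) unless `allow_undefined` is set, so a host without a `role` grain would fail to render the whole portgroups file instead of simply skipping the IDH import; `{% if grains.get('role') == 'so-idh' %}` keeps the intent and degrades to the non-IDH path. A one-line comment above the block would also help the next reader: `{# role gate is a minion grain; the service list itself comes from master pillar, so a minion cannot open honeypot ports the master did not list #}` — that is the property someone will want to confirm when they see a grain check driving firewall openings.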
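Review bot: `service` comes straight from pillar and is interpolated unvalidated both as a YAML mapping key (`idh_{{service}}:`) and as a lookup key into OPENCANARYCONFIG; a value containing `:`, a space or `#` yields a malformed or mis-keyed portgroups document, and a name with no `<service>.port` entry in the config map aborts the render with an opaque Jinja error (fail-closed, but hard to diagnose). Since the honeypot service set is finite, validate each name before emitting it, e.g. `{% if service~'.port' not in OPENCANARYCONFIG %}{{ raise('unknown idh service: ' ~ service) }}{% endif %}` (or a `regex_match` allowlist on the name if `raise` is not available in this Salt version). The fixed `ftp`, `git` and `http` entries removed in the previous hunk now only exist when the matching service is listed in `idh:services`; a grep for `portgroups.ftp`, `portgroups.git` and `portgroups.http` elsewhere in the firewall states should confirm nothing else still references them.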
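Review bot: The added `require` block is redundant: in Salt a `watch` requisite already implies `require` on the same state, so `- watch:` / `- file: opencanary_config` alone orders the container after the config file and triggers docker_container's watch behaviour (a container restart, as I understand it) when the file changes; keeping both adds noise and a second place to keep in sync. The rewritten last line still ends without a trailing newline, which the diff marks on both sides with `\ No newline at end of file`. I am assuming `opencanary_config` is the ID of a `file` state earlier in this file; that state is outside the hunk.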