enable/disable soqemussh. allow for pw to be set

pillar/top.sls

@@ -26,6 +26,11 @@ base:
     - nginx.soc_nginx
     - nginx.adv_nginx
 
+  'salt-cloud:driver:libvirt':
+    - match: grain
+    - vm.soc_vm
+    - vm.adv_vm
+
   '*_manager or *_managersearch or *_managerhype':
     - match: compound
     - node_data.ips

salt/_runners/setup_hypervisor.py

@@ -10,8 +10,6 @@
 #    software that is protected by the license key."
 
 """
-TODO: Remove passwd hash prior to release. used for development
-
 This runner performs the initial setup required for hypervisor hosts in the Security Onion environment.
 It handles downloading the Oracle Linux KVM image, setting up SSH keys for secure communication,
 and creating virtual machines with cloud-init configuration.
@@ -715,6 +713,24 @@ def create_vm(vm_name: str, disk_size: str = '220G'):
             log.error("CREATEVM: Failed to read SSH public key: %s", str(e))
             return {'success': False, 'error': 'Failed to read SSH public key'}
 
+        # Read pillar data for soqemussh password hash
+        pillar_path = '/opt/so/saltstack/local/pillar/vm/soc_vm.sls'
+        password_hash = None
+        passwd_line = ""  # Default to empty if no hash found
+        try:
+            if os.path.exists(pillar_path):
+                with salt.utils.files.fopen(pillar_path, 'r') as f:
+                    pillar_data = yaml.safe_load(f)
+                    if pillar_data:
+                        password_hash = pillar_data.get('vm', {}).get('user', {}).get('soqemussh', {}).get('passwordHash')
+            if password_hash:
+                passwd_line = f"      passwd: {password_hash}\n"
+                log.info("CREATEVM: Found soqemussh password hash in pillar.")
+            else:
+                log.info("CREATEVM: No soqemussh password hash found in pillar, omitting passwd line.")
+        except Exception as e:
+            log.warning(f"CREATEVM: Error reading or parsing pillar file {pillar_path}: {str(e)}. Omitting passwd line.")
+
         # Read and encode GPG keys
         keys_dir = '/opt/so/saltstack/default/salt/repo/client/files/oracle/keys'
         oracle_key = _read_and_encode_key(os.path.join(keys_dir, 'RPM-GPG-KEY-oracle'))
@@ -752,8 +768,7 @@ users:
       shell: /bin/bash
       sudo: ALL=(ALL) NOPASSWD:ALL
       lock_passwd: false
-      passwd: $6$THWuTZMZhIVMGaaw$w9kozn7z7i0Y9LRVGZwN6mcZag4vMpE3hW6eCtKNHlFpL1XLcOdiIr29JyDxx3MLBXNedIqnqcj4psqCjv58d.
+{passwd_line}      ssh_authorized_keys:
-      ssh_authorized_keys:
         - {ssh_pub_key}
 
 # Configure where output will go
@@ -796,6 +811,10 @@ write_files:
     content: |
       {securityonion_key}
 
+# Run on every boot - this will only run *after* the first boot and successful cloud-init run
+bootcmd:
+  - if [ -f /var/lib/cloud/instance/boot-finished ]; then touch /etc/cloud/cloud-init.disabled; fi
+
 runcmd:
   # Import GPG keys and remove repo files except securityonion.repo
   - rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
@@ -811,7 +830,6 @@ runcmd:
   - pvresize /dev/vda2
   - lvextend -l +100%FREE /dev/vg_main/lv_root
   - xfs_growfs /dev/vg_main/lv_root
-  - touch /etc/cloud/cloud-init.disabled
   - rm -f /etc/sysconfig/network-scripts/ifcfg-eth0
 
 power_state:
@@ -819,6 +837,7 @@ power_state:
   mode: poweroff
   timeout: 30
   condition: True
+  message: Cloud-init completed, powering off
 """
         user_data_path = os.path.join(vm_dir, 'user-data')
         with salt.utils.files.fopen(user_data_path, 'w') as f:

salt/top.sls

@@ -11,7 +11,8 @@ base:
   'salt-cloud:driver:libvirt':
     - match: grain
     - storage
-    - vm_status
+    - vm.status
+    - vm.user
 
   '*':
     - cron.running

salt/vm/defaults.yaml

@@ -0,0 +1,5 @@
+vm:
+  user:
+    soqemussh:
+      enabled: False
+      passwordHash:

salt/vm/map.jinja

@@ -0,0 +1,25 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. 
+   
+   Note: Per the Elastic License 2.0, the second limitation states:
+
+    "You may not move, change, disable, or circumvent the license key functionality
+     in the software, and you may not remove or obscure any functionality in the
+     software that is protected by the license key." #}
+
+{% if 'vrt' in salt['pillar.get']('features', []) %}
+
+{%   import_yaml 'vm/defaults.yaml' as VMDEFAULTS %}
+{%   set VMMERGED = salt['pillar.get']('vm', VMDEFAULTS.vm, merge=True) %}
+
+{% else %}
+
+{% do salt.log.error(
+  'Hypervisor nodes are a feature supported only for customers with a valid license.'
+  'Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com'
+  'for more information about purchasing a license to enable this feature.'
+) %}
+
+{% endif %}

salt/vm/soc_vm.yaml

@@ -0,0 +1,10 @@
+vm:
+  user:
+    soqemussh:
+      enabled:
+        description: Enable or disable the soqemussh user.
+        forcedType: bool
+      passwordHash:
+        description: 'Enter a SHA-512 password hash to set the soqemussh user password. Generate this hash by running the following command on the manager: `openssl passwd -6`'
+        forcedType: string
+        global: True

salt/vm/user/init.sls

@@ -0,0 +1,56 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+#   "You may not move, change, disable, or circumvent the license key functionality
+#    in the software, and you may not remove or obscure any functionality in the
+#    software that is protected by the license key."
+
+{% if 'vrt' in salt['pillar.get']('features', []) %}
+
+{%   from 'vm/map.jinja' import VMMERGED %}
+
+{%   if VMMERGED.user.soqemussh.enabled %}
+
+vm_user_soqemussh:
+  user.present:
+    - name: soqemussh
+    - shell: /bin/bash
+    - home: /home/soqemussh
+{%     if VMMERGED.user.soqemussh.passwordHash %}
+    - password: '{{ VMMERGED.user.soqemussh.passwordHash }}'
+{%     endif %}
+
+vm_user_soqemussh_home_directory:
+  file.directory:
+    - name: /home/soqemussh
+    - user: soqemussh
+    - group: soqemussh
+    - mode: 700
+    - recurse:
+      - user
+      - group
+
+{%   else %}
+
+vm_user_soqemussh:
+  user.absent:
+    - name: soqemussh
+    - force: True
+
+{%   endif %}
+
+{% else %}
+
+{{sls}}_no_license_detected:
+  test.fail_without_changes:
+    - name: {{sls}}_no_license_detected
+    - comment:
+      - "Hypervisor nodes are a feature supported only for customers with a valid license.
+      Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
+      for more information about purchasing a license to enable this feature."
+
+{% endif %}