From 4599b95ae7d5b53d1ab047cc0540a9c268df0c7f Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 22 Sep 2025 16:37:16 -0400 Subject: [PATCH] separate salt-minion service file --- salt/libvirt/bridge.sls | 25 ++---- salt/salt/mine_functions.sls | 2 +- salt/salt/minion.sls | 124 ------------------------------ salt/salt/minion/service_file.sls | 26 +++++++ 4 files changed, 35 insertions(+), 142 deletions(-) delete mode 100644 salt/salt/minion.sls create mode 100644 salt/salt/minion/service_file.sls diff --git a/salt/libvirt/bridge.sls b/salt/libvirt/bridge.sls index b8f720993..ed405584e 100644 --- a/salt/libvirt/bridge.sls +++ b/salt/libvirt/bridge.sls @@ -4,6 +4,9 @@ # Elastic License 2.0. # We do not import GLOBALS in this state because it is called during setup +include: + - salt.mine_functions + - salt.minion.service_file down_original_mgmt_interface: cmd.run: @@ -28,29 +31,17 @@ wait_for_br0_ip: - timeout: 95 - onchanges: - cmd: down_original_mgmt_interface + - onchanges_in: + - file: salt_minion_service_unit_file + - file: mine_functions -{% if grains.role == 'so-hypervisor' %} - -update_mine_functions: - file.managed: - - name: /etc/salt/minion.d/mine_functions.conf - - contents: | - mine_interval: 25 - mine_functions: - network.ip_addrs: - - interface: br0 - {%- if role in ['so-eval','so-import','so-manager','so-managerhype','so-managersearch','so-standalone'] %} - x509.get_pem_entries: - - glob_path: '/etc/pki/ca.crt' - {% endif %} - - onchanges: - - cmd: wait_for_br0_ip +{% if grains.role in ['so-hypervisor', 'so-managerhype'] %} restart_salt_minion_service: service.running: - name: salt-minion - enable: True - listen: - - file: update_mine_functions + - file: mine_functions {% endif %} diff --git a/salt/salt/mine_functions.sls b/salt/salt/mine_functions.sls index ed786e997..ae3df1ce9 100644 --- a/salt/salt/mine_functions.sls +++ b/salt/salt/mine_functions.sls 
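Review bot: The new `include` of `salt.minion.service_file` in bridge.sls brings Jinja imports into a state whose own header says it avoids GLOBALS because it runs during setup. The included file imports `SALTVERSION`, `INSTALLEDSALTVERSION` and `SYSTEMD_UNIT_FILE` from `salt/map.jinja`, which this patch does not show, so confirm that map renders without GLOBALS or pillar data at that stage. If it does not, bridge.sls would presumably fail to render and none of its states would run. A comment above the include such as `# included states must render without GLOBALS (called during setup)` would keep the constraint visible to the next editor.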
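Review bot: The `onchanges_in` entry `- file: salt_minion_service_unit_file` under `wait_for_br0_ip` targets an ID that service_file.sls renders only when `INSTALLEDSALTVERSION|string == SALTVERSION|string`, so on a version mismatch the requisite points at a state that does not exist. The deleted minion.sls kept `salt_minion_service` outside its version check with the comment "this has to be outside the if statement above since there are _in calls to this state", which suggests the same compile error applies here. Either wrap this requisite in the same Jinja condition, or keep the ID unconditional in service_file.sls and gate it the way the old service state did, with `- onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}"`. `wait_for_br0_ip` begins above the hunk, so its command is not visible here.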
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -# this state was seperated from salt.minion state since it is called during setup +# this state was separated from salt.minion state since it is called during setup # GLOBALS are imported in the salt.minion state and that is not available at that point in setup # this state is included in the salt.minion state diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls deleted file mode 100644 index b85fad1c0..000000000 --- a/salt/salt/minion.sls +++ /dev/null 
@@ -1,124 +0,0 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'salt/map.jinja' import UPGRADECOMMAND with context %} -{% from 'salt/map.jinja' import SALTVERSION %} -{% from 'salt/map.jinja' import INSTALLEDSALTVERSION %} -{% from 'salt/map.jinja' import SALTPACKAGES %} -{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %} -{% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %} - -include: - - salt.python_modules - - salt.patch.x509_v2 - - salt - - systemd.reload - - repo.client - - salt.mine_functions -{% if GLOBALS.role in GLOBALS.manager_roles %} - - ca -{% endif %} - -{% if INSTALLEDSALTVERSION|string != SALTVERSION|string %} - -{# this is added in 2.4.120 to remove salt repo files pointing to saltproject.io to accomodate the move to broadcom and new bootstrap-salt script #} -{% if salt['pkg.version_cmp'](GLOBALS.so_version, '2.4.120') == -1 %} -{% set saltrepofile = '/etc/yum.repos.d/salt.repo' %} -{% if grains.os_family == 'Debian' %} -{% set saltrepofile = '/etc/apt/sources.list.d/salt.list' %} -{% endif %} -remove_saltproject_io_repo_minion: - file.absent: - - name: {{ saltrepofile }} -{% endif %} - -unhold_salt_packages: - pkg.unheld: - - pkgs: -{% for package in SALTPACKAGES %} - - {{ package }} -{% endfor %} - -install_salt_minion: - cmd.run: - - name: /bin/sh -c '{{ UPGRADECOMMAND }}' - -# minion service is in failed state after upgrade. 
this command will start it after the state run for the upgrade completes -start_minion_post_upgrade: - cmd.run: - - name: | - exec 0>&- # close stdin - exec 1>&- # close stdout - exec 2>&- # close stderr - nohup /bin/sh -c 'sleep 30; systemctl start salt-minion' & - - require: - - cmd: install_salt_minion - - watch: - - cmd: install_salt_minion - - order: last - -{% endif %} - -{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} - -{% for package in SALTPACKAGES %} -# only hold the package if it is already installed -{% if salt['pkg.version'](package) %} -hold_{{ package }}_package: - pkg.held: - - name: {{ package }} - - version: {{SALTVERSION}}-0.* -{% endif %} -{% endfor %} - -remove_error_log_level_logfile: - file.line: - - name: /etc/salt/minion - - match: "log_level_logfile: error" - - mode: delete - -remove_error_log_level: - file.line: - - name: /etc/salt/minion - - match: "log_level: error" - - mode: delete - -set_log_levels: - file.append: - - name: /etc/salt/minion - - text: - - "log_level: info" - - "log_level_logfile: info" - -enable_startup_states: - file.uncomment: - - name: /etc/salt/minion - - regex: '^startup_states: highstate$' - - unless: pgrep so-setup - -# prior to 2.4.30 this managed file would restart the salt-minion service when updated -# since this file is currently only adding a delay service start -# it is not required to restart the service -salt_minion_service_unit_file: - file.managed: - - name: {{ SYSTEMD_UNIT_FILE }} - - source: salt://salt/service/salt-minion.service.jinja - - template: jinja - - onchanges_in: - - module: systemd_reload - -{% endif %} - -# this has to be outside the if statement above since there are _in calls to this state -salt_minion_service: - service.running: - - name: salt-minion - - enable: True - - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}" - - listen: - - file: mine_functions -{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} - - file: set_log_levels -{% endif %} -{% if 
GLOBALS.role in GLOBALS.manager_roles %} - - file: /etc/salt/minion.d/signing_policies.conf -{% endif %} - - order: last diff --git a/salt/salt/minion/service_file.sls b/salt/salt/minion/service_file.sls new file mode 100644 index 000000000..8aded2d60 --- /dev/null +++ b/salt/salt/minion/service_file.sls @@ -0,0 +1,26 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'salt/map.jinja' import SALTVERSION %} +{% from 'salt/map.jinja' import INSTALLEDSALTVERSION %} +{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %} + +include: + - systemd.reload + +{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} + +# prior to 2.4.30 this managed file would restart the salt-minion service when updated +# since this file is currently only adding a delay service start +# it is not required to restart the service +salt_minion_service_unit_file: + file.managed: + - name: {{ SYSTEMD_UNIT_FILE }} + - source: salt://salt/service/salt-minion.service.jinja + - template: jinja + - onchanges_in: + - module: systemd_reload + +{% endif %}
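Review bot: Nothing in this patch re-creates what `salt/salt/minion.sls` provided: the diffstat deletes that file and adds only `salt/salt/minion/service_file.sls`, which carries just `salt_minion_service_unit_file`. Unless a `salt/salt/minion/init.sls` arrives in a companion change (not visible here), `salt.minion` would no longer resolve, and the package holds, log-level settings and `salt_minion_service` would go unmanaged. The header comment in mine_functions.sls also still says the state "is included in the salt.minion state". Separately, the `file.managed` for the unit file sets no ownership or mode; because systemd executes this unit as part of a root-run service, I would pin them with `- user: root`, `- group: root`, `- mode: '0644'` so a loosened permission on disk is corrected rather than preserved.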