connect work

pillar/top.sls

@@ -47,6 +47,8 @@ base:
     - kibana.adv_kibana
     - kratos.soc_kratos
     - kratos.adv_kratos
+    - hydra.soc_hydra
+    - hydra.adv_hydra
     - redis.nodes
     - redis.soc_redis
     - redis.adv_redis
@@ -96,6 +98,7 @@ base:
     - kibana.secrets
     {% endif %}
     - kratos.soc_kratos
+    - kratos.adv_kratos
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
     - elasticfleet.soc_elasticfleet
@@ -113,8 +116,8 @@ base:
     - kibana.adv_kibana
     - strelka.soc_strelka
     - strelka.adv_strelka
-    - kratos.soc_kratos
+    - hydra.soc_hydra
-    - kratos.adv_kratos
+    - hydra.adv_hydra
     - redis.soc_redis
     - redis.adv_redis
     - influxdb.soc_influxdb
@@ -149,6 +152,8 @@ base:
     - idstools.adv_idstools
     - kratos.soc_kratos
     - kratos.adv_kratos
+    - hydra.soc_hydra
+    - hydra.adv_hydra
     - redis.nodes
     - redis.soc_redis
     - redis.adv_redis
@@ -262,6 +267,7 @@ base:
     - kibana.secrets
     {% endif %}
     - kratos.soc_kratos
+    - kratos.adv_kratos
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
     - elasticfleet.soc_elasticfleet
@@ -277,8 +283,8 @@ base:
     - kibana.adv_kibana
     - backup.soc_backup
     - backup.adv_backup
-    - kratos.soc_kratos
+    - hydra.soc_hydra
-    - kratos.adv_kratos
+    - hydra.adv_hydra
     - redis.soc_redis
     - redis.adv_redis
     - influxdb.soc_influxdb

salt/allowed_states.map.jinja

@@ -24,6 +24,7 @@
           'influxdb',
           'soc',
           'kratos',
+          'hydra',
           'elasticfleet',
           'elastic-fleet-package-registry',
           'firewall',
@@ -68,6 +69,7 @@
           'strelka.manager',
           'soc',
           'kratos',
+          'hydra',
           'influxdb',
           'telegraf',
           'firewall',
@@ -95,6 +97,7 @@
           'strelka.manager',
           'soc',
           'kratos',
+          'hydra',
           'elasticfleet',
           'elastic-fleet-package-registry',
           'firewall',
@@ -117,6 +120,7 @@
           'strelka.manager',
           'soc',
           'kratos',
+          'hydra',
           'elastic-fleet-package-registry',
           'elasticfleet',
           'firewall',
@@ -151,6 +155,7 @@
           'influxdb',
           'soc',
           'kratos',
+          'hydra',
           'elastic-fleet-package-registry',
           'elasticfleet',
           'firewall',

salt/backup/defaults.yaml

@@ -4,4 +4,5 @@ backup:
     - /etc/pki
     - /etc/salt
     - /nsm/kratos
+    - /nsm/hydra
   destination: "/nsm/backup"

salt/common/tools/sbin/so-image-common

@@ -29,6 +29,7 @@ container_list() {
       "so-influxdb"
       "so-kibana"
       "so-kratos"
+      "so-hydra"
       "so-nginx"
       "so-pcaptools"
       "so-soc"
@@ -53,6 +54,7 @@ container_list() {
       "so-kafka"
       "so-kibana"
       "so-kratos"
+      "so-hydra"
       "so-logstash"
       "so-nginx"
       "so-pcaptools"

salt/docker/defaults.yaml

@@ -51,6 +51,14 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+    'so-hydra':
+      final_octet: 28
+      port_bindings:
+        - 0.0.0.0:4444:4444
+        - 0.0.0.0:4454:4445
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-logstash':
       final_octet: 29
       port_bindings:

salt/docker/soc_docker.yaml

@@ -45,6 +45,7 @@ docker:
     so-influxdb: *dockerOptions
     so-kibana: *dockerOptions
     so-kratos: *dockerOptions
+    so-hydra: *dockerOptions
     so-logstash: *dockerOptions
     so-nginx: *dockerOptions
     so-nginx-fleet-node: *dockerOptions

salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json

@@ -0,0 +1,30 @@
+{
+  "package": {
+    "name": "log",
+    "version": ""
+  },
+  "name": "hydra-logs",
+  "namespace": "so",
+  "description": "Hydra logs",
+  "policy_id": "so-grid-nodes_general",
+  "inputs": {
+    "logs-logfile": {
+      "enabled": true,
+      "streams": {
+        "log.logs": {
+          "enabled": true,
+          "vars": {
+            "paths": [
+              "/opt/so/log/hydra/hydra.log"
+            ],
+            "data_stream.dataset": "hydra",
+            "tags": ["so-hydra"],
+            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: hydra",
+            "custom": "pipeline: hydra"
+          }
+        }
+      }
+    }
+  },
+  "force": true
+}

salt/elasticsearch/defaults.yaml

@@ -794,6 +794,116 @@ elasticsearch:
                 priority: 50
             min_age: 30d
       warm: 7
+    so-hydra:
+      close: 30
+      delete: 365
+      index_sorting: false
+      index_template:
+        composed_of:
+        - agent-mappings
+        - dtc-agent-mappings
+        - base-mappings
+        - dtc-base-mappings
+        - client-mappings
+        - dtc-client-mappings
+        - container-mappings
+        - destination-mappings
+        - dtc-destination-mappings
+        - pb-override-destination-mappings
+        - dll-mappings
+        - dns-mappings
+        - dtc-dns-mappings
+        - ecs-mappings
+        - dtc-ecs-mappings
+        - error-mappings
+        - event-mappings
+        - dtc-event-mappings
+        - file-mappings
+        - dtc-file-mappings
+        - group-mappings
+        - host-mappings
+        - dtc-host-mappings
+        - http-mappings
+        - dtc-http-mappings
+        - log-mappings
+        - network-mappings
+        - dtc-network-mappings
+        - observer-mappings
+        - dtc-observer-mappings
+        - organization-mappings
+        - package-mappings
+        - process-mappings
+        - dtc-process-mappings
+        - related-mappings
+        - rule-mappings
+        - dtc-rule-mappings
+        - server-mappings
+        - service-mappings
+        - dtc-service-mappings
+        - source-mappings
+        - dtc-source-mappings
+        - pb-override-source-mappings
+        - threat-mappings
+        - tls-mappings
+        - url-mappings
+        - user_agent-mappings
+        - dtc-user_agent-mappings
+        - common-settings
+        - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
+        ignore_missing_component_templates: []
+        index_patterns:
+        - logs-hydra-so*
+        priority: 500
+        template:
+          mappings:
+            date_detection: false
+            dynamic_templates:
+            - strings_as_keyword:
+                mapping:
+                  ignore_above: 1024
+                  type: keyword
+                match_mapping_type: string
+          settings:
+            index:
+              lifecycle:
+                name: so-hydra-logs
+              mapping:
+                total_fields:
+                  limit: 5000
+              number_of_replicas: 0
+              number_of_shards: 1
+              refresh_interval: 30s
+              sort:
+                field: '@timestamp'
+                order: desc
+      policy:
+        phases:
+          cold:
+            actions:
+              set_priority:
+                priority: 0
+            min_age: 60d
+          delete:
+            actions:
+              delete: {}
+            min_age: 365d
+          hot:
+            actions:
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+              set_priority:
+                priority: 100
+            min_age: 0ms
+          warm:
+            actions:
+              set_priority:
+                priority: 50
+            min_age: 30d
+      warm: 7
     so-lists:
       index_sorting: false
       index_template:

salt/elasticsearch/files/ingest/hydra

@@ -0,0 +1,9 @@
+{
+  "description" : "hydra",
+  "processors" : [
+    {"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}},
+    {"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"hydra.{{{audience}}}","media_type":"text/plain"}},
+    {"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg"    }},
+    { "pipeline":    { "name": "common" } }
+  ]
+}

salt/elasticsearch/soc_elasticsearch.yaml

@@ -539,6 +539,7 @@ elasticsearch:
     so-suricata_x_alerts: *indexSettings
     so-import: *indexSettings
     so-kratos: *indexSettings
+    so-hydra: *indexSettings
     so-kismet: *indexSettings
     so-logstash: *indexSettings
     so-redis: *indexSettings

salt/firewall/containers.map.jinja

@@ -9,6 +9,7 @@
      'so-influxdb',
      'so-kibana',
      'so-kratos',
+     'so-hydra',
      'so-nginx',
      'so-redis',
      'so-soc',
@@ -30,6 +31,7 @@
      'so-kafka',
      'so-kibana',
      'so-kratos',
+     'so-hydra',
      'so-logstash',
      'so-nginx',
      'so-redis',
@@ -73,6 +75,7 @@
      'so-influxdb',
      'so-kibana',
      'so-kratos',
+     'so-hydra',
      'so-nginx',
      'so-soc'
 ] %}

salt/hydra/config.sls

@@ -0,0 +1,50 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from "hydra/map.jinja" import hydraMERGED %}
+
+hydradir:
+  file.directory:
+    - name: /nsm/hydra
+    - user: 928
+    - group: 928
+    - mode: 700
+    - makedirs: True
+
+hydradbdir:
+  file.directory:
+    - name: /nsm/hydra/db
+    - user: 928
+    - group: 928
+    - mode: 700
+    - makedirs: True
+
+hydralogdir:
+  file.directory:
+    - name: /opt/so/log/hydra
+    - user: 928
+    - group: 928
+    - makedirs: True
+
+hydraconfig:
+  file.managed:
+    - name: /opt/so/conf/hydra/hydra.yaml
+    - source: salt://hydra/files/hydra.yaml.jinja
+    - user: 928
+    - group: 928
+    - mode: 600
+    - template: jinja
+    - defaults:
+        hydraMERGED: {{ hydraMERGED }}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/hydra/defaults.yaml

@@ -0,0 +1,37 @@
+hydra:
+  enabled: False
+  config:
+    serve:
+      cookies:
+        same_site_mode: Lax
+
+    public:
+      port: 4444
+    admin:
+      port: 4445
+    urls:
+      self:
+        issuer: https://URL_BASE/connect
+        public: https://URL_BASE/connect
+        admin: http://localhost:4445
+      login: https://URL_BASE/login
+      logout: https://URL_BASE/logout
+      identity_provider:
+        url: http://127.0.0.1:4434/admin
+        publicUrl: https://URL_BASE/auth
+        headers:
+          Authorization: Bearer some-token
+          
+    secrets:
+      system: []
+
+    oidc:
+      subject_identifiers:
+        supported_types:
+          - pairwise
+          - public
+        pairwise:
+          salt: ""
+
+    sqa:
+      opt_out: true

salt/hydra/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - hydra.sostatus
+  
+so-hydra:
+  docker_container.absent:
+    - force: True
+
+so-hydra_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-hydra$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/hydra/enabled.sls

@@ -0,0 +1,105 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+#   "You may not move, change, disable, or circumvent the license key functionality
+#    in the software, and you may not remove or obscure any functionality in the
+#    software that is protected by the license key."
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   if 'api' in salt['pillar.get']('features', []) %}
+
+include:
+  - hydra.config
+  - hydra.sostatus
+
+so-hydra:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-hydra:{{ GLOBALS.so_version }}
+    - hostname: hydra
+    - name: so-hydra
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
+    - binds:
+      - /opt/so/conf/hydra/:/hydra-conf:ro
+      - /opt/so/log/hydra/:/hydra-log:rw
+      - /nsm/hydra/db:/hydra-data:rw
+      {% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
+      - {{ BIND }}
+        {% endfor %}
+      {% endif %}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
+    {% if DOCKER.containers['so-hydra'].extra_hosts %}
+    - extra_hosts:
+      {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
+      - {{ XTRAHOST }}
+      {% endfor %}
+    {% endif %}
+    {% if DOCKER.containers['so-hydra'].extra_env %}
+    - environment:
+      {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
+      - {{ XTRAENV }}
+      {% endfor %}
+    {% endif %}
+    - restart_policy: unless-stopped
+    - watch:
+      - file: hydraschema
+      - file: hydraconfig
+    - require:
+      - file: hydraschema
+      - file: hydraconfig
+      - file: hydralogdir
+      - file: hydradir
+
+delete_so-hydra_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-hydra$
+
+wait_for_hydra:
+  http.wait_for_successful_query:
+    - name: 'http://{{ GLOBALS.manager }}:4444/'
+    - ssl: True
+    - verify_ssl: False
+    - status:
+      - 200
+      - 301
+      - 302
+      - 404
+    - status_type: list
+    - wait_for: 300
+    - request_interval: 10
+    - require:
+      -  docker_container: so-hydra
+
+{%   else %}
+
+{{sls}}_no_license_detected:
+  test.fail_without_changes:
+    - name: {{sls}}_no_license_detected
+    - comment:
+      - "This is a feature supported only for customers with a valid license.
+      Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
+      for more information about purchasing a license to enable this feature."
+include:
+  - hydra.disabled
+{%   endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/hydra/files/hydra.yaml.jinja

@@ -0,0 +1 @@
+{{ HYDRAMERGED.config | yaml(false) }}

salt/hydra/init.sls

@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'hydra/map.jinja' import HYDRAMERGED %}
+
+include:
+{% if HYDRAMERGED.enabled %}
+  - hydra.enabled
+{% else %}
+  - hydra.disabled
+{% endif %}

salt/hydra/map.jinja

@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'hydra/defaults.yaml' as HYDRADEFAULTS %}

salt/hydra/soc_hydra.yaml

@@ -0,0 +1,4 @@
+hydra:
+  enabled:
+    description: Enables or disables the API authentication system, used for service account authentication.
+    helpLink: api.html

salt/hydra/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-hydra_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-hydra
+    - unless: grep -q so-hydra /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/logrotate/defaults.yaml

@@ -40,6 +40,16 @@ logrotate:
       - extension .log
       - dateext
       - dateyesterday
+    /opt/so/log/hydra/*_x_log:
+      - daily
+      - rotate 14
+      - missingok
+      - copytruncate
+      - compress
+      - create
+      - extension .log
+      - dateext
+      - dateyesterday
     /opt/so/log/kibana/*_x_log:
       - daily
       - rotate 14

salt/logrotate/soc_logrotate.yaml

@@ -28,6 +28,13 @@ logrotate:
       multiline: True
       global: True
       forcedType: "[]string"
+    "/opt/so/log/hydra/*_x_log":
+      description: List of logrotate options for this file.
+      title: /opt/so/log/hydra/*.log
+      advanced: True
+      multiline: True
+      global: True
+      forcedType: "[]string"
     "/opt/so/log/kibana/*_x_log":
       description: List of logrotate options for this file.
       title: /opt/so/log/kibana/*.log

salt/manager/tools/sbin/so-minion

@@ -368,6 +368,13 @@ function add_kratos_to_minion() {
 	"  " >> $PILLARFILE
 }
 
+function add_hydra_to_minion() {
+    printf '%s\n'\
+    "hydra:"\
+    "  enabled: True"\
+	"  " >> $PILLARFILE
+}
+
 function add_idstools_to_minion() {
     printf '%s\n'\
     "idstools:"\
@@ -448,6 +455,7 @@ function createEVAL() {
 	add_soc_to_minion
 	add_registry_to_minion
 	add_kratos_to_minion
+	add_hydra_to_minion
 	add_idstools_to_minion
 	add_elastic_fleet_package_registry_to_minion
 }
@@ -468,6 +476,7 @@ function createSTANDALONE() {
 	add_soc_to_minion
 	add_registry_to_minion
 	add_kratos_to_minion
+	add_hydra_to_minion
 	add_idstools_to_minion
 	add_elastic_fleet_package_registry_to_minion
 }
@@ -484,6 +493,7 @@ function createMANAGER() {
 	add_soc_to_minion
 	add_registry_to_minion
 	add_kratos_to_minion
+	add_hydra_to_minion
 	add_idstools_to_minion
 	add_elastic_fleet_package_registry_to_minion
 }
@@ -500,6 +510,7 @@ function createMANAGERSEARCH() {
 	add_soc_to_minion
 	add_registry_to_minion
 	add_kratos_to_minion
+	add_hydra_to_minion
 	add_idstools_to_minion
 	add_elastic_fleet_package_registry_to_minion
 }
@@ -514,6 +525,7 @@ function createIMPORT() {
 	add_soc_to_minion
 	add_registry_to_minion
 	add_kratos_to_minion
+	add_hydra_to_minion
 	add_idstools_to_minion
 	add_elastic_fleet_package_registry_to_minion
 }

salt/nginx/etc/nginx.conf

@@ -219,6 +219,7 @@ http {
 			proxy_set_header      X-Forwarded-Proto $scheme;
 		}
 
+{%  if 'api' in salt['pillar.get']('features', []) %}
 		location /connect/token {
 			rewrite               /connect/token(.*) /oauth2/token$1 break;
 			limit_req             zone=auth_throttle burst={{ NGINXMERGED.config.throttle_login_burst }} nodelay;
@@ -247,6 +248,7 @@ http {
 			proxy_set_header      Proxy "";
 			proxy_set_header      X-Forwarded-Proto $scheme;
 		}
+{%-  endif %}
 
 		location /cyberchef/ {
 			auth_request          /auth/sessions/whoami;

salt/soc/defaults.yaml

@@ -119,6 +119,13 @@ soc:
         - identity_id
         - http_request.headers.user-agent
         - msg
+      ':kratos:':
+        - soc_timestamp
+        - event.dataset
+        - http_request.headers.x-real-ip
+        - identity_id
+        - http_request.headers.user-agent
+        - msg
       '::conn':
         - soc_timestamp
         - event.dataset

salt/top.sls

@@ -61,6 +61,7 @@ base:
     - influxdb
     - soc
     - kratos
+    - hydra
     - sensoroni
     - telegraf
     - firewall
@@ -90,6 +91,7 @@ base:
     - strelka.manager
     - soc
     - kratos
+    - hydra
     - firewall
     - manager
     - sensoroni
@@ -122,6 +124,7 @@ base:
     - influxdb
     - soc
     - kratos
+    - hydra
     - firewall
     - sensoroni
     - telegraf
@@ -168,6 +171,7 @@ base:
     - strelka.manager
     - soc
     - kratos
+    - hydra
     - firewall
     - manager
     - sensoroni
@@ -219,6 +223,7 @@ base:
     - strelka.manager
     - soc
     - kratos
+    - hydra
     - sensoroni
     - telegraf
     - firewall

setup/so-functions

@@ -791,6 +791,7 @@ create_manager_pillars() {
 	redis_pillar
 	idstools_pillar
 	kratos_pillar
+	hydra_pillar
 	soc_pillar
 	idh_pillar
 	influxdb_pillar
@@ -1108,6 +1109,7 @@ generate_passwords(){
   INFLUXTOKEN=$(head -c 64 /dev/urandom | base64 --wrap=0)
   SENSORONIKEY=$(get_random_value)
   KRATOSKEY=$(get_random_value)
+  HYDRAKEY=$(get_random_value)
   REDISPASS=$(get_random_value)
   SOCSRVKEY=$(get_random_value 64)
   IMPORTPASS=$(get_random_value)
@@ -1303,6 +1305,18 @@ kratos_pillar() {
 		"" > "$kratos_pillar_file"
 }
 
+hydra_pillar() {
+	title "Create the Hydra pillar file"
+	touch $adv_hydra_pillar_file
+	printf '%s\n'\
+		"hydra:"\
+		"  config:"\
+		"    secrets:"\
+		"      system:"\
+		"        - '$HYDRAKEY'"\
+		"" > "$hydra_pillar_file"
+}
+
 create_global() {
 	title "Creating the global.sls"
 	touch $adv_global_pillar_file
@@ -1404,10 +1418,10 @@ make_some_dirs() {
 	mkdir -p $local_salt_dir/salt/firewall/portgroups
 	mkdir -p $local_salt_dir/salt/firewall/ports
 
-	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global kafka;do
+	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idstools idh elastalert stig global kafka;do
-	mkdir -p $local_salt_dir/pillar/$THEDIR
+		mkdir -p $local_salt_dir/pillar/$THEDIR
-	touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
+		touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
-	touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls
+		touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls
 	done
 }
 
@@ -1639,6 +1653,7 @@ reinstall_init() {
 		# Backup (and erase) directories in /nsm to prevent app errors
 		backup_dir /nsm/mysql "$date_string"
 		backup_dir /nsm/kratos "$date_string"
+		backup_dir /nsm/hydra "$date_string"
 		backup_dir /nsm/influxdb "$date_string"
 
 		# Uninstall local Elastic Agent, if installed

setup/so-variables

@@ -160,6 +160,12 @@ export kratos_pillar_file
 adv_kratos_pillar_file="$local_salt_dir/pillar/kratos/adv_kratos.sls"
 export adv_kratos_pillar_file
 
+hydra_pillar_file="$local_salt_dir/pillar/hydra/soc_hydra.sls"
+export hydra_pillar_file
+
+adv_hydra_pillar_file="$local_salt_dir/pillar/hydra/adv_hydra.sls"
+export adv_hydra_pillar_file
+
 idstools_pillar_file="$local_salt_dir/pillar/idstools/soc_idstools.sls"
 export idstools_pillar_file