From 7ca23132554557daf79bbf1ec47ad4a949e3c870 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 3 Jun 2026 09:05:23 -0400
Subject: [PATCH] move to securityonion db
---
 salt/manager/tools/sbin/soup | 24 ------------------------
 salt/postgres/files/init-db.sh | 7 +------
 salt/soc/defaults.yaml | 5 +++--
 salt/soc/merged.map.jinja | 3 ++-
 salt/soc/soc_soc.yaml | 14 +++++++++++++-
 5 files changed, 19 insertions(+), 34 deletions(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 135c51276..cd5f47e35 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -746,35 +746,11 @@ post_to_3.1.0() {
 ### 3.2.0 Scripts ###
-bootstrap_so_soc_database() {
- # init-db.sh is mounted into so-postgres at /docker-entrypoint-initdb.d/init-db.sh
- # and runs automatically only on a fresh data directory. Hosts upgrading from
- # 3.1.0 already have /nsm/postgres populated, so the so_soc bootstrap block
- # added in 3.2 never fires. Re-run the script explicitly; it's idempotent.
- echo "Bootstrapping so_soc database via init-db.sh."
- # The postgres image has no USER directive, so `docker exec` defaults to
- # root, and the container env intentionally omits POSTGRES_USER (the upstream
- # entrypoint defaults it transiently during first-init only). Recreate both
- # so psql inside init-db.sh resolves the connect user correctly.
- local exec_cmd="docker exec -u postgres -e POSTGRES_USER=postgres so-postgres bash /docker-entrypoint-initdb.d/init-db.sh"
- if ! /usr/sbin/so-postgres-wait; then
- FINAL_MESSAGE_QUEUE+=("WARNING: so-postgres was not ready during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd")
- return 0
- fi
- if ! $exec_cmd; then
- FINAL_MESSAGE_QUEUE+=("WARNING: init-db.sh failed inside so-postgres during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd")
- return 0
- fi
- echo "so_soc bootstrap complete."
-}
-
 up_to_3.2.0() {
 INSTALLEDVERSION=3.2.0
 }
 post_to_3.2.0() {
- bootstrap_so_soc_database
-
 POSTVERSION=3.2.0
 }
diff --git a/salt/postgres/files/init-db.sh b/salt/postgres/files/init-db.sh
index 03e6d08dd..2187585da 100644
--- a/salt/postgres/files/init-db.sh
+++ b/salt/postgres/files/init-db.sh
@@ -31,9 +31,4 @@ EOSQL
 # only ensures the shared database exists on first initialization.
 if ! psql -U "$POSTGRES_USER" -tAc "SELECT 1 FROM pg_database WHERE datname='so_telegraf'" | grep -q 1; then
 psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" -c "CREATE DATABASE so_telegraf"
-fi
-
-# Bootstrap the SOC database.
-if ! psql -U "$POSTGRES_USER" -tAc "SELECT 1 FROM pg_database WHERE datname='so_soc'" | grep -q 1; then
- psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" -c "CREATE DATABASE so_soc"
-fi
+fi
\ No newline at end of file
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 62b451bec..05cad494e 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1523,8 +1523,9 @@ soc:
 saltstackDir: /opt/so/saltstack
 bypassEnabled: false
 postgres:
- host:
- password:
+ database: securityonion
+ host: ""
+ password: ""
 salt:
 queueDir: /opt/sensoroni/queue
 timeoutMs: 45000
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index b34efb11d..cfc0fafbd 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -20,7 +20,8 @@
 {% do SOCMERGED.config.server.modules.postgres.update({'host': GLOBALS.manager}) %}
 {% endif %}
 {% if not SOCMERGED.config.server.modules.postgres.password %}
-{% do SOCMERGED.config.server.modules.postgres.update({'password': salt['pillar.get']('secrets:postgres_pass', '')}) %}
+{% do SOCMERGED.config.server.modules.postgres.update({'password': salt['pillar.get']('postgres:auth:users:so_postgres_user:pass', '')}) %}
+{% do SOCMERGED.config.server.modules.postgres.update({'user': salt['pillar.get']('postgres:auth:users:so_postgres_user:user', 'so_postgres')}) %}
 {% endif %}
 {# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 3cb244eed..ad34c3bbf 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
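Review bot: In salt/soc/defaults.yaml, `database: securityonion` makes SOC depend on a database that nothing visible in this patch creates, while the same commit removes both the `so_soc` creation in init-db.sh and the soup step that re-ran it on hosts whose data directory already existed. If the `securityonion` database and the `so_postgres_user` role are provisioned by another state, a comment naming it would help the next reader, e.g. `# created by <state that provisions the securityonion database>`. If they are not, an upgraded manager would presumably start SOC against a missing database, so it is worth confirming the upgrade path before this lands.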
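Review bot: In salt/soc/merged.map.jinja the new `user` update sits inside the `{% if not SOCMERGED.config.server.modules.postgres.password %}` block, so the account name is only filled in when the password is empty. If an administrator sets only the password, `user` is never populated from the pillar (the defaults.yaml hunk adds no `user` key), and if they set only `user`, it is overwritten with the pillar value. Giving the user its own guard keeps the two settings independent, e.g. wrap that line in `{% if not SOCMERGED.config.server.modules.postgres.get('user') %}` … `{% endif %}`. Separately, both lookups fall back silently (`''` for the password, `'so_postgres'` for the user) when the `postgres:auth:users:so_postgres_user` pillar is absent, which would presumably surface only as an authentication failure at runtime; failing the render or logging a warning would be easier to diagnose.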
@@ -468,8 +468,20 @@ soc:
 description: Hostname or IP address of the PostgreSQL server used by SOC. Defaults to the manager hostname.
 global: True
 advanced: True
+ port:
+ description: Port of the PostgreSQL server used by SOC.
+ global: True
+ advanced: True
+ user:
+ description: Username used by SOC to authenticate to the PostgreSQL server.
+ global: True
+ advanced: True
+ database:
+ description: Database used by SOC to authenticate to the PostgreSQL server.
+ global: True
+ advanced: True
 password:
- description: Password used by SOC to authenticate to the PostgreSQL server. Defaults to the postgres superuser password seeded in the secrets pillar.
+ description: Password used by SOC to authenticate to the PostgreSQL server.
 global: True
 sensitive: True
 advanced: True
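Review bot: The new `database` description says "Database used by SOC to authenticate to the PostgreSQL server", which looks copied from the `user` and `password` entries; a database name is not a credential, so `description: Name of the PostgreSQL database that SOC connects to.` would be clearer. The `password` description also drops the sentence about its default without replacing it. Per the merged.map.jinja change in this commit, an empty value is filled from the `postgres:auth:users:so_postgres_user` pillar, and saying so for both `password` and `user` tells an administrator what leaving the field blank means. `port` is annotated here but no default for it appears in the defaults.yaml hunk, so it is worth confirming where its value comes from.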