Add so-postgres Salt states and integration wiring

Phase 1 of the PostgreSQL central data platform: - Salt states: init, enabled, disabled, config, ssl, auth, sostatus - TLS via SO CA-signed certs with postgresql.conf template - Two-tier auth: postgres superuser + so_postgres application user - Firewall restricts port 5432 to manager-only (HA-ready) - Wired into top.sls, pillar/top.sls, allowed_states, firewall containers map, docker defaults, CA signing policies, and setup scripts for all manager-type roles
2026-04-11 23:32:02 +02:00 · 2026-04-08 10:58:52 -04:00
parent 88de246ce3
commit 868cd11874
20 changed files with 422 additions and 2 deletions
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -821,6 +821,7 @@ create_manager_pillars() {
 	soc_pillar
 	idh_pillar
 	influxdb_pillar
+	postgres_pillar
 	logrotate_pillar
 	patch_pillar
 	nginx_pillar
@@ -1053,6 +1054,7 @@ generate_passwords(){
  HYDRAKEY=$(get_random_value)
  HYDRASALT=$(get_random_value)
  REDISPASS=$(get_random_value)
+  POSTGRESPASS=$(get_random_value)
  SOCSRVKEY=$(get_random_value 64)
  IMPORTPASS=$(get_random_value)
 }
@@ -1355,6 +1357,12 @@ influxdb_pillar() {
 		"  token: $INFLUXTOKEN" > $local_salt_dir/pillar/influxdb/token.sls
 }

+postgres_pillar() {
+	title "Create the postgres pillar file"
+	touch $adv_postgres_pillar_file
+	touch $postgres_pillar_file
+}
+
 make_some_dirs() {
 	mkdir -p /nsm
 	mkdir -p "$default_salt_dir"
@@ -1364,7 +1372,7 @@ make_some_dirs() {
 	mkdir -p $local_salt_dir/salt/firewall/portgroups
 	mkdir -p $local_salt_dir/salt/firewall/ports

-	for THEDIR in bpf elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idh elastalert stig global kafka versionlock hypervisor vm; do
+	for THEDIR in bpf elasticsearch ntp firewall redis backup influxdb postgres strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idh elastalert stig global kafka versionlock hypervisor vm; do
 	mkdir -p $local_salt_dir/pillar/$THEDIR
 	touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
 	touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls
@@ -1832,7 +1840,8 @@ secrets_pillar(){
 	printf '%s\n'\
 		"secrets:"\
 		"  import_pass: $IMPORTPASS"\
-		"  influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
+		"  influx_pass: $INFLUXPASS"\
+		"  postgres_pass: $POSTGRESPASS" > $local_salt_dir/pillar/secrets.sls
  fi
 }

--- a/setup/so-variables
+++ b/setup/so-variables
@@ -202,6 +202,12 @@ export influxdb_pillar_file
 adv_influxdb_pillar_file="$local_salt_dir/pillar/influxdb/adv_influxdb.sls"
 export adv_influxdb_pillar_file

+postgres_pillar_file="$local_salt_dir/pillar/postgres/soc_postgres.sls"
+export postgres_pillar_file
+
+adv_postgres_pillar_file="$local_salt_dir/pillar/postgres/adv_postgres.sls"
+export adv_postgres_pillar_file
+
 logrotate_pillar_file="$local_salt_dir/pillar/logrotate/soc_logrotate.sls"
 export logrotate_pillar_file