From 9240d376f3588d4029b14ff93400c2031bde9cf7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 12 Apr 2021 14:31:41 -0400 Subject: [PATCH] combine client repo management into 1 state --- salt/airgap/init.sls | 71 ---------------- salt/common/init.sls | 83 ------------------- .../client/files/centos/airgap}/yum.conf | 0 .../client/files/centos}/keys/GPG-KEY-WAZUH | 0 .../files/centos}/keys/RPM-GPG-KEY-EPEL-7 | 0 .../files/centos}/keys/SALTSTACK-GPG-KEY.pub | 0 .../client/files/centos}/keys/docker.pub | 0 .../files/centos}/keys/securityonion.pub | 0 .../client/files/centos}/securityonion.repo | 0 .../files/centos}/securityonioncache.repo | 0 .../client/files/centos}/yum.conf.jinja | 0 salt/repo/client/init.sls | 77 +++++++++++++++++ salt/repo/client/map.jinja | 25 ++++++ salt/top.sls | 11 +-- salt/yum/init.sls | 17 ---- 15 files changed, 104 insertions(+), 180 deletions(-) delete mode 100644 salt/airgap/init.sls rename salt/{airgap/files => repo/client/files/centos/airgap}/yum.conf (100%) rename salt/{common => repo/client/files/centos}/keys/GPG-KEY-WAZUH (100%) rename salt/{common => repo/client/files/centos}/keys/RPM-GPG-KEY-EPEL-7 (100%) rename salt/{common => repo/client/files/centos}/keys/SALTSTACK-GPG-KEY.pub (100%) rename salt/{common => repo/client/files/centos}/keys/docker.pub (100%) rename salt/{common => repo/client/files/centos}/keys/securityonion.pub (100%) rename salt/{common/yum_repos => repo/client/files/centos}/securityonion.repo (100%) rename salt/{common/yum_repos => repo/client/files/centos}/securityonioncache.repo (100%) rename salt/{yum/etc => repo/client/files/centos}/yum.conf.jinja (100%) create mode 100644 salt/repo/client/init.sls create mode 100644 salt/repo/client/map.jinja delete mode 100644 salt/yum/init.sls diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls deleted file mode 100644 index 4ff401099..000000000 --- a/salt/airgap/init.sls +++ /dev/null 
@@ -1,71 +0,0 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-
-{% set MANAGER = salt['grains.get']('master') %}
-airgapyum:
- file.managed:
- - name: /etc/yum/yum.conf
- - source: salt://airgap/files/yum.conf
-
-airgap_repo:
- pkgrepo.managed:
- - humanname: Airgap Repo
- - baseurl: https://{{ MANAGER }}/repo
- - gpgcheck: 1
- - sslverify: 0
-
-agbase:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-Base.repo
-
-agcr:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-CR.repo
-
-agdebug:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-Debuginfo.repo
-
-agfasttrack:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-fasttrack.repo
-
-agmedia:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-Media.repo
-
-agsources:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-Sources.repo
-
-agvault:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-Vault.repo
-
-agkernel:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo
-
-agepel:
- file.absent:
- - name: /etc/yum.repos.d/epel.repo
-
-agtesting:
- file.absent:
- - name: /etc/yum.repos.d/epel-testing.repo
-
-agssrepo:
- file.absent:
- - name: /etc/yum.repos.d/saltstack.repo
-
-agwazrepo:
- file.absent:
- - name: /etc/yum.repos.d/wazuh.repo
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
\ No newline at end of file
diff --git a/salt/common/init.sls b/salt/common/init.sls
index b630891f5..0492b6535 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -2,8 +2,6 @@
 {% if sls in allowed_states %}
 {% set role = grains.id.split('_') | last %}
-{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %}
-{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
@@ -66,87 +64,6 @@ salttmp:
 - group: 939
 - makedirs: True
-# Remove default Repos
-{% if grains['os'] == 'CentOS' %}
-repair_yumdb:
- cmd.run:
- - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all'
- - onlyif:
- - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"'
-
-crsynckeys:
- file.recurse:
- - name: /etc/pki/rpm_gpg
- - source: salt://common/keys/
-
-
-crbase:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-Base.repo
-
-crcr:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-CR.repo
-
-crdebug:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-Debuginfo.repo
-
-crdockerce:
- file.absent:
- - name: /etc/yum.repos.d/docker-ce.repo
-
-crfasttrack:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-fasttrack.repo
-
-crmedia:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-Media.repo
-
-crsources:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-Sources.repo
-
-crvault:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-Vault.repo
-
-crkernel:
- file.absent:
- - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo
-
-crepel:
- file.absent:
- - name: /etc/yum.repos.d/epel.repo
-
-crtesting:
- file.absent:
- - name: /etc/yum.repos.d/epel-testing.repo
-
-crssrepo:
- file.absent:
- - name: /etc/yum.repos.d/saltstack.repo
-
-crwazrepo:
- file.absent:
- - name: /etc/yum.repos.d/wazuh.repo
-
-{% if not ISAIRGAP %}
-crsecurityonionrepo:
- file.managed:
- {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %}
- - name: /etc/yum.repos.d/securityonion.repo
- - source: salt://common/yum_repos/securityonion.repo
- {% else %}
- - name: /etc/yum.repos.d/securityonioncache.repo
- - source: salt://common/yum_repos/securityonioncache.repo
- {% endif %}
- - mode: 644
-
-{% endif %}
-{% endif %}
-
 # Install common packages
 {% if grains['os'] != 'CentOS' %}
 commonpkgs:
diff --git a/salt/airgap/files/yum.conf b/salt/repo/client/files/centos/airgap/yum.conf similarity index 100% rename from salt/airgap/files/yum.conf rename to salt/repo/client/files/centos/airgap/yum.conf diff --git a/salt/common/keys/GPG-KEY-WAZUH b/salt/repo/client/files/centos/keys/GPG-KEY-WAZUH similarity index 100% rename from salt/common/keys/GPG-KEY-WAZUH rename to salt/repo/client/files/centos/keys/GPG-KEY-WAZUH diff --git a/salt/common/keys/RPM-GPG-KEY-EPEL-7 b/salt/repo/client/files/centos/keys/RPM-GPG-KEY-EPEL-7 similarity index 100% rename from salt/common/keys/RPM-GPG-KEY-EPEL-7 rename to salt/repo/client/files/centos/keys/RPM-GPG-KEY-EPEL-7 diff --git a/salt/common/keys/SALTSTACK-GPG-KEY.pub b/salt/repo/client/files/centos/keys/SALTSTACK-GPG-KEY.pub similarity index 100% rename from salt/common/keys/SALTSTACK-GPG-KEY.pub rename to salt/repo/client/files/centos/keys/SALTSTACK-GPG-KEY.pub diff --git a/salt/common/keys/docker.pub b/salt/repo/client/files/centos/keys/docker.pub similarity index 100% rename from salt/common/keys/docker.pub rename to salt/repo/client/files/centos/keys/docker.pub diff --git a/salt/common/keys/securityonion.pub b/salt/repo/client/files/centos/keys/securityonion.pub similarity index 100% rename from salt/common/keys/securityonion.pub rename to salt/repo/client/files/centos/keys/securityonion.pub diff --git a/salt/common/yum_repos/securityonion.repo b/salt/repo/client/files/centos/securityonion.repo similarity index 100% rename from salt/common/yum_repos/securityonion.repo rename to salt/repo/client/files/centos/securityonion.repo diff --git a/salt/common/yum_repos/securityonioncache.repo b/salt/repo/client/files/centos/securityonioncache.repo similarity index 100% rename from salt/common/yum_repos/securityonioncache.repo rename to salt/repo/client/files/centos/securityonioncache.repo 
diff --git a/salt/yum/etc/yum.conf.jinja b/salt/repo/client/files/centos/yum.conf.jinja similarity index 100% rename from salt/yum/etc/yum.conf.jinja rename to salt/repo/client/files/centos/yum.conf.jinja diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls new file mode 100644 index 000000000..60353426f --- /dev/null +++ b/salt/repo/client/init.sls 
@@ -0,0 +1,77 @@
+{% from 'repo/client/map.jinja' import ABSENTFILES with context %}
+{% from 'repo/client/map.jinja' import REPOPATH with context %}
+{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
+{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %}
+{% set role = grains.id.split('_') | last %}
+
+# from airgap state
+{% if ISAIRGAP and grains.os == 'CentOS' %}
+{% set MANAGER = salt['grains.get']('master') %}
+airgapyum:
+ file.managed:
+ - name: /etc/yum/yum.conf
+ - source: salt://repo/client/files/centos/airgap/yum.conf
+
+airgap_repo:
+ pkgrepo.managed:
+ - humanname: Airgap Repo
+ - baseurl: https://{{ MANAGER }}/repo
+ - gpgcheck: 1
+ - sslverify: 0
+{% endif %}
+
+# from airgap and common
+{% if ABSENTFILES|length > 0%}
+ {% for file in ABSENTFILES %}
+{{ file }}:
+ file.absent:
+ - name: {{ REPOPATH }}{{ file }}
+ - onchanges_in: cleanyum
+ {% endfor %}
+{% endif %}
+
+# from common state
+# Remove default Repos
+{% if grains['os'] == 'CentOS' %}
+repair_yumdb:
+ cmd.run:
+ - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all'
+ - onlyif:
+ - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"'
+
+crsynckeys:
+ file.recurse:
+ - name: /etc/pki/rpm_gpg
+ - source: salt://repo/client/files/centos/keys/
+
+{% if not ISAIRGAP %}
+crsecurityonionrepo:
+ file.managed:
+ {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %}
+ - name: /etc/yum.repos.d/securityonion.repo
+ - source: salt://repo/client/files/centos/securityonion.repo
+ {% else %}
+ - name: /etc/yum.repos.d/securityonioncache.repo
+ - source: salt://repo/client/files/centos/securityonioncache.repo
+ {% endif %}
+ - mode: 644
+
+yumconf:
+ file.managed:
+ - name: /etc/yum.conf
+ - source: salt:/repo/client/files/centos/yum.conf.jinja
+ - mode: 644
+ - template: jinja
+{% endif %}
+
+cleanyum:
+ module.run:
+ - pkg.clean_metadata
+ - onchanges:
+ - file: airgapyum
+ - pkgrepo: airgap_repo
+ - file: 
crsecurityonionrepo
+ - file: yumconf
+
+{% endif %}
+
diff --git a/salt/repo/client/map.jinja b/salt/repo/client/map.jinja new file mode 100644
index 000000000..ccfa1eae2
--- /dev/null
+++ b/salt/repo/client/map.jinja
@@ -0,0 +1,25 @@
+{% if grains.os == 'CentOS' %}
+
+ {% set REPOPATH = '/etc/yum.repos.d/' %}
+ {% set ABSENTFILES = [
+ 'CentOS-Base.repo',
+ 'CentOS-CR.repo',
+ 'CentOS-Debuginfo.repo',
+ 'CentOS-fasttrack.repo',
+ 'CentOS-Media.repo',
+ 'CentOS-Sources.repo',
+ 'CentOS-Vault.repo',
+ 'CentOS-x86_64-kernel.repo',
+ 'epel.repo',
+ 'epel-testing.repo',
+ 'saltstack.repo',
+ 'wazuh.repo'
+ ]
+ %}
+
+{% elif grains.os == 'Ubuntu' %}
+
+ {% set REPOPATH = '/etc/apt/sources.list.d/' %}
+ {% set ABSENTFILES = [] %}
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/top.sls b/salt/top.sls
index 6b522d03b..8a12aaa26 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -14,7 +14,6 @@
 {% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
 {% set REDIS = salt['pillar.get']('redis:enabled', True) %}
 {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
-{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
 {% set saltversion = saltversion.salt.minion.version %}
 {% set INSTALLEDSALTVERSION = grains.saltversion %}
@@ -24,18 +23,12 @@ base:
 'not G@saltversion:{{saltversion}}':
 - match: compound
 - salt.minion-state-apply-test
- {% if ISAIRGAP is sameas true %}
- - airgap
- {% endif %}
+ - repo.client
 - salt.minion
 'G@os:CentOS and G@saltversion:{{saltversion}}':
 - match: compound
- {% if ISAIRGAP is sameas true %}
- - airgap
- {% else %}
- - yum
- {% endif %}
+ - repo.client
 - yum.packages
 '* and G@saltversion:{{saltversion}}':
diff --git a/salt/yum/init.sls b/salt/yum/init.sls deleted file mode 100644
index 339a6f2a7..000000000
--- a/salt/yum/init.sls
+++ /dev/null
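Review bot: `cleanyum`'s `onchanges` list names all four of `airgapyum`, `airgap_repo`, `crsecurityonionrepo` and `yumconf`, but the first two are only rendered when `ISAIRGAP` is true and the last two only when it is false, so on every CentOS minion two of the requisites point at state IDs that do not exist and Salt should reject the state with a requisite-not-found error. The requisite entries need the same Jinja conditions as the states they name (below), or each producer state can declare `- onchanges_in: cleanyum` the way the `ABSENTFILES` loop already does; the bare `- pkg.clean_metadata` item under `module.run` also looks like it will be read as a second function name rather than the call to make, and the documented form is `- pkg.clean_metadata: []`. Separately, `yumconf` has `- source: salt:/repo/client/files/centos/yum.conf.jinja` with a single slash, which should read `- source: salt://repo/client/files/centos/yum.conf.jinja` like every other source in the file. The deleted `airgap` and `yum` states opened with `{% from 'allowed_states.map.jinja' import allowed_states %}` / `{% if sls in allowed_states %}` and otherwise rendered `{{sls}}_state_not_allowed`, while this replacement has no such guard, so it will render on any minion whose top-file target lists it unless that is intended. `- sslverify: 0` on `airgap_repo` is carried over unchanged and still disables TLS verification toward the manager's repo URL, leaving `gpgcheck: 1` as the only integrity check on airgap installs, which is worth a comment if it is deliberate.
```yaml
cleanyum:
  module.run:
    - pkg.clean_metadata: []
    - onchanges:
{% if ISAIRGAP %}
      - file: airgapyum
      - pkgrepo: airgap_repo
{% else %}
      - file: crsecurityonionrepo
      - file: yumconf
{% endif %}
```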
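Review bot: The CentOS `ABSENTFILES` list leaves out `docker-ce.repo`, which the `crdockerce` state that this same commit deletes from `salt/common/init.sls` used to remove, so that repo file is no longer cleaned up; add `'docker-ce.repo',` to the list unless dropping it is intended. The `if`/`elif` has no `else`, so on any other `grains.os` neither `REPOPATH` nor `ABSENTFILES` is set and the `from 'repo/client/map.jinja' import … with context` lines in init.sls receive undefined values, which may fail at `ABSENTFILES|length` depending on the renderer's undefined handling; an `{% else %}` branch with `{% set REPOPATH = '' %}` and `{% set ABSENTFILES = [] %}` keeps the consumer safe. A one-line header such as `{# per-distribution list of vendor repo files that repo.client removes from REPOPATH #}` would tell the next reader what the list is for.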
@@ -1,17 +0,0 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-
-yumconf:
- file.managed:
- - name: /etc/yum.conf
- - source: salt://yum/etc/yum.conf.jinja
- - mode: 644
- - template: jinja
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
\ No newline at end of file