combine client repo management into 1 state

salt/airgap/init.sls

@@ -1,71 +0,0 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-
-{% set MANAGER = salt['grains.get']('master') %}
-airgapyum:
-  file.managed:
-    - name: /etc/yum/yum.conf
-    - source: salt://airgap/files/yum.conf
-
-airgap_repo:
-  pkgrepo.managed:
-    - humanname: Airgap Repo
-    - baseurl: https://{{ MANAGER }}/repo
-    - gpgcheck: 1
-    - sslverify: 0
-
-agbase:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-Base.repo
-
-agcr:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-CR.repo
-
-agdebug:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-Debuginfo.repo
-
-agfasttrack:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-fasttrack.repo
-
-agmedia:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-Media.repo
-
-agsources:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-Sources.repo
-
-agvault:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-Vault.repo
-
-agkernel:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo
-
-agepel:
-  file.absent:
-    - name: /etc/yum.repos.d/epel.repo
-
-agtesting:
-  file.absent:
-    - name: /etc/yum.repos.d/epel-testing.repo
-
-agssrepo:
-  file.absent:
-    - name: /etc/yum.repos.d/saltstack.repo
-
-agwazrepo:
-  file.absent:
-    - name: /etc/yum.repos.d/wazuh.repo
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/common/init.sls

@@ -2,8 +2,6 @@
 {% if sls in allowed_states %}
 
 {% set role = grains.id.split('_') | last %}
-{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %}
-{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
 
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
@@ -66,87 +64,6 @@ salttmp:
     - group: 939
     - makedirs: True
 
-# Remove default Repos
-{% if grains['os'] == 'CentOS' %}
-repair_yumdb:
-  cmd.run:
-    - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all'
-    - onlyif:
-      - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"'
-
-crsynckeys:
-  file.recurse:
-    - name: /etc/pki/rpm_gpg
-    - source: salt://common/keys/
-
-
-crbase:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-Base.repo
-
-crcr:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-CR.repo
-
-crdebug:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-Debuginfo.repo
-
-crdockerce:
-  file.absent: 
-    - name: /etc/yum.repos.d/docker-ce.repo
-    
-crfasttrack:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-fasttrack.repo
-
-crmedia:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-Media.repo
-
-crsources:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-Sources.repo
-
-crvault:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-Vault.repo
-
-crkernel:
-  file.absent:
-    - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo
-
-crepel:
-  file.absent:
-    - name: /etc/yum.repos.d/epel.repo
-
-crtesting:
-  file.absent:
-    - name: /etc/yum.repos.d/epel-testing.repo
-
-crssrepo:
-  file.absent:
-    - name: /etc/yum.repos.d/saltstack.repo
-
-crwazrepo:
-  file.absent:
-    - name: /etc/yum.repos.d/wazuh.repo
-
-{% if not ISAIRGAP %}
-crsecurityonionrepo:
-  file.managed:
-    {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %}
-    - name: /etc/yum.repos.d/securityonion.repo
-    - source: salt://common/yum_repos/securityonion.repo
-    {% else %}
-    - name: /etc/yum.repos.d/securityonioncache.repo
-    - source: salt://common/yum_repos/securityonioncache.repo
-    {% endif %}
-    - mode: 644
-
-{% endif %}
-{% endif %}
-
 # Install common packages
 {% if grains['os'] != 'CentOS' %}     
 commonpkgs:

salt/repo/client/init.sls

@@ -0,0 +1,77 @@
+{% from 'repo/client/map.jinja' import ABSENTFILES with context %}
+{% from 'repo/client/map.jinja' import REPOPATH with context %}
+{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
+{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %}
+{% set role = grains.id.split('_') | last %}
+
+# from airgap state
+{% if ISAIRGAP and grains.os == 'CentOS' %}
+{% set MANAGER = salt['grains.get']('master') %}
+airgapyum:
+  file.managed:
+    - name: /etc/yum/yum.conf
+    - source: salt://repo/client/files/centos/airgap/yum.conf
+
+airgap_repo:
+  pkgrepo.managed:
+    - humanname: Airgap Repo
+    - baseurl: https://{{ MANAGER }}/repo
+    - gpgcheck: 1
+    - sslverify: 0
+{% endif %}
+
+# from airgap and common
+{% if ABSENTFILES|length > 0%}
+  {% for file in ABSENTFILES  %}
+{{ file }}:
+  file.absent:
+    - name: {{ REPOPATH }}{{ file }}
+    - onchanges_in: cleanyum
+  {% endfor %}
+{% endif %}
+
+# from common state
+# Remove default Repos
+{% if grains['os'] == 'CentOS' %}
+repair_yumdb:
+  cmd.run:
+    - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all'
+    - onlyif:
+      - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"'
+
+crsynckeys:
+  file.recurse:
+    - name: /etc/pki/rpm_gpg
+    - source: salt://repo/client/files/centos/keys/
+
+{% if not ISAIRGAP %}
+crsecurityonionrepo:
+  file.managed:
+    {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %}
+    - name: /etc/yum.repos.d/securityonion.repo
+    - source: salt://repo/client/files/centos/securityonion.repo
+    {% else %}
+    - name: /etc/yum.repos.d/securityonioncache.repo
+    - source: salt://repo/client/files/centos/securityonioncache.repo
+    {% endif %}
+    - mode: 644
+
+yumconf:
+  file.managed:
+    - name: /etc/yum.conf
+    - source: salt:/repo/client/files/centos/yum.conf.jinja
+    - mode: 644
+    - template: jinja
+{% endif %}
+
+cleanyum:
+  module.run:
+    - pkg.clean_metadata
+    - onchanges:
+      - file: airgapyum
+      - pkgrepo: airgap_repo
+      - file: crsecurityonionrepo
+      - file: yumconf
+
+{% endif %}
+

salt/repo/client/map.jinja

@@ -0,0 +1,25 @@
+{% if grains.os == 'CentOS' %}
+
+  {% set REPOPATH = '/etc/yum.repos.d/' %}
+  {% set ABSENTFILES = [
+         'CentOS-Base.repo',
+         'CentOS-CR.repo',
+         'CentOS-Debuginfo.repo',
+         'CentOS-fasttrack.repo',
+         'CentOS-Media.repo',
+         'CentOS-Sources.repo',
+         'CentOS-Vault.repo',
+         'CentOS-x86_64-kernel.repo',
+         'epel.repo',
+         'epel-testing.repo',
+         'saltstack.repo',
+         'wazuh.repo'
+       ]
+  %}
+
+{% elif grains.os == 'Ubuntu' %}
+
+  {% set REPOPATH = '/etc/apt/sources.list.d/' %}
+  {% set ABSENTFILES = [] %}
+
+{% endif %}

salt/top.sls

@@ -14,7 +14,6 @@
 {% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
 {% set REDIS = salt['pillar.get']('redis:enabled', True) %}
 {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
-{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
 {% set saltversion = saltversion.salt.minion.version %}
 {% set INSTALLEDSALTVERSION = grains.saltversion %}
@@ -24,18 +23,12 @@ base:
   'not G@saltversion:{{saltversion}}':
     - match: compound
     - salt.minion-state-apply-test
-    {% if ISAIRGAP is sameas true %}
+    - repo.client
-    - airgap
-    {% endif %}
     - salt.minion
 
   'G@os:CentOS and G@saltversion:{{saltversion}}':
     - match: compound
-    {% if ISAIRGAP is sameas true %}
+    - repo.client
-    - airgap
-    {% else %}
-    - yum
-    {% endif %}
     - yum.packages
 
   '* and G@saltversion:{{saltversion}}':

salt/yum/init.sls

@@ -1,17 +0,0 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-
-yumconf:
-  file.managed:
-    - name: /etc/yum.conf
-    - source: salt://yum/etc/yum.conf.jinja
-    - mode: 644
-    - template: jinja
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}