From 826254bc3dcc00a373f5b729529a16c5ba2c7291 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 19 Aug 2020 15:59:48 -0400
Subject: [PATCH 1/2] give redis key to heavy node too
---
 salt/ssl/init.sls | 73 ++++++++++++++++++++++++-----------------------
 1 file changed, 37 insertions(+), 36 deletions(-)
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 82512068c..acf3c32da 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -72,8 +72,44 @@ influxkeyperms:
 - mode: 640
 - group: 939
-{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
+{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
+# Create a cert for Redis encryption
+/etc/pki/redis.key:
+ x509.private_key_managed:
+ - CN: {{ manager }}
+ - bits: 4096
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/redis.key') -%}
+ - prereq:
+ - x509: /etc/pki/redis.crt
+ {%- endif %}
+/etc/pki/redis.crt:
+ x509.certificate_managed:
+ - ca_server: {{ ca_server }}
+ - signing_policy: registry
+ - public_key: /etc/pki/redis.key
+ - CN: {{ manager }}
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+
+rediskeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/redis.key
+ - mode: 640
+ - group: 939
+{% endif %}
+
+{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
 /etc/pki/filebeat.key:
 x509.private_key_managed:
 - CN: {{ manager }}
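Review bot: With `so-heavynode` added to the role list, the moved `/etc/pki/redis.key` and `/etc/pki/redis.crt` states still set `- CN: {{ manager }}`, so a heavy node would be issued a CA-signed key pair under that name rather than its own (assuming `manager`, which is set outside this hunk, resolves to the manager's hostname). If Redis clients check the certificate name, the heavy node's own endpoint would not match, and every heavy node would hold a credential valid for the manager's identity. Consider issuing it under the minion's own name on that role, for example `- CN: {{ grains['host'] }}`, or add a comment stating that the shared name is intended. The `rediskeyperms` state also leaves the key group-readable (`- mode: 640`, `- group: 939`); a comment naming the account behind gid 939 on a heavy node would make that reviewable.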
@@ -262,41 +298,6 @@ elasticp12perms:
 - mode: 640
 - group: 930
-# Create a cert for Redis encryption
-/etc/pki/redis.key:
- x509.private_key_managed:
- - CN: {{ manager }}
- - bits: 4096
- - days_remaining: 0
- - days_valid: 820
- - backup: True
- - new: True
- {% if salt['file.file_exists']('/etc/pki/redis.key') -%}
- - prereq:
- - x509: /etc/pki/redis.crt
- {%- endif %}
-
-/etc/pki/redis.crt:
- x509.certificate_managed:
- - ca_server: {{ ca_server }}
- - signing_policy: registry
- - public_key: /etc/pki/redis.key
- - CN: {{ manager }}
- - days_remaining: 0
- - days_valid: 820
- - backup: True
- - unless:
- # https://github.com/saltstack/salt/issues/52167
- # Will trigger 5 days (432000 sec) from cert expiration
- - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
-
-rediskeyperms:
- file.managed:
- - replace: False
- - name: /etc/pki/redis.key
- - mode: 640
- - group: 939
-
 /etc/pki/managerssl.key:
 x509.private_key_managed:
 - CN: {{ manager }}
From 961cc67e3f32ba76e11a16f3727aaf5f87721f45 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 19 Aug 2020 16:05:40 -0400
Subject: [PATCH 2/2] add nginx state to heavynode
---
 salt/top.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/top.sls b/salt/top.sls
index fdcbcab3e..19c1c77dc 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -352,6 +352,7 @@ base:
 - ca
 - ssl
 - common
+ - nginx
 - telegraf
 - firewall
 - minio
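Review bot: The added `- nginx` entry puts a web server on this target (the heavy node, per the subject line; the target match is outside the hunk) without any visible change that provisions its TLS material or limits who can reach it. Patch 1/2 extends only the Redis key/cert block in salt/ssl/init.sls to `so-heavynode`, and the role condition guarding `/etc/pki/managerssl.key` is not shown, so it is worth confirming that the nginx state has a certificate to serve on this role and that the `firewall` state restricts the new listener to the hosts that need it. A short comment above the entry, such as `# nginx: needed on heavy nodes for <purpose>`, would record why this role exposes a web service.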