use global vars in states

salt/backup/config_backup.sls

@@ -0,0 +1,32 @@
+{% from 'backup/map.jinja' import BACKUP_MERGED %}
+
+# Lock permissions on the backup directory
+backupdir:
+  file.directory:
+    - name: /nsm/backup
+    - user: 0
+    - group: 0
+    - makedirs: True
+    - mode: 700
+
+config_backup_script:
+  file.managed:
+    - name: /usr/sbin/so-config-backup
+    - user: root
+    - group: root
+    - file_mode: 755
+    - template: jinja
+    - source: salt://backup/tools/sbin
+    - defaults:
+        BACKUPLOCATIONS: {{ BACKUP_MERGED.locations }}
+  
+# Add config backup
+so_config_backup:
+  cron.present:
+    - name: /usr/sbin/so-config-backup > /dev/null 2>&1
+    - user: root
+    - minute: '1'
+    - hour: '0'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'

salt/backup/defaults.yaml

@@ -0,0 +1,3 @@
+backup:
+  locations:
+    - /opt/so/saltstack/local

salt/backup/map.jinja

@@ -0,0 +1,2 @@
+{% import_yaml 'backup/defaults.yaml' as BACKUP_DEFAULTS %}
+{% set BACKUP_MERGED = salt['pillar.get']('backup', BACKUP_DEFAULTS, merge=true, merge_nested_lists=true) %}

salt/backup/tools/sbin/so-config-backup

@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+TODAY=$(date '+%Y_%m_%d')
+BACKUPFILE="/nsm/backup/so-config-backup-$TODAY.tar"
+MAXBACKUPS=7
+
+# Create backup dir if it does not exist
+mkdir -p /nsm/backup
+
+# If we haven't already written a backup file for today, let's do so
+if [ ! -f $BACKUPFILE ]; then
+
+  # Create empty backup file
+  tar -cf $BACKUPFILE -T /dev/null
+
+  # Loop through all paths defined in global.sls, and append them to backup file
+  {%- for LOCATION in BACKUPLOCATIONS %}
+  tar -rf $BACKUPFILE {{ LOCATION }}
+  {%- endfor %}
+  tar -rf $BACKUPFILE /etc/pki
+  tar -rf $BACKUPFILE /etc/salt
+  tar -rf $BACKUPFILE /opt/so/conf/kratos
+
+fi
+
+# Find oldest backup files and remove them
+NUMBACKUPS=$(find /nsm/backup/ -type f -name "so-config-backup*" | wc -l)
+while [ "$NUMBACKUPS" -gt "$MAXBACKUPS" ]; do
+  OLDESTBACKUP=$(find /nsm/backup/ -type f -name "so-config-backup*" -type f -printf '%T+ %p\n' | sort | head -n 1 | awk -F" " '{print $2}')
+  rm -f $OLDESTBACKUP
+  NUMBACKUPS=$(find /nsm/backup/ -type f -name "so-config-backup*" | wc -l)
+done