Move setup-complete marker from /opt/so/conf to /opt/so/state

The setup-complete marker is a runtime-state file, not config, so move it
to /opt/so/state/setup-complete. Updates both writers (mark_setup_complete
in setup/so-functions and the upgrade-path state in minion/init.sls) and the
three readers (so-boot-highstate.service ConditionPathExists, boot_highstate.sls
enable gate, and the so-user_sync cron gate).

salt/manager/sync_es_users.sls

@@ -32,7 +32,7 @@ sync_es_users:
       - file: so-user.lock # require so-user.lock file to be missing
 
 # we dont want this added too early in setup, so the onlyif gates on the
-# /opt/so/conf/setup-complete marker. The marker is written by
+# /opt/so/state/setup-complete marker. The marker is written by
 # mark_setup_complete in setup/so-functions just before the final setup
 # highstate (and by an upgrade-path state for systems set up under the old gate).
 so-user_sync:
@@ -40,4 +40,4 @@ so-user_sync:
     - user: root
     - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log'
     - identifier: so-user_sync
-    - onlyif: "test -e /opt/so/conf/setup-complete"
+    - onlyif: "test -e /opt/so/state/setup-complete"

salt/salt/minion/boot_highstate.sls

@@ -25,7 +25,7 @@ so_boot_highstate_unit_file:
 so_boot_highstate_service:
   service.enabled:
     - name: so-boot-highstate.service
-    - onlyif: test -e /opt/so/conf/setup-complete
+    - onlyif: test -e /opt/so/state/setup-complete
     - require:
       - file: so_boot_highstate_unit_file
       - module: systemd_reload

salt/salt/minion/init.sls

@@ -94,14 +94,14 @@ remove_startup_states:
     - mode: delete
 
 # Upgrade-path bridge: systems that already passed setup under the old gate
-# (`grep -x 'startup_states: highstate' /etc/salt/minion`) get a setup-complete
+# (`grep -x 'startup_states: highstate' /etc/salt/minion`) get a /opt/so/state/setup-complete
 # marker so so-boot-highstate.service can be enabled and the so-user_sync cron
 # in sync_es_users.sls keeps installing. Setup-in-progress systems instead get
 # the marker from `mark_setup_complete` in setup/so-functions at the right
 # moment. `replace: false` means we never overwrite a marker once written.
 mark_setup_complete_for_upgrades:
   file.managed:
-    - name: /opt/so/conf/setup-complete
+    - name: /opt/so/state/setup-complete
     - replace: false
     - makedirs: True
     - onlyif: "grep -qx 'startup_states: highstate' /etc/salt/minion"

salt/salt/service/so-boot-highstate.service

@@ -3,7 +3,7 @@ Description=Security Onion boot-time highstate (runs once per boot)
 After=salt-minion.service network-online.target docker.service
 Wants=network-online.target docker.service
 Requires=salt-minion.service
-ConditionPathExists=/opt/so/conf/setup-complete
+ConditionPathExists=/opt/so/state/setup-complete
 
 [Service]
 Type=oneshot

setup/so-functions

@@ -547,7 +547,7 @@ mark_setup_complete() {
 	# Writes the setup-complete marker. Salt's so-boot-highstate.service
 	# (boot-time oneshot) and the so-user_sync cron gate in
 	# salt/manager/sync_es_users.sls both key off this file.
-	local marker=/opt/so/conf/setup-complete
+	local marker=/opt/so/state/setup-complete
 
 	info "Marking setup as complete"
 	mkdir -p "$(dirname "$marker")"