more requires

2025-12-06 09:12:45 +01:00 · 2021-10-22 16:46:45 -04:00
parent 283f7296bc
commit d7e5377a44
14 changed files with 113 additions and 34 deletions
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -60,8 +60,7 @@ aptcacherlogdir:
    - group: 939
    - makedirs: true
-# Copy the config
+acngconf:
 acngcopyconf:
  file.managed:
    - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
    - source: salt://manager/files/acng/acng.conf
@@ -80,6 +79,8 @@ so-aptcacherng:
      - /opt/so/conf/aptcacher-ng/cache:/var/cache/apt-cacher-ng:rw
      - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
      - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro
    - require:
      - file: acngconf
 append_so-aptcacherng_so-status.conf:
  file.append:
--- a/salt/minio/init.sls
+++ b/salt/minio/init.sls
@@ -21,6 +21,9 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 include:
 - ssl
 # Minio Setup
 minioconfdir:
  file.directory:
@@ -59,6 +62,9 @@ so-minio:
      - /etc/pki/minio.key:/.minio/certs/private.key:ro
      - /etc/pki/minio.crt:/.minio/certs/public.crt:ro
    - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data"
    - require:
      - file: minio_key
      - file: minio_crt
 append_so-minio_so-status.conf:
  file.append:
@@ -71,4 +77,4 @@ append_so-minio_so-status.conf:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
-{% endif %}
+{% endif %}
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -45,13 +45,14 @@ mysqlpiddir:
    - group: 939
    - makedirs: True
-mysqletcsync:
+mysqletc:
  file.recurse:
    - name: /opt/so/conf/mysql/etc
    - source: salt://mysql/etc
    - user: 939
    - group: 939
    - template: jinja
    - mode: 640
 mysqllogdir:
  file.directory:
@@ -88,12 +89,13 @@ so-mysql:
      - MYSQL_ROOT_HOST={{ MAINIP }}
      - MYSQL_ROOT_PASSWORD=/etc/mypass
    - binds:
-      - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro
+      - /opt/so/conf/mysql/etc/:/etc/:ro
      - /opt/so/conf/mysql/etc/mypass:/etc/mypass
      - /nsm/mysql:/var/lib/mysql:rw
      - /opt/so/log/mysql:/var/log/mysql:rw
    - watch:
      - /opt/so/conf/mysql/etc
    - require:
      - file: mysqletc
  cmd.run:
    - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
    - timeout: 600
@@ -118,4 +120,4 @@ append_so-mysql_so-status.conf:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
-{% endif %}
+{% endif %}
--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
@@ -8,6 +8,9 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap') %}
 include:
  - ssl
 # Drop the correct nginx config based on role
 nginxconfdir:
  file.directory:
@@ -95,6 +98,12 @@ so-nginx:
    - watch:
      - file: nginxconf
      - file: nginxconfdir
    - require:
      - file: nginxconf
      - x509: managerssl_key
      - x509: managerssl_crt
      - file: navigatorconfig
      - file: navigatordefaultlayer
 append_so-nginx_so-status.conf:
  file.append:
@@ -107,4 +116,4 @@ append_so-nginx_so-status.conf:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
-{% endif %}
+{% endif %}
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -127,7 +127,9 @@ so-steno:
      - /nsm/pcaptmp:/tmp:rw
      - /opt/so/log/stenographer:/var/log/stenographer:rw
    - watch:
-      - file: /opt/so/conf/steno/config
+      - file: stenoconf
    - require:
      - file: stenoconf
  {% else %} {# if stenographer isn't enabled, then stop and remove the container #}
    - force: True
  {% endif %}
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -19,6 +19,9 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 include:
  - ssl
 # Redis Setup
 redisconfdir:
  file.directory:
@@ -41,10 +44,10 @@ redislogdir:
    - group: 939
    - makedirs: True
-redisconfsync:
+redisconf:
-  file.recurse:
+  file.managed:
-    - name: /opt/so/conf/redis/etc
+    - name: /opt/so/conf/redis/etc/redis.conf
-    - source: salt://redis/etc
+    - source: salt://redis/etc/redis.conf
    - user: 939
    - group: 939
    - template: jinja
@@ -67,6 +70,11 @@ so-redis:
    - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
    - watch:
      - file: /opt/so/conf/redis/etc
    - require:
      - file: redisconf
      - x509: redis_crt
      - x509: redis_key
      - x509: pki_public_ca_crt
 append_so-redis_so-status.conf:
  file.append:
@@ -79,4 +87,4 @@ append_so-redis_so-status.conf:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
-{% endif %}
+{% endif %}
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -47,6 +47,10 @@ so-dockerregistry:
    - retry:
        attempts: 5
        interval: 30
    - require:
      - file: dockerregistryconf
      - x509: registry_crt
      - x509: registry_key
 append_so-dockerregistry_so-status.conf:
  file.append:
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
@@ -38,8 +38,10 @@ so-sensoroni:
      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
    - watch:
      - file: /opt/so/conf/sensoroni/sensoroni.json
    - require:
      - file: sensoroniagentconf
 append_so-sensoroni_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-sensoroni
+    - text: so-sensoroni
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -8,6 +8,9 @@
 {% set MANAGER_IP = salt['pillar.get']('global:managerip', '') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 include:
  - nginx
 soctopusdir:
  file.directory:
    - name: /opt/so/conf/soctopus/sigma-import
@@ -71,6 +74,9 @@ so-soctopus:
      - 0.0.0.0:7000:7000
    - extra_hosts:
      - {{MANAGER_URL}}:{{MANAGER_IP}}
    - require:
      - file: soctopusconf
      - file: navigatordefaultlayer
 append_so-soctopus_so-status.conf:
  file.append:
@@ -83,4 +89,4 @@ append_so-soctopus_so-status.conf:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
-{% endif %}
+{% endif %}
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -117,8 +117,9 @@ influxkeyperms:
 {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet'] %}
 # Create a cert for Redis encryption
-/etc/pki/redis.key:
+redis_key:
  x509.private_key_managed:
    - name: /etc/pki/redis.key
    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
@@ -134,8 +135,9 @@ influxkeyperms:
        attempts: 5
        interval: 30
-/etc/pki/redis.crt:
+redis_crt:
  x509.certificate_managed:
    - name: /etc/pki/redis.crt
    - ca_server: {{ ca_server }}
    - signing_policy: registry
    - public_key: /etc/pki/redis.key
@@ -244,8 +246,9 @@ fbcrtlink:
    - user: socore
    - group: socore
-/etc/pki/registry.key:
+registry_key:
  x509.private_key_managed:
    - name: /etc/pki/registry.key
    - CN: {{ manager }}
    - bits: 4096
    - days_remaining: 0
@@ -262,8 +265,9 @@ fbcrtlink:
        interval: 30
 # Create a cert for the docker registry
-/etc/pki/registry.crt:
+registry_crt:
  x509.certificate_managed:
    - name: /etc/pki/registry.crt
    - ca_server: {{ ca_server }}
    - signing_policy: registry
    - public_key: /etc/pki/registry.key
@@ -287,8 +291,9 @@ regkeyperms:
    - mode: 640
    - group: 939
-/etc/pki/minio.key:
+minio_key:
  x509.private_key_managed:
    - name: /etc/pki/minio.key
    - CN: {{ manager }}
    - bits: 4096
    - days_remaining: 0
@@ -305,8 +310,9 @@ regkeyperms:
        interval: 30
 # Create a cert for minio
-/etc/pki/minio.crt:
+minio_crt:
  x509.certificate_managed:
    - name: /etc/pki/minio.crt
    - ca_server: {{ ca_server }}
    - signing_policy: registry
    - public_key: /etc/pki/minio.key
@@ -386,8 +392,9 @@ elasticp12perms:
    - mode: 640
    - group: 930
-/etc/pki/managerssl.key:
+managerssl_key:
  x509.private_key_managed:
    - name: /etc/pki/managerssl.key
    - CN: {{ manager }}
    - bits: 4096
    - days_remaining: 0
@@ -404,8 +411,9 @@ elasticp12perms:
        interval: 30
 # Create a cert for the reverse proxy
-/etc/pki/managerssl.crt:
+managerssl_crt:
  x509.certificate_managed:
    - name: /etc/pki/managerssl.crt
    - ca_server: {{ ca_server }}
    - signing_policy: managerssl
    - public_key: /etc/pki/managerssl.key
@@ -548,8 +556,9 @@ chownfilebeatp8:
 {% if grains['role'] == 'so-fleet' %}
-/etc/pki/managerssl.key:
+managerssl_key:
  x509.private_key_managed:
    - name: /etc/pki/managerssl.key
    - CN: {{ manager }}
    - bits: 4096
    - days_remaining: 0
@@ -566,8 +575,9 @@ chownfilebeatp8:
        interval: 30
 # Create a cert for the reverse proxy
-/etc/pki/managerssl.crt:
+managerssl_crt:
  x509.certificate_managed:
    - name: /etc/pki/managerssl.crt
    - ca_server: {{ ca_server }}
    - signing_policy: managerssl
    - public_key: /etc/pki/managerssl.key
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -93,7 +93,7 @@ surilogscript:
    - month: '*'
    - dayweek: '*'
-suriconfigsync:
+suriconfig:
  file.managed:
    - name: /opt/so/conf/suricata/suricata.yaml
    - source: salt://suricata/files/suricata.yaml.jinja
@@ -155,10 +155,14 @@ so-suricata:
      - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
    - network_mode: host
    - watch:
-      - file: /opt/so/conf/suricata/suricata.yaml
+      - file: suriconfig
      - file: surithresholding
      - file: /opt/so/conf/suricata/rules/
      - file: /opt/so/conf/suricata/bpf
    - require:
      - file: suriconfig
      - file: surithresholding
      - file: suribpf
  {% else %} {# if Suricata isn't enabled, then stop and remove the container #}
    - force: True
--- a/salt/telegraf/init.sls
+++ b/salt/telegraf/init.sls
@@ -88,7 +88,16 @@ so-telegraf:
      - file: tgrafconf
      - file: tgrafsyncscripts
      - file: node_config
-
+    - require: 
      - file: tgrafconf
      - file: node_config
      {% if grains['role'] == 'so-manager' or grains['role'] == 'so-eval' or grains['role'] == 'so-managersearch' %}
      - x509: pki_public_ca_crt
      {% else %}
      - x509: trusttheca
      {% endif %}
      - x509: influxdb_crt
      - x509: influxdb_key
 append_so-telegraf_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
--- a/salt/thehive/init.sls
+++ b/salt/thehive/init.sls
@@ -83,8 +83,7 @@ so-thehive-es:
    - tty: True
    - binds:
      - /nsm/thehive/esdata:/usr/share/elasticsearch/data:rw
-      - /opt/so/conf/thehive/etc/es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
+      - /opt/so/conf/thehive/etc/es/:/usr/share/elasticsearch/config/:ro
      - /opt/so/conf/thehive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
      - /opt/so/log/thehive:/var/log/elasticsearch:rw
    - environment:
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
@@ -97,6 +96,14 @@ append_so-thehive-es_so-status.conf:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-thehive-es
 cortex_application_conf:
  file.exists:
    - name: /opt/so/conf/thehive/etc/cortex-application.conf
 application_conf:
  file.exists:
    - name: /opt/so/conf/thehive/etc/application.conf
 # Install Cortex
 so-cortex:
  docker_container.running:
@@ -110,6 +117,8 @@ so-cortex:
      - /opt/so/conf/cortex/custom-responders:/custom-responders:ro
    - port_bindings:
      - 0.0.0.0:9001:9001
    - require:
      - file: cortex_application_conf
 append_so-cortex_so-status.conf:
  file.append:
@@ -135,6 +144,8 @@ so-thehive:
      - /opt/so/conf/thehive/etc/application.conf:/opt/thehive/conf/application.conf:ro
    - port_bindings:
      - 0.0.0.0:9000:9000
    - require:
      - file: application_conf
 append_so-thehive_so-status.conf:
  file.append:
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -116,7 +116,7 @@ zeekctlcfg:
        ZEEKCTL: {{ ZEEK.zeekctl | tojson }}
 # Sync node.cfg
-nodecfgsync:
+nodecfg:
  file.managed:
    - name: /opt/so/conf/zeek/node.cfg
    - source: salt://zeek/files/node.cfg
@@ -182,7 +182,7 @@ zeekbpf:
 {% endif %}
-localzeeksync:
+localzeek:
  file.managed:
    - name: /opt/so/conf/zeek/local.zeek
    - source: salt://zeek/files/local.zeek.jinja
@@ -219,6 +219,11 @@ so-zeek:
      - file: /opt/so/conf/zeek/zeekctl.cfg
      - file: /opt/so/conf/zeek/policy
      - file: /opt/so/conf/zeek/bpf
    - require:
      - file: localzeek
      - file: nodecfg
      - file: zeekctlcfg
      - file: zeekbpf
  {% else %} {# if Zeek isn't enabled, then stop and remove the container #}
    - force: True
  {% endif %}
@@ -247,4 +252,4 @@ delete_so-zeek_so-status.disabled:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
-{% endif %}
+{% endif %}