diff --git a/salt/common/init.sls b/salt/common/init.sls index df3e1bcc3..e9f5c2dd8 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -1,8 +1,3 @@ -{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %} -{% set MASTER = salt['grains.get']('master') %} -{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %} -{% set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) %} -{% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %} # Add socore Group socoregroup: group.present: @@ -18,34 +13,15 @@ socore: - createhome: True - shell: /bin/bash -# Create a state directory - -statedir: - file.directory: - - name: /opt/so/state - - user: 939 - - group: 939 - - makedirs: True - -salttmp: - file.directory: - - name: /opt/so/tmp - - user: 939 - - group: 939 - - makedirs: True # Install packages needed for the sensor - sensorpkgs: pkg.installed: - skip_suggestions: False - pkgs: - - docker-ce - wget - jq {% if grains['os'] != 'CentOS' %} - - python-docker - - python-m2crypto - apache2-utils {% else %} - net-tools @@ -64,7 +40,6 @@ alwaysupdated: - skip_suggestions: True # Set time to UTC - Etc/UTC: timezone.system 
@@ -76,340 +51,4 @@ utilsyncscripts: - group: 0 - file_mode: 755 - template: jinja - - source: salt://common/tools/sbin - -# Make sure Docker is running! -docker: - service.running: - - enable: True - -# Drop the correct nginx config based on role - -nginxconfdir: - file.directory: - - name: /opt/so/conf/nginx - - user: 939 - - group: 939 - - makedirs: True - -nginxconf: - file.managed: - - name: /opt/so/conf/nginx/nginx.conf - - user: 939 - - group: 939 - - template: jinja - - source: salt://common/nginx/nginx.conf.{{ grains.role }} - -nginxlogdir: - file.directory: - - name: /opt/so/log/nginx/ - - user: 939 - - group: 939 - - makedirs: True - -nginxtmp: - file.directory: - - name: /opt/so/tmp/nginx/tmp - - user: 939 - - group: 939 - - makedirs: True - -so-core: - docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }} - - hostname: so-core - - user: socore - - binds: - - /opt/so:/opt/so:rw - - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - - /opt/so/log/nginx/:/var/log/nginx:rw - - /opt/so/tmp/nginx/:/var/lib/nginx:rw - - /opt/so/tmp/nginx/:/run:rw - - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro - - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro - - /opt/so/conf/fleet/packages:/opt/socore/html/packages - - cap_add: NET_BIND_SERVICE - - port_bindings: - - 80:80 - - 443:443 - {%- if FLEETMASTER or FLEETNODE %} - - 8090:8090 - {%- endif %} - - watch: - - file: /opt/so/conf/nginx/nginx.conf - -# Add Telegraf to monitor all the things. 
-tgraflogdir: - file.directory: - - name: /opt/so/log/telegraf - - makedirs: True - -tgrafetcdir: - file.directory: - - name: /opt/so/conf/telegraf/etc - - makedirs: True - -tgrafetsdir: - file.directory: - - name: /opt/so/conf/telegraf/scripts - - makedirs: True - -tgrafsyncscripts: - file.recurse: - - name: /opt/so/conf/telegraf/scripts - - user: 939 - - group: 939 - - file_mode: 755 - - template: jinja - - source: salt://common/telegraf/scripts - -tgrafconf: - file.managed: - - name: /opt/so/conf/telegraf/etc/telegraf.conf - - user: 939 - - group: 939 - - template: jinja - - source: salt://common/telegraf/etc/telegraf.conf - -so-telegraf: - docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }} - - environment: - - HOST_PROC=/host/proc - - HOST_ETC=/host/etc - - HOST_SYS=/host/sys - - HOST_MOUNT_PREFIX=/host - - network_mode: host - - port_bindings: - - 127.0.0.1:8094:8094 - - binds: - - /opt/so/log/telegraf:/var/log/telegraf:rw - - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro - - /var/run/utmp:/var/run/utmp:ro - - /var/run/docker.sock:/var/run/docker.sock:ro - - /:/host/root:ro - - /sys:/host/sys:ro - - /proc:/host/proc:ro - - /nsm:/host/nsm:ro - - /etc:/host/etc:ro - {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %} - - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro - {% else %} - - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro - {% endif %} - - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro - - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro - - /opt/so/conf/telegraf/scripts:/scripts:ro - - /opt/so/log/stenographer:/var/log/stenographer:ro - - /opt/so/log/suricata:/var/log/suricata:ro - - watch: - - /opt/so/conf/telegraf/etc/telegraf.conf - - /opt/so/conf/telegraf/scripts - -# If its a master or eval lets install the back end for now -{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval'] and GRAFANA == 1 %} - -# 
Influx DB -influxconfdir: - file.directory: - - name: /opt/so/conf/influxdb/etc - - makedirs: True - -influxdbdir: - file.directory: - - name: /nsm/influxdb - - makedirs: True - -influxdbconf: - file.managed: - - name: /opt/so/conf/influxdb/etc/influxdb.conf - - user: 939 - - group: 939 - - template: jinja - - source: salt://common/influxdb/etc/influxdb.conf - -so-influxdb: - docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }} - - hostname: influxdb - - environment: - - INFLUXDB_HTTP_LOG_ENABLED=false - - binds: - - /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro - - /nsm/influxdb:/var/lib/influxdb:rw - - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro - - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro - - port_bindings: - - 0.0.0.0:8086:8086 - - watch: - - file: /opt/so/conf/influxdb/etc/influxdb.conf - -# Grafana all the things -grafanadir: - file.directory: - - name: /nsm/grafana - - user: 939 - - group: 939 - - makedirs: True - -grafanaconfdir: - file.directory: - - name: /opt/so/conf/grafana/etc - - user: 939 - - group: 939 - - makedirs: True - -grafanadashdir: - file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards - - user: 939 - - group: 939 - - makedirs: True - -grafanadashmdir: - file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards/master - - user: 939 - - group: 939 - - makedirs: True - -grafanadashevaldir: - file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards/eval - - user: 939 - - group: 939 - - makedirs: True - -grafanadashfndir: - file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes - - user: 939 - - group: 939 - - makedirs: True - -grafanadashsndir: - file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes - - user: 939 - - group: 939 - - makedirs: True - -grafanaconf: - file.recurse: - - name: /opt/so/conf/grafana/etc - - user: 939 - - group: 939 - - template: jinja - - source: 
salt://common/grafana/etc - -{% if salt['pillar.get']('mastertab', False) %} -{% for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %} -{% set NODETYPE = SN.split('_')|last %} -{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %} -dashboard-master: - file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json - - user: 939 - - group: 939 - - template: jinja - - source: salt://common/grafana/grafana_dashboards/master/master.json - - defaults: - SERVERNAME: {{ SN }} - MANINT: {{ SNDATA.manint }} - MONINT: {{ SNDATA.manint }} - CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} - ROOTFS: {{ SNDATA.rootfs }} - NSMFS: {{ SNDATA.nsmfs }} - -{% endfor %} -{% endif %} - -{% if salt['pillar.get']('sensorstab', False) %} -{% for SN, SNDATA in salt['pillar.get']('sensorstab', {}).items() %} -{% set NODETYPE = SN.split('_')|last %} -{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %} -dashboard-{{ SN }}: - file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes/{{ SN }}-Sensor.json - - user: 939 - - group: 939 - - template: jinja - - source: salt://common/grafana/grafana_dashboards/sensor_nodes/sensor.json - - defaults: - SERVERNAME: {{ SN }} - MONINT: {{ SNDATA.monint }} - MANINT: {{ SNDATA.manint }} - CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} - ROOTFS: {{ SNDATA.rootfs }} - NSMFS: {{ SNDATA.nsmfs }} - -{% endfor %} -{% endif %} - -{% if salt['pillar.get']('nodestab', False) %} -{% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} -{% set NODETYPE = SN.split('_')|last %} -{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %} -dashboardsearch-{{ SN }}: - file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json - - user: 939 - - group: 939 - - template: jinja - - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json - - defaults: - SERVERNAME: {{ SN }} - MANINT: {{ SNDATA.manint }} - MONINT: {{ SNDATA.manint }} - CPUS: {{ 
SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} - ROOTFS: {{ SNDATA.rootfs }} - NSMFS: {{ SNDATA.nsmfs }} - -{% endfor %} -{% endif %} - -{% if salt['pillar.get']('evaltab', False) %} -{% for SN, SNDATA in salt['pillar.get']('evaltab', {}).items() %} -{% set NODETYPE = SN.split('_')|last %} -{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %} -dashboard-{{ SN }}: - file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/eval/{{ SN }}-Node.json - - user: 939 - - group: 939 - - template: jinja - - source: salt://common/grafana/grafana_dashboards/eval/eval.json - - defaults: - SERVERNAME: {{ SN }} - MANINT: {{ SNDATA.manint }} - MONINT: {{ SNDATA.monint }} - CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} - ROOTFS: {{ SNDATA.rootfs }} - NSMFS: {{ SNDATA.nsmfs }} - -{% endfor %} -{% endif %} - -so-grafana: - docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }} - - hostname: grafana - - user: socore - - binds: - - /nsm/grafana:/var/lib/grafana:rw - - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro - - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw - - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw - - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw - - environment: - - GF_SECURITY_ADMIN_PASSWORD=augusta - - port_bindings: - - 0.0.0.0:3000:3000 - - watch: - - file: /opt/so/conf/grafana/* - -{% endif %} + - source: salt://common/tools/sbin \ No newline at end of file diff --git a/salt/docker/init.sls b/salt/docker/init.sls new file mode 100644 index 000000000..3021552ab --- /dev/null +++ b/salt/docker/init.sls @@ -0,0 +1,8 @@ +installdocker: + pkg.installed: + - name: docker-ce + +# Make sure Docker is running! +docker: + service.running: + - enable: True \ No newline at end of file 
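Review bot: The `docker` state under `service.running` has no explicit dependency on `installdocker`, so it only runs after the package install because of file order. Adding `- require:` with `- pkg: installdocker` keeps that ordering when the state is pulled in by a requisite or the file is rearranged. The service name is also implicit in the state ID; `- name: docker` would make it explicit.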
diff --git a/salt/common/grafana/grafana_dashboards/eval/eval.json b/salt/grafana/dashboards/eval/eval.json
similarity index 100%
rename from salt/common/grafana/grafana_dashboards/eval/eval.json
rename to salt/grafana/dashboards/eval/eval.json
diff --git a/salt/common/grafana/grafana_dashboards/master/master.json b/salt/grafana/dashboards/master/master.json
similarity index 100%
rename from salt/common/grafana/grafana_dashboards/master/master.json
rename to salt/grafana/dashboards/master/master.json
diff --git a/salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json b/salt/grafana/dashboards/search_nodes/searchnode.json
similarity index 100%
rename from salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json
rename to salt/grafana/dashboards/search_nodes/searchnode.json
diff --git a/salt/common/grafana/grafana_dashboards/sensor_nodes/sensor.json b/salt/grafana/dashboards/sensor_nodes/sensor.json
similarity index 100%
rename from salt/common/grafana/grafana_dashboards/sensor_nodes/sensor.json
rename to salt/grafana/dashboards/sensor_nodes/sensor.json
diff --git a/salt/common/grafana/etc/dashboards/dashboard.yml b/salt/grafana/etc/dashboards/dashboard.yml
similarity index 100%
rename from salt/common/grafana/etc/dashboards/dashboard.yml
rename to salt/grafana/etc/dashboards/dashboard.yml
diff --git a/salt/common/grafana/etc/datasources/influxdb.yaml b/salt/grafana/etc/datasources/influxdb.yaml
similarity index 100%
rename from salt/common/grafana/etc/datasources/influxdb.yaml
rename to salt/grafana/etc/datasources/influxdb.yaml
diff --git a/salt/common/grafana/etc/grafana.ini b/salt/grafana/etc/grafana.ini
similarity index 100%
rename from salt/common/grafana/etc/grafana.ini
rename to salt/grafana/etc/grafana.ini
diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls
new file mode 100644
index 000000000..666ce9caf
--- /dev/null
+++ b/salt/grafana/init.sls
@@ -0,0 +1,175 @@
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set MASTER = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+
+{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval'] and GRAFANA == 1 %}
+
+# Grafana all the things
+grafanadir:
+ file.directory:
+ - name: /nsm/grafana
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+grafanaconfdir:
+ file.directory:
+ - name: /opt/so/conf/grafana/etc
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+grafanadashdir:
+ file.directory:
+ - name: /opt/so/conf/grafana/grafana_dashboards
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+grafanadashmdir:
+ file.directory:
+ - name: /opt/so/conf/grafana/grafana_dashboards/master
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+grafanadashevaldir:
+ file.directory:
+ - name: /opt/so/conf/grafana/grafana_dashboards/eval
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+grafanadashfndir:
+ file.directory:
+ - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+grafanadashsndir:
+ file.directory:
+ - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+grafanaconf:
+ file.recurse:
+ - name: /opt/so/conf/grafana/etc
+ - user: 939
+ - group: 939
+ - template: jinja
+ - source: salt://grafana/etc
+
+{% if salt['pillar.get']('mastertab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboard-master:
+ file.managed:
+ - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json
+ - user: 939
+ - group: 939
+ - template: jinja
+ - source: salt://grafana/dashboards/master/master.json
+ - defaults:
+ SERVERNAME: {{ SN }}
+ MANINT: {{ SNDATA.manint }}
+ MONINT: {{ SNDATA.manint }}
+ CPUS: {{ SNDATA.totalcpus }}
+ UID: {{ SNDATA.guid }}
+ ROOTFS: {{ SNDATA.rootfs }}
+ NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+{% if salt['pillar.get']('sensorstab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('sensorstab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboard-{{ SN }}:
+ file.managed:
+ - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes/{{ SN }}-Sensor.json
+ - user: 939
+ - group: 939
+ - template: jinja
+ - source: salt://grafana/dashboards/sensor_nodes/sensor.json
+ - defaults:
+ SERVERNAME: {{ SN }}
+ MONINT: {{ SNDATA.monint }}
+ MANINT: {{ SNDATA.manint }}
+ CPUS: {{ SNDATA.totalcpus }}
+ UID: {{ SNDATA.guid }}
+ ROOTFS: {{ SNDATA.rootfs }}
+ NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+{% if salt['pillar.get']('nodestab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboardsearch-{{ SN }}:
+ file.managed:
+ - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
+ - user: 939
+ - group: 939
+ - template: jinja
+ - source: salt://grafana/dashboards/search_nodes/searchnode.json
+ - defaults:
+ SERVERNAME: {{ SN }}
+ MANINT: {{ SNDATA.manint }}
+ MONINT: {{ SNDATA.manint }}
+ CPUS: {{ SNDATA.totalcpus }}
+ UID: {{ SNDATA.guid }}
+ ROOTFS: {{ SNDATA.rootfs }}
+ NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+{% if salt['pillar.get']('evaltab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('evaltab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboard-{{ SN }}:
+ file.managed:
+ - name: /opt/so/conf/grafana/grafana_dashboards/eval/{{ SN }}-Node.json
+ - user: 939
+ - group: 939
+ - template: jinja
+ - source: salt://grafana/dashboards/eval/eval.json
+ - defaults:
+ SERVERNAME: {{ SN }}
+ MANINT: {{ SNDATA.manint }}
+ MONINT: {{ SNDATA.monint }}
+ CPUS: {{ SNDATA.totalcpus }}
+ UID: {{ SNDATA.guid }}
+ ROOTFS: {{ SNDATA.rootfs }}
+ NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+so-grafana:
+ docker_container.running:
+ - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
+ - hostname: grafana
+ - user: socore
+ - binds:
+ - /nsm/grafana:/var/lib/grafana:rw
+ - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro
+ - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw
+ - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw
+ - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw
+ - environment:
+ - GF_SECURITY_ADMIN_PASSWORD=augusta
+ - port_bindings:
+ - 0.0.0.0:3000:3000
+ - watch:
+ - file: /opt/so/conf/grafana/*
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/common/influxdb/etc/influxdb.conf b/salt/influxdb/etc/influxdb.conf
similarity index 100%
rename from salt/common/influxdb/etc/influxdb.conf
rename to salt/influxdb/etc/influxdb.conf
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
new file mode 100644
index 000000000..d9305320d
--- /dev/null
+++ b/salt/influxdb/init.sls
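Review bot: `GF_SECURITY_ADMIN_PASSWORD=augusta` in the `so-grafana` environment commits a fixed Grafana admin password to the repository, and the same container is published on `0.0.0.0:3000:3000`, so every deployment starts with a known credential reachable on all interfaces unless something outside this file restricts it. The value should be read from pillar or another secret source with no literal fallback, for example `- GF_SECURITY_ADMIN_PASSWORD={{ salt['pillar.get']('GRAFANA_ADMIN_PASSWORD_PILLAR_KEY') }}` (the key name here is a placeholder). The line was moved unchanged from `salt/common/init.sls`, so existing installs should also rotate the password once it is no longer hard-coded.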
@@ -0,0 +1,43 @@
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set MASTER = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+
+
+{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval'] and GRAFANA == 1 %}
+
+# Influx DB
+influxconfdir:
+ file.directory:
+ - name: /opt/so/conf/influxdb/etc
+ - makedirs: True
+
+influxdbdir:
+ file.directory:
+ - name: /nsm/influxdb
+ - makedirs: True
+
+influxdbconf:
+ file.managed:
+ - name: /opt/so/conf/influxdb/etc/influxdb.conf
+ - user: 939
+ - group: 939
+ - template: jinja
+ - source: salt://influxdb/etc/influxdb.conf
+
+so-influxdb:
+ docker_container.running:
+ - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
+ - hostname: influxdb
+ - environment:
+ - INFLUXDB_HTTP_LOG_ENABLED=false
+ - binds:
+ - /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
+ - /nsm/influxdb:/var/lib/influxdb:rw
+ - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro
+ - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
+ - port_bindings:
+ - 0.0.0.0:8086:8086
+ - watch:
+ - file: influxdbconf
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval
similarity index 100%
rename from salt/common/nginx/nginx.conf.so-eval
rename to salt/nginx/etc/nginx.conf.so-eval
diff --git a/salt/common/nginx/nginx.conf.so-fleet b/salt/nginx/etc/nginx.conf.so-fleet
similarity index 100%
rename from salt/common/nginx/nginx.conf.so-fleet
rename to salt/nginx/etc/nginx.conf.so-fleet
diff --git a/salt/common/nginx/nginx.conf.so-heavynode b/salt/nginx/etc/nginx.conf.so-heavynode
similarity index 100%
rename from salt/common/nginx/nginx.conf.so-heavynode
rename to salt/nginx/etc/nginx.conf.so-heavynode
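Review bot: `so-influxdb` publishes `0.0.0.0:8086:8086` and, unlike `so-grafana` and `so-core`, sets no `user:`, so the database API listens on every host interface and the process runs as the image's default user (possibly root; the image is not visible here). Whether authentication and TLS are enforced depends on `influxdb.conf`, which this commit only renames. If port 8086 has to stay reachable from other nodes, a comment above `port_bindings` such as `# 8086 must be reachable from remote telegraf agents; access is restricted by the firewall state` would record that assumption. `influxconfdir` and `influxdbdir` also omit the `user: 939`/`group: 939` that `influxdbconf` sets, which is worth aligning once the container user is pinned.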
diff --git a/salt/common/nginx/nginx.conf.so-helix b/salt/nginx/etc/nginx.conf.so-helix
similarity index 100%
rename from salt/common/nginx/nginx.conf.so-helix
rename to salt/nginx/etc/nginx.conf.so-helix
diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/nginx/etc/nginx.conf.so-master
similarity index 100%
rename from salt/common/nginx/nginx.conf.so-master
rename to salt/nginx/etc/nginx.conf.so-master
diff --git a/salt/common/nginx/nginx.conf.so-mastersearch b/salt/nginx/etc/nginx.conf.so-mastersearch
similarity index 100%
rename from salt/common/nginx/nginx.conf.so-mastersearch
rename to salt/nginx/etc/nginx.conf.so-mastersearch
diff --git a/salt/common/nginx/nginx.conf.so-node b/salt/nginx/etc/nginx.conf.so-node
similarity index 100%
rename from salt/common/nginx/nginx.conf.so-node
rename to salt/nginx/etc/nginx.conf.so-node
diff --git a/salt/common/nginx/nginx.conf.so-sensor b/salt/nginx/etc/nginx.conf.so-sensor
similarity index 100%
rename from salt/common/nginx/nginx.conf.so-sensor
rename to salt/nginx/etc/nginx.conf.so-sensor
diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls
new file mode 100644
index 000000000..24bc86057
--- /dev/null
+++ b/salt/nginx/init.sls
@@ -0,0 +1,58 @@
+{% set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) %}
+{% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %}
+{% set MASTER = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+
+# Drop the correct nginx config based on role
+nginxconfdir:
+ file.directory:
+ - name: /opt/so/conf/nginx
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+nginxconf:
+ file.managed:
+ - name: /opt/so/conf/nginx/nginx.conf
+ - user: 939
+ - group: 939
+ - template: jinja
+ - source: salt://nginx/etc/nginx.conf.{{ grains.role }}
+
+nginxlogdir:
+ file.directory:
+ - name: /opt/so/log/nginx/
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+nginxtmp:
+ file.directory:
+ - name: /opt/so/tmp/nginx/tmp
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+so-core:
+ docker_container.running:
+ - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
+ - hostname: so-core
+ - user: socore
+ - binds:
+ - /opt/so:/opt/so:rw
+ - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+ - /opt/so/log/nginx/:/var/log/nginx:rw
+ - /opt/so/tmp/nginx/:/var/lib/nginx:rw
+ - /opt/so/tmp/nginx/:/run:rw
+ - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
+ - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
+ - /opt/so/conf/fleet/packages:/opt/socore/html/packages
+ - cap_add: NET_BIND_SERVICE
+ - port_bindings:
+ - 80:80
+ - 443:443
+ {%- if FLEETMASTER or FLEETNODE %}
+ - 8090:8090
+ {%- endif %}
+ - watch:
+ - file: nginxconf
\ No newline at end of file
diff --git a/salt/salt/init.sls b/salt/salt/init.sls
index 32aaaa47e..22ecddfb3 100644
--- a/salt/salt/init.sls
+++ b/salt/salt/init.sls
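Review bot: The `so-core` bind `/opt/so:/opt/so:rw` gives the container that publishes ports 80 and 443 write access to the whole `/opt/so` tree, including the `/opt/so/conf/nginx/nginx.conf` that the next bind marks `:ro`. A compromise of the web front end could therefore modify configuration or state for anything else kept under `/opt/so` (which other services live there is not visible in this hunk). Narrow the bind to the directories the container actually serves, or mount it `:ro` and rely on the explicit `rw` binds for `/opt/so/log/nginx/` and `/opt/so/tmp/nginx/`. `/opt/so/conf/fleet/packages:/opt/socore/html/packages` has no mode suffix and so defaults to read-write; `:ro` looks sufficient if it only serves downloads.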
@@ -1,3 +1,28 @@
+# Create a state directory
+
+statedir:
+ file.directory:
+ - name: /opt/so/state
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+salttmp:
+ file.directory:
+ - name: /opt/so/tmp
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+{% if grains['os'] != 'CentOS' %}
+saltpymodules:
+ pkg.installed:
+ - pkgs:
+ - python-docker
+ - python-m2crypto
+ {% endif %}
+
+
 salt_minion_service:
 service.running:
 - name: salt-minion
diff --git a/salt/common/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
similarity index 100%
rename from salt/common/telegraf/etc/telegraf.conf
rename to salt/telegraf/etc/telegraf.conf
diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls
new file mode 100644
index 000000000..44a5686d9
--- /dev/null
+++ b/salt/telegraf/init.sls
@@ -0,0 +1,70 @@
+{% set MASTER = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+
+# Add Telegraf to monitor all the things.
+tgraflogdir:
+ file.directory:
+ - name: /opt/so/log/telegraf
+ - makedirs: True
+
+tgrafetcdir:
+ file.directory:
+ - name: /opt/so/conf/telegraf/etc
+ - makedirs: True
+
+tgrafetsdir:
+ file.directory:
+ - name: /opt/so/conf/telegraf/scripts
+ - makedirs: True
+
+tgrafsyncscripts:
+ file.recurse:
+ - name: /opt/so/conf/telegraf/scripts
+ - user: 939
+ - group: 939
+ - file_mode: 755
+ - template: jinja
+ - source: salt://telegraf/scripts
+
+tgrafconf:
+ file.managed:
+ - name: /opt/so/conf/telegraf/etc/telegraf.conf
+ - user: 939
+ - group: 939
+ - template: jinja
+ - source: salt://telegraf/etc/telegraf.conf
+
+so-telegraf:
+ docker_container.running:
+ - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
+ - environment:
+ - HOST_PROC=/host/proc
+ - HOST_ETC=/host/etc
+ - HOST_SYS=/host/sys
+ - HOST_MOUNT_PREFIX=/host
+ - network_mode: host
+ - port_bindings:
+ - 127.0.0.1:8094:8094
+ - binds:
+ - /opt/so/log/telegraf:/var/log/telegraf:rw
+ - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro
+ - /var/run/utmp:/var/run/utmp:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - /:/host/root:ro
+ - /sys:/host/sys:ro
+ - /proc:/host/proc:ro
+ - /nsm:/host/nsm:ro
+ - /etc:/host/etc:ro
+ {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
+ - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
+ {% else %}
+ - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro
+ {% endif %}
+ - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
+ - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
+ - /opt/so/conf/telegraf/scripts:/scripts:ro
+ - /opt/so/log/stenographer:/var/log/stenographer:ro
+ - /opt/so/log/suricata:/var/log/suricata:ro
+ - watch:
+ - file: tgrafconf
+ - file: tgrafsyncscripts
\ No newline at end of file
diff --git a/salt/common/telegraf/scripts/broloss.sh b/salt/telegraf/scripts/broloss.sh
similarity index 100%
rename from salt/common/telegraf/scripts/broloss.sh
rename to salt/telegraf/scripts/broloss.sh
diff --git a/salt/common/telegraf/scripts/checkfiles.sh b/salt/telegraf/scripts/checkfiles.sh
similarity index 100%
rename from salt/common/telegraf/scripts/checkfiles.sh
rename to salt/telegraf/scripts/checkfiles.sh
diff --git a/salt/common/telegraf/scripts/helixeps.sh b/salt/telegraf/scripts/helixeps.sh
similarity index 100%
rename from salt/common/telegraf/scripts/helixeps.sh
rename to salt/telegraf/scripts/helixeps.sh
diff --git a/salt/common/telegraf/scripts/influxdbsize.sh b/salt/telegraf/scripts/influxdbsize.sh
similarity index 100%
rename from salt/common/telegraf/scripts/influxdbsize.sh
rename to salt/telegraf/scripts/influxdbsize.sh
diff --git a/salt/common/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh
similarity index 100%
rename from salt/common/telegraf/scripts/oldpcap.sh
rename to salt/telegraf/scripts/oldpcap.sh
diff --git a/salt/common/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh
similarity index 100%
rename from salt/common/telegraf/scripts/redis.sh
rename to salt/telegraf/scripts/redis.sh
diff --git a/salt/common/telegraf/scripts/stenoloss.sh b/salt/telegraf/scripts/stenoloss.sh
similarity index 100%
rename from salt/common/telegraf/scripts/stenoloss.sh
rename to salt/telegraf/scripts/stenoloss.sh
diff --git a/salt/common/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh
similarity index 100%
rename from salt/common/telegraf/scripts/suriloss.sh
rename to salt/telegraf/scripts/suriloss.sh
diff --git a/salt/top.sls b/salt/top.sls
index a03c2e1e2..3d0c70c53 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -11,15 +11,18 @@ base: '*': + - salt + - docker - patch.os.schedule - motd - - salt '*_helix': - ca - ssl - registry - common + - nginx + - telegraf - firewall - idstools - pcap
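Review bot: The `so-telegraf` bind `/var/run/docker.sock:/var/run/docker.sock:ro` does not make the Docker API read-only: the `:ro` flag covers the socket file itself, and any process that can connect to it can still issue every API call, which is equivalent to root on the host. Combined with `/:/host/root:ro` and `/etc:/host/etc:ro` (which expose host key material such as `/etc/pki` to the container) and the absence of a `user:` key, this container should be treated and documented as host-privileged, e.g. `# docker.sock grants full Docker API access regardless of :ro`. Consider replacing the `/` and `/etc` binds with the specific paths the Telegraf inputs read. `port_bindings: 127.0.0.1:8094:8094` has no effect under `network_mode: host`, so the listen address is whatever `telegraf.conf` sets.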
@@ -34,6 +37,8 @@ base: - ca - ssl - common + - nginx + - telegraf - firewall - pcap - suricata @@ -57,6 +62,10 @@ base: - registry - master - common + - nginx + - telegraf + - influxdb + - grafana - soc - firewall - idstools @@ -105,6 +114,10 @@ base: - ssl - registry - common + - nginx + - telegraf + - influxdb + - grafana - soc - firewall - master @@ -179,6 +192,8 @@ base: - ca - ssl - common + - nginx + - telegraf - firewall {%- if WAZUH != 0 %} - wazuh @@ -194,6 +209,10 @@ base: '*_mastersensor': - common + - nginx + - telegraf + - influxdb + - grafana - firewall - sensor - master @@ -207,6 +226,10 @@ base: - ssl - registry - common + - nginx + - telegraf + - influxdb + - grafana - soc - firewall - master @@ -248,6 +271,8 @@ base: - ca - ssl - common + - nginx + - telegraf - firewall - redis {%- if WAZUH != 0 %} @@ -272,6 +297,8 @@ base: - ca - ssl - common + - nginx + - telegraf - firewall - mysql - redis
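Review bot: The `'*_mastersensor'` hunk adds `influxdb` and `grafana`, but both new states are wrapped in `{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval'] and GRAFANA == 1 %}`, so on a minion whose role grain is outside that list they render to nothing (the grain value those minions carry is not visible here). Either extend the guard in `salt/grafana/init.sls` and `salt/influxdb/init.sls` or drop the two entries from that target, so the top file reflects what actually runs. The guard also compares `GRAFANA` with the integer `1` while its pillar default is the string `'0'`; a pillar value of `'1'` would silently disable both states.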