From 6985b0ab279e06397f9ed06fcfdd7277d8653b5e Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 14 Dec 2022 10:50:24 -0500 Subject: [PATCH 1/6] Move kratos DB to /nsm --- salt/common/tools/sbin/so-user | 2 +- salt/common/tools/sbin/soup | 24 ++++++++++++++++++++++++ salt/kratos/init.sls | 13 +++++++++++-- setup/so-functions | 2 +- 4 files changed, 37 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 96059968c..90f62ed49 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -45,7 +45,7 @@ email=$2 role=$3 kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434/admin} -databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite} +databasePath=${KRATOS_DB_PATH:-/nsm/kratos/db/db.sqlite} databaseTimeout=${KRATOS_DB_TIMEOUT:-5000} bcryptRounds=${BCRYPT_ROUNDS:-12} elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users} diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 31f5bb290..a7c007393 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -551,6 +551,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.3.180 ]] && up_to_2.3.181 [[ "$INSTALLEDVERSION" == 2.3.181 ]] && up_to_2.3.182 [[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190 + [[ "$INSTALLEDVERSION" == 2.3.190 ]] && up_to_2.3.200 true } @@ -574,6 +575,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.180 ]] && post_to_2.3.181 [[ "$POSTVERSION" == 2.3.181 ]] && post_to_2.3.182 [[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190 + [[ "$POSTVERSION" == 2.3.190 ]] && post_to_2.3.200 true } @@ -692,6 +694,11 @@ post_to_2.3.190() { POSTVERSION=2.3.190 } +post_to_2.3.200() { + echo "Nothing to do for .200" + POSTVERSION=2.3.200 +} + stop_salt_master() { # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts set +e 
@@ -1005,6 +1012,23 @@ up_to_2.3.190() { INSTALLEDVERSION=2.3.190 } +up_to_2.3.200() { + echo "Upgrading to 2.3.200" + if [ ! -d /nsm/kratos ]; then + mkdir /nsm/kratos + chown -R kratos:kratos /nsm/kratos + chmod 700 /nsm/kratos + fi + if [ ! -d /nsm/kratos/db ]; then + echo "Moving Kratos DB to /nsm partition..." + mv /opt/so/conf/kratos/db /nsm/kratos/ + echo "Move completed successfully" + else + echo "WARNING: /nsm/kratos/db already exists. This is unexpected and could result in SOC users no longer being able to login." + fi + INSTALLEDVERSION=2.3.200 +} + verify_upgradespace() { CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//') if [ "$CURRENTSPACE" -lt "10" ]; then diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index e44c09b63..7583779e2 100644 --- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls @@ -20,9 +20,18 @@ kratos: kratosdir: file.directory: - - name: /opt/so/conf/kratos/db + - name: /nsm/kratos - user: 928 - group: 928 + - mode: 700 + - makedirs: True + +kratosdbdir: + file.directory: + - name: /nsm/kratos/db + - user: 928 + - group: 928 + - mode 700 - makedirs: True kratoslogdir: @@ -58,7 +67,7 @@ so-kratos: - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro - /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro - /opt/so/log/kratos/:/kratos-log:rw - - /opt/so/conf/kratos/db:/kratos-data:rw + - /nsm/kratos/db:/kratos-data:rw - port_bindings: - 0.0.0.0:4433:4433 - 0.0.0.0:4434:4434 diff --git a/setup/so-functions b/setup/so-functions index c992b3f76..ef2690d72 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -118,7 +118,7 @@ add_soremote_user_manager() { } add_web_user() { - wait_for_file /opt/so/conf/kratos/db/db.sqlite 30 5 + wait_for_file /nsm/kratos/db/db.sqlite 30 5 { echo "Attempting to add administrator user for web interface..."; export SKIP_STATE_APPLY=true From 865ba4264b236a2eb65e5686208077d626e68143 Mon Sep 17 00:00:00 2001 
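Review bot: In up_to_2.3.200 the result of `mv /opt/so/conf/kratos/db /nsm/kratos/` is never checked, so "Move completed successfully" is printed and INSTALLEDVERSION advances even when the move fails or the source directory is missing, unless errexit happens to be active at this point, which the hunk does not show. This database holds the SOC user accounts, and the same patch repoints the so-kratos bind mount at /nsm/kratos/db, so a silent failure would presumably leave Kratos starting against an empty directory. I would gate the message on the move: `mv /opt/so/conf/kratos/db /nsm/kratos/ || { echo "ERROR: could not move Kratos DB to /nsm/kratos" >&2; exit 1; }`. The `chown -R kratos:kratos` also relies on a host account named kratos, while init.sls uses the numeric id 928; writing `chown -R 928:928 /nsm/kratos` would keep the two consistent.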
From: Jason Ertel Date: Wed, 14 Dec 2022 10:57:24 -0500 Subject: [PATCH 2/6] Stop backing up kratos since it now lives in /nsm. Ensure kratos is removed when re-installing. --- salt/common/tools/sbin/so-config-backup | 1 - setup/so-functions | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-config-backup b/salt/common/tools/sbin/so-config-backup index fee7c4ffe..5c684e4e6 100755 --- a/salt/common/tools/sbin/so-config-backup +++ b/salt/common/tools/sbin/so-config-backup @@ -35,7 +35,6 @@ if [ ! -f $BACKUPFILE ]; then {%- endfor %} tar -rf $BACKUPFILE /etc/pki tar -rf $BACKUPFILE /etc/salt - tar -rf $BACKUPFILE /opt/so/conf/kratos fi diff --git a/setup/so-functions b/setup/so-functions index ef2690d72..19cfc241e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2181,6 +2181,7 @@ reinstall_init() { # Backup directories in /nsm to prevent app errors backup_dir /nsm/mysql "$date_string" backup_dir /nsm/wazuh "$date_string" + backup_dir /nsm/kratos "$date_string" # Remove the old launcher package in case the config changes remove_package launcher-final From a7a15117f074d777db22bacbfd22e98b3904f8d7 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 14 Dec 2022 12:03:47 -0500 Subject: [PATCH 3/6] Improve soup wording when the script itself needs updated --- salt/common/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a7c007393..3cd633d4c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
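Review bot: The comment above this group in reinstall_init, "Backup directories in /nsm to prevent app errors", does not mention that /nsm/kratos, unlike its neighbours, holds the SOC identity database. The commit subject also says "removed" while the code calls `backup_dir`. backup_dir is defined outside this hunk, so it cannot be confirmed from here whether the set-aside copy keeps the 700 mode and ownership that init.sls enforces on the live directory. I would add a comment such as `# /nsm/kratos holds SOC user credentials; the backup copy must keep mode 700` and verify that backup_dir preserves permissions. reinstall_init starts and ends outside the hunk.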
@@ -1226,14 +1226,14 @@ verify_latest_update_script() { if [[ "$CURRENTSOUP" == "$GITSOUP" && "$CURRENTCMN" == "$GITCMN" && "$CURRENTIMGCMN" == "$GITIMGCMN" && "$CURRENTSOFIREWALL" == "$GITSOFIREWALL" ]]; then echo "This version of the soup script is up to date. Proceeding." else - echo "You are not running the latest soup version. Updating soup and its components. Might take multiple runs to complete" + echo "You are not running the latest soup version. Updating soup and its components. This might take multiple runs to complete." cp $UPDATE_DIR/salt/common/tools/sbin/soup $DEFAULT_SALT_DIR/salt/common/tools/sbin/ cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/ cp $UPDATE_DIR/salt/common/tools/sbin/so-image-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/ cp $UPDATE_DIR/salt/common/tools/sbin/so-firewall $DEFAULT_SALT_DIR/salt/common/tools/sbin/ salt-call state.apply common.soup_scripts queue=True -linfo --file-root=$UPDATE_DIR/salt --local echo "" - echo "soup has been updated. Please run soup again." + echo "The soup script has been modified. Please run soup again to continue the upgrade." exit 0 fi } From e8a8f65ddc9ef41941056757f9698554c3c31897 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 14 Dec 2022 12:56:25 -0500 Subject: [PATCH 4/6] fix typo --- salt/kratos/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index 7583779e2..9d0387618 100644 --- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls @@ -31,7 +31,7 @@ kratosdbdir: - name: /nsm/kratos/db - user: 928 - group: 928 - - mode 700 + - mode: 700 - makedirs: True kratoslogdir: From e66c995b1ff6c748f5f9ed0156be9490c065151c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 14 Dec 2022 13:50:20 -0500 Subject: [PATCH 5/6] remove apparently unused reactor reference --- files/salt/master/master | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/files/salt/master/master b/files/salt/master/master index 5db41fb90..cf4c7da32 100644 --- a/files/salt/master/master +++ b/files/salt/master/master @@ -67,7 +67,5 @@ peer: reactor: - 'so/fleet': - salt://reactor/fleet.sls - - 'salt/beacon/*/watch_sqlite_db//opt/so/conf/kratos/db/sqlite.db': - - salt://reactor/kratos.sls From 87cebedc851bcef72569326845c08c88bee90cc9 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 14 Dec 2022 14:12:47 -0500 Subject: [PATCH 6/6] Backup the new Kratos location --- salt/common/tools/sbin/so-config-backup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/so-config-backup b/salt/common/tools/sbin/so-config-backup index 5c684e4e6..62fc04467 100755 --- a/salt/common/tools/sbin/so-config-backup +++ b/salt/common/tools/sbin/so-config-backup @@ -35,6 +35,7 @@ if [ ! -f $BACKUPFILE ]; then {%- endfor %} tar -rf $BACKUPFILE /etc/pki tar -rf $BACKUPFILE /etc/salt + tar -rf $BACKUPFILE /nsm/kratos fi
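Review bot: `tar -rf $BACKUPFILE /nsm/kratos` archives the SQLite files while so-kratos may still be writing to them, so the copy in the backup can be inconsistent and fail to restore; nothing in the hunk stops the container or takes a snapshot first. If the sqlite3 CLI is available on the manager, using its `.backup` command to write a snapshot to a temporary file and archiving that file would give a consistent copy. The archive also carries the user database out of a directory that init.sls locks to mode 700, so the backup file and its directory should be readable by root only; how $BACKUPFILE is created lies outside the hunk. The `if [ ! -f $BACKUPFILE ]` block begins before the hunk.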