{# this list of services is used to loop through and add fw rules if the service is enabled #}
{# smb is not in this list since it does not need any ports open #}
{% set IDH_SERVICES = [
     'ftp',
     'git',
     'http',
     'httpproxy',
     'mssql',
     'mysql',
     'ntp',
     'redis',
     'sip',
     'snmp',
     'ssh',
     'telnet',
     'tftp',
     'vnc'
] %}

{% set IDH_PORTGROUPS = {} %}

{% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %}
{% set IDHMERGED = salt['pillar.get']('idh', IDHCONFIG.idh, merge=True) %}
{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', default=IDHCONFIG.idh.restrict_management_ip) %}
{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
{# update skinlist to skin.list to avoid issues with SOC UI config #}
{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http_x_skinlist') %}
{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy_x_skinlist') %}
{% do OPENCANARYCONFIG.update({'http_x_skin_x_list': HTTPSKINLIST}) %}
{% do OPENCANARYCONFIG.update({'httpproxy_x_skin_x_list': HTTPPROXYSKINLIST}) %}

{% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}

{% for service in IDH_SERVICES %}
  {% if service in ["smnp","ntp", "tftp"] %}
    {% set proto = 'udp' %}
  {% else %}
    {% set proto = 'tcp' %}
  {% endif %}
  {% if OPENCANARYCONFIG[service ~ '_x_enabled'] %}
    {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '_x_port']]}}) %}
  {% endif %}
{% endfor %}

{% do IDH_PORTGROUPS.update({'openssh': {'tcp': [OPENSSH.config.port]}}) %}

{% do OPENCANARYCONFIG.update({'device.node_id': grains.host}) %}