{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}

{#
  Builds `allowed_states`: the list of Salt state names permitted for the node
  role found in `grains.role`.

  Result, as computed below:
    - Minion Salt version equals the version pinned in salt/minion.defaults.yaml:
        allowed_states = role-specific states (if the role is known) + base_states
    - Versions differ:
        allowed_states stays empty (no role states, no base states)
    - In either case 'airgap' is appended when pillar global:airgap is truthy.
    - A role that is not a key of role_states receives base_states only.

  NOTE(review): grains.role and grains.saltversion are reported by the minion
  itself. If this map is rendered minion-side, it protects against mis-applied
  states, not against a compromised minion. Confirm that sensitive states and
  pillar data are also restricted on the master.
#}

{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}

{# `saltversion` first holds the imported YAML mapping, then is rebound to the pinned version value. #}
{% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
{% set saltversion = saltversion.salt.minion.version %}

{# Reusable state groups; the role map below is composed from these. #}
{% set base_states = [
  'common',
  'patch.os.schedule',
  'motd',
  'salt.minion-check',
  'sensoroni',
  'salt.lasthighstate',
  'salt.minion'
] %}

{% set ssl_states = [
  'ssl',
  'telegraf',
  'firewall',
  'schedule',
  'docker_clean'
] %}

{% set manager_states = [
  'salt.master',
  'ca',
  'registry',
  'manager',
  'nginx',
  'influxdb',
  'soc',
  'kratos',
  'hydra',
  'elasticfleet',
  'elastic-fleet-package-registry',
  'idstools',
  'suricata.manager',
  'utility'
] %}

{% set sensor_states = [
  'pcap',
  'suricata',
  'healthcheck',
  'tcpreplay',
  'zeek',
  'strelka'
] %}

{% set kafka_states = ['kafka'] %}

{% set stig_states = ['stig'] %}

{% set elastic_stack_states = [
  'elasticsearch',
  'elasticsearch.auth',
  'kibana',
  'kibana.secrets',
  'elastalert',
  'logstash',
  'redis'
] %}

{# Start empty so that a version mismatch leaves nothing allowed except the optional airgap entry. #}
{% set allowed_states = [] %}

{# Both sides are cast to string so a numeric-looking version still compares by its text. #}
{% if (grains.saltversion | string) == (saltversion | string) %}

  {# Role -> ordered list of permitted states.
     Jinja filters bind tighter than '+', so every reject chain is parenthesised
     around the single group it filters:
       so-eval   drops 'logstash' from elastic_stack_states only
       so-import drops 'strelka' and 'healthcheck' from sensor_states only #}
  {% set role_states = {
    'so-eval': (
      ssl_states
      + manager_states
      + sensor_states
      + (elastic_stack_states | reject('equalto', 'logstash') | list)
    ),
    'so-heavynode': (
      ssl_states
      + sensor_states
      + ['elasticagent', 'elasticsearch', 'logstash', 'redis', 'nginx']
    ),
    'so-idh': (
      ssl_states
      + ['idh']
    ),
    'so-import': (
      ssl_states
      + manager_states
      + (sensor_states | reject('equalto', 'strelka') | reject('equalto', 'healthcheck') | list)
      + ['elasticsearch', 'elasticsearch.auth', 'kibana', 'kibana.secrets', 'strelka.manager']
    ),
    'so-manager': (
      ssl_states
      + manager_states
      + ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager']
      + stig_states
      + kafka_states
      + elastic_stack_states
    ),
    'so-managerhype': (
      ssl_states
      + manager_states
      + ['salt.cloud', 'strelka.manager', 'hypervisor', 'libvirt']
      + stig_states
      + kafka_states
      + elastic_stack_states
    ),
    'so-managersearch': (
      ssl_states
      + manager_states
      + ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager']
      + stig_states
      + kafka_states
      + elastic_stack_states
    ),
    'so-searchnode': (
      ssl_states
      + ['kafka.ca', 'kafka.ssl', 'elasticsearch', 'logstash', 'nginx']
      + stig_states
    ),
    'so-standalone': (
      ssl_states
      + manager_states
      + ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users']
      + sensor_states
      + stig_states
      + kafka_states
      + elastic_stack_states
    ),
    'so-sensor': (
      ssl_states
      + sensor_states
      + ['nginx']
      + stig_states
    ),
    'so-fleet': (
      ssl_states
      + stig_states
      + ['logstash', 'nginx', 'healthcheck', 'elasticfleet']
    ),
    'so-receiver': (
      ssl_states
      + kafka_states
      + stig_states
      + ['logstash', 'redis']
    ),
    'so-hypervisor': (
      ssl_states
      + stig_states
      + ['hypervisor', 'libvirt']
    ),
    'so-desktop': (
      ['ssl', 'docker_clean', 'telegraf']
      + stig_states
    )
  } %}

  {# Unknown roles keep the empty list and therefore end up with base_states only. #}
  {% if grains.role in role_states %}
    {% set allowed_states = role_states[grains.role] %}
  {% endif %}

  {# Base states go last, in their declared order, for every role. #}
  {% do allowed_states.extend(base_states) %}

{% endif %}

{# The airgap state is appended outside the version gate, so it is allowed even on a version mismatch. #}
{% if ISAIRGAP %}
  {% do allowed_states.append('airgap') %}
{% endif %}