Using git for /opt/so/saltstack/local/salt/

[tomjones1977]

I've had an idea for managing IDS rules, ingest parsers etc with git to track changes and allow recovery in the event of catastrophic failure of the manager node. With SOv2 the idea is easier as all the custom config data is under a single folder - /opt/so/saltstack/local/salt/.

Is there any reason why storing this in a git repo is a bad idea or wouldn't work?

[dougburks]

You can certainly try it on a test box and see. Of course, you'll want to ensure that's a private git repo instead of public!

[jpvlsmv]

It can be done for some of the salt data, but others parts are harder.

For reference, #5054 also addresses this.

From my research, it is fairly easy to add the "pillar" portion of /opt/so/saltstack into git via the salt gitfs fileserver backend (see https://docs.saltproject.io/en/latest/ref/pillar/all/salt.pillar.git_pillar.html#git-pillar-configuration):

/etc/salt/master.d/local-repo.conf:

# Configure the salt master to pull state files from remote git
fileserver_backend:
  - gitfs
  - roots
gitfs_provider: pygit2
gitfs_remotes:
  - ssh://[email protected]/path:
    # repo has saltstack/local/pillar/global.sls for example
    - root: saltstack/local
    # salt "base" env -> git branch "main"
    - base: main
    - privkey: /root/.ssh/id_git
    - pubkey: /root/.ssh/id_git.pub

With this in place, I can put what I'd normally place in /opt/so/saltstack/local/pillar/thresholding/pillar.sls in the repo as saltstack/local/pillar/thresholding/pillar.sls and the salt master will fetch that file out of the main branch.

Unfortunately, this only works for pillar files, not for the salt state (according to something I read but can't find right now to cite). According to https://docs.saltproject.io/en/latest/topics/development/conventions/formulas.html it should be quite practical to move the security onion state files into a formula, but I haven't tried that yet.

If you make progress on this with your own testing, please share :)

--Joe