graylog: Use keystore to verify ldap connection

graylog/default-graylog-server

@@ -0,0 +1,22 @@
+# Path to a custom java executable. By default the java executable of the
+# bundled JVM is used.
+#JAVA=/usr/bin/java
+
+# Default Java options for heap and garbage collection.
+GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow"
+
+# Avoid endless loop with some TLSv1.3 implementations.
+GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true"
+
+# Fix for log4j CVE-2021-44228
+GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
+
+# Use custom keystore for self signed certificate
+GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts"
+
+# Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
+GRAYLOG_SERVER_ARGS=""
+
+# Program that will be used to wrap the graylog-server command. Useful to
+# support programs like authbind.
+GRAYLOG_COMMAND_WRAPPER=""

graylog/init.sls

@@ -23,6 +23,7 @@ graylog-server:
     - pkgs:
       - graylog-server
       - python3-ldap
+      - ca-certificates-java
     - require:
       - pkgrepo: graylog-repo
       - service: mongodb
@@ -44,6 +45,13 @@ graylog-server:
     - require:
       - pkg: graylog-server
 
+/etc/default/graylog-server:
+  file.managed:
+    - source: salt://graylog/default-graylog-server
+    - mode: 644
+    - require:
+      - pkg: graylog-server
+
 # Default connection config for graylog api scripts
 /etc/graylog-api-scripts.conf:
   file.managed: