Initial port of KNELServerBuild to FetchApply framework

- Created base FetchApply directory structure with classes, initializers, modules, roles, and variables - Ported SetupNewSystem.sh functionality to modular FetchApply structure - Created server classes: physical, virtual, librenms, database, webserver, dev-workstation - Implemented initializers for system-setup, packages, ssh-keys, and user-configuration - Created modules for oam, system-config, ssh-hardening, and librenms-agent - Defined security and monitoring roles - Copied configuration templates from KNELServerBuild - Updated README with comprehensive FetchApply usage instructions 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 11:05:17 -05:00
parent c82ab1b7db
commit 09d93e37cd
45 changed files with 928 additions and 2 deletions
--- a/modules/ssh-hardening/apply
+++ b/modules/ssh-hardening/apply
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# KNEL SSH Hardening Module
+# Applies SSH security hardening configurations
+
+set -euo pipefail
+
+echo "Running SSH hardening module..."
+
+# Create SSH directories
+mkdir -p $ROOT_SSH_DIR
+
+# Setup root SSH keys
+if [[ -f ./configs/root-ssh-authorized-keys ]]; then
+    cp ./configs/root-ssh-authorized-keys $ROOT_SSH_DIR/authorized_keys
+    chmod 400 $ROOT_SSH_DIR/authorized_keys
+    chown root: $ROOT_SSH_DIR/authorized_keys
+fi
+
+# Setup localuser SSH keys
+if [[ $LOCALUSER_CHECK -gt 0 ]]; then
+    mkdir -p $LOCALUSER_SSH_DIR
+    
+    if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then
+        cp ./configs/localuser-ssh-authorized-keys $LOCALUSER_SSH_DIR/authorized_keys
+        chmod 400 $LOCALUSER_SSH_DIR/authorized_keys
+        chown localuser $LOCALUSER_SSH_DIR/authorized_keys
+    fi
+fi
+
+# Setup subodev SSH keys
+if [[ $SUBODEV_CHECK -gt 0 ]]; then
+    mkdir -p $SUBODEV_SSH_DIR
+    
+    if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then
+        cp ./configs/localuser-ssh-authorized-keys $SUBODEV_SSH_DIR/authorized_keys
+        chmod 400 $SUBODEV_SSH_DIR/authorized_keys
+        chown subodev: $SUBODEV_SSH_DIR/authorized_keys
+    fi
+fi
+
+# Deploy SSH configuration based on environment
+if [[ $DEV_WORKSTATION_CHECK -eq 0 ]]; then
+    # Production SSH configuration
+    if [[ -f ./configs/sshd-config ]]; then
+        cp ./configs/sshd-config /etc/ssh/sshd_config
+    fi
+else
+    # Development workstation - more permissive settings
+    if [[ -f ./configs/sshd-dev-config ]]; then
+        cp ./configs/sshd-dev-config /etc/ssh/sshd_config
+    fi
+fi
+
+# Additional SSH hardening for non-Ubuntu systems
+if [[ $UBUNTU_CHECK -ne 1 ]] && [[ -f ./configs/ssh-audit-hardening.conf ]]; then
+    mkdir -p /etc/ssh/sshd_config.d
+    cp ./configs/ssh-audit-hardening.conf /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
+    chmod og-rwx /etc/ssh/sshd_config.d/*
+fi
+
+# Secure SSH configuration permissions
+chmod og-rwx /etc/ssh/sshd_config
+
+echo "SSH hardening module completed"
--- a/modules/ssh-hardening/configs/localuser-ssh-authorized-keys
+++ b/modules/ssh-hardening/configs/localuser-ssh-authorized-keys
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control
--- a/modules/ssh-hardening/configs/root-ssh-authorized-keys
+++ b/modules/ssh-hardening/configs/root-ssh-authorized-keys
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control
--- a/modules/ssh-hardening/configs/ssh-audit-hardening.conf
+++ b/modules/ssh-hardening/configs/ssh-audit-hardening.conf
@@ -0,0 +1,19 @@
+# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
+# hardening guide.
+ KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
+
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
+HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+RequiredRSASize 3072
+
+CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
+
+HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+
+PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
--- a/modules/ssh-hardening/configs/tsys-sshd-config
+++ b/modules/ssh-hardening/configs/tsys-sshd-config
@@ -0,0 +1,20 @@
+Include /etc/ssh/sshd_config.d/*.conf
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+KbdInteractiveAuthentication no
+PrintMotd no
+PasswordAuthentication no
+AllowTcpForwarding no
+X11Forwarding no
+ChallengeResponseAuthentication no
+AcceptEnv LANG LC_*
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+UsePAM yes
+Banner /etc/issue.net
+MaxAuthTries 2
+MaxStartups 10:30:100
+PermitRootLogin prohibit-password
+ClientAliveInterval 300
+ClientAliveCountMax 3
+AllowUsers root localuser subodev
+LoginGraceTime 60