Initial port of KNELServerBuild to FetchApply framework

- Created base FetchApply directory structure with classes, initializers, modules, roles, and variables
- Ported SetupNewSystem.sh functionality to modular FetchApply structure
- Created server classes: physical, virtual, librenms, database, webserver, dev-workstation
- Implemented initializers for system-setup, packages, ssh-keys, and user-configuration
- Created modules for oam, system-config, ssh-hardening, and librenms-agent
- Defined security and monitoring roles
- Copied configuration templates from KNELServerBuild
- Updated README with comprehensive FetchApply usage instructions

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>

README.md

@@ -1,3 +1,165 @@
-# KNELConfigMgmt-FetchApply
+# KNEL Configuration Management - FetchApply
 
-KNEL Configuration Management Collection - FetchApply
+This repository contains the KNEL server configuration management system implemented with the FetchApply framework.
+
+## Overview
+
+The KNEL FetchApply system provides automated server provisioning, configuration, and security hardening for Linux servers. It uses the FetchApply framework to apply configurations based on server classes and hostnames.
+
+## Repository Structure
+
+```
+.
+├── classes/          # Server classifications
+│   ├── physical/     # Physical Dell servers
+│   ├── virtual/      # Virtual machines
+│   ├── librenms/     # LibreNMS monitoring servers
+│   ├── database/     # Database servers
+│   ├── webserver/    # Web servers
+│   └── dev-workstation/ # Development workstations
+├── initializers/     # One-time setup scripts
+├── modules/          # Recurring maintenance modules
+├── roles/           # Groups of related modules
+└── variables         # Global configuration variables
+```
+
+## Installation
+
+### Prerequisites
+
+- Linux server (Ubuntu 18.04+ or Debian 10+ recommended)
+- Root or sudo access
+- Internet connectivity for package downloads
+
+### Install FetchApply
+
+First, install FetchApply on your system:
+
+```bash
+curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
+sudo bash /tmp/install --operations-repository-url=https://git.knownelement.com/KNEL/KNELConfigMgmt-FetchApply.git
+```
+
+### Usage
+
+Once installed, FetchApply will automatically:
+
+1. Detect the server type based on hostname and hardware characteristics
+2. Apply the appropriate configuration modules and initializers
+3. Maintain the system configuration with regular runs
+
+You can also run FetchApply manually:
+
+```bash
+sudo fa
+```
+
+## Server Classes
+
+Servers are automatically classified based on their characteristics:
+
+### Physical Servers (`physical`)
+
+**Criteria:** Dell physical hardware detected via dmidecode
+
+**Applied Modules:**
+- System setup and package installation
+- SSH hardening
+- Security hardening
+- OAM monitoring
+
+### Virtual Machines (`virtual`)
+
+**Criteria:** KVM/Hyper-V guests detected via virt-what
+
+**Applied Modules:**
+- System setup and package installation
+- SSH hardening
+- Security hardening (virtual-optimized)
+- OAM monitoring
+
+### LibreNMS Servers (`librenms`)
+
+**Criteria:** Hostname contains "tsys-librenms"
+
+**Applied Modules:**
+- Standard server configuration
+- LibreNMS monitoring setup
+- Security hardening
+
+### Development Workstations (`dev-workstation`)
+
+**Criteria:** Hostname matches "subopi-dev" or "CharlesDevServer"
+
+**Applied Modules:**
+- Development tools and packages
+- Less restrictive SSH configuration
+- Security monitoring
+
+## Security Features
+
+The system includes comprehensive security hardening:
+
+- SSH key-based authentication only
+- 2FA support via Google Authenticator
+- Wazuh security monitoring
+- SCAP/STIG compliance hardening
+- Automated security updates
+
+## Monitoring and Management
+
+- LibreNMS network monitoring integration
+- Cockpit web-based management interface
+- Comprehensive logging and audit trails
+- SNMP monitoring configuration
+- Performance monitoring tools
+
+## Configuration Templates
+
+Configuration files are managed using mustache templates (via `mo`) to allow for:
+- Environment-specific customizations
+- Dynamic variable substitution
+- Class-based configuration variations
+
+## Maintenance
+
+The system is designed to be idempotent and can be safely re-run to:
+- Restore configuration drift
+- Apply security updates
+- Add new servers to the fleet
+- Standardize configurations across environments
+
+## Troubleshooting
+
+For detailed status information:
+
+```bash
+sudo fa status
+```
+
+To run specific modules:
+
+```bash
+sudo fa run <module-name>
+```
+
+To pause automatic runs during maintenance:
+
+```bash
+sudo fa pause
+```
+
+To resume automatic runs:
+
+```bash
+sudo fa resume
+```
+
+## Repository Information
+
+**Issues:** https://projects.knownelement.com/project/reachableceo-vptechnicaloperations/timeline  
+**Discussion:** https://community.turnsys.com/c/chieftechnologyandproductofficer/26
+
+## License
+
+This project is licensed under the terms specified in the LICENSE file.

classes/librenms/initializers

@@ -0,0 +1,13 @@
+# Initializers for LibreNMS servers
+system-setup
+packages
+
+# Modules for LibreNMS servers
+oam
+system-config
+ssh-hardening
+librenms-agent
+
+# Roles for LibreNMS servers
+security
+monitoring

classes/physical/initializers

@@ -0,0 +1,14 @@
+# Initializers for physical servers
+system-setup
+packages
+ssh-keys
+user-configuration
+
+# Modules for physical servers
+oam
+system-config
+ssh-hardening
+
+# Roles for physical servers
+security
+monitoring

classes/physical/modules

@@ -0,0 +1,5 @@
+# Modules for physical servers
+oam
+system-config
+ssh-hardening
+security-hardening

classes/virtual/modules

@@ -0,0 +1,5 @@
+# Modules for virtual servers
+oam
+system-config
+ssh-hardening
+security-hardening

classes/virtual/roles

@@ -0,0 +1,3 @@
+# Roles for virtual servers
+security
+monitoring

initializers/packages/apply

@@ -0,0 +1,125 @@
+#!/bin/bash
+
+# KNEL Package Installation
+# This initializer installs required packages
+
+set -euo pipefail
+
+echo "Installing required packages..."
+
+# Ensure apt is up to date
+apt-get update
+
+# Install basic tools first
+apt-get install -y git sudo dmidecode curl
+
+# Setup webmin repo (used for RBAC/2FA PAM)
+curl https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh >/tmp/webmin-setup.sh
+sh /tmp/webmin-setup.sh -f && rm -f /tmp/webmin-setup.sh
+
+# Setup tailscale
+curl -fsSL https://tailscale.com/install.sh | sh
+
+# Remove unwanted packages
+apt-get -y --purge remove \
+    systemd-timesyncd \
+    chrony \
+    telnet \
+    inetutils-telnet \
+    wpasupplicant \
+    modemmanager \
+    nano \
+    multipath-tools \
+    || true
+
+apt-get --purge autoremove
+
+# Install desired packages
+apt-get install -y \
+    virt-what \
+    auditd \
+    audispd-plugins \
+    cloud-guest-utils \
+    aide \
+    htop \
+    snmpd \
+    ncdu \
+    iftop \
+    iotop \
+    cockpit \
+    cockpit-bridge \
+    cockpit-doc \
+    cockpit-networkmanager \
+    cockpit-packagekit \
+    cockpit-pcp \
+    cockpit-sosreport \
+    cockpit-storaged \
+    cockpit-system \
+    cockpit-ws \
+    nethogs \
+    sysstat \
+    ngrep \
+    acct \
+    lsb-release \
+    screen \
+    tailscale \
+    tmux \
+    vim \
+    command-not-found \
+    lldpd \
+    ansible-core \
+    net-tools \
+    dos2unix \
+    gpg \
+    molly-guard \
+    lshw \
+    fzf \
+    ripgrep \
+    sudo \
+    mailutils \
+    clamav \
+    sl \
+    logwatch \
+    git \
+    net-tools \
+    tshark \
+    tcpdump \
+    lynis \
+    glances \
+    zsh \
+    zsh-autosuggestions \
+    zsh-syntax-highlighting \
+    fonts-powerline \
+    webmin \
+    usermin \
+    ntpsec \
+    ntpsec-ntpdate \
+    tuned \
+    iptables \
+    netfilter-persistent \
+    iptables-persistent \
+    pflogsumm \
+    postfix
+
+# Kali-specific packages
+if [[ $KALI_CHECK -eq 0 ]]; then
+    apt-get install -y \
+        latencytop \
+        cockpit-tests
+fi
+
+# KVM guest specific packages
+if [[ $IS_KVM_GUEST -eq 1 ]]; then
+    apt-get install -y qemu-guest-agent
+fi
+
+# Physical host specific packages
+if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then
+    apt-get install -y \
+        i7z \
+        thermald \
+        cpufrequtils \
+        linux-cpupower
+fi
+
+echo "Package installation complete"

initializers/system-setup/apply

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# KNEL System Initialization
+# This initializer performs basic system detection and setup
+
+set -euo pipefail
+
+echo "Performing system initialization..."
+
+# Detect system characteristics
+export UBUNTU_CHECK="$(grep -c Ubuntu /etc/os-release 2>/dev/null || echo 0)"
+export IS_PHYSICAL_HOST="$(/usr/sbin/dmidecode -t System 2>/dev/null | grep -c Dell || echo 0)"
+export SUBODEV_CHECK="$(getent passwd | grep -c subodev || echo 0)"
+export LOCALUSER_CHECK="$(getent passwd | grep -c localuser || echo 0)"
+export KALI_CHECK="$(grep -c kali /etc/os-release 2>/dev/null || echo 0)"
+
+# Detect virtualization
+if command -v virt-what >/dev/null 2>&1; then
+    export VIRT_TYPE="$(virt-what 2>/dev/null || echo "")"
+    export IS_VIRT_GUEST="$(echo "$VIRT_TYPE" | grep -E -c 'hyperv|kvm' || echo 0)"
+    export IS_KVM_GUEST="$(echo "$VIRT_TYPE" | grep -c 'kvm' || echo 0)"
+else
+    export VIRT_TYPE=""
+    export IS_VIRT_GUEST="0"
+    export IS_KVM_GUEST="0"
+fi
+
+# Detect special host types
+export LIBRENMS_CHECK="$(hostname | grep -c tsys-librenms || echo 0)"
+export NTP_SERVER_CHECK="$(hostname | grep -E -c 'pfv-netboot|pfvsvrpi' || echo 0)"
+export DEV_WORKSTATION_CHECK="$(hostname | grep -E -c 'subopi-dev|CharlesDevServer' || echo 0)"
+
+# Raspberry Pi detection
+if command -v vcgencmd >/dev/null 2>&1; then
+    export IS_RASPI="1"
+else
+    export IS_RASPI="0"
+fi
+
+# Set current timestamp for logging
+export CURRENT_TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S')"
+
+echo "System initialization complete"
+echo "Ubuntu: $UBUNTU_CHECK, Physical: $IS_PHYSICAL_HOST, Virtual: $IS_VIRT_GUEST"

modules/librenms-agent/apply

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# KNEL LibreNMS Agent Module
+# Deploys and configures LibreNMS monitoring agent
+
+set -euo pipefail
+
+echo "Running LibreNMS agent module..."
+
+# Check if this is a LibreNMS server
+if [[ $LIBRENMS_CHECK -eq 1 ]]; then
+    echo "This is a LibreNMS server, skipping agent setup"
+    exit 0
+fi
+
+# Deploy LibreNMS agent configuration
+if [[ -f ./configs/librenms-agent.conf ]]; then
+    # Create agent directory if needed
+    mkdir -p /etc/librenms-agent
+    
+    # Copy agent configuration
+    cp ./configs/librenms-agent.conf /etc/librenms-agent/
+    
+    # Start the agent service if available
+    if systemctl list-unit-files | grep -q librenms-agent; then
+        systemctl enable librenms-agent
+        systemctl restart librenms-agent
+    fi
+fi
+
+echo "LibreNMS agent module completed"

modules/oam/apply

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# KNEL OAM Module
+# Operations and Maintenance Module
+
+set -euo pipefail
+
+echo "Running OAM module..."
+
+# Setup up2date script
+if [[ -f ./scripts/up2date.sh ]]; then
+    cp ./scripts/up2date.sh /usr/local/bin/up2date.sh
+    chmod +x /usr/local/bin/up2date.sh
+fi
+
+# Configure LibreNMS if this is not a LibreNMS server
+if [[ $LIBRENMS_CHECK -eq 0 ]]; then
+    # Install rsyslog if needed
+    apt-get update
+    apt-get install -y rsyslog
+    
+    # Restart rsyslog
+    systemctl stop rsyslog
+    systemctl start rsyslog
+fi
+
+echo "OAM module completed"

modules/ssh-hardening/apply

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# KNEL SSH Hardening Module
+# Applies SSH security hardening configurations
+
+set -euo pipefail
+
+echo "Running SSH hardening module..."
+
+# Create SSH directories
+mkdir -p $ROOT_SSH_DIR
+
+# Setup root SSH keys
+if [[ -f ./configs/root-ssh-authorized-keys ]]; then
+    cp ./configs/root-ssh-authorized-keys $ROOT_SSH_DIR/authorized_keys
+    chmod 400 $ROOT_SSH_DIR/authorized_keys
+    chown root: $ROOT_SSH_DIR/authorized_keys
+fi
+
+# Setup localuser SSH keys
+if [[ $LOCALUSER_CHECK -gt 0 ]]; then
+    mkdir -p $LOCALUSER_SSH_DIR
+    
+    if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then
+        cp ./configs/localuser-ssh-authorized-keys $LOCALUSER_SSH_DIR/authorized_keys
+        chmod 400 $LOCALUSER_SSH_DIR/authorized_keys
+        chown localuser $LOCALUSER_SSH_DIR/authorized_keys
+    fi
+fi
+
+# Setup subodev SSH keys
+if [[ $SUBODEV_CHECK -gt 0 ]]; then
+    mkdir -p $SUBODEV_SSH_DIR
+    
+    if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then
+        cp ./configs/localuser-ssh-authorized-keys $SUBODEV_SSH_DIR/authorized_keys
+        chmod 400 $SUBODEV_SSH_DIR/authorized_keys
+        chown subodev: $SUBODEV_SSH_DIR/authorized_keys
+    fi
+fi
+
+# Deploy SSH configuration based on environment
+if [[ $DEV_WORKSTATION_CHECK -eq 0 ]]; then
+    # Production SSH configuration
+    if [[ -f ./configs/sshd-config ]]; then
+        cp ./configs/sshd-config /etc/ssh/sshd_config
+    fi
+else
+    # Development workstation - more permissive settings
+    if [[ -f ./configs/sshd-dev-config ]]; then
+        cp ./configs/sshd-dev-config /etc/ssh/sshd_config
+    fi
+fi
+
+# Additional SSH hardening for non-Ubuntu systems
+if [[ $UBUNTU_CHECK -ne 1 ]] && [[ -f ./configs/ssh-audit-hardening.conf ]]; then
+    mkdir -p /etc/ssh/sshd_config.d
+    cp ./configs/ssh-audit-hardening.conf /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
+    chmod og-rwx /etc/ssh/sshd_config.d/*
+fi
+
+# Secure SSH configuration permissions
+chmod og-rwx /etc/ssh/sshd_config
+
+echo "SSH hardening module completed"

modules/ssh-hardening/configs/localuser-ssh-authorized-keys

@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control

modules/ssh-hardening/configs/root-ssh-authorized-keys

@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control

modules/ssh-hardening/configs/ssh-audit-hardening.conf

@@ -0,0 +1,19 @@
+# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
+# hardening guide.
+ KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
+
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
+HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+RequiredRSASize 3072
+
+CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
+
+HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+
+PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

modules/ssh-hardening/configs/tsys-sshd-config

@@ -0,0 +1,20 @@
+Include /etc/ssh/sshd_config.d/*.conf
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+KbdInteractiveAuthentication no
+PrintMotd no
+PasswordAuthentication no
+AllowTcpForwarding no
+X11Forwarding no
+ChallengeResponseAuthentication no
+AcceptEnv LANG LC_*
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+UsePAM yes
+Banner /etc/issue.net
+MaxAuthTries 2
+MaxStartups 10:30:100
+PermitRootLogin prohibit-password
+ClientAliveInterval 300
+ClientAliveCountMax 3
+AllowUsers root localuser subodev
+LoginGraceTime 60

modules/system-config/apply

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# KNEL System Configuration Module
+# Applies system-wide configuration files
+
+set -euo pipefail
+
+echo "Running system configuration module..."
+
+# Create necessary directories
+mkdir -p /root/.ssh
+
+# Deploy system configuration files
+if [[ -f ./templates/zshrc ]]; then
+    mo ./templates/zshrc > /etc/zshrc
+fi
+
+if [[ -f ./templates/aliases ]]; then
+    mo ./templates/aliases > /etc/aliases
+    newaliases
+fi
+
+if [[ -f ./templates/rsyslog.conf ]]; then
+    mo ./templates/rsyslog.conf > /etc/rsyslog.conf
+fi
+
+# Configure DHCP client
+if [[ -f ./templates/dhclient.conf ]]; then
+    mo ./templates/dhclient.conf > /etc/dhcp/dhclient.conf
+fi
+
+# Configure SNMP
+systemctl stop snmpd 2>/dev/null || true
+/etc/init.d/snmpd stop 2>/dev/null || true
+
+if [[ -f ./templates/snmp-sudo.conf ]]; then
+    mo ./templates/snmp-sudo.conf > /etc/sudoers.d/Debian-snmp
+fi
+
+# Adjust SNMP service for log verbosity
+sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service
+
+# Configure SNMP based on system type
+if [[ $IS_RASPI -eq 1 ]] && [[ -f ./templates/snmpd-rpi.conf ]]; then
+    mo ./templates/snmpd-rpi.conf > /etc/snmp/snmpd.conf
+elif [[ $IS_PHYSICAL_HOST -eq 1 ]] && [[ -f ./templates/snmpd-physicalhost.conf ]]; then
+    mo ./templates/snmpd-physicalhost.conf > /etc/snmp/snmpd.conf
+elif [[ $IS_VIRT_GUEST -eq 1 ]] && [[ -f ./templates/snmpd.conf ]]; then
+    mo ./templates/snmpd.conf > /etc/snmp/snmpd.conf
+fi
+
+# Configure lldpd
+if [[ -f ./templates/lldpd ]]; then
+    mo ./templates/lldpd > /etc/default/lldpd
+    systemctl restart lldpd
+fi
+
+# Configure Cockpit
+if [[ -f ./templates/disallowed-users ]]; then
+    mo ./templates/disallowed-users > /etc/cockpit/disallowed-users
+    systemctl restart cockpit
+fi
+
+# Configure NTP for non-NTP servers
+if [[ $NTP_SERVER_CHECK -eq 0 ]] && [[ -f ./templates/ntp.conf ]]; then
+    mo ./templates/ntp.conf > /etc/ntpsec/ntp.conf
+    systemctl restart ntpsec.service
+fi
+
+# Reload systemd and restart SNMP
+systemctl daemon-reload
+systemctl restart snmpd 2>/dev/null || true
+/etc/init.d/snmpd restart 2>/dev/null || true
+
+echo "System configuration module completed"

modules/system-config/templates/aliases

@@ -0,0 +1,3 @@
+# See man 5 aliases for format
+postmaster:    root
+root: coo@turnsys.com

modules/system-config/templates/rsyslog.conf

@@ -0,0 +1,6 @@
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog")   # provides kernel logging support
+#module(load="immark")  # provides --MARK-- message capability
+
+*.* @tsys-librenms.knel.net:514
+:omusrmsg:EOF

modules/system-config/templates/zshrc

@@ -0,0 +1,258 @@
+# ~/.zshrc file for zsh interactive shells.
+# see /usr/share/doc/zsh/examples/zshrc for examples
+
+setopt autocd              # change directory just by typing its name
+#setopt correct            # auto correct mistakes
+setopt interactivecomments # allow comments in interactive mode
+setopt magicequalsubst     # enable filename expansion for arguments of the form ‘anything=expression’
+setopt nonomatch           # hide error message if there is no match for the pattern
+setopt notify              # report the status of background jobs immediately
+setopt numericglobsort     # sort filenames numerically when it makes sense
+setopt promptsubst         # enable command substitution in prompt
+
+WORDCHARS=${WORDCHARS//\/} # Don't consider certain characters part of the word
+
+# hide EOL sign ('%')
+PROMPT_EOL_MARK=""
+
+# configure key keybindings
+bindkey -v                                        # emacs key bindings
+bindkey ' ' magic-space                           # do history expansion on space
+bindkey '^U' backward-kill-line                   # ctrl + U
+bindkey '^[[3;5~' kill-word                       # ctrl + Supr
+bindkey '^[[3~' delete-char                       # delete
+bindkey '^[[1;5C' forward-word                    # ctrl + ->
+bindkey '^[[1;5D' backward-word                   # ctrl + <-
+bindkey '^[[5~' beginning-of-buffer-or-history    # page up
+bindkey '^[[6~' end-of-buffer-or-history          # page down
+bindkey '^[[H' beginning-of-line                  # home
+bindkey '^[[F' end-of-line                        # end
+bindkey '^[[Z' undo                               # shift + tab undo last action
+
+# enable completion features
+autoload -Uz compinit
+compinit -d ~/.cache/zcompdump
+zstyle ':completion:*:*:*:*:*' menu select
+zstyle ':completion:*' auto-description 'specify: %d'
+zstyle ':completion:*' completer _expand _complete
+zstyle ':completion:*' format 'Completing %d'
+zstyle ':completion:*' group-name ''
+zstyle ':completion:*' list-colors ''
+zstyle ':completion:*' list-prompt %SAt %p: Hit TAB for more, or the character to insert%s
+zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}'
+zstyle ':completion:*' rehash true
+zstyle ':completion:*' select-prompt %SScrolling active: current selection at %p%s
+zstyle ':completion:*' use-compctl false
+zstyle ':completion:*' verbose true
+zstyle ':completion:*:kill:*' command 'ps -u $USER -o pid,%cpu,tty,cputime,cmd'
+
+# History configurations
+HISTFILE=~/.zsh_history
+HISTSIZE=10000
+SAVEHIST=200000
+setopt hist_expire_dups_first # delete duplicates first when HISTFILE size exceeds HISTSIZE
+setopt hist_ignore_dups       # ignore duplicated commands history list
+setopt hist_ignore_space      # ignore commands that start with space
+setopt hist_verify            # show command with history expansion to user before running it
+#setopt share_history         # share command history data
+
+# force zsh to show the complete history
+alias history="history 0"
+
+# configure `time` format
+TIMEFMT=$'\nreal\t%E\nuser\t%U\nsys\t%S\ncpu\t%P'
+
+# make less more friendly for non-text input files, see lesspipe(1)
+#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
+    debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+    xterm-color|*-256color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+        # We have color support; assume it's compliant with Ecma-48
+        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+        # a case would tend to support setf rather than setaf.)
+        color_prompt=yes
+    else
+        color_prompt=
+    fi
+fi
+
+configure_prompt() {
+    prompt_symbol=㉿
+    # Skull emoji for root terminal
+    #[ "$EUID" -eq 0 ] && prompt_symbol=💀
+    case "$PROMPT_ALTERNATIVE" in
+        twoline)
+            PROMPT=$'%F{%(#.blue.green)}┌──${debian_chroot:+($debian_chroot)─}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))─}(%B%F{%(#.red.blue)}%n'$prompt_symbol$'%m%b%F{%(#.blue.green)})-[%B%F{reset}%(6~.%-1~/…/%4~.%5~)%b%F{%(#.blue.green)}]\n└─%B%(#.%F{red}#.%F{blue}$)%b%F{reset} '
+            # Right-side prompt with exit codes and background processes
+            #RPROMPT=$'%(?.. %? %F{red}%B⨯%b%F{reset})%(1j. %j %F{yellow}%B⚙%b%F{reset}.)'
+            ;;
+        oneline)
+            PROMPT=$'${debian_chroot:+($debian_chroot)}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))}%B%F{%(#.red.blue)}%n@%m%b%F{reset}:%B%F{%(#.blue.green)}%~%b%F{reset}%(#.#.$) '
+            RPROMPT=
+            ;;
+        backtrack)
+            PROMPT=$'${debian_chroot:+($debian_chroot)}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))}%B%F{red}%n@%m%b%F{reset}:%B%F{blue}%~%b%F{reset}%(#.#.$) '
+            RPROMPT=
+            ;;
+    esac
+    unset prompt_symbol
+}
+
+# The following block is surrounded by two delimiters.
+# These delimiters must not be modified. Thanks.
+# START KALI CONFIG VARIABLES
+PROMPT_ALTERNATIVE=twoline
+NEWLINE_BEFORE_PROMPT=yes
+# STOP KALI CONFIG VARIABLES
+
+if [ "$color_prompt" = yes ]; then
+    # override default virtualenv indicator in prompt
+    VIRTUAL_ENV_DISABLE_PROMPT=1
+
+    configure_prompt
+
+    # enable syntax-highlighting
+    if [ -f /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh ]; then
+        . /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+        ZSH_HIGHLIGHT_HIGHLIGHTERS=(main brackets pattern)
+        ZSH_HIGHLIGHT_STYLES[default]=none
+        ZSH_HIGHLIGHT_STYLES[unknown-token]=underline
+        ZSH_HIGHLIGHT_STYLES[reserved-word]=fg=cyan,bold
+        ZSH_HIGHLIGHT_STYLES[suffix-alias]=fg=green,underline
+        ZSH_HIGHLIGHT_STYLES[global-alias]=fg=green,bold
+        ZSH_HIGHLIGHT_STYLES[precommand]=fg=green,underline
+        ZSH_HIGHLIGHT_STYLES[commandseparator]=fg=blue,bold
+        ZSH_HIGHLIGHT_STYLES[autodirectory]=fg=green,underline
+        ZSH_HIGHLIGHT_STYLES[path]=bold
+        ZSH_HIGHLIGHT_STYLES[path_pathseparator]=
+        ZSH_HIGHLIGHT_STYLES[path_prefix_pathseparator]=
+        ZSH_HIGHLIGHT_STYLES[globbing]=fg=blue,bold
+        ZSH_HIGHLIGHT_STYLES[history-expansion]=fg=blue,bold
+        ZSH_HIGHLIGHT_STYLES[command-substitution]=none
+        ZSH_HIGHLIGHT_STYLES[command-substitution-delimiter]=fg=magenta,bold
+        ZSH_HIGHLIGHT_STYLES[process-substitution]=none
+        ZSH_HIGHLIGHT_STYLES[process-substitution-delimiter]=fg=magenta,bold
+        ZSH_HIGHLIGHT_STYLES[single-hyphen-option]=fg=green
+        ZSH_HIGHLIGHT_STYLES[double-hyphen-option]=fg=green
+        ZSH_HIGHLIGHT_STYLES[back-quoted-argument]=none
+        ZSH_HIGHLIGHT_STYLES[back-quoted-argument-delimiter]=fg=blue,bold
+        ZSH_HIGHLIGHT_STYLES[single-quoted-argument]=fg=yellow
+        ZSH_HIGHLIGHT_STYLES[double-quoted-argument]=fg=yellow
+        ZSH_HIGHLIGHT_STYLES[dollar-quoted-argument]=fg=yellow
+        ZSH_HIGHLIGHT_STYLES[rc-quote]=fg=magenta
+        ZSH_HIGHLIGHT_STYLES[dollar-double-quoted-argument]=fg=magenta,bold
+        ZSH_HIGHLIGHT_STYLES[back-double-quoted-argument]=fg=magenta,bold
+        ZSH_HIGHLIGHT_STYLES[back-dollar-quoted-argument]=fg=magenta,bold
+        ZSH_HIGHLIGHT_STYLES[assign]=none
+        ZSH_HIGHLIGHT_STYLES[redirection]=fg=blue,bold
+        ZSH_HIGHLIGHT_STYLES[comment]=fg=black,bold
+        ZSH_HIGHLIGHT_STYLES[named-fd]=none
+        ZSH_HIGHLIGHT_STYLES[numeric-fd]=none
+        ZSH_HIGHLIGHT_STYLES[arg0]=fg=cyan
+        ZSH_HIGHLIGHT_STYLES[bracket-error]=fg=red,bold
+        ZSH_HIGHLIGHT_STYLES[bracket-level-1]=fg=blue,bold
+        ZSH_HIGHLIGHT_STYLES[bracket-level-2]=fg=green,bold
+        ZSH_HIGHLIGHT_STYLES[bracket-level-3]=fg=magenta,bold
+        ZSH_HIGHLIGHT_STYLES[bracket-level-4]=fg=yellow,bold
+        ZSH_HIGHLIGHT_STYLES[bracket-level-5]=fg=cyan,bold
+        ZSH_HIGHLIGHT_STYLES[cursor-matchingbracket]=standout
+    fi
+else
+    PROMPT='${debian_chroot:+($debian_chroot)}%n@%m:%~%(#.#.$) '
+fi
+unset color_prompt force_color_prompt
+
+toggle_oneline_prompt(){
+    if [ "$PROMPT_ALTERNATIVE" = oneline ]; then
+        PROMPT_ALTERNATIVE=twoline
+    else
+        PROMPT_ALTERNATIVE=oneline
+    fi
+    configure_prompt
+    zle reset-prompt
+}
+zle -N toggle_oneline_prompt
+bindkey ^P toggle_oneline_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*|Eterm|aterm|kterm|gnome*|alacritty)
+    TERM_TITLE=$'\e]0;${debian_chroot:+($debian_chroot)}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))}%n@%m: %~\a'
+    ;;
+*)
+    ;;
+esac
+
+precmd() {
+    # Print the previously configured title
+    print -Pnr -- "$TERM_TITLE"
+
+    # Print a new line before the prompt, but only if it is not the first line
+    if [ "$NEWLINE_BEFORE_PROMPT" = yes ]; then
+        if [ -z "$_NEW_LINE_BEFORE_PROMPT" ]; then
+            _NEW_LINE_BEFORE_PROMPT=1
+        else
+            print ""
+        fi
+    fi
+}
+
+# enable color support of ls, less and man, and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+    export LS_COLORS="$LS_COLORS:ow=30;44:" # fix ls color for folders with 777 permissions
+
+    alias ls='ls --color=auto'
+    #alias dir='dir --color=auto'
+    #alias vdir='vdir --color=auto'
+
+    alias grep='grep --color=auto'
+    alias fgrep='fgrep --color=auto'
+    alias egrep='egrep --color=auto'
+    alias diff='diff --color=auto'
+    alias ip='ip --color=auto'
+
+    export LESS_TERMCAP_mb=$'\E[1;31m'     # begin blink
+    export LESS_TERMCAP_md=$'\E[1;36m'     # begin bold
+    export LESS_TERMCAP_me=$'\E[0m'        # reset bold/blink
+    export LESS_TERMCAP_so=$'\E[01;33m'    # begin reverse video
+    export LESS_TERMCAP_se=$'\E[0m'        # reset reverse video
+    export LESS_TERMCAP_us=$'\E[1;32m'     # begin underline
+    export LESS_TERMCAP_ue=$'\E[0m'        # reset underline
+
+    # Take advantage of $LS_COLORS for completion as well
+    zstyle ':completion:*' list-colors "${(s.:.)LS_COLORS}"
+    zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#)*=0=01;31'
+fi
+
+# some more ls aliases
+alias ll='ls -l'
+alias la='ls -A'
+alias l='ls -CF'
+
+# enable auto-suggestions based on the history
+if [ -f /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh ]; then
+    . /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh
+    # change suggestion color
+    ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE='fg=#999'
+fi
+
+# enable command-not-found if installed
+if [ -f /etc/zsh_command_not_found ]; then
+    . /etc/zsh_command_not_found
+fi

roles/monitoring

@@ -0,0 +1,6 @@
+# Monitoring Role
+# Combines monitoring and management modules
+
+oam
+system-config
+monitoring

roles/security

@@ -0,0 +1,7 @@
+# Security Role
+# Combines all security-related modules
+
+ssh-hardening
+2fa
+wazuh
+security-hardening

variables

@@ -0,0 +1,34 @@
+# KNEL FetchApply Configuration Variables
+# This file contains global variables used throughout the FetchApply modules
+
+# Download root for external configurations
+export DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
+
+# System detection variables (will be populated at runtime)
+export UBUNTU_CHECK
+export IS_PHYSICAL_HOST
+export SUBODEV_CHECK
+export LOCALUSER_CHECK
+export KALI_CHECK
+export VIRT_TYPE
+export IS_VIRT_GUEST
+export IS_KVM_GUEST
+export LIBRENMS_CHECK
+export NTP_SERVER_CHECK
+export DEV_WORKSTATION_CHECK
+export IS_RASPI
+
+# User directories
+export ROOT_SSH_DIR="/root/.ssh"
+export LOCALUSER_SSH_DIR="/home/localuser/.ssh"
+export SUBODEV_SSH_DIR="/home/subodev/.ssh"
+
+# Framework paths
+export KNELShellFrameworkRoot="/usr/local/share/KNEL/ShellFramework"
+
+# Package management
+export DEBIAN_FRONTEND="noninteractive"
+
+# Logging
+export CURRENT_TIMESTAMP
+export LOGFILENAME="/var/log/fetchapply/knel-deployment.log"