feat: Complete port of all KNELServerBuild components to FetchApply
- Add secharden-audit-agents functionality to security-hardening - Create unattended-upgrades initializer for automatic security updates - Port Dell-specific scripts (fixcpuperf, fixeth, omsa) to dell-config - Port sslStackFromSource.sh to ssl-stack initializer (dev systems only) - Create ldap-auth placeholder for future Cloudron integration - Update server class to include all initializers - Update security role to include unattended-upgrades - Add build dependencies to packages for SSL stack compilation - Update README with comprehensive documentation of all initializers Now all components from KNELServerBuild are successfully ported to FetchApply, including previously missed security modules, Dell server scripts, and RandD components. Future migration path clear: Salt for ongoing management, Ansible for ComplianceAsCode. 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>
This commit is contained in:
51
README.md
51
README.md
@@ -29,6 +29,10 @@ The KNEL FetchApply system provides automated server provisioning for Linux serv
|
||||
│ ├── 2fa/ # Two-factor authentication setup
|
||||
│ ├── wazuh/ # Wazuh security monitoring
|
||||
│ ├── security-hardening/ # SCAP/STIG compliance
|
||||
│ ├── unattended-upgrades/ # Automatic security updates
|
||||
│ ├── dell-config/ # Dell server specific configurations
|
||||
│ ├── ssl-stack/ # SSL stack compilation (dev systems)
|
||||
│ ├── ldap-auth/ # LDAP authentication (placeholder)
|
||||
│ ├── salt-client/ # Salt minion configuration
|
||||
│ └── user-configuration/ # User shell settings
|
||||
├── roles/ # Groups of related initializers
|
||||
@@ -83,7 +87,7 @@ The system automatically detects:
|
||||
|
||||
### Core Setup
|
||||
- **system-setup** - System detection and variable setup
|
||||
- **packages** - Package installation with conditional logic (includes ansible-core for ComplianceAsCode, salt-minion for ongoing management, tailscale for VPN)
|
||||
- **packages** - Package installation with conditional logic (includes build tools for SSL stack, ansible-core for ComplianceAsCode, salt-minion for ongoing management, tailscale for VPN)
|
||||
- **user-configuration** - Shell settings and user preferences
|
||||
|
||||
### Configuration
|
||||
@@ -96,7 +100,13 @@ The system automatically detects:
|
||||
### Security
|
||||
- **2fa** - Set up Google Authenticator for 2FA
|
||||
- **wazuh** - Deploy Wazuh security monitoring agent
|
||||
- **security-hardening** - SCAP/STIG compliance hardening
|
||||
- **security-hardening** - SCAP/STIG compliance hardening (includes auditd, systemd, logrotate configs)
|
||||
- **unattended-upgrades** - Configure automatic security updates
|
||||
|
||||
### Specialized
|
||||
- **dell-config** - Dell server specific optimizations (CPU performance, OMSA tools)
|
||||
- **ssl-stack** - Compile OpenSSL, nghttp2, curl, APR, and Apache from source (dev systems only)
|
||||
- **ldap-auth** - LDAP authentication configuration (placeholder for Cloudron)
|
||||
|
||||
### Monitoring
|
||||
- **oam** - Operations and Maintenance tools (up2date script)
|
||||
@@ -124,10 +134,28 @@ The system installs clients for specific management purposes:
|
||||
- Wazuh security monitoring
|
||||
- SCAP/STIG compliance hardening
|
||||
- AIDE file integrity monitoring
|
||||
- Automatic security updates
|
||||
|
||||
## Specialized Configurations
|
||||
|
||||
### Dell Servers
|
||||
- Automatic CPU performance tuning
|
||||
- Dell OpenManage Server Administrator setup
|
||||
- Ethernet configuration scripts
|
||||
|
||||
### Development Workstations
|
||||
- SSL stack compilation (OpenSSL 1.1.0h, nghttp2, curl, APR, Apache)
|
||||
- HTTP/2 enabled Apache HTTPd
|
||||
- Custom SSL installations
|
||||
|
||||
### Future Services
|
||||
- Beszel monitoring (to be deployed via Salt)
|
||||
- Netbird networking (to be deployed via Salt)
|
||||
- LDAP authentication (Cloudron integration)
|
||||
|
||||
## Migration Path
|
||||
|
||||
This system provides the foundation for comprehensive management:
|
||||
This system provides a foundation for comprehensive management:
|
||||
|
||||
1. **FetchApply** - Initial server provisioning (this repo)
|
||||
2. **Salt Master** - Ongoing configuration management and automation
|
||||
@@ -142,6 +170,15 @@ Ansible will be used specifically to deploy and manage:
|
||||
- Compliance validation and reporting
|
||||
- Documentation generation
|
||||
|
||||
## SSL Stack Compilation
|
||||
|
||||
Available on development workstations or when `COMPILE_SSL_STACK=true`:
|
||||
- OpenSSL 1.1.0h with weak ciphers enabled (legacy compatibility)
|
||||
- nghttp2 for HTTP/2 support
|
||||
- curl with HTTP/2 and custom OpenSSL support
|
||||
- Apache HTTPd with HTTP/2 enabled
|
||||
- Custom installations at `/usr/local/custom-ssl/`
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
For detailed status information:
|
||||
@@ -156,6 +193,12 @@ To run specific initializers:
|
||||
sudo fa run <initializer-name>
|
||||
```
|
||||
|
||||
To compile SSL stack:
|
||||
|
||||
```bash
|
||||
COMPILE_SSL_STACK=true sudo fa run ssl-stack
|
||||
```
|
||||
|
||||
To pause automatic runs during maintenance:
|
||||
|
||||
```bash
|
||||
@@ -175,4 +218,4 @@ sudo fa resume
|
||||
|
||||
## License
|
||||
|
||||
This project is licensed under terms specified in the LICENSE file.
|
||||
This project is licensed under the terms specified in the LICENSE file.
|
||||
Reference in New Issue
Block a user