refactor: Remove librenms, add ansible/salt clients

- Remove all librenms references from initializers and configuration
- Keep tailscale as requested (remove netbird plans)
- Add ansible-core (already present) and salt-minion packages
- Create salt-client initializer for minion configuration
- Update roles to replace librenms-agent with salt-client
- Simplify oam initializer to only handle up2date script
- Update README to reflect new architecture and tools

Prepares infrastructure for migration to Salt configuration management
while maintaining tailscale for VPN connectivity.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>

initializers/2fa/apply

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# KNEL 2FA Module
+# Configures two-factor authentication via Google Authenticator
+
+set -euo pipefail
+
+echo "Running 2FA module..."
+
+# Install Google Authenticator for PAM
+DEBIAN_FRONTEND="noninteractive" apt-get -y install \
+    libpam-google-authenticator \
+    qrencode
+
+# Configure PAM for SSH with 2FA (use nullok for gradual rollout)
+if [[ -f ./configs/sshd-pam ]]; then
+    cp ./configs/sshd-pam /etc/pam.d/sshd
+fi
+
+# Configure SSH to allow challenge-response authentication
+if [[ -f ./configs/sshd-2fa-config ]]; then
+    # Backup existing config
+    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
+    
+    # Add 2FA settings to SSH config
+    cat ./configs/sshd-2fa-config >> /etc/ssh/sshd_config
+fi
+
+# Restart SSH service
+systemctl restart ssh
+
+echo "2FA module completed"
+echo "Note: Users must run 'google-authenticator' to set up their 2FA tokens"