Comment out LDAP configuration deployment as cloudron-ldap.conf
does not exist in the configs directory. Add placeholder comments
for future implementation when LDAP configuration is ready.

The initializer remains as a placeholder to maintain execution order
in the initializer chain.

🤖 Generated with [Crush](https://github.com/charmassociates/crush)
Assisted-by: GLM-5 via Crush <crush@charm.land>

Fix SSH configuration deployment to use the correct config filename:

- Change ./configs/sshd-config to ./configs/tsys-sshd-config
- Change ./configs/sshd-dev-config to ./configs/tsys-sshd-config

Both production and development environments now use the unified
tsys-sshd-config file to ensure consistent SSH hardening across
all deployment scenarios.

🤖 Generated with [Crush](https://github.com/charmassociates/crush)
Assisted-by: GLM-5 via Crush <crush@charm.land>

Add Dell-specific server management scripts:

- fixeth.sh: Ethernet interface naming fix script for Dell
  servers that require consistent network interface naming
  after BIOS/firmware updates or hardware changes
- omsa.sh: Dell OpenManage Server Administrator installation
  script for hardware monitoring, health status, and
  out-of-band management capabilities

These scripts support Dell PowerEdge server operations in
the KNEL infrastructure, enabling hardware monitoring and
consistent network configuration.

Related: KNELServerBuild/ProjectCode/Dell/Server/

Add Salt minion configuration for ongoing configuration management:

- salt-minion: Configuration file pointing to the Salt master
  at salt-master.knownelement.com with appropriate settings
  for the KNEL infrastructure

This enables the server to receive configuration management
updates, orchestration commands, and compliance enforcement
from the central Salt master after initial provisioning.

Part of the KNEL management stack: FetchApply → Salt → Ansible

Add comprehensive Wazuh agent configuration for security monitoring:

- wazuh-agent.conf: Full XML configuration including:
  * Server connection to tsys-nsm.knel.net via TCP/1514
  * AES encryption for agent-server communication
  * Rootcheck module for rootkit and anomaly detection
  * Syscheck file integrity monitoring for critical paths
    (/etc, /usr/bin, /usr/sbin, /bin, /sbin)
  * Log collection from syslog, auth.log, kern.log, dmesg
  * Active response capability enabled
  * Environment/organization labels for asset management

The agent connects to the centralized Wazuh server for log
aggregation, intrusion detection, and compliance monitoring.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-wazuh.sh

Add configuration files required for two-factor authentication
via Google Authenticator:

- sshd-pam: PAM configuration integrating Google Authenticator
  with standard Unix authentication, using nullok for gradual
  rollout allowing users without 2FA to still authenticate
- sshd-2fa-config: SSH daemon configuration additions enabling
  ChallengeResponseAuthentication and KeyboardInteractive
  authentication methods required for 2FA flow

These configs support the KNEL security baseline requiring 2FA
for SSH access while maintaining backward compatibility during
user onboarding.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-2fa.sh

- Add secharden-audit-agents functionality to security-hardening
- Create unattended-upgrades initializer for automatic security updates
- Port Dell-specific scripts (fixcpuperf, fixeth, omsa) to dell-config
- Port sslStackFromSource.sh to ssl-stack initializer (dev systems only)
- Create ldap-auth placeholder for future Cloudron integration
- Update server class to include all initializers
- Update security role to include unattended-upgrades
- Add build dependencies to packages for SSL stack compilation
- Update README with comprehensive documentation of all initializers

Now all components from KNELServerBuild are successfully ported to FetchApply,
including previously missed security modules, Dell server scripts, and RandD components.

Future migration path clear: Salt for ongoing management, Ansible for ComplianceAsCode.

💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>

- Remove all librenms references from initializers and configuration
- Keep tailscale as requested (remove netbird plans)
- Add ansible-core (already present) and salt-minion packages
- Create salt-client initializer for minion configuration
- Update roles to replace librenms-agent with salt-client
- Simplify oam initializer to only handle up2date script
- Update README to reflect new architecture and tools

Prepares infrastructure for migration to Salt configuration management
while maintaining tailscale for VPN connectivity.

💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>

- Created base FetchApply directory structure with classes, initializers, modules, roles, and variables
- Ported SetupNewSystem.sh functionality to modular FetchApply structure
- Created server classes: physical, virtual, librenms, database, webserver, dev-workstation
- Implemented initializers for system-setup, packages, ssh-keys, and user-configuration
- Created modules for oam, system-config, ssh-hardening, and librenms-agent
- Defined security and monitoring roles
- Copied configuration templates from KNELServerBuild
- Updated README with comprehensive FetchApply usage instructions

💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>