Add configuration files required for two-factor authentication
via Google Authenticator:
- sshd-pam: PAM configuration integrating Google Authenticator
with standard Unix authentication, using nullok for gradual
rollout allowing users without 2FA to still authenticate
- sshd-2fa-config: SSH daemon configuration additions enabling
ChallengeResponseAuthentication and KeyboardInteractive
authentication methods required for 2FA flow
These configs support the KNEL security baseline requiring 2FA
for SSH access while maintaining backward compatibility during
user onboarding.
Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-2fa.sh
- Remove all librenms references from initializers and configuration
- Keep tailscale as requested (remove netbird plans)
- Add ansible-core (already present) and salt-minion packages
- Create salt-client initializer for minion configuration
- Update roles to replace librenms-agent with salt-client
- Simplify oam initializer to only handle up2date script
- Update README to reflect new architecture and tools
Prepares infrastructure for migration to Salt configuration management
while maintaining tailscale for VPN connectivity.
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>