Add configuration files required for two-factor authentication
via Google Authenticator:

- sshd-pam: PAM configuration integrating Google Authenticator
  with standard Unix authentication, using nullok for gradual
  rollout allowing users without 2FA to still authenticate
- sshd-2fa-config: SSH daemon configuration additions enabling
  ChallengeResponseAuthentication and KeyboardInteractive
  authentication methods required for 2FA flow

These configs support the KNEL security baseline requiring 2FA
for SSH access while maintaining backward compatibility during
user onboarding.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-2fa.sh

- Add secharden-audit-agents functionality to security-hardening
- Create unattended-upgrades initializer for automatic security updates
- Port Dell-specific scripts (fixcpuperf, fixeth, omsa) to dell-config
- Port sslStackFromSource.sh to ssl-stack initializer (dev systems only)
- Create ldap-auth placeholder for future Cloudron integration
- Update server class to include all initializers
- Update security role to include unattended-upgrades
- Add build dependencies to packages for SSL stack compilation
- Update README with comprehensive documentation of all initializers

Now all components from KNELServerBuild are successfully ported to FetchApply,
including previously missed security modules, Dell server scripts, and RandD components.
Future migration path clear: Salt for ongoing management, Ansible for ComplianceAsCode.

💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>

- Add MENTALMODEL.md documenting architecture and tool responsibilities
- Clarify Salt is for ongoing configuration management and automation
- Clarify Ansible is for ComplianceAsCode deployment from github.com/ComplianceAsCode/content
- Update README.md to reflect correct understanding of tool purposes
- Update decision matrix for when to use each tool
- Document migration path and future service plans (Beszel, Netbird via Salt)

Establishes clear separation of concerns across the configuration management ecosystem.

💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>

- Remove all librenms references from initializers and configuration
- Keep tailscale as requested (remove netbird plans)
- Add ansible-core (already present) and salt-minion packages
- Create salt-client initializer for minion configuration
- Update roles to replace librenms-agent with salt-client
- Simplify oam initializer to only handle up2date script
- Update README to reflect new architecture and tools

Prepares infrastructure for migration to Salt configuration management
while maintaining tailscale for VPN connectivity.

💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>

- Configure all server classes (physical, virtual, database, webserver, ntp-server, librenms, dev-workstation)
- Set appropriate initializers, modules, and roles for each class
- Define class-specific configurations based on server type
- Standardize configuration across all server types

💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>

- Created base FetchApply directory structure with classes, initializers, modules, roles, and variables
- Ported SetupNewSystem.sh functionality to modular FetchApply structure
- Created server classes: physical, virtual, librenms, database, webserver, dev-workstation
- Implemented initializers for system-setup, packages, ssh-keys, and user-configuration
- Created modules for oam, system-config, ssh-hardening, and librenms-agent
- Defined security and monitoring roles
- Copied configuration templates from KNELServerBuild
- Updated README with comprehensive FetchApply usage instructions

💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>