Add Dell-specific server management scripts:
- fixeth.sh: Ethernet interface naming fix script for Dell
servers that require consistent network interface naming
after BIOS/firmware updates or hardware changes
- omsa.sh: Dell OpenManage Server Administrator installation
script for hardware monitoring, health status, and
out-of-band management capabilities
These scripts support Dell PowerEdge server operations in
the KNEL infrastructure, enabling hardware monitoring and
consistent network configuration.
Related: KNELServerBuild/ProjectCode/Dell/Server/
Add Salt minion configuration for ongoing configuration management:
- salt-minion: Configuration file pointing to the Salt master
at salt-master.knownelement.com with appropriate settings
for the KNEL infrastructure
This enables the server to receive configuration management
updates, orchestration commands, and compliance enforcement
from the central Salt master after initial provisioning.
Part of the KNEL management stack: FetchApply → Salt → Ansible
Add comprehensive Wazuh agent configuration for security monitoring:
- wazuh-agent.conf: Full XML configuration including:
* Server connection to tsys-nsm.knel.net via TCP/1514
* AES encryption for agent-server communication
* Rootcheck module for rootkit and anomaly detection
* Syscheck file integrity monitoring for critical paths
(/etc, /usr/bin, /usr/sbin, /bin, /sbin)
* Log collection from syslog, auth.log, kern.log, dmesg
* Active response capability enabled
* Environment/organization labels for asset management
The agent connects to the centralized Wazuh server for log
aggregation, intrusion detection, and compliance monitoring.
Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-wazuh.sh
Add configuration files required for two-factor authentication
via Google Authenticator:
- sshd-pam: PAM configuration integrating Google Authenticator
with standard Unix authentication, using nullok for gradual
rollout allowing users without 2FA to still authenticate
- sshd-2fa-config: SSH daemon configuration additions enabling
ChallengeResponseAuthentication and KeyboardInteractive
authentication methods required for 2FA flow
These configs support the KNEL security baseline requiring 2FA
for SSH access while maintaining backward compatibility during
user onboarding.
Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-2fa.sh
- Add secharden-audit-agents functionality to security-hardening
- Create unattended-upgrades initializer for automatic security updates
- Port Dell-specific scripts (fixcpuperf, fixeth, omsa) to dell-config
- Port sslStackFromSource.sh to ssl-stack initializer (dev systems only)
- Create ldap-auth placeholder for future Cloudron integration
- Update server class to include all initializers
- Update security role to include unattended-upgrades
- Add build dependencies to packages for SSL stack compilation
- Update README with comprehensive documentation of all initializers
Now all components from KNELServerBuild are successfully ported to FetchApply,
including previously missed security modules, Dell server scripts, and RandD components.
Future migration path clear: Salt for ongoing management, Ansible for ComplianceAsCode.
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
- Add MENTALMODEL.md documenting architecture and tool responsibilities
- Clarify Salt is for ongoing configuration management and automation
- Clarify Ansible is for ComplianceAsCode deployment from github.com/ComplianceAsCode/content
- Update README.md to reflect correct understanding of tool purposes
- Update decision matrix for when to use each tool
- Document migration path and future service plans (Beszel, Netbird via Salt)
Establishes clear separation of concerns across the configuration management ecosystem.
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
- Remove all librenms references from initializers and configuration
- Keep tailscale as requested (remove netbird plans)
- Add ansible-core (already present) and salt-minion packages
- Create salt-client initializer for minion configuration
- Update roles to replace librenms-agent with salt-client
- Simplify oam initializer to only handle up2date script
- Update README to reflect new architecture and tools
Prepares infrastructure for migration to Salt configuration management
while maintaining tailscale for VPN connectivity.
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
- Configure all server classes (physical, virtual, database, webserver, ntp-server, librenms, dev-workstation)
- Set appropriate initializers, modules, and roles for each class
- Define class-specific configurations based on server type
- Standardize configuration across all server types
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
- Created base FetchApply directory structure with classes, initializers, modules, roles, and variables
- Ported SetupNewSystem.sh functionality to modular FetchApply structure
- Created server classes: physical, virtual, librenms, database, webserver, dev-workstation
- Implemented initializers for system-setup, packages, ssh-keys, and user-configuration
- Created modules for oam, system-config, ssh-hardening, and librenms-agent
- Defined security and monitoring roles
- Copied configuration templates from KNELServerBuild
- Updated README with comprehensive FetchApply usage instructions
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
