# KNEL Configuration Management - FetchApply

This repository contains the KNEL server configuration management system, implemented with the FetchApply framework.

## Overview

The KNEL FetchApply system provides automated provisioning, configuration, and security hardening for Linux servers. It uses the FetchApply framework to apply configuration based on server class and hostname.

## Repository Structure

```
.
├── classes/             # Server classifications
│   ├── physical/        # Physical Dell servers
│   ├── virtual/         # Virtual machines
│   ├── librenms/        # LibreNMS monitoring servers
│   ├── database/        # Database servers
│   ├── webserver/       # Web servers
│   └── dev-workstation/ # Development workstations
├── initializers/        # One-time setup scripts
├── modules/             # Recurring maintenance modules
├── roles/               # Groups of related modules
└── variables            # Global configuration variables
```

## Installation

### Prerequisites

- Linux server (Ubuntu 18.04+ or Debian 10+ recommended)
- Root or sudo access
- Internet connectivity for package downloads

### Install FetchApply

First, install FetchApply on your system:

```bash
curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install --operations-repository-url=https://git.knownelement.com/KNEL/KNELConfigMgmt-FetchApply.git
```

The installer is executed as root, and the two commands above verify nothing beyond the HTTPS connection, so review `/tmp/install` before running the second command.

### Usage

Once installed, FetchApply will automatically:

1. Detect the server type based on hostname and hardware characteristics
2. Apply the appropriate configuration modules and initializers
3. Maintain the system configuration with regular runs

You can also run FetchApply manually:

```bash
sudo fa
```

## Server Classes

Servers are automatically classified based on their characteristics:

### Physical Servers (`physical`)

**Criteria:** Dell physical hardware detected via `dmidecode`

**Applied Modules:**

- System setup and package installation
- SSH hardening
- Security hardening
- OAM monitoring

### Virtual Machines (`virtual`)

**Criteria:** KVM/Hyper-V guests detected via `virt-what`

**Applied Modules:**

- System setup and package installation
- SSH hardening
- Security hardening (virtual-optimized)
- OAM monitoring

### LibreNMS Servers (`librenms`)

**Criteria:** Hostname contains "tsys-librenms"

**Applied Modules:**

- Standard server configuration
- LibreNMS monitoring setup
- Security hardening

### Development Workstations (`dev-workstation`)

**Criteria:** Hostname matches "subopi-dev" or "CharlesDevServer"

**Applied Modules:**

- Development tools and packages
- Less restrictive SSH configuration
- Security monitoring

## Security Features

The system includes comprehensive security hardening:

- SSH key-based authentication only
- 2FA support via Google Authenticator
- Wazuh security monitoring
- SCAP/STIG compliance hardening
- Automated security updates

## Monitoring and Management

- LibreNMS network monitoring integration
- Cockpit web-based management interface
- Comprehensive logging and audit trails
- SNMP monitoring configuration
- Performance monitoring tools

## Configuration Templates

Configuration files are managed as mustache templates (rendered with `mo`) to allow for:

- Environment-specific customizations
- Dynamic variable substitution
- Class-based configuration variations

## Maintenance

The system is designed to be idempotent and can be safely re-run to:

- Correct configuration drift
- Apply security updates
- Add new servers to the fleet
- Standardize configurations across environments

## Troubleshooting

For detailed status information:

```bash
sudo fa status
```

To run specific modules:

```bash
sudo fa run
```

To pause automatic runs during maintenance:

```bash
sudo fa pause
```

To resume automatic runs:

```bash
sudo fa resume
```

## Repository Information

**Issues:** https://projects.knownelement.com/project/reachableceo-vptechnicaloperations/timeline

**Discussion:** https://community.turnsys.com/c/chieftechnologyandproductofficer/26

## License

This project is licensed under the terms specified in the LICENSE file.
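The class detection described under Server Classes, as an added example in POSIX shell that is not the FetchApply project's own classifier: `classify_server` takes the three facts the README names (the DMI manufacturer string, the `virt-what` output and the hostname) as arguments so the rules can be exercised offline, and `detect_class` gathers those facts from the live system. The precedence (hostname rules first, then `virt-what`, then `dmidecode`), the vendor prefix `Dell` and the `virt-what` tokens `kvm` and `hyperv` are assumptions made for this example, not documented behaviour of the repository.

```shell
#!/bin/sh
# Added example of the README's server classification rules. Illustrative
# code written for this page, not FetchApply's own classifier. Rule
# precedence and the exact dmidecode/virt-what strings are assumptions.

# classify_server MANUFACTURER VIRT_WHAT HOSTNAME
# Pure function over already-collected facts, so it can be tested without
# root or the real tools. Prints exactly one class name:
#   librenms, dev-workstation, virtual, physical or unknown
classify_server() {
    local manufacturer="$1"
    local virt="$2"
    local host="$3"

    # Hostname rules are the most specific classes, so they win outright.
    case "$host" in
        *tsys-librenms*)             echo librenms;        return 0 ;;
        subopi-dev|CharlesDevServer) echo dev-workstation; return 0 ;;
    esac

    # virt-what prints one token per line (e.g. "kvm", "hyperv"). A guest
    # is classified virtual even if DMI still reports a vendor string.
    case "$virt" in
        *kvm*|*hyperv*)              echo virtual;         return 0 ;;
    esac

    # Bare metal: Dell vendor string from DMI (assumed prefix match).
    case "$manufacturer" in
        Dell*)                       echo physical;        return 0 ;;
    esac

    # Unknown hardware gets no hardening profile; callers should refuse
    # to proceed rather than guess.
    echo unknown
    return 0
}

# detect_class
# Collect the facts from the running system (dmidecode needs root) and
# classify them. Missing tools yield empty strings rather than aborting.
detect_class() {
    local manufacturer
    local virt
    local host
    manufacturer="$(dmidecode -s system-manufacturer 2>/dev/null || true)"
    virt="$(virt-what 2>/dev/null || true)"
    host="$(hostname -s 2>/dev/null || hostname)"
    classify_server "$manufacturer" "$virt" "$host"
}

# Usage: sudo sh classify.sh --detect
if [ "${1:-}" = "--detect" ]; then
    detect_class
fi
```

Run the script with `--detect` as root on a host to see which class the rules would assign; to check the rules themselves, source the file and call `classify_server` with hand-picked values.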
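The SSH hardening listed under Security Features (key-based authentication only, 2FA via Google Authenticator), as an added verification script that is not part of FetchApply or this repository: `check_sshd_policy` confirms that a rendered `sshd_config` enforces public-key login with keyboard-interactive (PAM) as the second factor, and `check_pam_2fa` confirms that the PAM stack loads `pam_google_authenticator.so`. The sample configs are constructed for the example, and the keywords and PAM line it expects are assumptions about how such a policy would be rendered, not a description of the repository's templates. The check honours two `sshd` parsing rules that defeat a naive `grep`: the first occurrence of a keyword wins, and anything after a `Match` line is conditional.

```shell
#!/bin/sh
# Added example: policy check for the README's SSH hardening (key-only
# login plus Google Authenticator 2FA). Illustrative code for this page,
# not FetchApply's or the KNEL repository's code. The keywords and the
# PAM line expected are assumptions about how the policy is rendered.

# sshd_effective FILE KEYWORD
# Print the value sshd actually uses for KEYWORD: the FIRST occurrence
# wins, keywords are case-insensitive, and everything after a Match line
# is conditional, so scanning stops there. Comments never match because
# their first field starts with '#'.
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == k       { print $2; exit }
    ' "$1"
}

# check_sshd_policy FILE
# Returns 0 when FILE enforces key + keyboard-interactive (PAM) login;
# prints each violated rule and returns 1 otherwise. Settings must be
# explicit: OpenSSH defaults are deliberately not trusted.
check_sshd_policy() {
    local f="$1"
    local rc=0
    local kbd
    local methods
    [ "$(sshd_effective "$f" PubkeyAuthentication)" = yes ] \
        || { echo "FAIL: PubkeyAuthentication must be yes"; rc=1; }
    [ "$(sshd_effective "$f" PasswordAuthentication)" = no ] \
        || { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_effective "$f" UsePAM)" = yes ] \
        || { echo "FAIL: UsePAM must be yes for pam_google_authenticator"; rc=1; }
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication; accept either.
    kbd="$(sshd_effective "$f" KbdInteractiveAuthentication)"
    [ -n "$kbd" ] || kbd="$(sshd_effective "$f" ChallengeResponseAuthentication)"
    [ "$kbd" = yes ] \
        || { echo "FAIL: KbdInteractiveAuthentication must be yes"; rc=1; }
    # Both factors must be required, key first, then the PAM prompt.
    methods="$(sshd_effective "$f" AuthenticationMethods)"
    case "$methods" in
        *publickey*keyboard-interactive*) ;;
        *) echo "FAIL: AuthenticationMethods must be publickey,keyboard-interactive"; rc=1 ;;
    esac
    return $rc
}

# check_pam_2fa FILE
# Returns 0 when the PAM sshd stack (normally /etc/pam.d/sshd) has an
# uncommented auth line that loads pam_google_authenticator.so.
check_pam_2fa() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so' "$1"
}

# write_sample_configs DIR
# Constructed sample inputs (not real fleet files) so the checks can be
# exercised offline: one hardened config, one that only looks hardened,
# and a PAM fragment.
write_sample_configs() {
    cat > "$1/sshd_config.hardened" <<'EOF'
# constructed: as rendered for the physical/virtual classes
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
    AuthenticationMethods publickey
EOF
    cat > "$1/sshd_config.weak" <<'EOF'
# constructed: the trailing "no" never takes effect because sshd honours
# the first PasswordAuthentication line it reads
PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF
    cat > "$1/pam_sshd" <<'EOF'
# constructed /etc/pam.d/sshd fragment
auth required pam_google_authenticator.so nullok
@include common-auth
EOF
}

# Usage: sh sshd_policy_check.sh /etc/ssh/sshd_config /etc/pam.d/sshd
if [ "$#" -eq 2 ]; then
    check_sshd_policy "$1" && check_pam_2fa "$2" && echo "OK: key + 2FA policy enforced"
fi
```

Point the script at the live `/etc/ssh/sshd_config` and `/etc/pam.d/sshd` after a FetchApply run to confirm the rendered files match the policy; a non-zero exit with `FAIL:` lines is the signal that a template or a later `Match` block has weakened it.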