Charles N Wyble 09d93e37cd Initial port of KNELServerBuild to FetchApply framework
- Created base FetchApply directory structure with classes, initializers, modules, roles, and variables
- Ported SetupNewSystem.sh functionality to modular FetchApply structure
- Created server classes: physical, virtual, librenms, database, webserver, dev-workstation
- Implemented initializers for system-setup, packages, ssh-keys, and user-configuration
- Created modules for oam, system-config, ssh-hardening, and librenms-agent
- Defined security and monitoring roles
- Copied configuration templates from KNELServerBuild
- Updated README with comprehensive FetchApply usage instructions

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 11:05:17 -05:00
2025-07-18 18:51:43 +00:00

KNEL Configuration Management - FetchApply

This repository contains the KNEL server configuration management system implemented with the FetchApply framework.

Overview

The KNEL FetchApply system provides automated server provisioning, configuration, and security hardening for Linux servers. It uses the FetchApply framework to apply configurations based on server classes and hostnames.

Repository Structure

.
├── classes/          # Server classifications
│   ├── physical/     # Physical Dell servers
│   ├── virtual/      # Virtual machines
│   ├── librenms/     # LibreNMS monitoring servers
│   ├── database/     # Database servers
│   ├── webserver/    # Web servers
│   └── dev-workstation/ # Development workstations
├── initializers/     # One-time setup scripts
├── modules/          # Recurring maintenance modules
├── roles/            # Groups of related modules
└── variables         # Global configuration variables

Installation

Prerequisites

  • Linux server (Ubuntu 18.04+ or Debian 10+ recommended)
  • Root or sudo access
  • Internet connectivity for package downloads

Install FetchApply

First, install FetchApply on your system:

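# -f makes curl fail on an HTTP error instead of saving the error page that bash would then run as root
curl -f https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install --operations-repository-url=https://git.knownelement.com/KNEL/KNELConfigMgmt-FetchApply.git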

Usage

Once installed, FetchApply will automatically:

  1. Detect the server type based on hostname and hardware characteristics
  2. Apply the appropriate configuration modules and initializers
  3. Maintain the system configuration with regular runs

You can also run FetchApply manually:

sudo fa

Server Classes

Servers are automatically classified based on their characteristics:

Physical Servers (physical)

Criteria: Dell physical hardware detected via dmidecode

Applied Modules:

  • System setup and package installation
  • SSH hardening
  • Security hardening
  • OAM monitoring

Virtual Machines (virtual)

Criteria: KVM/Hyper-V guests detected via virt-what

Applied Modules:

  • System setup and package installation
  • SSH hardening
  • Security hardening (virtual-optimized)
  • OAM monitoring

LibreNMS Servers (librenms)

Criteria: Hostname contains "tsys-librenms"

Applied Modules:

  • Standard server configuration
  • LibreNMS monitoring setup
  • Security hardening

Development Workstations (dev-workstation)

Criteria: Hostname matches "subopi-dev" or "CharlesDevServer"

Applied Modules:

  • Development tools and packages
  • Less restrictive SSH configuration
  • Security monitoring
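
The classification criteria above, written as a single testable function. This is an added example, not code from the KNEL repository or from FetchApply; it covers only the four classes whose criteria this README gives. The name `classify_server`, its argument order, the hostname-before-hardware precedence and the exact-match handling of the dev-workstation names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of FetchApply or the KNEL repository.
# classify_server is a hypothetical helper. Inputs are arguments so the rules
# can be exercised without root or real hardware:
#   $1 = hostname
#   $2 = DMI vendor string (dmidecode -s system-manufacturer)
#   $3 = virt-what output (empty on bare metal)
classify_server() {
    # Hostname rules first (assumed precedence; the README does not state one).
    case "$1" in
        subopi-dev|CharlesDevServer)
            # Exact match (assumption): this class gets the less restrictive
            # SSH configuration, so "subopi-dev-db01" must not inherit it.
            echo "dev-workstation"; return 0 ;;
        *tsys-librenms*)
            echo "librenms"; return 0 ;;
    esac

    # Hardware rules: KVM/Hyper-V guests, then Dell bare metal.
    case "$3" in
        *kvm*|*hyperv*) echo "virtual"; return 0 ;;
    esac
    if [ -z "$3" ]; then
        case "$2" in
            Dell*) echo "physical"; return 0 ;;
        esac
    fi

    # Fail closed: an unknown host gets no class instead of a default one.
    echo "unclassified"
    return 1
}

# Live use, run as root: ./classify.sh --live
if [ "${1:-}" = "--live" ]; then
    classify_server "$(hostname -s)" \
        "$(dmidecode -s system-manufacturer 2>/dev/null)" \
        "$(virt-what 2>/dev/null)"
fi
```

Because the class decides which SSH policy a host receives, the function returns a non-zero status for hosts that match no rule, so a caller can stop instead of applying a default.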

Security Features

The system includes comprehensive security hardening:

  • SSH key-based authentication only
  • 2FA support via Google Authenticator
  • Wazuh security monitoring
  • SCAP/STIG compliance hardening
  • Automated security updates

Monitoring and Management

  • LibreNMS network monitoring integration
  • Cockpit web-based management interface
  • Comprehensive logging and audit trails
  • SNMP monitoring configuration
  • Performance monitoring tools

Configuration Templates

Configuration files are managed using mustache templates (via mo) to allow for:

  • Environment-specific customizations
  • Dynamic variable substitution
  • Class-based configuration variations

Maintenance

The system is designed to be idempotent and can be safely re-run to:

  • Correct configuration drift
  • Apply security updates
  • Add new servers to the fleet
  • Standardize configurations across environments

Troubleshooting

For detailed status information:

sudo fa status

To run specific modules:

sudo fa run <module-name>

To pause automatic runs during maintenance:

sudo fa pause

To resume automatic runs:

sudo fa resume

Repository Information

Issues: https://projects.knownelement.com/project/reachableceo-vptechnicaloperations/timeline
Discussion: https://community.turnsys.com/c/chieftechnologyandproductofficer/26

License

This project is licensed under the terms specified in the LICENSE file.

Description
KNEL Configuration Management Collection - FetchApply
Readme AGPL-3.0 174 KiB