Files

Charles N Wyble 1e506fed1d feat: Complete port of all KNELServerBuild components to FetchApply

- Add secharden-audit-agents functionality to security-hardening
- Create unattended-upgrades initializer for automatic security updates
- Port Dell-specific scripts (fixcpuperf, fixeth, omsa) to dell-config
- Port sslStackFromSource.sh to ssl-stack initializer (dev systems only)
- Create ldap-auth placeholder for future Cloudron integration
- Update server class to include all initializers
- Update security role to include unattended-upgrades
- Add build dependencies to packages for SSL stack compilation
- Update README with comprehensive documentation of all initializers

Now all components from KNELServerBuild are successfully ported to FetchApply,
including previously missed security modules, Dell server scripts, and RandD components.

Future migration path clear: Salt for ongoing management, Ansible for ComplianceAsCode.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>

2026-01-21 12:48:32 -05:00

7.5 KiB

Raw Blame History

KNEL Configuration Management - FetchApply

This repository contains the KNEL server configuration management system implemented with the FetchApply framework.

NOTE: This is a one-time provisioning system. For ongoing configuration management, this uses:

Salt for system configuration and automation
Ansible for ComplianceAsCode deployment

Overview

The KNEL FetchApply system provides automated server provisioning for Linux servers. It uses the FetchApply framework to apply initial configurations and then serves as a foundation for Salt/Ansible-based management.

Repository Structure

.
├── classes/
│   └── server/              # Single class for all servers
│       ├── initializers       # List of initializers to run
│       └── roles             # List of roles to apply
├── initializers/            # One-time setup scripts
│   ├── system-setup/       # System detection and basic setup
│   ├── packages/           # Package installation with conditional logic
│   ├── oam/              # Operations and Maintenance setup
│   ├── system-config/     # System configuration files
│   ├── ssh-hardening/     # SSH security hardening
│   ├── ssh-keys/          # SSH authorized key deployment
│   ├── postfix/           # Email configuration
│   ├── 2fa/              # Two-factor authentication setup
│   ├── wazuh/            # Wazuh security monitoring
│   ├── security-hardening/ # SCAP/STIG compliance
│   ├── unattended-upgrades/ # Automatic security updates
│   ├── dell-config/       # Dell server specific configurations
│   ├── ssl-stack/         # SSL stack compilation (dev systems)
│   ├── ldap-auth/         # LDAP authentication (placeholder)
│   ├── salt-client/       # Salt minion configuration
│   └── user-configuration/ # User shell settings
├── roles/                 # Groups of related initializers
│   ├── security          # Security-related initializers
│   └── monitoring       # Monitoring-related initializers
├── modules/               # Placeholder for future Ansible modules
└── variables             # Global configuration variables

Installation

Prerequisites

Linux server (Ubuntu 18.04+ or Debian 10+ recommended)
Root or sudo access
Internet connectivity for package downloads

Install FetchApply

First, install FetchApply on your system:

curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install --operations-repository-url=https://git.knownelement.com/KNEL/KNELConfigMgmt-FetchApply.git

Usage

Once installed, FetchApply will automatically:

Detect system characteristics (physical/virtual, OS, special hosts)
Run initializers in sequence to provision the server
Apply security hardening and configuration management setup

You can also run FetchApply manually:

sudo fa

System Detection

The system automatically detects:

Physical vs Virtual - Using dmidecode and virt-what
Operating System - Ubuntu vs Kali detection
Special Hosts - NTP servers, development workstations
User Accounts - Detects localuser and subodev users
Raspberry Pi - Hardware detection for RPi-specific configs

Initializers

Core Setup

system-setup - System detection and variable setup
packages - Package installation with conditional logic (includes build tools for SSL stack, ansible-core for ComplianceAsCode, salt-minion for ongoing management, tailscale for VPN)
user-configuration - Shell settings and user preferences

Configuration

system-config - Deploy system configuration files (SNMP, NTP, Cockpit, etc.)
ssh-hardening - SSH security hardening
ssh-keys - Deploy SSH authorized keys
postfix - Configure email delivery
salt-client - Configure Salt minion for ongoing configuration management

Security

2fa - Set up Google Authenticator for 2FA
wazuh - Deploy Wazuh security monitoring agent
security-hardening - SCAP/STIG compliance hardening (includes auditd, systemd, logrotate configs)
unattended-upgrades - Configure automatic security updates

Specialized

dell-config - Dell server specific optimizations (CPU performance, OMSA tools)
ssl-stack - Compile OpenSSL, nghttp2, curl, APR, and Apache from source (dev systems only)
ldap-auth - LDAP authentication configuration (placeholder for Cloudron)

Monitoring

oam - Operations and Maintenance tools (up2date script)

Configuration Management Tools

The system installs clients for specific management purposes:

Ansible Core - For deploying ComplianceAsCode content from https://github.com/ComplianceAsCode/content
Salt Minion - For ongoing system configuration, automation, and orchestration
Tailscale - VPN connectivity for secure remote access

Tool Responsibilities

Tool	Primary Responsibility	When Used
FetchApply	Initial server provisioning	Once at deployment
Salt	Ongoing configuration & automation	Continuously
Ansible	ComplianceAsCode deployment	Periodically/on-demand

Security Features

SSH key-based authentication only
2FA support via Google Authenticator (gradual rollout)
Wazuh security monitoring
SCAP/STIG compliance hardening
AIDE file integrity monitoring
Automatic security updates

Specialized Configurations

Dell Servers

Automatic CPU performance tuning
Dell OpenManage Server Administrator setup
Ethernet configuration scripts

Development Workstations

SSL stack compilation (OpenSSL 1.1.0h, nghttp2, curl, APR, Apache)
HTTP/2 enabled Apache HTTPd
Custom SSL installations

Future Services

Beszel monitoring (to be deployed via Salt)
Netbird networking (to be deployed via Salt)
LDAP authentication (Cloudron integration)

Migration Path

This system provides a foundation for comprehensive management:

FetchApply - Initial server provisioning (this repo)
Salt Master - Ongoing configuration management and automation
Ansible Playbooks - ComplianceAsCode deployment and management
Future Services - Beszel monitoring and Netbird networking via Salt

Compliance Management

Ansible will be used specifically to deploy and manage:

Compliance frameworks from https://github.com/ComplianceAsCode/content
Security baselines and hardening rules
Compliance validation and reporting
Documentation generation

SSL Stack Compilation

Available on development workstations or when COMPILE_SSL_STACK=true:

OpenSSL 1.1.0h with weak ciphers enabled (legacy compatibility)
nghttp2 for HTTP/2 support
curl with HTTP/2 and custom OpenSSL support
Apache HTTPd with HTTP/2 enabled
Custom installations at /usr/local/custom-ssl/

Troubleshooting

For detailed status information:

sudo fa status

To run specific initializers:

sudo fa run <initializer-name>

To compile SSL stack:

COMPILE_SSL_STACK=true sudo fa run ssl-stack

To pause automatic runs during maintenance:

sudo fa pause

To resume automatic runs:

sudo fa resume

Repository Information

Issues: https://projects.knownelement.com/project/reachableceo-vptechnicaloperations/timeline
Discussion: https://community.turnsys.com/c/chieftechnologyandproductofficer/26

License

This project is licensed under the terms specified in the LICENSE file.

7.5 KiB Raw Blame History