KNEL/KNELConfigMgmt-FetchApply
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
Files
afe61cae9dd9b2e1db30d0d4eb44f0cca93ddc16
KNELConfigMgmt-FetchApply/README.md
Charles N Wyble afe61cae9d refactor: Remove librenms, add ansible/salt clients 
- Remove all librenms references from initializers and configuration
- Keep tailscale as requested (remove netbird plans)
- Add ansible-core (already present) and salt-minion packages
- Create salt-client initializer for minion configuration
- Update roles to replace librenms-agent with salt-client
- Simplify oam initializer to only handle up2date script
- Update README to reflect new architecture and tools

Prepares infrastructure for migration to Salt configuration management
while maintaining tailscale for VPN connectivity.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 11:43:35 -05:00

161 lines
5.3 KiB
Markdown
Raw Blame History

# KNEL Configuration Management - FetchApply
This repository contains the KNEL server configuration management system implemented with the FetchApply framework.
**NOTE:** This is a one-time provisioning system. For ongoing configuration management, this will be replaced by:
- Ansible playbooks for configuration management
- Salt for system orchestration
## Overview
The KNEL FetchApply system provides automated server provisioning for Linux servers. It uses the FetchApply framework to apply initial configurations and then serves as a foundation for migrating to Ansible/Salt-based management.
## Repository Structure
```
.
├── classes/
│ └── server/ # Single class for all servers
│ ├── initializers # List of initializers to run
│ └── roles # List of roles to apply
├── initializers/ # One-time setup scripts
│ ├── system-setup/ # System detection and basic setup
│ ├── packages/ # Package installation with conditional logic
│ ├── oam/ # Operations and Maintenance setup
│ ├── system-config/ # System configuration files
│ ├── ssh-hardening/ # SSH security hardening
│ ├── ssh-keys/ # SSH authorized key deployment
│ ├── postfix/ # Email configuration
│ ├── 2fa/ # Two-factor authentication setup
│ ├── wazuh/ # Wazuh security monitoring
│ ├── security-hardening/ # SCAP/STIG compliance
│ ├── salt-client/ # Salt minion configuration
│ └── user-configuration/ # User shell settings
├── roles/ # Groups of related initializers
│ ├── security # Security-related initializers
│ └── monitoring # Monitoring-related initializers
├── modules/ # Placeholder for future Ansible modules
└── variables # Global configuration variables
```
## Installation
### Prerequisites
- Linux server (Ubuntu 18.04+ or Debian 10+ recommended)
- Root or sudo access
- Internet connectivity for package downloads
### Install FetchApply
First, install FetchApply on your system:
```bash
curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install --operations-repository-url=https://git.knownelement.com/KNEL/KNELConfigMgmt-FetchApply.git
```
### Usage
Once installed, FetchApply will automatically:
1. Detect system characteristics (physical/virtual, OS, special hosts)
2. Run initializers in sequence to provision the server
3. Apply security hardening and configuration management setup
You can also run FetchApply manually:
```bash
sudo fa
```
## System Detection
The system automatically detects:
- **Physical vs Virtual** - Using dmidecode and virt-what
- **Operating System** - Ubuntu vs Kali detection
- **Special Hosts** - NTP servers, development workstations
- **User Accounts** - Detects localuser and subodev users
- **Raspberry Pi** - Hardware detection for RPi-specific configs
## Initializers
### Core Setup
- **system-setup** - System detection and variable setup
- **packages** - Package installation with conditional logic (includes ansible-core, salt-minion, tailscale)
- **user-configuration** - Shell settings and user preferences
### Configuration
- **system-config** - Deploy system configuration files (SNMP, NTP, Cockpit, etc.)
- **ssh-hardening** - SSH security hardening
- **ssh-keys** - Deploy SSH authorized keys
- **postfix** - Configure email delivery
- **salt-client** - Configure Salt minion for configuration management
### Security
- **2fa** - Set up Google Authenticator for 2FA
- **wazuh** - Deploy Wazuh security monitoring agent
- **security-hardening** - SCAP/STIG compliance hardening
### Monitoring
- **oam** - Operations and Maintenance tools (up2date script)
## Configuration Management Tools
The system installs clients for future configuration management:
- **Ansible Core** - Already installed for ad-hoc automation tasks
- **Salt Minion** - Configured and ready for Salt master connection
- **Tailscale** - VPN connectivity for secure remote access
## Security Features
- SSH key-based authentication only
- 2FA support via Google Authenticator (gradual rollout)
- Wazuh security monitoring
- SCAP/STIG compliance hardening
- AIDE file integrity monitoring
## Migration Path
This system is designed as an initial provisioning step. Future migration plans:
1. **Ansible Playbooks** - Replace initializers with Ansible roles for configuration management
2. **Salt Configuration** - Use Salt master for ongoing configuration orchestration
3. **Vault Integration** - Centralized secrets management
## Troubleshooting
For detailed status information:
```bash
sudo fa status
```
To run specific initializers:
```bash
sudo fa run <initializer-name>
```
To pause automatic runs during maintenance:
```bash
sudo fa pause
```
To resume automatic runs:
```bash
sudo fa resume
```
## Repository Information
**Issues:** https://projects.knownelement.com/project/reachableceo-vptechnicaloperations/timeline
**Discussion:** https://community.turnsys.com/c/chieftechnologyandproductofficer/26
## License
This project is licensed under terms specified in the LICENSE file.
View Git Blame Copy Permalink