KNEL/KNELConfigMgmt-FetchApply
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
Files
afe61cae9dd9b2e1db30d0d4eb44f0cca93ddc16
KNELConfigMgmt-FetchApply/initializers/ssh-hardening/apply
Charles N Wyble afe61cae9d refactor: Remove librenms, add ansible/salt clients 
- Remove all librenms references from initializers and configuration
- Keep tailscale as requested (remove netbird plans)
- Add ansible-core (already present) and salt-minion packages
- Create salt-client initializer for minion configuration
- Update roles to replace librenms-agent with salt-client
- Simplify oam initializer to only handle up2date script
- Update README to reflect new architecture and tools

Prepares infrastructure for migration to Salt configuration management
while maintaining tailscale for VPN connectivity.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 11:43:35 -05:00

65 lines
2.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# KNEL SSH Hardening Module
# Applies SSH security hardening configurations
set -euo pipefail
echo "Running SSH hardening module..."
# Create SSH directories
mkdir -p $ROOT_SSH_DIR
# Setup root SSH keys
if [[ -f ./configs/root-ssh-authorized-keys ]]; then
cp ./configs/root-ssh-authorized-keys $ROOT_SSH_DIR/authorized_keys
chmod 400 $ROOT_SSH_DIR/authorized_keys
chown root: $ROOT_SSH_DIR/authorized_keys
fi
# Setup localuser SSH keys
if [[ $LOCALUSER_CHECK -gt 0 ]]; then
mkdir -p $LOCALUSER_SSH_DIR
if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then
cp ./configs/localuser-ssh-authorized-keys $LOCALUSER_SSH_DIR/authorized_keys
chmod 400 $LOCALUSER_SSH_DIR/authorized_keys
chown localuser $LOCALUSER_SSH_DIR/authorized_keys
fi
fi
# Setup subodev SSH keys
if [[ $SUBODEV_CHECK -gt 0 ]]; then
mkdir -p $SUBODEV_SSH_DIR
if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then
cp ./configs/localuser-ssh-authorized-keys $SUBODEV_SSH_DIR/authorized_keys
chmod 400 $SUBODEV_SSH_DIR/authorized_keys
chown subodev: $SUBODEV_SSH_DIR/authorized_keys
fi
fi
# Deploy SSH configuration based on environment
if [[ $DEV_WORKSTATION_CHECK -eq 0 ]]; then
# Production SSH configuration
if [[ -f ./configs/sshd-config ]]; then
cp ./configs/sshd-config /etc/ssh/sshd_config
fi
else
# Development workstation - more permissive settings
if [[ -f ./configs/sshd-dev-config ]]; then
cp ./configs/sshd-dev-config /etc/ssh/sshd_config
fi
fi
# Additional SSH hardening for non-Ubuntu systems
if [[ $UBUNTU_CHECK -ne 1 ]] && [[ -f ./configs/ssh-audit-hardening.conf ]]; then
mkdir -p /etc/ssh/sshd_config.d
cp ./configs/ssh-audit-hardening.conf /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
chmod og-rwx /etc/ssh/sshd_config.d/*
fi
# Secure SSH configuration permissions
chmod og-rwx /etc/ssh/sshd_config
echo "SSH hardening module completed"
View Git Blame Copy Permalink