- Remove all librenms references from initializers and configuration
- Keep tailscale as requested (remove netbird plans)
- Add ansible-core (already present) and salt-minion packages
- Create salt-client initializer for minion configuration
- Update roles to replace librenms-agent with salt-client
- Simplify oam initializer to only handle up2date script
- Update README to reflect new architecture and tools

Prepares infrastructure for migration to Salt configuration management while maintaining tailscale for VPN connectivity.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
KNEL Configuration Management - FetchApply
This repository contains the KNEL server configuration management system implemented with the FetchApply framework.
NOTE: This is a one-time provisioning system. For ongoing configuration management, this will be replaced by:
- Ansible playbooks for configuration management
- Salt for system orchestration
Overview
The KNEL FetchApply system provides automated server provisioning for Linux servers. It uses the FetchApply framework to apply initial configurations and then serves as a foundation for migrating to Ansible/Salt-based management.
Repository Structure
.
├── classes/
│   └── server/                  # Single class for all servers
│       ├── initializers         # List of initializers to run
│       └── roles                # List of roles to apply
├── initializers/                # One-time setup scripts
│   ├── system-setup/            # System detection and basic setup
│   ├── packages/                # Package installation with conditional logic
│   ├── oam/                     # Operations and Maintenance setup
│   ├── system-config/           # System configuration files
│   ├── ssh-hardening/           # SSH security hardening
│   ├── ssh-keys/                # SSH authorized key deployment
│   ├── postfix/                 # Email configuration
│   ├── 2fa/                     # Two-factor authentication setup
│   ├── wazuh/                   # Wazuh security monitoring
│   ├── security-hardening/      # SCAP/STIG compliance
│   ├── salt-client/             # Salt minion configuration
│   └── user-configuration/      # User shell settings
├── roles/                       # Groups of related initializers
│   ├── security                 # Security-related initializers
│   └── monitoring               # Monitoring-related initializers
├── modules/                     # Placeholder for future Ansible modules
└── variables                    # Global configuration variables
Installation
Prerequisites
- Linux server (Ubuntu 18.04+ or Debian 10+ recommended)
- Root or sudo access
- Internet connectivity for package downloads
Install FetchApply
First, install FetchApply on your system:
curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install --operations-repository-url=https://git.knownelement.com/KNEL/KNELConfigMgmt-FetchApply.git
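The two commands above run a freshly downloaded script as root from a predictable path in /tmp. The following is an added example, not part of the original README or of the FetchApply project: it downloads the same installer to a mktemp file, refuses to run it unless its SHA-256 matches a pinned value, and only then passes it to sudo. The function names are hypothetical, EXPECTED_SHA256 is a placeholder you fill in after reviewing the installer, and sha256sum (coreutils) is assumed to be present.

```shell
#!/usr/bin/env bash
# Added example: download, verify, then run the FetchApply installer.
INSTALL_URL='https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install'
OPS_REPO='https://git.knownelement.com/KNEL/KNELConfigMgmt-FetchApply.git'
# Placeholder: set to the SHA-256 of the installer revision you reviewed.
EXPECTED_SHA256='REPLACE_WITH_REVIEWED_SHA256'

# verify_sha256 FILE EXPECTED -> 0 only if FILE hashes to EXPECTED (64 hex chars).
verify_sha256() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject an unset placeholder or malformed pin instead of comparing against it.
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 2
    actual=$(sha256sum -- "$file" | cut -d' ' -f1) || return 2
    [ "$actual" = "$expected" ]
}

# Hypothetical wrapper around the README's two install commands.
install_fetchapply() {
    local tmp rc
    # mktemp avoids the predictable, world-writable /tmp/install path.
    tmp=$(mktemp) || return 1
    # --fail: an HTTP error page is never saved as the script.
    # --proto/--proto-redir: HTTPS only, including after redirects.
    if ! curl --fail --silent --show-error --location \
              --proto '=https' --proto-redir '=https' -o "$tmp" "$INSTALL_URL"; then
        rm -f -- "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$EXPECTED_SHA256"; then
        echo "installer checksum mismatch or pin not set; not running it" >&2
        rm -f -- "$tmp"; return 1
    fi
    sudo bash "$tmp" --operations-repository-url="$OPS_REPO"
    rc=$?
    rm -f -- "$tmp"
    return "$rc"
}
```

Source the file and call install_fetchapply once EXPECTED_SHA256 is set; with the placeholder left in, the function exits before anything runs as root.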
Usage
Once installed, FetchApply will automatically:
- Detect system characteristics (physical/virtual, OS, special hosts)
- Run initializers in sequence to provision the server
- Apply security hardening and configuration management setup
You can also run FetchApply manually:
sudo fa
System Detection
The system automatically detects:
- Physical vs Virtual - Using dmidecode and virt-what
- Operating System - Ubuntu vs Kali detection
- Special Hosts - NTP servers, development workstations
- User Accounts - Detects localuser and subodev users
- Raspberry Pi - Hardware detection for RPi-specific configs
Initializers
Core Setup
- system-setup - System detection and variable setup
- packages - Package installation with conditional logic (includes ansible-core, salt-minion, tailscale)
- user-configuration - Shell settings and user preferences
Configuration
- system-config - Deploy system configuration files (SNMP, NTP, Cockpit, etc.)
- ssh-hardening - SSH security hardening
- ssh-keys - Deploy SSH authorized keys
- postfix - Configure email delivery
- salt-client - Configure Salt minion for configuration management
Security
- 2fa - Set up Google Authenticator for 2FA
- wazuh - Deploy Wazuh security monitoring agent
- security-hardening - SCAP/STIG compliance hardening
Monitoring
- oam - Operations and Maintenance tools (up2date script)
Configuration Management Tools
The system installs clients for future configuration management:
- Ansible Core - Already installed for ad-hoc automation tasks
- Salt Minion - Configured and ready for Salt master connection
- Tailscale - VPN connectivity for secure remote access
Security Features
- SSH key-based authentication only
- 2FA support via Google Authenticator (gradual rollout)
- Wazuh security monitoring
- SCAP/STIG compliance hardening
- AIDE file integrity monitoring
Migration Path
This system is designed as an initial provisioning step. Future migration plans:
- Ansible Playbooks - Replace initializers with Ansible roles for configuration management
- Salt Configuration - Use Salt master for ongoing configuration orchestration
- Vault Integration - Centralized secrets management
Troubleshooting
For detailed status information:
sudo fa status
To run specific initializers:
sudo fa run <initializer-name>
To pause automatic runs during maintenance:
sudo fa pause
To resume automatic runs:
sudo fa resume
Repository Information
Issues: https://projects.knownelement.com/project/reachableceo-vptechnicaloperations/timeline
Discussion: https://community.turnsys.com/c/chieftechnologyandproductofficer/26
License
This project is licensed under the terms specified in the LICENSE file.