- Add MENTALMODEL.md documenting architecture and tool responsibilities
- Clarify Salt is for ongoing configuration management and automation
- Clarify Ansible is for ComplianceAsCode deployment from github.com/ComplianceAsCode/content
- Update README.md to reflect correct understanding of tool purposes
- Update decision matrix for when to use each tool
- Document migration path and future service plans (Beszel, Netbird via Salt)

Establishes clear separation of concerns across the configuration management ecosystem.

💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
KNEL Configuration Management - FetchApply
This repository contains the KNEL server configuration management system implemented with the FetchApply framework.
NOTE: This is a one-time provisioning system. Ongoing management is handed off to:
- Salt for system configuration and automation
- Ansible for ComplianceAsCode deployment
Overview
The KNEL FetchApply system provides automated server provisioning for Linux servers. It uses the FetchApply framework to apply initial configurations and then serves as a foundation for Salt/Ansible-based management.
Repository Structure
```text
.
├── classes/
│   └── server/              # Single class for all servers
│       ├── initializers     # List of initializers to run
│       └── roles            # List of roles to apply
├── initializers/            # One-time setup scripts
│   ├── system-setup/        # System detection and basic setup
│   ├── packages/            # Package installation with conditional logic
│   ├── oam/                 # Operations and Maintenance setup
│   ├── system-config/       # System configuration files
│   ├── ssh-hardening/       # SSH security hardening
│   ├── ssh-keys/            # SSH authorized key deployment
│   ├── postfix/             # Email configuration
│   ├── 2fa/                 # Two-factor authentication setup
│   ├── wazuh/               # Wazuh security monitoring
│   ├── security-hardening/  # SCAP/STIG compliance
│   ├── salt-client/         # Salt minion configuration
│   └── user-configuration/  # User shell settings
├── roles/                   # Groups of related initializers
│   ├── security             # Security-related initializers
│   └── monitoring           # Monitoring-related initializers
├── modules/                 # Placeholder for future Ansible modules
└── variables                # Global configuration variables
```
Installation
Prerequisites
- Linux server (Ubuntu 18.04+ or Debian 10+ recommended)
- Root or sudo access
- Internet connectivity for package downloads
Install FetchApply
First, download the FetchApply installer, review the downloaded script (it runs as root), and then run it pointing at this operations repository:

```bash
curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install --operations-repository-url=https://git.knownelement.com/KNEL/KNELConfigMgmt-FetchApply.git
```
Usage
Once installed, FetchApply will automatically:
- Detect system characteristics (physical/virtual, OS, special hosts)
- Run initializers in sequence to provision the server
- Apply security hardening and configuration management setup
You can also run FetchApply manually:
```bash
sudo fa
```
System Detection
The system automatically detects:
- Physical vs Virtual - Using dmidecode and virt-what
- Operating System - Ubuntu vs Kali detection
- Special Hosts - NTP servers, development workstations
- User Accounts - Detects localuser and subodev users
- Raspberry Pi - Hardware detection for RPi-specific configs
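The detection checks listed above, as an added example in the shape of a system-setup initializer (this is not the repository's own script; the function names, the parsing of virt-what/dmidecode output, /etc/os-release, /proc/device-tree/model and /etc/passwd, and the sample inputs are assumptions):

```bash
#!/usr/bin/env bash
# Added example, not code from the repository: detection helpers in the
# style of the system-setup initializer. Each takes already-collected input
# (command output or file contents) so it can be tested without root.

# Physical vs virtual: virt-what prints a hypervisor name (empty on bare
# metal); dmidecode -s system-manufacturer is the fallback signal.
detect_platform() {
  local virt_what_out="$1" dmi_manufacturer="$2"
  if [ -n "$virt_what_out" ]; then
    echo "virtual"; return
  fi
  case "$dmi_manufacturer" in
    *QEMU*|*VMware*|*VirtualBox*|*Xen*|*"Microsoft Corporation"*) echo "virtual" ;;
    *) echo "physical" ;;
  esac
}

# Distribution from the ID= line of /etc/os-release (Ubuntu vs Kali).
detect_os() {
  local id
  id=$(printf '%s\n' "$1" | sed -n 's/^ID=//p' | tr -d '"')
  case "$id" in
    ubuntu|kali|debian) echo "$id" ;;
    *) echo "unknown" ;;
  esac
}

# Raspberry Pi hardware from /proc/device-tree/model.
detect_rpi() {
  case "$1" in
    "Raspberry Pi"*) echo "yes" ;;
    *) echo "no" ;;
  esac
}

# Which of the expected accounts exist, given /etc/passwd contents.
detect_users() {
  local found="" u
  for u in localuser subodev; do
    printf '%s\n' "$1" | grep -q "^$u:" && found="$found $u"
  done
  echo "${found# }"
}

# Constructed sample inputs standing in for live command output.
detect_platform "kvm" "QEMU"                        # virtual
detect_os "$(printf 'NAME="Ubuntu"\nID=ubuntu\n')"  # ubuntu
detect_rpi "Raspberry Pi 4 Model B Rev 1.4"         # yes
```

On a live host, feed the functions with `"$(virt-what 2>/dev/null)"`, `"$(dmidecode -s system-manufacturer 2>/dev/null)"`, `"$(cat /etc/os-release)"`, `"$(tr -d '\0' < /proc/device-tree/model 2>/dev/null)"` and `"$(cat /etc/passwd)"`.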
Initializers
Core Setup
- system-setup - System detection and variable setup
- packages - Package installation with conditional logic (includes ansible-core for ComplianceAsCode, salt-minion for ongoing management, tailscale for VPN)
- user-configuration - Shell settings and user preferences
Configuration
- system-config - Deploy system configuration files (SNMP, NTP, Cockpit, etc.)
- ssh-hardening - SSH security hardening
- ssh-keys - Deploy SSH authorized keys
- postfix - Configure email delivery
- salt-client - Configure Salt minion for ongoing configuration management
Security
- 2fa - Set up Google Authenticator for 2FA
- wazuh - Deploy Wazuh security monitoring agent
- security-hardening - SCAP/STIG compliance hardening
Monitoring
- oam - Operations and Maintenance tools (up2date script)
Configuration Management Tools
The system installs clients for specific management purposes:
- Ansible Core - For deploying ComplianceAsCode content from https://github.com/ComplianceAsCode/content
- Salt Minion - For ongoing system configuration, automation, and orchestration
- Tailscale - VPN connectivity for secure remote access
Tool Responsibilities
| Tool | Primary Responsibility | When Used |
|---|---|---|
| FetchApply | Initial server provisioning | Once at deployment |
| Salt | Ongoing configuration & automation | Continuously |
| Ansible | ComplianceAsCode deployment | Periodically/on-demand |
Security Features
- SSH key-based authentication only
- 2FA support via Google Authenticator (gradual rollout)
- Wazuh security monitoring
- SCAP/STIG compliance hardening
- AIDE file integrity monitoring
Migration Path
This system provides the foundation for comprehensive management:
- FetchApply - Initial server provisioning (this repo)
- Salt Master - Ongoing configuration management and automation
- Ansible Playbooks - ComplianceAsCode deployment and management
- Future Services - Beszel monitoring and Netbird networking via Salt
Compliance Management
Ansible will be used specifically to deploy and manage:
- Compliance frameworks from https://github.com/ComplianceAsCode/content
- Security baselines and hardening rules
- Compliance validation and reporting
- Documentation generation
Troubleshooting
For detailed status information:

```bash
sudo fa status
```

To run specific initializers:

```bash
sudo fa run <initializer-name>
```

To pause automatic runs during maintenance:

```bash
sudo fa pause
```

To resume automatic runs:

```bash
sudo fa resume
```
Repository Information
Issues: https://projects.knownelement.com/project/reachableceo-vptechnicaloperations/timeline
Discussion: https://community.turnsys.com/c/chieftechnologyandproductofficer/26
License
This project is licensed under terms specified in the LICENSE file.