KNELConfigMgmt-FetchApply/README.md

# KNEL Configuration Management - FetchApply

This repository contains the KNEL server configuration management system implemented with the FetchApply framework.

**NOTE:** This is a one-time provisioning system. For ongoing configuration management, this uses:
- Salt for system configuration and automation
- Ansible for ComplianceAsCode deployment

## Overview

The KNEL FetchApply system provides automated server provisioning for Linux servers. It uses the FetchApply framework to apply initial configurations and then serves as a foundation for Salt/Ansible-based management.

## Repository Structure

```
.
├── classes/
│   └── server/              # Single class for all servers
│       ├── initializers       # List of initializers to run
│       └── roles             # List of roles to apply
├── initializers/            # One-time setup scripts
│   ├── system-setup/       # System detection and basic setup
│   ├── packages/           # Package installation with conditional logic
│   ├── oam/              # Operations and Maintenance setup
│   ├── system-config/     # System configuration files
│   ├── ssh-hardening/     # SSH security hardening
│   ├── ssh-keys/          # SSH authorized key deployment
│   ├── postfix/           # Email configuration
│   ├── 2fa/              # Two-factor authentication setup
│   ├── wazuh/            # Wazuh security monitoring
│   ├── security-hardening/ # SCAP/STIG compliance
│   ├── salt-client/       # Salt minion configuration
│   └── user-configuration/ # User shell settings
├── roles/                 # Groups of related initializers
│   ├── security          # Security-related initializers
│   └── monitoring       # Monitoring-related initializers
├── modules/               # Placeholder for future Ansible modules
└── variables             # Global configuration variables
```

## Installation

### Prerequisites

- Linux server (Ubuntu 18.04+ or Debian 10+ recommended)
- Root or sudo access
- Internet connectivity for package downloads

### Install FetchApply

First, install FetchApply on your system:

```bash
curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install --operations-repository-url=https://git.knownelement.com/KNEL/KNELConfigMgmt-FetchApply.git
```

### Usage

Once installed, FetchApply will automatically:

1. Detect system characteristics (physical/virtual, OS, special hosts)
2. Run initializers in sequence to provision the server
3. Apply security hardening and configuration management setup

You can also run FetchApply manually:

```bash
sudo fa
```

## System Detection

The system automatically detects:

- **Physical vs Virtual** - Using dmidecode and virt-what
- **Operating System** - Ubuntu vs Kali detection
- **Special Hosts** - NTP servers, development workstations
- **User Accounts** - Detects localuser and subodev users
- **Raspberry Pi** - Hardware detection for RPi-specific configs

## Initializers

### Core Setup
- **system-setup** - System detection and variable setup
- **packages** - Package installation with conditional logic (includes ansible-core for ComplianceAsCode, salt-minion for ongoing management, tailscale for VPN)
- **user-configuration** - Shell settings and user preferences

### Configuration
- **system-config** - Deploy system configuration files (SNMP, NTP, Cockpit, etc.)
- **ssh-hardening** - SSH security hardening
- **ssh-keys** - Deploy SSH authorized keys
- **postfix** - Configure email delivery
- **salt-client** - Configure Salt minion for ongoing configuration management

### Security
- **2fa** - Set up Google Authenticator for 2FA
- **wazuh** - Deploy Wazuh security monitoring agent
- **security-hardening** - SCAP/STIG compliance hardening

### Monitoring
- **oam** - Operations and Maintenance tools (up2date script)

## Configuration Management Tools

The system installs clients for specific management purposes:

- **Ansible Core** - For deploying ComplianceAsCode content from https://github.com/ComplianceAsCode/content
- **Salt Minion** - For ongoing system configuration, automation, and orchestration
- **Tailscale** - VPN connectivity for secure remote access

## Tool Responsibilities

| Tool | Primary Responsibility | When Used |
|-------|-------------------|-----------|
| FetchApply | Initial server provisioning | Once at deployment |
| Salt | Ongoing configuration & automation | Continuously |
| Ansible | ComplianceAsCode deployment | Periodically/on-demand |

## Security Features

- SSH key-based authentication only
- 2FA support via Google Authenticator (gradual rollout)
- Wazuh security monitoring
- SCAP/STIG compliance hardening
- AIDE file integrity monitoring

## Migration Path

This system provides the foundation for comprehensive management:

1. **FetchApply** - Initial server provisioning (this repo)
2. **Salt Master** - Ongoing configuration management and automation
3. **Ansible Playbooks** - ComplianceAsCode deployment and management
4. **Future Services** - Beszel monitoring and Netbird networking via Salt

## Compliance Management

Ansible will be used specifically to deploy and manage:
- Compliance frameworks from https://github.com/ComplianceAsCode/content
- Security baselines and hardening rules
- Compliance validation and reporting
- Documentation generation

## Troubleshooting

For detailed status information:

```bash
sudo fa status
```

To run specific initializers:

```bash
sudo fa run <initializer-name>
```

To pause automatic runs during maintenance:

```bash
sudo fa pause
```

To resume automatic runs:

```bash
sudo fa resume
```

## Repository Information

**Issues:** https://projects.knownelement.com/project/reachableceo-vptechnicaloperations/timeline  
**Discussion:** https://community.turnsys.com/c/chieftechnologyandproductofficer/26

## License

This project is licensed under terms specified in the LICENSE file.