
@jmpolom
Created February 16, 2022 00:41
ultra minimal fedora with networkd
# text install
# --non-interactive: the installer does not stop to ask questions, so every value in this
# file (including the disk wipe and the credentials further down) is applied exactly as written.
text --non-interactive
# fedora repos
# The Fedora sources follow $releasever/$basearch of the install media.
url --metalink="https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch"
repo --name=fedora --metalink="https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch"
repo --name=updates --metalink="https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch"
# rpmfusion repos
# NOTE(review): these URLs hard-code release 35 and x86_64, unlike the Fedora repos above;
# they must be edited by hand when this file is reused for another release or architecture.
# The two base repos are limited by --includepkgs to their *-release package. The two
# "updates" repos have no such filter and carry --cost=0, so packages found there are
# preferred over the Fedora repos at install time - confirm that is intended for a
# third-party source.
repo --name=rpmfusion-free --metalink="https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64" --includepkgs=rpmfusion-free-release
repo --name=rpmfusion-free-updates --metalink="https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-35&arch=x86_64" --cost=0
repo --name=rpmfusion-nonfree --metalink="https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-35&arch=x86_64" --includepkgs=rpmfusion-nonfree-release
repo --name=rpmfusion-nonfree-updates --metalink="https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-updates-released-35&arch=x86_64" --cost=0
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# packages
# Explicit package list: a hand-picked base set, the default group packages, local
# additions, and finally the packages that must not be installed.
%packages
# base, from "@^custom-environment"
audit
basesystem
bash
coreutils
curl
dhcp-client
dnf
e2fsprogs
filesystem
glibc
grubby
hostname
iproute
iputils
kbd
less
man-db
ncurses
openssh-clients
# NOTE(review): an SSH server is installed; see the note on the exclude list below and
# the password set on the "user" line later in this file.
openssh-server
parted
passwd
policycoreutils
procps-ng
rootfiles
rpm
rpmfusion-free-release
rpmfusion-nonfree-release
selinux-policy-targeted
setup
shadow-utils
sssd-common
sssd-kcm
sudo
systemd
util-linux
vim-minimal
yum
# default group packages
dnf-plugins-core
dracut-config-rescue
fedora-repos-modular
systemd-oomd-defaults
zram-generator-defaults
# fedora additions
bash-completion
buildah
chrony
# dhcp-server is installed, but dhcpd and dhcpd6 are listed as disabled on the "services" line.
dhcp-server
ethtool
git
htop
iftop
iperf3
kernel-tools
# knot-resolver provides kresd, which is enabled as kresd@1 and used as the local resolver.
knot-resolver
knot-utils
mtr
netperf
podman
snapper
systemd-networkd
vim
# exclude
# A leading "-" keeps the package out of the install.
# NOTE(review): firewalld is removed and no other packet-filter configuration appears in
# this file, while openssh-server is installed and %post enables DHCP on every interface.
# Confirm that filtering is applied some other way (for example nftables rules added after
# install) before the host is attached to an untrusted network.
-firewalld
-NetworkManager
-plymouth
-systemd-resolved
%end
# Run the Setup Agent on first boot
firstboot --enable
# System bootloader and kernel command line: kernel console on tty0 and on serial ports ttyS0-ttyS2 at 115200n8.
# (The --append value sets only console= arguments; plymouth is kept out via the %packages exclude list.)
bootloader --location=mbr --boot-drive=nvme1n1 --append="console=tty0 console=ttyS0,115200n8 console=ttyS1,115200n8 console=ttyS2,115200n8"
# Generated using Blivet version 3.4.2
# Only nvme1n1 is touched; every other disk is ignored by the installer.
ignoredisk --only-use=nvme1n1
# Partition clearing information
# Destructive: removes all partitions on nvme1n1 and writes a new disk label. Because the
# install is non-interactive there is no confirmation - verify the device name on the target host.
clearpart --all --drives=nvme1n1 --initlabel
# Disk partitioning information
# EFI system partition; umask=0077 makes its files readable by root only.
part /boot/efi --fstype="efi" --ondisk=nvme1n1 --size=512 --fsoptions="umask=0077,shortname=winnt" --label=efi
part /boot --fstype="ext4" --ondisk=nvme1n1 --size=1024 --label=boot
# LUKS2-encrypted partition that backs the btrfs volume.
# NOTE(review): the LUKS passphrase is written in clear text in this file, so anyone who can
# read the kickstart (repository, gist, web server, install media) can unlock the disk.
# Treat it as a provisioning-time value only: change it after first boot
# (cryptsetup luksChangeKey), or enrol a TPM2/FIDO2 token with systemd-cryptenroll and then
# remove this passphrase slot. %post only adds the tpm2/fido2 options to crypttab; it does
# not enrol anything, so until then this passphrase is the only key.
part btrfs.01 --fstype="btrfs" --ondisk=nvme1n1 --size=230000 --encrypted --luks-version=luks2 --passphrase="ifyouwantpeaceprepareforwar"
# btrfs volume labelled "fedora" with subvolumes for /, /.snapshots, /home and /opt.
btrfs none --label=fedora btrfs.01
btrfs / --subvol --name=rootfs LABEL=fedora
btrfs /.snapshots --subvol --name="rootfs/snapshots" rootfs
btrfs /home --subvol --name=home rootfs
btrfs /opt --subvol --name=opt rootfs
# System timezone
timezone America/Detroit --utc
# Root password
# The root account is locked; administration goes through the wheel user below.
rootpw --lock
# NOTE(review): --plaintext puts a known password for a wheel-group account (wheel normally
# grants sudo on Fedora) into this file, and openssh-server is installed. Prefer --iscrypted
# with a pre-computed hash, or --lock the account and provision access with the kickstart
# "sshkey" command; otherwise change the password at first login.
user --groups=wheel --name=iac --plaintext --password=newiacuser --uid=1100 --gid=1100 --gecos="iac"
# Set default start state of system services
# networkd and one kresd instance start at boot; the DHCP server daemons stay off.
services --enabled=systemd-networkd,kresd@1 --disabled=dhcpd,dhcpd6
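%post
# Post-install script: finishes btrfs, network, resolver, initramfs and GRUB setup.
# By default the installer runs %post chrooted into the newly installed system.
# NOTE(review): %post has no --erroronfail, so a failing command below does not stop
# the installation; check the installer logs for errors after provisioning.

# set default subvolume
# NOTE(review): 256 is a hard-coded btrfs subvolume ID, presumably the "rootfs"
# subvolume defined in the partitioning section - confirm with `btrfs subvolume list /`.
btrfs subvolume set-default 256 /

# dhcp on all interfaces to start
# Name=* matches every interface, so each one requests a DHCP lease. Together with
# the firewalld exclusion this means services are reachable on all attached networks.
cat << '_EOF' > /etc/systemd/network/all.network
[Match]
Name=*
[Network]
DHCP=yes
_EOF

# networkd dbus fix: order systemd-networkd after dbus.socket
mkdir -p /etc/systemd/system/systemd-networkd.service.d
cat << '_EOF' > /etc/systemd/system/systemd-networkd.service.d/after-dbus.conf
[Unit]
After=dbus.socket
_EOF

# a more sensible resolv.conf since we have kresd onboard
cat << '_EOF' > /etc/resolv.conf
nameserver 127.0.0.1
_EOF

# dracut modules for systemd-cryptenroll: pull the TPM2 (libtss2) and FIDO2
# libraries into the initramfs so token-based unlock can work at boot
cat << '_EOF' > /etc/dracut.conf.d/cryptenroll-fix.conf
install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "
_EOF

# add tpm2 and fido2 options to crypttab
# The options are prepended to the existing fourth (options) field of every
# four-field line. They only take effect once a token has been enrolled with
# systemd-cryptenroll; until then the passphrase from the kickstart is the only key.
sed -E -i 's/(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/\1 \2 \3 fido2-device=auto,tpm2-device=auto,\4/' /etc/crypttab
# The sed above changes nothing when a line has fewer than four fields, so report that.
grep -q 'tpm2-device=auto' /etc/crypttab ||
  echo "warning: /etc/crypttab was not updated with fido2/tpm2 options" >&2

# regen initrd
# rpm prints one line per installed kernel package. Rebuild the initramfs for each
# of them instead of passing a multi-line value to a single dracut call, and skip
# the rebuild when the query itself fails (its error text is not a version).
if kernel_versions=$(rpm -q kernel --qf '%{version}-%{release}.%{arch}\n'); then
  printf '%s\n' "$kernel_versions" | while IFS= read -r KERNEL_VERSION; do
    [ -n "$KERNEL_VERSION" ] || continue
    dracut -f "/boot/initramfs-${KERNEL_VERSION}.img" "$KERNEL_VERSION"
  done
else
  echo "warning: rpm -q kernel failed; initramfs was not regenerated" >&2
fi

# grub serial console (appended only when no GRUB_SERIAL_COMMAND line exists yet)
# NOTE(review): this exposes the GRUB menu on the serial line and no GRUB password
# is set in this file - restrict who can reach the serial console.
grep -qx 'GRUB_SERIAL_COMMAND=.*' /etc/default/grub || echo 'GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"' >> /etc/default/grub

# set grub console output (rewrites an existing GRUB_TERMINAL_OUTPUT line only)
sed -i '/GRUB_TERMINAL_OUTPUT=/s/.*/GRUB_TERMINAL_OUTPUT="console serial"/' /etc/default/grub

# grub btrfs snapshot booting
grep -qx 'SUSE_BTRFS_SNAPSHOT_BOOTING=.*' /etc/default/grub || echo 'SUSE_BTRFS_SNAPSHOT_BOOTING=true' >> /etc/default/grub

# update grub config
grub2-mkconfig -o /boot/grub2/grub.cfg
%end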