runcom/Containerfile

## Containerfile
FROM quay.io/centos-boot/centos-tier-1-dev:stream9
RUN rpm-ostree install gdm firefox gnome-kiosk-script-session plymouth-system-theme
RUN rm -rf /var/lib/gdm/.config/pulse/default.pa && rm -rf /var/lib/xkb/README.compiled && ostree container commit

## example.ks
text

# Basic partitioning
clearpart --all --initlabel --disklabel=gpt
part prepboot  --size=4    --fstype=prepboot
part biosboot  --size=1    --fstype=biosboot
part /boot/efi --size=100  --fstype=efi
part /boot     --size=1000  --fstype=ext4 --label=boot
part / --grow --fstype xfs

ostreecontainer --url quay.io/<user>/kiosk-demo:latest	--no-signature-verification

firewall --disabled
services --enabled=sshd

user --name=core --groups=wheel

# Only inject a SSH key for root
rootpw --iscrypted locked
# Add your example SSH key here!
sshkey --username root "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7xFq1HtZKZiaD8MfkhNtn37m8GSc1W168NoSaT9RSf cardno:000F_C36A3FC0"
reboot

# Workarounds until https://github.com/rhinstaller/anaconda/pull/5298/ lands
bootloader --location=none --disabled
%post --erroronfail
set -euo pipefail
# Work around anaconda wanting a root password
passwd -l root
rootdevice=$(findmnt -nv -o SOURCE /)
device=$(lsblk -n -o PKNAME ${rootdevice})
/usr/bin/bootupctl backend install --auto --with-static-configs --device /dev/${device} /

# kiosk-user
mkdir -p /var/lib/AccountsService/users

cat > /var/lib/AccountsService/users/core << EOF
[User]
Session=gnome-kiosk-script
SystemAccount=false
EOF

mkdir -p /home/core/.local/bin/
cat > /home/core/.local/bin/gnome-kiosk-script << EOF
#!/bin/sh
while true; do
    firefox -kiosk https://time.gov/
done
EOF

cat > /etc/gdm/custom.conf << EOF
#Enable autologin for the user core
# GDM configuration storage
[daemon]
# Uncomment the line below to force the login screen to use Xorg
#WaylandEnable=false
AutomaticLogin=core
AutomaticLoginEnable=True
[security]
[xdmcp]
[chooser]
[debug]
# Uncomment the line below to turn on debugging
#Enable=true
EOF

chown -R core:core /home/core/
chmod u+x /home/core/.local/bin/gnome-kiosk-script
systemctl set-default graphical

%end

## how-to
podman build -t quay.io/<user>/kiosk-demo:latest .
podman push quay.io/<user>/kiosk-demo:latest
# disable sec boot (for some reason on my latest f39)
sudo cp /usr/share/edk2/ovmf/OVMF_VARS.fd /var/lib/libvirt/qemu/nvram/sagano-demo_VARS.fd
virt-install --connect qemu:///system --name sagano-demo --memory 2048 --vcpus 4 --disk size=40 \
          --boot loader=/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd,loader.readonly=yes,loader.secure='no',loader.type=pflash,nvram=/var/lib/libvirt/qemu/nvram/sagano-demo_VARS.fd --network=network=default,model=virtio \
          --os-variant rhel9.0 --location https://dl.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/os/ \
          --noautoconsole --initrd-inject $(pwd)/example.ks --extra-args="inst.ks=file:/example.ks console=tty0 console=ttyS0,115200 inst.profile=rhel"
	FROM quay.io/centos-boot/centos-tier-1-dev:stream9
	RUN rpm-ostree install gdm firefox gnome-kiosk-script-session plymouth-system-theme
	RUN rm -rf /var/lib/gdm/.config/pulse/default.pa && rm -rf /var/lib/xkb/README.compiled && ostree container commit
	text

	# Basic partitioning
	clearpart --all --initlabel --disklabel=gpt
	part prepboot --size=4 --fstype=prepboot
	part biosboot --size=1 --fstype=biosboot
	part /boot/efi --size=100 --fstype=efi
	part /boot --size=1000 --fstype=ext4 --label=boot
	part / --grow --fstype xfs

	ostreecontainer --url quay.io/<user>/kiosk-demo:latest --no-signature-verification

	firewall --disabled
	services --enabled=sshd

	user --name=core --groups=wheel

	# Only inject a SSH key for root
	rootpw --iscrypted locked
	# Add your example SSH key here!
	sshkey --username root "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7xFq1HtZKZiaD8MfkhNtn37m8GSc1W168NoSaT9RSf cardno:000F_C36A3FC0"
	reboot

	# Workarounds until https://github.com/rhinstaller/anaconda/pull/5298/ lands
	bootloader --location=none --disabled
	%post --erroronfail
	set -euo pipefail
	# Work around anaconda wanting a root password
	passwd -l root
	rootdevice=$(findmnt -nv -o SOURCE /)
	device=$(lsblk -n -o PKNAME ${rootdevice})
	/usr/bin/bootupctl backend install --auto --with-static-configs --device /dev/${device} /

	# kiosk-user
	mkdir -p /var/lib/AccountsService/users

	cat > /var/lib/AccountsService/users/core << EOF
	[User]
	Session=gnome-kiosk-script
	SystemAccount=false
	EOF

	mkdir -p /home/core/.local/bin/
	cat > /home/core/.local/bin/gnome-kiosk-script << EOF
	#!/bin/sh
	while true; do
	firefox -kiosk https://time.gov/
	done
	EOF

	cat > /etc/gdm/custom.conf << EOF
	#Enable autologin for the user core
	# GDM configuration storage
	[daemon]
	# Uncomment the line below to force the login screen to use Xorg
	#WaylandEnable=false
	AutomaticLogin=core
	AutomaticLoginEnable=True
	[security]
	[xdmcp]
	[chooser]
	[debug]
	# Uncomment the line below to turn on debugging
	#Enable=true
	EOF

	chown -R core:core /home/core/
	chmod u+x /home/core/.local/bin/gnome-kiosk-script
	systemctl set-default graphical

	%end
	podman build -t quay.io/<user>/kiosk-demo:latest .
	podman push quay.io/<user>/kiosk-demo:latest
	# disable sec boot (for some reason on my latest f39)
	sudo cp /usr/share/edk2/ovmf/OVMF_VARS.fd /var/lib/libvirt/qemu/nvram/sagano-demo_VARS.fd
	virt-install --connect qemu:///system --name sagano-demo --memory 2048 --vcpus 4 --disk size=40 \
	--boot loader=/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd,loader.readonly=yes,loader.secure='no',loader.type=pflash,nvram=/var/lib/libvirt/qemu/nvram/sagano-demo_VARS.fd --network=network=default,model=virtio \
	--os-variant rhel9.0 --location https://dl.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/os/ \
	--noautoconsole --initrd-inject $(pwd)/example.ks --extra-args="inst.ks=file:/example.ks console=tty0 console=ttyS0,115200 inst.profile=rhel"