# System authorization information: shadow passwords, SHA-512 as the
# hashing algorithm for passwords created on the installed system
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
install
cdrom
# System language
lang en_GB.UTF-8
# Keyboard layouts
keyboard --vckeymap=gb --xlayouts='gb'
# Root password, supplied pre-hashed (--iscrypted)
# NOTE(review): the 13-character value has the shape of a traditional DES
# crypt(3) hash, not the $6$ SHA-512 format that --passalgo above selects;
# --passalgo does not re-hash a value passed with --iscrypted. The hash is
# also published with this file, so treat the password as known: generate a
# fresh SHA-512 hash and keep the real kickstart out of public view.
rootpw --iscrypted MiVcjRNTyXvZs
# Disable firewalld
# NOTE(review): sshd is enabled by the services directive further down, so
# every listening service is reachable with no host firewall; if this is a
# template, enable the firewall and open ssh only (--enabled --service=ssh).
firewall --disabled
# Set SElinux to permissive
# NOTE(review): permissive only logs denials and enforces nothing; clones of
# this template inherit that unless a later step switches to enforcing.
selinux --permissive
# System timezone
timezone Europe/London --isUtc
# Set bootloader to use MBR partition and disable Meltdown and Spectre mechanisms
# NOTE(review): nopti / noibrs / noibpb switch off kernel page-table
# isolation and the IBRS/IBPB branch-prediction barriers. That is a
# performance-for-isolation trade and should be a per-host decision, not a
# template default, especially for multi-tenant or internet-facing guests.
# The GRUB password hash (PBKDF2-SHA512, 10000 iterations per its prefix) is
# published with this file as well; rotate it before reuse.
bootloader --location=mbr --append="nopti noibrs noibpb crashkernel=auto" --boot-drive=sda --iscrypted --password=grub.pbkdf2.sha512.10000.97A6C78DA019E010342C2AB7AC2B49FA0F46A00BA163849DF323C40C21E325282D16F8C6FD09DC4F25FA8A40EA38A18EB2F058B2BBB1BDCCE9B98058A2C73AA4.279C2913892DDCC11E3DF99A7C3165E3843A4A3551C2A67A749DE1CB915307D63780B79FB2E261C57DC06D96B3EC1B84505BB23D8A27BF4ECD108E3964FA612E
# Use text installation mode
text
# Disable X
skipx
# Avoid manual confirmation of partitions removal: invalid partition tables
# are initialised without prompting
zerombr
# Partition clearing information
# Removes every existing partition on sda and writes a fresh disk label;
# any data already on that disk is destroyed without confirmation.
clearpart --all --initlabel --drives=sda
# Disk partitioning information
# 512 MiB XFS /boot outside LVM
part /boot --fstype="xfs" --size=512
# LVM physical volume on sda: at least 22528 MiB, grows to fill the disk
part pv.00 --fstype="lvmpv" --size=22528 --ondisk=sda --grow
# Single volume group "centos" holding all logical volumes below
volgroup centos pv.00
# Logical volumes (sizes in MiB); swap is sized by the installer's
# recommendation rather than a fixed value
logvol / --fstype="ext4" --size=10240 --name=root --vgname=centos
logvol /home --fstype="ext4" --size=1024 --name=home --vgname=centos
logvol swap --recommended --fstype="swap" --name=swap --vgname=centos
logvol /opt --fstype="ext4" --size=2048 --name=opt --vgname=centos
logvol /var --fstype="ext4" --size=4096 --name=var --vgname=centos
# Disable the Setup Agent on first boot
firstboot --disabled
# Accept the End User License Agreement (EULA)
eula --agreed
# Enable NetworkManager, sshd and chronyd at boot
services --enabled=NetworkManager,sshd,chronyd
# Repo information
# NOTE(review): three of the four repositories are fetched over plain http,
# so package signature verification is the only integrity control on what
# gets installed; prefer https mirrors (or an internal mirror) where
# available. These are CentOS Linux 8 paths -- confirm the URLs still serve
# content before relying on this file.
repo --name=base --baseurl=http://mirror.centos.org/centos/8/BaseOS/x86_64/os
repo --name=appstream --baseurl=http://mirror.centos.org/centos/8/AppStream/x86_64/os/
repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/
repo --name=extras --baseurl=http://mirror.centos.org/centos/8/extras/x86_64/os/
# Enable kdump with an automatically sized memory reservation (pairs with
# crashkernel=auto on the bootloader line)
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
# Reboot server for the first time, ejecting the installation media first
reboot --eject
# Packages information
# --ignoremissing lets the install continue when a listed package or group
# cannot be found. NOTE(review): a typo or a missing repo therefore results
# in a silently incomplete image; check the install log for skipped names.
%packages --ignoremissing
# Minimal environment plus the core group and chrony for time sync
@^minimal
@core
chrony
# Lines starting with '-' exclude packages (wildcards allowed)
-biosdevname
-iwl*firmware
-iprutils
-alsa-*
-plymouth*
%end
# Pull in the `network` directive that the %pre script writes to
# /tmp/network.ks
%include /tmp/network.ks
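# Pre installation information
# Generates /tmp/network.ks (consumed by the %include directive) and adds
# the site DNS servers to the installer's resolv.conf.
%pre --log=/root/ks-pre.log
# Figure out the name of the interface and activate as DHCP.
# Only the first line of `ip addr` carrying the BROADCAST flag is used and
# the trailing ':' is stripped from the name, so a host with several NICs
# still produces a single, valid --device value.
interface=$(ip addr | awk 'toupper($0) ~ /BROADCAST/ { sub(/:$/, "", $2); print $2; exit }')
if [ -z "$interface" ]; then
  # Nothing detected: fall back to the kickstart keyword that selects the
  # first device with link up, instead of emitting an empty --device=.
  echo "ks-pre: no broadcast-capable interface found, using --device=link" >&2
  interface=link
fi
ns="10.0.11.1,10.0.11.2"
echo "network --hostname=template-centos8 --bootproto=dhcp --device=$interface --ipv6=auto --activate" >>/tmp/network.ks
# resolv.conf takes one address per `nameserver` line; a comma-separated
# list on a single line is not a valid entry, so split it.
echo "$ns" | tr ',' '\n' | sed 's/^/nameserver /' >>/etc/resolv.conf
%end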
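# Post installation information
# Runs against the installed system: switches to ethN naming, creates the
# provisioning account, adjusts sshd and installs/updates packages.
%post --log=/root/anaconda-ks-post.log
# Remove Redhat/Centos7 naming convention: append the kernel arguments that
# turn off predictable interface names, then regenerate grub.cfg
sed -i 's/^GRUB_CMDLINE_LINUX="[^"]*/& net.ifnames=0 biosdevname=0 loglevel=3/' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
# Rename the detected interface's ifcfg profile to eth0. Only the first
# BROADCAST-flagged interface is used, and the rename is skipped (with a log
# line) when no matching profile exists instead of failing on a bad path.
interface=$(ip addr | awk 'toupper($0) ~ /BROADCAST/ { sub(/:$/, "", $2); print $2; exit }')
ifcfg_dir=/etc/sysconfig/network-scripts
if [ -n "$interface" ] && [ -f "$ifcfg_dir/ifcfg-$interface" ]; then
  sed -i 's/^NAME="[^"]*"$/NAME="eth0"/' "$ifcfg_dir/ifcfg-$interface"
  sed -i 's/^DEVICE="[^"]*"$/DEVICE="eth0"/' "$ifcfg_dir/ifcfg-$interface"
  if [ "$interface" != "eth0" ]; then
    mv "$ifcfg_dir/ifcfg-$interface" "$ifcfg_dir/ifcfg-eth0"
  fi
else
  echo "ks-post: no ifcfg profile for interface '$interface'; skipping eth0 rename" >&2
fi
# NetworkManager is disabled here and enabled again at the end of this
# script, so the net result is that it stays enabled.
systemctl disable NetworkManager
# Enable provision user (member of wheel, fixed UID 1100)
# NOTE(review): the value given to -p has the shape of a traditional DES
# crypt(3) hash, is passed on the command line, and is published with this
# file. Combined with wheel membership that is a known-password admin
# account on every clone; prefer a locked password with key-only login, or
# a freshly generated SHA-512 hash kept out of public view.
useradd -m -G wheel -u 1100 -p aeZdifquIPmJM provision
mkdir -p /home/provision/.ssh
chmod 0700 /home/provision/.ssh
printf '%s\n' 'ssh-rsa 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 mstanca@work' >> /home/provision/.ssh/authorized_keys
chown -R provision:provision /home/provision/.ssh
# Owner-only access is all sshd needs for authorized_keys
chmod 0600 /home/provision/.ssh/authorized_keys
# Disable use of DNS for incoming connections via ssh.
# -i is required for the change to be written to the file (without it sed
# only prints the result); the pattern matches the directive whether or not
# it is commented out and whatever its current value is.
sed -i -E 's/^#?UseDNS[[:space:]].*/UseDNS no/' /etc/ssh/sshd_config
yum install bc net-tools wget curl epel-release perl bzip2 bind-utils open-vm-tools tcpdump yum-utils telnet -y
yum update -y
yum clean all
systemctl enable NetworkManager
%end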
# Password policies applied by the installer to the root, user and LUKS
# passwords: minimum length 10, minimum quality score 1, empty passwords
# rejected (--notempty), passwords set in this file not changeable from the
# installer UI (--nochanges).
# NOTE(review): --notstrict means a password that fails the quality check is
# still accepted after confirmation, and --minquality=1 is close to no
# quality requirement, so this is advisory rather than enforcing. Use
# --strict and a higher --minquality if the policy is meant to block weak
# passwords.
%anaconda
pwpolicy root --minlen=10 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=10 --minquality=1 --notstrict --nochanges --notempty
pwpolicy luks --minlen=10 --minquality=1 --notstrict --nochanges --notempty
%end