jmpolom · February 16, 2022 00:41
diff --git a/minimal-ks.cfg b/minimal-ks.cfg
 # text install
 text --non-interactive

 # fedora repos
 url --metalink="https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch"
 repo --name=fedora --metalink="https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch"
 repo --name=updates --metalink="https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch"

 # rpmfusion repos
 repo --name=rpmfusion-free --metalink="https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64" --includepkgs=rpmfusion-free-release
 repo --name=rpmfusion-free-updates --metalink="https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-35&arch=x86_64" --cost=0
 repo --name=rpmfusion-nonfree --metalink="https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-35&arch=x86_64" --includepkgs=rpmfusion-nonfree-release
 repo --name=rpmfusion-nonfree-updates --metalink="https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-updates-released-35&arch=x86_64" --cost=0

 # Keyboard layouts
 keyboard --vckeymap=us --xlayouts='us'

 # System language
 lang en_US.UTF-8

 # packages
 %packages
 # base, from "@^custom-environment"
 audit
 basesystem
 bash
 coreutils
 curl
 dhcp-client
 dnf
 e2fsprogs
 filesystem
 glibc
 grubby
 hostname
 iproute
 iputils
 kbd
 less
 man-db
 ncurses
 openssh-clients
 openssh-server
 parted
 passwd
 policycoreutils
 procps-ng
 rootfiles
 rpm
 rpmfusion-free-release
 rpmfusion-nonfree-release
 selinux-policy-targeted
 setup
 shadow-utils
 sssd-common
 sssd-kcm
 sudo
 systemd
 util-linux
 vim-minimal
 yum

 # default group packages
 dnf-plugins-core
 dracut-config-rescue
 fedora-repos-modular
 systemd-oomd-defaults
 zram-generator-defaults

 # fedora additions
 bash-completion
 buildah
 chrony
 dhcp-server
 ethtool
 git
 htop
 iftop
 iperf3
 kernel-tools
 knot-resolver
 knot-utils
 mtr
 netperf
 podman
 snapper
 systemd-networkd
 vim

 # exclude
 -firewalld
 -NetworkManager
 -plymouth
 -systemd-resolved
 %end

 # Run the Setup Agent on first boot
 firstboot --enable

 # System bootloader and kernel command line: disable plymouth, cgroupsv2
 bootloader --location=mbr --boot-drive=nvme1n1 --append="console=tty0 console=ttyS0,115200n8 console=ttyS1,115200n8 console=ttyS2,115200n8"

 # Generated using Blivet version 3.4.2
 ignoredisk --only-use=nvme1n1

 # Partition clearing information
 clearpart --all --drives=nvme1n1 --initlabel

 # Disk partitioning information
 part /boot/efi --fstype="efi" --ondisk=nvme1n1 --size=512 --fsoptions="umask=0077,shortname=winnt" --label=efi
 part /boot --fstype="ext4" --ondisk=nvme1n1 --size=1024 --label=boot
 part btrfs.01 --fstype="btrfs" --ondisk=nvme1n1 --size=230000 --encrypted --luks-version=luks2 --passphrase="ifyouwantpeaceprepareforwar"
 btrfs none --label=fedora btrfs.01
 btrfs / --subvol --name=rootfs LABEL=fedora
 btrfs /.snapshots --subvol --name="rootfs/snapshots" rootfs
 btrfs /home --subvol --name=home rootfs
 btrfs /opt --subvol --name=opt rootfs

 # System timezone
 timezone America/Detroit --utc

 # Root password
 rootpw --lock
 user --groups=wheel --name=iac --plaintext --password=newiacuser --uid=1100 --gid=1100 --gecos="iac"

 # Set default start state of system services
 services --enabled=systemd-networkd,kresd@1 --disabled=dhcpd,dhcpd6

 %post
 # set default subvolume
 btrfs subvolume set-default 256 /

 # dhcp on all interfaces to start
 cat << _EOF > /etc/systemd/network/all.network
 [Match]
 Name=*

 [Network]
 DHCP=yes
 _EOF

 # networkd dbus fix
 mkdir -p /etc/systemd/system/systemd-networkd.service.d

 cat << _EOF > /etc/systemd/system/systemd-networkd.service.d/after-dbus.conf
 [Unit]
 After=dbus.socket
 _EOF

 # a more sensible resolv.conf since we have kresd onboard
 cat << _EOF > /etc/resolv.conf
 nameserver 127.0.0.1
 _EOF

 # dracut modules for systemd-cryptenroll
 cat << _EOF > /etc/dracut.conf.d/cryptenroll-fix.conf
 install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "
 _EOF

 # add tpm2 and fido2 options to crypttab
 sed -E -i 's/(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/\1 \2 \3 fido2-device=auto,tpm2-device=auto,\4/' /etc/crypttab

 # regen initrd
 KERNEL_VERSION=$(rpm -q kernel --qf '%{version}-%{release}.%{arch}\n')
 dracut -f /boot/initramfs-"$KERNEL_VERSION".img "$KERNEL_VERSION"

 # grub serial console
 grep -qx 'GRUB_SERIAL_COMMAND=.*' /etc/default/grub || echo 'GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"' >> /etc/default/grub

 # set grub console output
 sed -i '/GRUB_TERMINAL_OUTPUT=/s/.*/GRUB_TERMINAL_OUTPUT="console serial"/' /etc/default/grub

 # grub btrfs snapshot booting
 grep -qx 'SUSE_BTRFS_SNAPSHOT_BOOTING=.*' /etc/default/grub || echo 'SUSE_BTRFS_SNAPSHOT_BOOTING=true' >> /etc/default/grub

 # update grub config
 grub2-mkconfig -o /boot/grub2/grub.cfg

 %end
	# text install
	text --non-interactive

	# fedora repos
	url --metalink="https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch"
	repo --name=fedora --metalink="https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch"
	repo --name=updates --metalink="https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch"

	# rpmfusion repos
	repo --name=rpmfusion-free --metalink="https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64" --includepkgs=rpmfusion-free-release
	repo --name=rpmfusion-free-updates --metalink="https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-35&arch=x86_64" --cost=0
	repo --name=rpmfusion-nonfree --metalink="https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-35&arch=x86_64" --includepkgs=rpmfusion-nonfree-release
	repo --name=rpmfusion-nonfree-updates --metalink="https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-updates-released-35&arch=x86_64" --cost=0

	# Keyboard layouts
	keyboard --vckeymap=us --xlayouts='us'

	# System language
	lang en_US.UTF-8

	# packages
	%packages
	# base, from "@^custom-environment"
	audit
	basesystem
	bash
	coreutils
	curl
	dhcp-client
	dnf
	e2fsprogs
	filesystem
	glibc
	grubby
	hostname
	iproute
	iputils
	kbd
	less
	man-db
	ncurses
	openssh-clients
	openssh-server
	parted
	passwd
	policycoreutils
	procps-ng
	rootfiles
	rpm
	rpmfusion-free-release
	rpmfusion-nonfree-release
	selinux-policy-targeted
	setup
	shadow-utils
	sssd-common
	sssd-kcm
	sudo
	systemd
	util-linux
	vim-minimal
	yum

	# default group packages
	dnf-plugins-core
	dracut-config-rescue
	fedora-repos-modular
	systemd-oomd-defaults
	zram-generator-defaults

	# fedora additions
	bash-completion
	buildah
	chrony
	dhcp-server
	ethtool
	git
	htop
	iftop
	iperf3
	kernel-tools
	knot-resolver
	knot-utils
	mtr
	netperf
	podman
	snapper
	systemd-networkd
	vim

	# exclude
	-firewalld
	-NetworkManager
	-plymouth
	-systemd-resolved
	%end

	# Run the Setup Agent on first boot
	firstboot --enable

	# System bootloader and kernel command line: disable plymouth, cgroupsv2
	bootloader --location=mbr --boot-drive=nvme1n1 --append="console=tty0 console=ttyS0,115200n8 console=ttyS1,115200n8 console=ttyS2,115200n8"

	# Generated using Blivet version 3.4.2
	ignoredisk --only-use=nvme1n1

	# Partition clearing information
	clearpart --all --drives=nvme1n1 --initlabel

	# Disk partitioning information
	part /boot/efi --fstype="efi" --ondisk=nvme1n1 --size=512 --fsoptions="umask=0077,shortname=winnt" --label=efi
	part /boot --fstype="ext4" --ondisk=nvme1n1 --size=1024 --label=boot
	part btrfs.01 --fstype="btrfs" --ondisk=nvme1n1 --size=230000 --encrypted --luks-version=luks2 --passphrase="ifyouwantpeaceprepareforwar"
	btrfs none --label=fedora btrfs.01
	btrfs / --subvol --name=rootfs LABEL=fedora
	btrfs /.snapshots --subvol --name="rootfs/snapshots" rootfs
	btrfs /home --subvol --name=home rootfs
	btrfs /opt --subvol --name=opt rootfs

	# System timezone
	timezone America/Detroit --utc

	# Root password
	rootpw --lock
	user --groups=wheel --name=iac --plaintext --password=newiacuser --uid=1100 --gid=1100 --gecos="iac"

	# Set default start state of system services
	services --enabled=systemd-networkd,kresd@1 --disabled=dhcpd,dhcpd6

	%post
	# set default subvolume
	btrfs subvolume set-default 256 /

	# dhcp on all interfaces to start
	cat << _EOF > /etc/systemd/network/all.network
	[Match]
	Name=*

	[Network]
	DHCP=yes
	_EOF

	# networkd dbus fix
	mkdir -p /etc/systemd/system/systemd-networkd.service.d

	cat << _EOF > /etc/systemd/system/systemd-networkd.service.d/after-dbus.conf
	[Unit]
	After=dbus.socket
	_EOF

	# a more sensible resolv.conf since we have kresd onboard
	cat << _EOF > /etc/resolv.conf
	nameserver 127.0.0.1
	_EOF

	# dracut modules for systemd-cryptenroll
	cat << _EOF > /etc/dracut.conf.d/cryptenroll-fix.conf
	install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "
	_EOF

	# add tpm2 and fido2 options to crypttab
	sed -E -i 's/(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/\1 \2 \3 fido2-device=auto,tpm2-device=auto,\4/' /etc/crypttab

	# regen initrd
	KERNEL_VERSION=$(rpm -q kernel --qf '%{version}-%{release}.%{arch}\n')
	dracut -f /boot/initramfs-"$KERNEL_VERSION".img "$KERNEL_VERSION"

	# grub serial console
	grep -qx 'GRUB_SERIAL_COMMAND=.*' /etc/default/grub \|\| echo 'GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"' >> /etc/default/grub

	# set grub console output
	sed -i '/GRUB_TERMINAL_OUTPUT=/s/.*/GRUB_TERMINAL_OUTPUT="console serial"/' /etc/default/grub

	# grub btrfs snapshot booting
	grep -qx 'SUSE_BTRFS_SNAPSHOT_BOOTING=.*' /etc/default/grub \|\| echo 'SUSE_BTRFS_SNAPSHOT_BOOTING=true' >> /etc/default/grub

	# update grub config
	grub2-mkconfig -o /boot/grub2/grub.cfg

	%end