diff --git a/nvr2.ks b/nvr2.ks
new file mode 100644
index 0000000..1eb8da0
--- /dev/null
+++ b/nvr2.ks
@@ -0,0 +1,113 @@
+# vim: set ft=sh :
+text
+url --url http://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os
+repo --name=updates --baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch
+repo --name=dch --baseurl=http://files.pyrocufflink.blue/yum/dch/fedora/$releasever
+lang en_US.UTF-8
+keyboard us
+timezone --utc UTC
+rootpw --lock
+reboot
+
+# Create the "standard" disk layout using only the first disk
+# Other disks are left alone in case they already contain data, e.g.
+# migrated from another system.
+ignoredisk --only-use /dev/disk/by-id/nvme-Samsung_SSD_980_250GB_S64CNJ0RB07610E
+bootloader --location mbr
+clearpart --all --initlabel
+reqpart
+part /boot --fstype ext4 --size=512
+part pv.01 --size=1 --grow
+volgroup fedora pv.01
+logvol / --fstype ext4 --name=root --vgname=fedora --size=4096
+logvol /home --fstype ext4 --name=home --vgname=fedora --size=100
+logvol /var --fstype ext4 --name=var --vgname=fedora --size=1024 --grow
+logvol /var/log --fstype ext4 --name=var_log --vgname=fedora --size=1024
+
+%packages --exclude-weakdeps
+-NetworkManager
+-authconfig
+-dhcp-client
+-dnf-plugins-core
+-dnf-yum
+-dracut-config-rescue
+-grub2-tools-extra
+-man-db
+-openssh-clients
+-parted
+-plymouth
+-sssd-common
+-sssd-kcm
+-sudo
+-yum
+amd-gpu-firware
+btrfs-progs
+chrony
+dnf
+e2fsprogs
+grubby
+kitty-terminfo
+mdadm
+openssh-server
+python3-libselinux
+python3-policycoreutils
+rng-tools
+selinux-policy-targeted
+smartmontools
+sshca-cli-systemd
+systemd-networkd
+%end
+
+network --hostname=nvr2.pyrocufflink.blue
+
+services --enabled systemd-networkd,systemd-resolved,ssh-host-certs-renew.timer,ssh-host-certs.target --disabled systemd-homed,systemd-userdbd,systemd-userdbd.socket
+
+%addon com_redhat_kdump --disable
+%end
+
+%post --erroronfail
+date
+env
+echo 'install_weak_deps=0' >> /etc/dnf/dnf.conf
+echo 'deltarpm=0' >> /etc/dnf/dnf.conf
+echo '%_excludedocs 1' >> /etc/rpm/macros
+
+# Trust SSHCA to authenticate users
+cat >> /etc/ssh/ca.pub <<'EOF'
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue
+EOF
+cat >> /etc/ssh/sshd_config.d/70-trustedusercakeys.conf <<'EOF'
+TrustedUserCAKeys /etc/ssh/ca.pub
+EOF
+
+# Configure SSH daemon to use host certificates obtained from SSHCA
+cat > /etc/sysconfig/ssh-host-cert-sign < /etc/ssh/sshd_config.d/10-hostcertificate.conf
+
+# Configure networking with systemd-networkd
+rm -rf /etc/sysconfig/network-scripts /etc/sysconfig/network
+cat > /etc/systemd/network/99-default.network <