diff --git a/zaphym.ks b/zaphym.ks
new file mode 100644
index 0000000..e25074f
--- /dev/null
+++ b/zaphym.ks
@@ -0,0 +1,311 @@
+# vim: set ft=sh :
+graphical
+install
+url --url http://mirror.rnet.missouri.edu/fedora/linux/releases/32/Everything/x86_64/os/
+repo --name=updates --baseurl=http://mirror.rnet.missouri.edu/fedora/linux/updates/32/Everything/x86_64/
+lang en_US.UTF-8
+keyboard us
+timezone --utc America/Chicago
+rootpw --lock
+user --name dhatch --uid 1987 --gid 1987 --groups wheel,kvm,mock,wireshark,disk --gecos "Dustin C. Hatch" --shell /bin/zsh --iscrypted --password $6$sO9XmlC6Y8NiRyNT$8SLQmhI9kKOAJl5fys.qFUyGb1MHSJdE5WVOsjGTY2qlPqYKfX0SqKnhw6l3nqYVFNW7YQx.CoSaHC0AjVotw.
+reboot
+
+bootloader --location mbr --append "quiet systemd.show_status=1 console=ttyS0,115200 console=tty0"
+clearpart --all --initlabel
+reqpart
+part /boot --fstype ext4 --size=200
+part pv.01 --size=623620 --encrypted --passphrase="elude cameo press ladybug debunk untidy"
+volgroup zaphym pv.01
+logvol swap --fstype swap --name=swap --vgname=zaphym --size=131072 --fsoptions="noexec,nodev,nosuid"
+logvol / --fstype ext4 --name=root --vgname=zaphym --size=32768
+logvol /var --fstype ext4 --name=var --vgname=zaphym --size=131072 --fsoptions="noexec,nodev,nosuid"
+logvol /var/log --fstype ext4 --name=var_log --vgname=zaphym --size=1024 --fsoptions="noexec,nodev,nosuid"
+logvol /var/tmp --fstype ext4 --name=var_tmp --vgname=zaphym --size=65536 --fsoptions="noexec,nodev,nosuid"
+logvol /home --fstype ext4 --name=home --vgname=zaphym --size=262144 --fsoptions="nodev,nosuid"
+
+%packages --excludeWeakdeps
+-NetworkManager
+-authconfig
+-authselect
+-dhcp-client
+-dnf-yum
+-dracut-config-rescue
+-plymouth
+-sssd-common
+-sssd-kcm
+-yum
+adwaita-gtk2-theme
+audit
+avahi
+cargo
+chrony
+compton
+cracklib-dicts
+dash
+dejavu-sans-fonts
+dejavu-serif-fonts
+desktop-backgrounds-compat
+diceware
+dmenu
+dnf
+dnf-command(system-upgrade)
+dnf-plugins-core
+dnf-utils
+dnsmasq
+dosfstools
+e2fsprogs
+efibootmgr
+fedpkg
+feh
+firefox
+firewalld
+flatpak
+gedit
+gimp
+git
+gitg
+grubby
+gucharmap
+gvfs-fuse
+gvfs-smb
+htop
+httpd
+i3
+icedtea-web
+inkscape
+inotify-tools
+iperf3
+java-11-openjdk-headless
+jq
+krb5-workstation
+less
+liberation-fonts   
+libreoffice
+libvirt-client
+libvirt-daemon-driver-network
+libvirt-daemon-driver-qemu
+libvirt-daemon-driver-storage-core
+lxdm
+man-db
+man-pages
+mate-notification-daemon
+meld
+mesa-dri-drivers
+meson
+mock
+mozilla-fira-mono-fonts
+mozilla-fira-sans-fonts
+mtools
+netpbm
+nginx
+ninja-build
+nmap
+nodejs
+npm
+openldap-clients
+openssh-clients
+openssh-server
+openssl
+parted
+patch
+pinentry-gtk
+pmount
+podman
+policycoreutils-python-utils
+postgresql-server
+pv
+pwgen
+py3status
+python3-pip
+qemu-system-x86-core
+redis
+remmina
+remmina-plugins-rdp
+ripgrep
+rng-tools
+rpm-build
+rust
+rsync
+rsyslog
+samba-client
+selinux-policy-targeted
+setools-console
+smem
+squid
+strace
+strongswan
+sudo
+tar
+thunderbird
+tmux
+tokei
+twine
+unzip
+util-linux-user
+urw-base35-fonts
+vim-X11
+vim-enhanced
+virt-install
+virt-manager
+wireshark-cli
+xclip
+xdotool
+xscreensaver
+xorg-x11-drv-amdgpu
+xorg-x11-fonts-misc
+xorg-x11-server-Xorg
+xorg-x11-server-utils
+xorg-x11-utils
+xorg-x11-xauth
+xorg-x11-xinit
+xorg-x11-xinit-session
+zip
+zsh
+%end
+
+services --enabled serial-getty@ttyS0,dnsmasq,lxdm,systemd-networkd,systemd-resolved,rngd,rsyslog
+
+%addon com_redhat_kdump --disable
+%end
+
+%post --erroronfail
+echo 'install_weak_deps=0' >> /etc/dnf/dnf.conf
+echo 'deltarpm=0' >> /etc/dnf/dnf.conf
+
+systemctl mask systemd-journald-audit.socket
+
+systemctl set-default graphical.target
+
+echo zaphym.securepassage.com > /etc/hostname
+sed -i 's/localhost /zaphym.securepassage.com zaphym localhost /' /etc/hosts
+
+rm -rf /etc/sysconfig/network-scripts /etc/sysconfig/network
+
+mkdir -p /etc/systemd/resolved.conf.d
+cat > /etc/systemd/resolved.conf.d/no-stub-listener.conf <<EOF
+[Resolve]
+DNSStubListener=no
+EOF
+
+cat > /etc/systemd/network/20-br0.netdev <<EOF
+[NetDev]
+Name=br0
+Kind=bridge
+EOF
+
+cat > /etc/systemd/network/60-br0.network <<EOF
+[Match]
+Name=br0
+
+[Network]
+DHCP=yes
+EOF
+
+cat > /etc/systemd/network/40-eno1.network <<EOF
+[Match]
+Name=eno1
+
+[Network]
+Bridge=br0
+EOF
+
+cat > /etc/systemd/network/61-virbr0.network <<EOF
+[Match]
+Name=virbr0
+
+[Network]
+Address=172.21.10.1/26
+EOF
+
+cat > /etc/systemd/network/21-virbr0.netdev <<EOF
+[NetDev]
+Name=virbr0
+Kind=bridge
+EOF
+
+cat > /etc/resolv.conf <<EOF
+search securepassage.com
+nameserver ::1
+EOF
+
+mkdir /etc/systemd/system/dnsmasq.service.d
+cat > /etc/systemd/system/dnsmasq.service.d/after-resolved.conf <<EOF
+[Unit]
+Wants=systemd-resolved.service
+After=systemd-resolved.service
+EOF
+
+cat > /etc/dnsmasq.d/dustin.test.conf <<EOF
+interface=virbr0
+dhcp-range=set:test0,172.21.10.2,172.21.10.19,10m
+dhcp-range=set:test0,::ff,::ff:ffff,constructor:virbr0,slaac
+domain=dustin.test,172.21.10.0/26
+interface-name=zaphym.dustin.test,virbr0
+srv-host=_fmosconfig._tcp.dustin.test,zaphym.dustin.test,4967,10,100
+txt-record=_fmosconfig._tcp.dustin.test,ssl=no
+EOF
+
+cat > /etc/dnsmasq.d/securepassage.conf <<EOF
+server=/securepassage.com/192.168.20.146
+server=/securepassage.com/192.168.20.147
+server=/lab.firemon.com/192.168.20.146
+server=/lab.firemon.com/192.168.20.147
+server=/intranet.firemon.com/192.168.20.146
+server=/intranet.firemon.com/192.168.20.147
+server=/firemon.in/192.168.20.146
+server=/firemon.in/192.168.20.147
+server=/168.192.in-addr.arpa/192.168.20.146
+server=/168.192.in-addr.arpa/192.168.20.147
+server=/10.in-addr.arpa/192.168.20.146
+server=/10.in-addr.arpa/192.168.20.147
+EOF
+
+cat > /etc/dnsmasq.d/fmaas.conf <<EOF
+server=/testing.cloud.frmn/10.61.65.10
+server=/65.61.10.in-addr.arpa/10.61.65.10
+server=/prod.cloud.frmn/10.61.1.10
+server=/1.61.10.in-addr.arpa/10.61.1.10
+server=/dev.cloud.frmn/10.82.1.10
+server=/1.82.10.in-addr.arpa/10.82.1.10
+EOF
+
+cat > /etc/dnsmasq.d/resolv.conf <<EOF
+resolv-file=/run/systemd/resolve/resolv.conf
+EOF
+
+cat > /etc/qemu/bridge.conf <<EOF
+allow br0
+allow virbr0
+allow virbr1
+allow virbr2
+allow virbr3
+EOF
+
+sed -i \
+    -e 's/Xorg/Xorg -dpi 144/' \
+    -e 's/gtk_theme=.*/gtk_theme=Adwaita/' \
+    -e 's:bg=.*:bg=/usr/share/backgrounds/default.png:' \
+    -e 's/disable=0/disable=1/' \
+    /etc/lxdm/lxdm.conf
+
+
+# Generate SSH host keys before first boot, since / will be read-only then
+/usr/libexec/openssh/sshd-keygen ecdsa
+/usr/libexec/openssh/sshd-keygen ed25519
+/usr/libexec/openssh/sshd-keygen rsa
+
+# Configuration for FMOS virtual machines/automatic configuration
+firewall-offline-cmd --zone internal --add-interface virbr0
+firewall-offline-cmd --zone internal --add-service dhcp
+firewall-offline-cmd --zone internal --add-service dns
+firewall-offline-cmd --zone internal --add-service http
+firewall-offline-cmd --zone internal --add-port 4967/tcp
+firewall-offline-cmd --zone public --add-rich-rule 'rule family="ipv4" source address="172.21.10.0/26" masquerade'
+
+# Enable read-only rootfs. This cannot be done with part/logvol, as that would
+# make Anaconda mount it read-only befor the installation starts.
+sed -i -r '/\S+\s+\/\s+/s/defaults/ro,nodev/' /etc/fstab
+
+# Make sure all filesystems /tmp is mounted noexec,nosuid,nodev
+echo 'tmpfs /tmp tmpfs mode=1777,strictatime,noexec,nodev,nosuid 0 0' >> /etc/fstab
+%end