From be24a5dd52fc9c93a04a36284f5187f656b6b81d Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 27 Dec 2024 10:14:00 -0600
Subject: [PATCH] Add generic Fedora kickstarts

* `fedora.ks` is used for virtual machines running Fedora Linux
* `fedora-rpi.ks` is for Raspberry Pi machines
* `common.ks` is shared between the two
---
 fedora-common.ks | 101 +++++++++++++++++++++++++++++++++++++++++++++++
 fedora-rpi.ks    |  29 ++++++++++++++
 fedora.ks        |  21 ++++++++++
 3 files changed, 151 insertions(+)
 create mode 100644 fedora-common.ks
 create mode 100644 fedora-rpi.ks
 create mode 100644 fedora.ks

diff --git a/fedora-common.ks b/fedora-common.ks
new file mode 100644
index 0000000..d2cb75d
--- /dev/null
+++ b/fedora-common.ks
@@ -0,0 +1,101 @@
+# vim: set ft=sh :
+text
+url --url http://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os
+repo --name=updates --baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch
+repo --name=dch --baseurl=http://files.pyrocufflink.blue/yum/dch/fedora/$releasever
+lang en_US.UTF-8
+keyboard us
+timezone --utc UTC
+rootpw --lock
+reboot
+
+%packages --exclude-weakdeps
+-NetworkManager
+-authconfig
+-dhcp-client
+-dnf-plugins-core
+-dnf-yum
+-dracut-config-rescue
+-man-db
+-openssh-clients
+-parted
+-plymouth
+-sssd-common
+-sssd-kcm
+-sudo
+-yum
+chrony
+dnf
+e2fsprogs
+grubby
+kitty-terminfo
+openssh-server
+python3-libselinux
+python3-policycoreutils
+rng-tools
+selinux-policy-targeted
+sshca-cli-systemd
+systemd-networkd
+%end
+
+services --enabled systemd-networkd,systemd-resolved,ssh-host-certs-renew.timer,ssh-host-certs.target --disabled systemd-homed,systemd-nsresourced,systemd-nsresourced.socket,systemd-userdbd,systemd-userdbd.socket
+
+%addon com_redhat_kdump --disable
+%end
+
+%post --erroronfail
+export NO_PROXY='pyrocufflink.blue,*.pyrocufflink.blue'
+
+echo 'install_weak_deps=0' >> /etc/dnf/dnf.conf
+echo 'deltarpm=0' >> /etc/dnf/dnf.conf
+echo '%_excludedocs 1' >> /etc/rpm/macros
+
+# Set the hostname
+hostname -f > /etc/hostname
+
+# Trust SSHCA to authenticate users
+curl -fsSL https://sshca.pyrocufflink.blue/user/ca > /etc/ssh/ca.pub
+test -s /etc/ssh/ca.pub || exit
+cat >> /etc/ssh/sshd_config.d/70-trustedusercakeys.conf <<'EOF'
+TrustedUserCAKeys /etc/ssh/ca.pub
+EOF
+
+# Configure SSH daemon to use host certificates obtained from SSHCA
+cat > /etc/sysconfig/ssh-host-cert-sign <<EOF
+SSHCA_SERVER=https://sshca.pyrocufflink.blue
+EOF
+for a in ecdsa ed25519 rsa; do
+    printf 'HostCertificate /etc/ssh/ssh_host_%s_key-cert.pub\n' "${a}"
+done > /etc/ssh/sshd_config.d/10-hostcertificate.conf
+
+# Configure networking with systemd-networkd
+# Use MAC address as client ID to keep the same lease from Anaconda
+rm -rf /etc/sysconfig/network-scripts /etc/sysconfig/network
+cat > /etc/systemd/network/99-default.network <<EOF
+[Match]
+Name=en*
+Type=ether
+
+[Network]
+DHCP=true
+
+[DHCPv4]
+ClientIdentifier=mac
+UseDomain=true
+EOF
+ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+# systemd-getty-generator is broken in F40
+if [ $(rpm -E %fedora) -eq 40 ]; then
+    console=$(cat /sys/class/tty/console/active)
+    case "${console}" in
+    ttyS*)
+        systemctl enable serial-getty@$console
+        ;;
+    esac
+fi
+
+# Enable read-only rootfs. This cannot be done with part/logvol, as that would
+# make Anaconda mount it read-only befor the installation starts.
+#sed -i -r '/\S+\s+\/\s+/s/defaults/ro/' /etc/fstab
+%end
diff --git a/fedora-rpi.ks b/fedora-rpi.ks
new file mode 100644
index 0000000..5a0bebe
--- /dev/null
+++ b/fedora-rpi.ks
@@ -0,0 +1,29 @@
+# vim: set ft=sh :
+bootloader --location none
+clearpart --all --initlabel --disklabel msdos
+part /boot/efi --fstype vfat --size 128 --label RASPBERRYPI
+part /boot --fstype ext4 --size 512 --label boot
+part pv.01 --size 1 --grow
+volgroup fedora pv.01
+logvol / --fstype ext4 --name rootfs --vgname fedora --size 4096 --label rootfs
+logvol swap --fstype swap --name swap --vgname fedora --size 1024 --maxsize 8192 --label swap --grow
+logvol /var --fstype ext4 --name var --vgname fedora --size 2048 --label var --grow
+logvol /var/log --fstype ext4 --name var_log --vgname fedora --size 1024 --label var-log
+logvol /home --fstype ext4 --name home --vgname fedora --size 100 --label home
+logvol /tmp --fstype ext4 --name tmp --vgname fedora --size 2048 --label tmp
+
+timesource --ntp-pool 2.fedora.pool.ntp.org
+
+%packages --exclude-weakdeps
+bcm2711-firmware
+bcm283x-overlays
+uboot-images-armv8
+%end
+
+%include http://git.pyrocufflink.net/infra/kickstart/raw/branch/master/fedora-common.ks
+
+%post --erroronfail
+cp -P /usr/share/uboot/rpi_arm64/u-boot.bin /boot/efi/rpi-u-boot.bin
+
+grubby --args='quiet systemd.show_status=1' --update-kernel=ALL
+%end
diff --git a/fedora.ks b/fedora.ks
new file mode 100644
index 0000000..aeea88d
--- /dev/null
+++ b/fedora.ks
@@ -0,0 +1,21 @@
+# vim: set ft=sh sw=4 ts=4 sts=4 et :
+
+# Create the "standard" disk layout using only the first disk
+# Other disks are left alone in case they already contain data, e.g.
+# migrated from another system.
+bootloader --location mbr
+clearpart --all --initlabel --drives vda
+reqpart
+part /boot --fstype ext4 --size=512 --ondisk vda
+part pv.01 --size=1 --grow --ondisk vda
+volgroup fedora pv.01
+logvol / --fstype ext4 --name=root --vgname=fedora --size=4096
+logvol /home --fstype ext4 --name=home --vgname=fedora --size=100
+logvol /var --fstype ext4 --name=var --vgname=fedora --size=1024 --grow
+logvol /var/log --fstype ext4 --name=var_log --vgname=fedora --size=1024
+
+%include https://git.pyrocufflink.net/infra/kickstart/raw/branch/master/fedora-common.ks
+
+%packages
+qemu-guest-agent
+%end