# vim: set ft=sh :
text
url --url http://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os
repo --name=updates --baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch
repo --name=dch --baseurl=http://files.pyrocufflink.blue/yum/dch/fedora/$releasever
lang en_US.UTF-8
keyboard us
timezone --utc UTC
rootpw --lock
reboot

# Create the "standard" disk layout using only the first disk
# Other disks are left alone in case they already contain data, e.g.
# migrated from another system.
ignoredisk --only-use /dev/disk/by-id/nvme-Samsung_SSD_980_250GB_S64CNJ0RB07610E
bootloader --location mbr
clearpart --all --initlabel
reqpart
part /boot --fstype ext4 --size=512
part pv.01 --size=1 --grow
volgroup fedora pv.01
logvol / --fstype ext4 --name=root --vgname=fedora --size=4096
logvol /home --fstype ext4 --name=home --vgname=fedora --size=100
logvol /var --fstype ext4 --name=var --vgname=fedora --size=1024 --grow
logvol /var/log --fstype ext4 --name=var_log --vgname=fedora --size=1024

%packages --exclude-weakdeps
-NetworkManager
-authconfig
-dhcp-client
-dnf-plugins-core
-dnf-yum
-dracut-config-rescue
-grub2-tools-extra
-man-db
-openssh-clients
-parted
-plymouth
-sssd-common
-sssd-kcm
-sudo
-yum
amd-gpu-firware
btrfs-progs
chrony
dnf
e2fsprogs
grubby
kitty-terminfo
mdadm
openssh-server
python3-libselinux
python3-policycoreutils
rng-tools
selinux-policy-targeted
smartmontools
sshca-cli-systemd
systemd-networkd
%end

network --hostname=nvr2.pyrocufflink.blue

services --enabled systemd-networkd,systemd-resolved,ssh-host-certs-renew.timer,ssh-host-certs.target --disabled systemd-homed,systemd-userdbd,systemd-userdbd.socket

%addon com_redhat_kdump --disable
%end

%post --erroronfail
date
env
echo 'install_weak_deps=0' >> /etc/dnf/dnf.conf
echo 'deltarpm=0' >> /etc/dnf/dnf.conf
echo '%_excludedocs 1' >> /etc/rpm/macros

# Trust SSHCA to authenticate users
cat >> /etc/ssh/ca.pub <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue
EOF
cat >> /etc/ssh/sshd_config.d/70-trustedusercakeys.conf <<'EOF'
TrustedUserCAKeys /etc/ssh/ca.pub
EOF

# Configure SSH daemon to use host certificates obtained from SSHCA
cat > /etc/sysconfig/ssh-host-cert-sign <<EOF
SSHCA_SERVER=https://sshca.pyrocufflink.blue
EOF
for a in ecdsa ed25519 rsa; do
    printf 'HostCertificate /etc/ssh/ssh_host_%s_key-cert.pub\n' "${a}"
done > /etc/ssh/sshd_config.d/10-hostcertificate.conf

# Configure networking with systemd-networkd
rm -rf /etc/sysconfig/network-scripts /etc/sysconfig/network
cat > /etc/systemd/network/99-default.network <<EOF
[Match]
Name=en*
Type=ether

[Network]
DHCP=true
EOF
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

# systemd-getty-generator is broken in F40
if [ $(rpm -E %fedora) -eq 40 ]; then
    console=$(cat /sys/class/tty/console/active)
    case "${console}" in
    ttyS*)
        systemctl enable serial-getty@$console
        ;;
    esac
fi
%end