# vim: set ft=sh :
text
url --metalink https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
repo --name=updates --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
repo --name=fedora-modular --metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
repo --name=updates-modular --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
lang en_US.UTF-8
keyboard us
timezone --utc UTC
rootpw --lock
reboot

bootloader --location mbr
clearpart --all --initlabel
reqpart
part /boot --fstype ext4 --size=1024
part btrfs.0 --fstype btrfs --size 4096
part btrfs.1 --fstype btrfs --grow
btrfs none --label fedora btrfs.0
btrfs none --label data btrfs.1
btrfs / --subvol --name root LABEL=fedora
btrfs /home --subvol --name home LABEL=data
btrfs /var --subvol --name var LABEL=data
btrfs /etc/cni/net.d --subvol --name cni-net LABEL=data
btrfs /usr/libexec/kubernetes/kubelet-plugins --subvol --name kubelet-plugins LABEL=data
btrfs /opt --subvol --name opt LABEL=data

%pre
echo '%packages' > /tmp/packages.ks
sys_vendor=$(tr A-Z a-z < /sys/devices/virtual/dmi/id/sys_vendor)
case "${sys_vendor}" in
kvm|bochs|qemu)
    install_qga=1
    ;;
esac
if [ ${install_qga:-0} -eq 1 ]; then
    echo 'qemu-guest-agent' >> /tmp/packages.ks
fi
echo '%end' >> /tmp/packages.ks
%end
%include /tmp/packages.ks

module --name cri-o --stream 1.22

%packages --exclude-weakdeps
-NetworkManager
-authconfig
-dhcp-client
-dnf-plugins-core
-dnf-yum
-dracut-config-rescue
-e2fsprogs
-firewalld
-man-db
-openssh-clients
-parted
-plymouth
-sssd-common
-sssd-kcm
-sudo
-yum
-zram-generator
-zram-generator-defaults
chrony
cri-o
cri-tools
dnf
dnf-command(system-upgrade)
ethtool
grubby
iproute-tc
iptables-nft
kitty-terminfo
kubernetes-client
kubernetes-kubeadm
kubernetes-node
openssh-server
rng-tools
selinux-policy-targeted
systemd-networkd
%end

services --enabled crio,kubelet,systemd-networkd,systemd-resolved

%addon com_redhat_kdump --disable
%end

%post --erroronfail
echo 'install_weak_deps=0' >> /etc/dnf/dnf.conf
echo 'deltarpm=0' >> /etc/dnf/dnf.conf
echo '%_excludedocs 1' >> /etc/rpm/macros

systemctl mask systemd-journald-audit.socket

sed -i \
    -e 's:.*AuthorizedKeysCommand .*:AuthorizedKeysCommand /usr/local/libexec/ssh-authorized-keys %u %t:' \
    -e 's:.*AuthorizedKeysCommandUser .*:AuthorizedKeysCommandUser nobody:' \
    /etc/ssh/sshd_config
cat > /usr/local/libexec/ssh-authorized-keys <<"EOF"
#!/bin/sh

USER="${1}"
KEYTYPE="${2}"

curl -gs http://sshkeys.pyrocufflink.blue/"${USER}"/"${KEYTYPE}".pub
EOF
chmod +x /usr/local/libexec/ssh-authorized-keys
chcon -t bin_t /usr/local/libexec/ssh-authorized-keys
setsebool -NP authlogin_yubikey on

rm -rf /etc/sysconfig/network-scripts /etc/sysconfig/network

cat > /etc/systemd/network/99-default.network <<EOF
[Match]
Name=en*
Type=ether

[Network]
DHCP=true
EOF
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

# Generate SSH host keys before first boot, since / will be read-only then
/usr/libexec/openssh/sshd-keygen ecdsa
/usr/libexec/openssh/sshd-keygen ed25519
/usr/libexec/openssh/sshd-keygen rsa

cat > /etc/modules-load.d/k8s.conf <<'EOF'
br_netfilter
EOF

cat > /etc/sysctl.d/k8s.conf <<'EOF'
# Required for Kubernetes
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF

sed -i 's/^driver = .*/driver = "btrfs"/' /etc/containers/storage.conf

# Enable read-only rootfs. This cannot be done with part/logvol, as that would
# make Anaconda mount it read-only befor the installation starts.
sed -i -r '/\S+\s+\/\s+/s/subvol=root/ro,&/' /etc/fstab
%end