%pre
# Report to the provisioning server that the install has started. Best effort:
# a failed callback must never abort the installation.
# NOTE(review): the callback goes over plain HTTP, so it is neither
# authenticated nor protected in transit.
wget http://{{ pxe_server }}/started || true

# Let pending udev events finish, then drop every device-mapper mapping so
# nothing below is held open by a stale mapping.
udevadm settle
dmsetup remove_all

# Deactivate the existing volume groups named "system" and "os".
for vg in system os; do
    vgchange -an "$vg"
done

# Clear software RAID devices, if any. The md names listed in /proc/mdstat
# are collected in a scratch file created by mktemp (unpredictable name).
raid_devices=$(mktemp /tmp/mdstat.XXXXXXXXX)
grep '^md' /proc/mdstat | cut -d: -f1 > "$raid_devices"

if [ ! -s "$raid_devices" ]; then
    echo "All RAID devices are cleared"
else
    # The list is read on fd 3 so the tools inside the loop keep their stdin.
    while read -r raid <&3; do
        wipefs -f -a "/dev/$raid"
        # If the array cannot be stopped, settle udev and clear device-mapper
        # once more, then retry the stop a single time.
        if ! mdadm --stop -f "/dev/$raid"; then
            udevadm settle
            dmsetup remove_all
            mdadm --stop -f "/dev/$raid"
        fi
    done 3< "$raid_devices"
fi

rm -vf "$raid_devices"

# Wipe signatures on every block device that lsblk reports with TYPE "disk".
# NOTE(review): this covers all such devices, not only the disk the
# partitioning section installs to. Attached data disks and removable media
# of that type are wiped as well; confirm that this is intended.
install_disks=$(lsblk -ndo NAME,TYPE | awk '$2 == "disk" {print "/dev/" $1}')

if [ -n "$install_disks" ]; then
    # Unquoted on purpose: the list holds one device path per word.
    for disk in $install_disks; do
        echo "Wiping signatures on $disk"
        wipefs -f -a "$disk"
    done
else
    echo "No block devices detected to wipe"
fi

%end

# Accept the EULA so the unattended install does not stop to ask for it
eula --agreed

# Firewall configuration: firewall enabled, with the ssh service allowed in
firewall --enabled --ssh

# Keyboard layouts
keyboard 'us'

# Timezone (--isUtc: the hardware clock is treated as UTC)
timezone Etc/UTC --isUtc

# Network information: static addressing, with every value supplied by the
# template. The device falls back to eth0 when no management interface is
# given, and only the first entry of dns_servers is passed as a nameserver.
network  --bootproto=static --device={{ mgmt_interface|default("eth0") }} --gateway={{ gateway }} --ip={{ ip }} --netmask={{ netmask }} {% if dns_servers %}--nameserver={{ dns_servers | first }}{% endif %}  --hostname={{ hostname }}

# Root PW
# The template renders one of three outcomes:
#   - pwd set: emitted with --iscrypted, i.e. treated as an already-hashed value
#   - pw set:  emitted without --iscrypted, i.e. treated as a cleartext password
#   - neither: no rootpw directive is rendered at all
# NOTE(review): in the pw case the rendered kickstart file contains the root
# password in the clear. Anyone who can read or intercept that file obtains it;
# prefer supplying a hash through pwd.
{% if pwd is defined and pwd %}
rootpw --iscrypted {{ pwd }}
{% elif pw is defined and pw %}
rootpw {{ pw }}
{% else %}
# rootpw not set
{% endif %}

# Reboot after installation
reboot

# Use text mode install
text

# System language
lang en_US

# SELinux configuration: permissive mode, where policy denials are logged but
# not enforced.
# NOTE(review): the package list in this file installs scap-security-guide,
# fapolicyd and usbguard, which suggests a hardened baseline. Confirm that
# permissive (rather than enforcing) is intended for the installed system.
selinux --permissive

# Administrative user, added to the wheel group. It is created from the same
# pwd / pw template values as the root account, so both accounts end up with
# the same credential. As with rootpw, the pw branch writes the password into
# the rendered file in cleartext; when neither value is set no user is created.
{% if pwd is defined and pwd %}
user --name={{ username }} --groups=wheel --password={{ pwd }} --iscrypted
{% elif pw is defined and pw %}
user --name={{ username }} --groups=wheel --password={{ pw }}
{% else %}
# user password not set
{% endif %}

# Partition clearing information
# --all removes the partitions on every disk the installer can see, not only
# on the install device used below; --initlabel writes a fresh disk label.
clearpart --all --initlabel

# Disk partitioning information
# All --size values are in MiB. Every partition is placed on the install
# device supplied by the template.

## EFI partition (required for UEFI)
## umask=0077 leaves the files on this filesystem accessible to root only.
part /boot/efi --fstype="efi" --size=600 --fsoptions="umask=0077,shortname=winnt" --ondisk={{ install_device }}

## Boot partition
part /boot --fstype="xfs" --size=1024 --ondisk={{ install_device }}

## Create LVM physical volume (16 GiB minimum, grows to fill the disk)
part pv.01 --size=16384 --grow --ondisk={{ install_device }}

## Create volume group
volgroup vg0 pv.01

## Logical volumes
## NOTE(review): the sizes below add up to 720160 MiB (about 703 GiB), with
## /var growing beyond its 500000 MiB minimum. A smaller install device is
## expected to fail at partitioning; verify against the target hardware.
logvol / --vg=vg0 --name=lv_root --size=20480 --fstype=xfs
logvol /home --vg=vg0 --name=lv_home --size=102400 --fstype=xfs
logvol /var --vg=vg0 --name=lv_var --size=500000 --grow --fstype=xfs
logvol /var/log --vg=vg0 --name=lv_var_log --size=20480 --fstype=xfs
logvol /var/log/audit --vg=vg0 --name=lv_var_log_audit --size=20480 --fstype=xfs
logvol /var/tmp --vg=vg0 --name=lv_var_tmp --size=20480 --fstype=xfs
logvol /tmp --vg=vg0 --name=lv_tmp --size=20480 --fstype=xfs
logvol swap --vg=vg0 --name=lv_swap --size=15360 --fstype=swap

%post --log=/root/ks-post.log
# Enable sshd for every boot and request an immediate start.
systemctl enable --now sshd

# Allow root login with password over SSH: each option is rewritten to "yes"
# on its existing line, whether or not that line is commented out.
# NOTE(review): together these expose the root account to password guessing
# on every network that can reach port 22. If this is only needed for
# provisioning, plan a later step that restores key-only access for root.
# NOTE(review): the sed only edits lines already present in this one file;
# settings from included drop-in files are not touched. Verify the effective
# configuration on the installed system.
for opt in PermitRootLogin PasswordAuthentication; do
    sed -i "s/^#\?${opt}.*/${opt} yes/" /etc/ssh/sshd_config
done
systemctl restart sshd

# Start the read-write, read-only and admin sockets of each virt daemon in the
# list, then run the host validation tool.
# NOTE(review): %post normally runs chrooted into the installed system, where
# systemctl is expected to skip start and restart requests. If these sockets
# must be active after first boot they likely need "enable"; confirm.
for drv in qemu network nodedev nwfilter secret storage interface; do
    systemctl start virt${drv}d{,-ro,-admin}.socket
done
virt-host-validate

# Turn off IPv6 handling on the management connection.
nmcli connection modify {{ mgmt_interface|default("eth0") }} ipv6.method ignore

%end

%post --log=/root/ks-post.log
# NOTE(review): this section repeats the sshd and nmcli steps of the previous
# post section and logs to the same /root/ks-post.log. The second log is
# likely to replace the first; confirm whether both sections are needed.

# Enable sshd for every boot and request an immediate start.
systemctl enable --now sshd

# Allow root login with password over SSH: each option is rewritten to "yes"
# on its existing line, whether or not that line is commented out.
# NOTE(review): this exposes the root account to password guessing on every
# network that can reach port 22; restore key-only access once provisioning
# no longer needs it.
for opt in PermitRootLogin PasswordAuthentication; do
    sed -i "s/^#\?${opt}.*/${opt} yes/" /etc/ssh/sshd_config
done
systemctl restart sshd

# Turn off IPv6 handling on the management connection.
nmcli connection modify {{ mgmt_interface|default("eth0") }} ipv6.method ignore

%end

%packages
# Package selection: "@^" names an environment, "@" a package group, a bare
# name adds a package, and a leading "-" leaves a package out.
@^server-product-environment
@standard
# Added packages, including integrity, audit and hardening tooling
# (aide, audit, fapolicyd, openscap, scap-security-guide, usbguard).
# NOTE(review): no libvirt or qemu package is listed, although the first post
# section starts the virt daemon sockets and runs virt-host-validate. Confirm
# they are pulled in by the environment or installed elsewhere.
aide
audit
expect
fapolicyd
firewalld
kexec-tools
opensc
openscap
openscap-scanner
openssh-server
python3
openssl-pkcs11
policycoreutils
postfix
rng-tools
rsyslog
rsyslog-gnutls
scap-security-guide
tmux
usbguard
# Excluded packages: crash reporting (abrt and its add-ons), Kerberos
# client/server, and legacy network services (rsh, telnet, tftp, vsftpd),
# among others.
-abrt
-abrt-addon-ccpp
-abrt-addon-kerneloops
-abrt-cli
-abrt-plugin-sosreport
-iprutils
-krb5-server
-krb5-workstation
-libreport-plugin-logger
-python3-abrt-addon
-rsh-server
-sendmail
-telnet-server
-tftp-server
-tuned
-vsftpd
%end