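## Kickstart file for FreeIPA, with Fedora Server ##
#
# Installs a host named "ipa" with a static address, a LUKS2-encrypted btrfs
# root and a clevis/TPM2 binding so the volume can unlock without a typed
# passphrase.
#
# SECURITY: this file embeds a LUKS passphrase and a plaintext root password.
# Anyone who can read the file (HTTP/TFTP server, ISO, git history) learns
# both, so treat them as install-time throwaways and rotate them right after
# provisioning.

# Installer type
graphical
#text

# Repositories
# The URL is a metalink, so it is passed with --metalink. A metalink also
# carries checksums for the repository metadata, not just a list of mirrors.
# The release is pinned to fedora-35; keep this on a supported release, since
# an end-of-life release no longer receives security updates.
url --metalink="https://mirrors.fedoraproject.org/metalink?repo=fedora-35&arch=x86_64"
#repo --name=fedora --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-35&arch=x86_64" --cost=1
#repo --name=fedora-updates --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f35&arch=x86_64" --cost=0
#repo --name=rpmfusion-free --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-35&arch=x86_64" --includepkgs=rpmfusion-free-release
#repo --name=rpmfusion-free-updates --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-updates-released-35&arch=x86_64" --cost=0
#repo --name=rpmfusion-nonfree --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-35&arch=x86_64" --includepkgs=rpmfusion-nonfree-release
#repo --name=rpmfusion-nonfree-updates --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-updates-released-35&arch=x86_64" --cost=0

%packages
# Install clevis packages
clevis-dracut
clevis-luks
clevis-systemd
%end

# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'

# System language
lang en_US.UTF-8

# Firewall configuration
# This is disabled because it interferes with Kubernetes
# NOTE(review): the Kubernetes rationale looks inherited from another host;
# this file installs a FreeIPA server. Leaving the directive commented out
# most likely keeps the distribution default rather than turning firewalld
# off. Confirm the resulting state on the installed system and open only the
# ports the IPA services need.
#firewall --use-system-defaults

# Network information
network --bootproto=static --device=enp6s18 --gateway=10.130.0.254 --ip=10.130.0.2 --nameserver=1.1.1.1 --nameserver=1.0.0.1 --netmask=255.255.0.0 --ipv6=auto --activate
network --hostname=ipa

# Use CDROM installation media
# Disabled for netinstall images and clevis
#cdrom

# Run the Setup Agent on first boot
firstboot --enable

# Generated using Blivet version 3.4.2
ignoredisk --only-use=sda

# System bootloader configuration
bootloader --location=mbr --boot-drive=sda

# Partition clearing information
clearpart --all

# Disk partitioning information
part /boot --fstype="ext4" --ondisk=sda --size=1024 --label=boot
part /boot/efi --fstype="efi" --ondisk=sda --size=512 --fsoptions="umask=0077,shortname=winnt" --label=EFI
# LUKS password here is hardcoded, remember to change it after install (maybe with Ansible)
# It is four characters long and stays in a key slot after install, so it is
# the weakest way into the volume until it is replaced with a strong recovery
# passphrase.
part btrfs.system --fstype="btrfs" --ondisk=sda --grow --encrypted --luks-version=luks2 --passphrase=4u8t --label=system --fsoptions="x-systemd.device-timeout=0"
btrfs none --label=btrfs.system btrfs.system
btrfs / --subvol --name=@root LABEL=btrfs.system

# System timezone
timezone Europe/Rome --utc

# Root password
# It is hardcoded, remember to change it after install (maybe with Ansible)
# Prefer `rootpw --iscrypted <hash>` or, since root already gets an SSH key
# below, `rootpw --lock`, so that no usable password travels with this file.
rootpw --plaintext "tuogenitore2"

# SSH authorized keys
# Ansible ssh
sshkey --username=root "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxp2oMO4qEHXPpwnj8wPBuk46IAYJcct8kuxcigt1t4 ansible"
# Add other keys with Ansible

# The script uses bash here-strings, so the interpreter is named explicitly.
# --erroronfail together with `set -e` stops the install if the clevis binding
# fails, instead of producing a host that waits at a passphrase prompt on
# first boot. Do not add `set -x` here: the trace would write the passphrase
# into the log file.
%post --interpreter=/bin/bash --erroronfail --log=/root/ks-post.log
set -euo pipefail

# Encrypted partition created above; presumably the third partition on sda
# (after /boot and /boot/efi). Confirm if the layout changes.
luks_dev=/dev/sda3
# Must match --passphrase on the `part btrfs.system` line.
# NOTE(review): the %post body may be kept in the installed system's copy of
# this kickstart; check for it there and scrub it after rotating the
# passphrase.
luks_pass='4u8t'

# Enable clevis
# The pin uses sha256 rather than the deprecated sha1.
# No pcr_ids are configured, so the sealed key is not tied to any measured
# boot state: whoever can boot this machine gets the volume unlocked. Add a
# PCR policy if the threat model includes physical or hypervisor-level access.
clevis luks bind -y -k - -d "${luks_dev}" \
  tpm2 '{"hash":"sha256","key":"rsa"}' <<< "${luks_pass}"

# If you want to remove temporary LUKS password:
# (do this only once a strong recovery passphrase or a second binding exists,
# otherwise a TPM failure leaves the volume unrecoverable)
#cryptsetup luksRemoveKey "${luks_dev}" <<< "${luks_pass}"

# Regenerate initramfs:
dracut -fv --regenerate-all
%end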