rocky9.ks.cfg

# TODO: It seems network fails on "Not connected" for a few seconds,
# enough for Anaconda to crash in unattended mode.
# cmdline
# Fall back to text mode instead
text

poweroff

lang en_US.UTF-8
keyboard us
timezone Europe/Stockholm --utc
timesource --ntp-server ntp1.sonix.network
timesource --ntp-server ntp2.sonix.network
timesource --ntp-server sth1.ntp.se
timesource --ntp-server sth2.ntp.se
timesource --ntp-server gbg1.ntp.se

firstboot --disable
# Do not configure the X Window System
skipx
# System services
services --enabled="chronyd"

rootpw $2b$10$nWzjLP1rOcngUYdr/MWhXu076wtenkWqSVSb38xMpbEGv4a6VqFnq --iscrypted
user --name=sonix --password=$2b$10$nWzjLP1rOcngUYdr/MWhXu076wtenkWqSVSb38xMpbEGv4a6VqFnq --iscrypted --groups=wheel
sshkey --username=sonix "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJCdzuxbilMQWyUEjUMLs2gJ47H8FqabFK+ffyUnHTS"

url --url https://dl.rockylinux.org/pub/rocky/9/BaseOS/x86_64/os --proxy http://proxy.sonix.network:3128
repo --name=AppStream --mirrorlist https://mirrors.rockylinux.org/mirrorlist?repo=AppStream-9&arch=x86_64

%pre
for x in $(</proc/cmdline)
do
   case $x in
      HOSTNAME*)
         eval $x
         ;;
      nameserver*)
         eval $x
         ;;
   esac
done
addr="$(ip ro get 2001:: | awk '{print $9}')/64"
gw="$(ip ro get 2001:: | awk '{print $9}' | sed -E 's/:([^:]+)$//'):1"
dev="$(ip ro get 2001:: | awk '{print $5}')"
echo "network --no-activate --onboot yes --device ${dev} --noipv4 --bootproto static --ipv6 $addr --ipv6gateway $gw --nameserver ${nameserver:-${gw}} --hostname $HOSTNAME" > /tmp/network.ks
%end

%include /tmp/network.ks

selinux --enforcing
firewall --enabled --ssh

zerombr
clearpart --all --initlabel

part /boot --fstype="ext4" --size=1024
part /boot/efi --fstype="vfat" --size=512
part pv.01 --size=1 --grow
volgroup vgsys pv.01
logvol / --fstype=ext4 --name=lvroot --vgname=vgsys --grow --size=4096 --maxsize=15000
logvol /home --fstype=ext4 --name=lvhome --vgname=vgsys --size=4096 --fsoptions="nodev,nosuid,noexec"
logvol /var --fstype=ext4 --name=lvvar --vgname=vgsys --size=10000 --fsoptions="nodev,nosuid,noexec"
logvol /var/tmp --fstype=ext4 --name=lvvartmp --vgname=vgsys --size=4096 --fsoptions="nodev,nosuid,noexec"
logvol /tmp --fstype=ext4 --name=lvtmp --vgname=vgsys --size=4096 --fsoptions="nodev,nosuid,noexec"
logvol /var/log --fstype=ext4 --name=lvvarlog --vgname=vgsys --size=10000 --fsoptions="nodev,nosuid,noexec"
logvol /var/log/audit --fstype=ext4 --name=lvvarlogaudit --vgname=vgsys --size=4096 --fsoptions="nodev,nosuid,noexec"
logvol swap --name=lvswap --vgname=vgsys --size=4096

%packages
@^minimal-environment
kexec-tools
wget
tar
vim
lsof
tmux
-iwl*firmware
-timedatex
-tuned
-libsss_autofs
-python3-unbound
-rsync
%end

%post
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky9
echo "HISTTIMEFORMAT='%F %T '" > /etc/profile.d/sonix-histtimeformat.sh
echo "export HISTTIMEFORMAT" >> /etc/profile.d/sonix-histtimeformat.sh
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
echo "vm.swappiness = 1" > /etc/sysctl.d/sonix-swappiness.conf
nmcli radio all off

cat >/etc/modprobe.d/filesystems.conf <<EOF
install cramfs /bin/false
blacklist cramfs
install squashfs /bin/false
blacklist squashfs
install udf /bin/false
blacklist udf
EOF

echo "/dev/shm                      tmpfs         defaults,rw,nosuid,nodev,noexec,relatime   0 0" >> /etc/fstab
echo "install usb-storage /bin/true" > /etc/modprobe.d/usbstorage.conf
chmod og-rwx /boot/grub2/grub.cfg
echo "Storage=none" >> /etc/systemd/coredump.conf
echo "ProcessSizeMax=0" >> /etc/systemd/coredump.conf

echo "net.ipv6.conf.all.autoconf = 0" > /etc/sysctl.d/sonix-ipv6.conf
echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.d/sonix-ipv6.conf
echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.d/sonix-ipv6.conf
echo "net.ipv6.conf.all.accept_source_route = 0" >> /etc/sysctl.d/sonix-ipv6.conf
echo "net.ipv6.conf.default.accept_source_route = 0" >> /etc/sysctl.d/sonix-ipv6.conf
echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.d/sonix-ipv6.conf
echo "net.ipv6.conf.all.accept_redirects= 0" >> /etc/sysctl.d/sonix-ipv6.conf

echo "net.ipv4.conf.all.arp_filter = 1" > /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.all.arp_announce = 1" >> /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/sonix-ipv4.conf
echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/sonix-ipv4.conf

sed -i 's/rhgb quiet/verbose audit=1 audit_backlog_limit=8192/' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg

sed -i 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config.d/sonix.conf
echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config.d/sonix.conf
echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config.d/sonix.conf
echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config.d/sonix.conf
sed -i 's/^X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config.d/sonix.conf
echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config.d/sonix.conf
echo "MaxAuthTries 4" >> /etc/ssh/sshd_config.d/sonix.conf
echo "MaxStartups 10:30:60" >> /etc/ssh/sshd_config.d/sonix.conf
echo "MaxSessions 10" >> /etc/ssh/sshd_config.d/sonix.conf
echo "LoginGraceTime 60" >> /etc/ssh/sshd_config.d/sonix.conf
echo "ClientAliveInterval 1200" >> /etc/ssh/sshd_config.d/sonix.conf
echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config.d/sonix.conf
echo "Defaults use_pty" > /etc/sudoers.d/sonix-pty
echo "%wheel  ALL=(ALL)       NOPASSWD: ALL" > /etc/sudoers.d/sonix-default
echo 'Defaults logfile="/var/log/sudo.log"' > /etc/sudoers.d/sonix-logfile

echo "minclass = 4" > /etc/security/pwquality.conf.d/sonix-policy.conf
echo "minlen = 14" >> /etc/security/pwquality.conf.d/sonix-policy.conf
echo "enforce_for_root" >> /etc/security/pwquality.conf.d/sonix-policy.conf

sed -i 's/# deny = 3/deny = 5/' /etc/security/faillock.conf
sed -i 's/# unlock_time = 600/unlock_time = 300/' /etc/security/faillock.conf

sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t7/' /etc/login.defs
echo 'readonly TMOUT=1200 ; export TMOUT' >> /etc/profile.d/sonix-tmout.sh
echo "umask 027" > /etc/profile.d/sonix-set-umask.sh
chmod +x /etc/profile.d/sonix-set-umask.sh
sed -i 's/^UMASK\t\t022/UMASK\t\t027/' /etc/login.defs
sed -i 's/^USERGROUPS_ENAB yes/USERGROUPS_ENAB no/' /etc/login.defs

echo '$FileCreateMode 0640' > /etc/rsyslog.d/filecreatemode.conf

find /var/log/ -type f -perm /g+wx,o+rwx -exec chmod g-wx,o-rwx "{}" +

chmod og-rwx /etc/crontab
chmod og-rwx /etc/cron.hourly
chmod og-rwx /etc/cron.daily
chmod og-rwx /etc/cron.weekly
chmod og-rwx /etc/cron.monthly
chmod og-rwx /etc/cron.d
rm -f /etc/cron.deny
touch /etc/cron.allow
touch /etc/at.allow
chmod og-rwx /etc/cron.allow
chmod og-rwx /etc/at.allow
chown root:root /etc/cron.allow
chown root:root /etc/at.allow

#update-crypto-policies --set DEFAULT

echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net

#rm -f /root/anaconda-ks.cfg
%end