Make git repo

2026-01-31 22:52:27 +01:00
parent f4139c2216
commit 4e80f64c3d
7 changed files with 1161 additions and 0 deletions
--- a/gen-kickstarts.sh
+++ b/gen-kickstarts.sh
@@ -0,0 +1,356 @@
+#!/bin/bash
+# Generate kickstart templates for Fedora 42 custom ISOs
+set -euo pipefail
+
+KICKSTART_DIR="${1:-kickstarts}"
+mkdir -p "$KICKSTART_DIR"
+
+echo "[INFO] Generating kickstart templates in $KICKSTART_DIR"
+
+# =============================================================================
+# Minimal
+# =============================================================================
+cat >"$KICKSTART_DIR/minimal.ks" <<'EOF'
+# Fedora 42 Minimal Live ISO
+# Ultra-minimal bootable system
+
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
+
+lang en_US.UTF-8
+keyboard us
+timezone UTC --utc
+
+rootpw --plaintext changeme
+
+network --bootproto=dhcp --device=link --activate --onboot=yes
+
+bootloader --location=mbr --timeout=5
+
+clearpart --all --initlabel
+autopart --type=plain --nohome
+
+%packages --excludedocs
+@core
+kernel
+systemd
+dnf
+bash
+coreutils
+util-linux
+NetworkManager
+openssh-server
+openssh-clients
+vim-minimal
+less
+-plymouth
+-plymouth-*
+-firewalld
+-sssd*
+-abrt*
+%end
+
+%post --erroronfail
+systemctl disable dnf-makecache.timer
+systemctl disable dnf-makecache.service
+systemctl enable sshd
+systemctl enable NetworkManager
+
+mkdir -p /etc/systemd/journald.conf.d
+cat > /etc/systemd/journald.conf.d/size.conf << JEOF
+[Journal]
+SystemMaxUse=50M
+RuntimeMaxUse=20M
+JEOF
+
+dnf clean all
+rm -rf /var/cache/dnf/*
+%end
+
+reboot
+EOF
+
+echo "[OK] Created $KICKSTART_DIR/minimal.ks"
+
+# =============================================================================
+# Kiosk / PoS
+# =============================================================================
+cat >"$KICKSTART_DIR/kiosk.ks" <<'EOF'
+# Fedora 42 Kiosk/PoS Live ISO
+# Single-application kiosk system with Wayland
+
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
+
+lang en_US.UTF-8
+keyboard us
+timezone UTC --utc
+
+rootpw --plaintext changeme
+user --name=kiosk --groups=wheel --plaintext --password=kiosk
+
+network --bootproto=dhcp --device=link --activate --onboot=yes
+
+bootloader --location=mbr --timeout=1 --append="quiet splash"
+
+clearpart --all --initlabel
+autopart --type=plain --nohome
+
+%packages --excludedocs
+@core
+kernel
+systemd
+NetworkManager
+cage
+weston
+firefox
+dejavu-sans-fonts
+dejavu-sans-mono-fonts
+pipewire
+pipewire-pulseaudio
+plymouth
+plymouth-system-theme
+-abrt*
+-sssd*
+%end
+
+%post --erroronfail
+# Autologin on tty1
+mkdir -p /etc/systemd/system/getty@tty1.service.d
+cat > /etc/systemd/system/getty@tty1.service.d/autologin.conf << AEOF
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin kiosk --noclear %I \$TERM
+AEOF
+
+# Kiosk startup - launches Cage with Firefox
+cat > /home/kiosk/.bash_profile << 'BEOF'
+if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
+    exec cage -- firefox --kiosk https://localhost
+fi
+BEOF
+chown kiosk:kiosk /home/kiosk/.bash_profile
+
+# Lock kiosk user password
+passwd -l kiosk
+
+# Limit virtual consoles
+mkdir -p /etc/systemd/logind.conf.d
+cat > /etc/systemd/logind.conf.d/kiosk.conf << LEOF
+[Login]
+NAutoVTs=1
+ReserveVT=0
+LEOF
+
+systemctl enable NetworkManager
+systemctl set-default multi-user.target
+
+dnf clean all
+%end
+
+reboot
+EOF
+
+echo "[OK] Created $KICKSTART_DIR/kiosk.ks"
+
+# =============================================================================
+# Workstation (Sway)
+# =============================================================================
+cat >"$KICKSTART_DIR/workstation.ks" <<'EOF'
+# Fedora 42 Lightweight Workstation Live ISO
+# Minimal GUI with Sway (Wayland)
+
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
+
+lang en_US.UTF-8
+keyboard us
+timezone UTC --utc
+
+rootpw --plaintext changeme
+user --name=user --groups=wheel --plaintext --password=user
+
+network --bootproto=dhcp --device=link --activate --onboot=yes
+
+bootloader --location=mbr --timeout=5
+
+clearpart --all --initlabel
+autopart --type=plain
+
+%packages --excludedocs
+@core
+kernel
+systemd
+NetworkManager
+sway
+swaylock
+swayidle
+swaybg
+waybar
+foot
+wofi
+vim
+htop
+git
+curl
+wget
+dejavu-sans-fonts
+dejavu-sans-mono-fonts
+google-noto-emoji-fonts
+pipewire
+pipewire-pulseaudio
+wireplumber
+thunar
+firefox
+-plymouth*
+-abrt*
+-sssd*
+%end
+
+%post --erroronfail
+systemctl enable NetworkManager
+
+mkdir -p /home/user/.config/sway
+cat > /home/user/.config/sway/config << 'SEOF'
+set $mod Mod4
+set $term foot
+set $menu wofi --show drun
+
+bindsym $mod+Return exec $term
+bindsym $mod+d exec $menu
+bindsym $mod+Shift+q kill
+bindsym $mod+Shift+e exit
+
+floating_modifier $mod normal
+bindsym $mod+Shift+c reload
+
+bindsym $mod+Left focus left
+bindsym $mod+Down focus down
+bindsym $mod+Up focus up
+bindsym $mod+Right focus right
+
+bindsym $mod+Shift+Left move left
+bindsym $mod+Shift+Down move down
+bindsym $mod+Shift+Up move up
+bindsym $mod+Shift+Right move right
+
+bindsym $mod+1 workspace 1
+bindsym $mod+2 workspace 2
+bindsym $mod+3 workspace 3
+bindsym $mod+Shift+1 move container to workspace 1
+bindsym $mod+Shift+2 move container to workspace 2
+bindsym $mod+Shift+3 move container to workspace 3
+
+bar {
+    position top
+    status_command waybar
+}
+
+include /etc/sway/config.d/*
+SEOF
+chown -R user:user /home/user/.config
+
+cat >> /home/user/.bash_profile << 'BEOF'
+if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
+    exec sway
+fi
+BEOF
+
+dnf clean all
+%end
+
+reboot
+EOF
+
+echo "[OK] Created $KICKSTART_DIR/workstation.ks"
+
+# =============================================================================
+# Security toolkit
+# =============================================================================
+cat >"$KICKSTART_DIR/security.ks" <<'EOF'
+# Fedora 42 Security/Forensics Toolkit Live ISO
+
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
+
+lang en_US.UTF-8
+keyboard us
+timezone UTC --utc
+
+rootpw --plaintext changeme
+user --name=analyst --groups=wheel --plaintext --password=analyst
+
+network --bootproto=dhcp --device=link --activate --onboot=yes
+
+bootloader --location=mbr --timeout=5
+
+clearpart --all --initlabel
+autopart --type=plain
+
+%packages --excludedocs
+@core
+kernel
+systemd
+NetworkManager
+nmap
+tcpdump
+wireshark-cli
+openssl
+gnupg2
+aide
+rkhunter
+lynis
+sleuthkit
+testdisk
+foremost
+vim
+tmux
+htop
+strace
+ltrace
+gdb
+curl
+wget
+netcat
+socat
+bind-utils
+whois
+traceroute
+mtr
+python3
+python3-pip
+bash-completion
+podman
+buildah
+cryptsetup
+-plymouth*
+-abrt*
+%end
+
+%post --erroronfail
+systemctl enable NetworkManager
+
+# Security hardening
+echo "* hard core 0" >> /etc/security/limits.conf
+
+cat > /etc/sysctl.d/99-security.conf << SEOF
+kernel.core_pattern=|/bin/false
+kernel.dmesg_restrict=1
+kernel.randomize_va_space=2
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.default.accept_source_route=0
+SEOF
+
+mkdir -p /home/analyst/workspace/{captures,evidence,reports}
+chown -R analyst:analyst /home/analyst/workspace
+
+dnf clean all
+%end
+
+reboot
+EOF
+
+echo "[OK] Created $KICKSTART_DIR/security.ks"
+
+echo "[INFO] All kickstart templates generated"