pynezz/fedora-isobuilder
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make git repo

Browse Source
This commit is contained in:
pynezz
2026-01-31 22:52:27 +01:00
parent f4139c2216
commit 4e80f64c3d
7 changed files with 1161 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

272
Makefile Normal file
View File

@@ -0,0 +1,272 @@
# Fedora 42 Custom Live ISO Builder
# Requires: lorax, lorax-lmc-novirt, anaconda (for kickstart validation)
# Must run with sudo for livemedia-creator
SHELL := /bin/bash
.ONESHELL:
.SHELLFLAGS := -eu -o pipefail -c
# ============================================================================
# Configuration
# ============================================================================
FEDORA_VERSION := 42
ARCH := x86_64
VARIANT ?= minimal
BUILD_DIR := $(CURDIR)/build
CACHE_DIR := $(CURDIR)/cache
OUTPUT_DIR := $(CURDIR)/output
KICKSTART_DIR := $(CURDIR)/kickstarts
OVERLAY_DIR := $(CURDIR)/overlays
SCRIPTS_DIR := $(CURDIR)/scripts
TMP_DIR := /var/tmp/lorax-build
ISO_LABEL := FEDORA-CUSTOM
ISO_NAME := fedora-$(FEDORA_VERSION)-custom-$(VARIANT)-$(ARCH)
ISO_FILE := $(OUTPUT_DIR)/$(ISO_NAME).iso
LORAX_OPTS := --nomacboot --noverifyssl
KICKSTART ?= $(KICKSTART_DIR)/$(VARIANT).ks
# ============================================================================
# Colors
# ============================================================================
CLR_RED := \033[0;31m
CLR_GREEN := \033[0;32m
CLR_YELLOW := \033[0;33m
CLR_BLUE := \033[0;34m
CLR_RESET := \033[0m
# ============================================================================
# Default target
# ============================================================================
.PHONY: all
all: help
# ============================================================================
# Help
# ============================================================================
.PHONY: help
help:
@printf "Fedora $(FEDORA_VERSION) Custom Live ISO Builder\n"
@printf "==============================================\n\n"
@printf "Usage: sudo make <target> [VARIANT=<variant>]\n\n"
@printf "Build targets:\n"
@printf " iso Build the live ISO (requires sudo)\n"
@printf " iso-novirt Build without KVM (slower, works in containers)\n\n"
@printf "Variants (VARIANT=):\n"
@printf " minimal Bare minimum bootable system (~400MB)\n"
@printf " kiosk Single-app kiosk/PoS system\n"
@printf " workstation Lightweight workstation with Sway\n"
@printf " security Security/forensics toolkit\n\n"
@printf "Setup targets:\n"
@printf " deps Install build dependencies\n"
@printf " init-kickstarts Generate kickstart templates\n\n"
@printf "Utility targets:\n"
@printf " validate Validate kickstart syntax\n"
@printf " test-qemu Boot ISO in QEMU\n"
@printf " checksum Generate SHA256/MD5 checksums\n"
@printf " clean Remove build artifacts\n"
@printf " distclean Remove everything including output\n\n"
@printf "Examples:\n"
@printf " make init-kickstarts\n"
@printf " sudo make iso VARIANT=minimal\n"
@printf " sudo make iso VARIANT=kiosk\n"
@printf " sudo make iso KICKSTART=./custom.ks\n"
# ============================================================================
# Dependencies
# ============================================================================
.PHONY: deps
deps:
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Installing build dependencies...\n"
@if ! command -v dnf &>/dev/null; then \
printf "$(CLR_RED)[ERROR]$(CLR_RESET) Requires Fedora/RHEL with dnf\n"; \
exit 1; \
fi
dnf install -y \
lorax \
lorax-lmc-novirt \
anaconda \
pykickstart \
qemu-kvm \
libvirt \
virt-install \
syslinux \
isomd5sum \
squashfs-tools \
xorriso \
grub2-tools-extra
@printf "$(CLR_GREEN)[OK]$(CLR_RESET) Dependencies installed\n"
# ============================================================================
# Directory setup
# ============================================================================
.PHONY: dirs
dirs:
@mkdir -p $(BUILD_DIR) $(CACHE_DIR) $(OUTPUT_DIR) $(KICKSTART_DIR) $(OVERLAY_DIR) $(SCRIPTS_DIR) $(TMP_DIR)
# ============================================================================
# Kickstart generation (via external script)
# ============================================================================
.PHONY: init-kickstarts
init-kickstarts: dirs
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Generating kickstart templates...\n"
@chmod +x $(SCRIPTS_DIR)/gen-kickstarts.sh
@$(SCRIPTS_DIR)/gen-kickstarts.sh $(KICKSTART_DIR)
@printf "$(CLR_GREEN)[OK]$(CLR_RESET) Kickstarts created in $(KICKSTART_DIR)/\n"
# ============================================================================
# Validation
# ============================================================================
.PHONY: validate
validate: $(KICKSTART)
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Validating: $(KICKSTART)\n"
@ksvalidator $(KICKSTART)
@printf "$(CLR_GREEN)[OK]$(CLR_RESET) Kickstart is valid\n"
# ============================================================================
# Root check
# ============================================================================
.PHONY: check-root
check-root:
@if [ "$$(id -u)" -ne 0 ]; then \
printf "$(CLR_RED)[ERROR]$(CLR_RESET) Must run as root (use sudo)\n"; \
exit 1; \
fi
# ============================================================================
# ISO Build
# ============================================================================
.PHONY: iso
iso: dirs validate check-root
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Building: $(ISO_NAME)\n"
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Kickstart: $(KICKSTART)\n"
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) This may take 10-30 minutes...\n"
@rm -rf $(BUILD_DIR)/result
livemedia-creator \
--ks $(KICKSTART) \
--no-virt \
--resultdir $(BUILD_DIR)/result \
--project "Fedora Custom" \
--releasever $(FEDORA_VERSION) \
--volid $(ISO_LABEL) \
--iso-only \
--iso-name $(ISO_NAME).iso \
--tmp $(TMP_DIR) \
--logfile $(BUILD_DIR)/livemedia.log \
$(LORAX_OPTS)
@mv $(BUILD_DIR)/result/$(ISO_NAME).iso $(ISO_FILE) 2>/dev/null || \
mv $(BUILD_DIR)/result/images/$(ISO_NAME).iso $(ISO_FILE) 2>/dev/null || \
find $(BUILD_DIR) -name "*.iso" -exec mv {} $(ISO_FILE) \;
@printf "$(CLR_GREEN)[OK]$(CLR_RESET) ISO created: $(ISO_FILE)\n"
@$(MAKE) -s checksum
.PHONY: iso-novirt
iso-novirt: iso
# ============================================================================
# Testing
# ============================================================================
.PHONY: test-qemu
test-qemu: $(ISO_FILE)
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Booting ISO in QEMU...\n"
qemu-system-x86_64 \
-enable-kvm \
-m 2048 \
-cpu host \
-smp 2 \
-cdrom $(ISO_FILE) \
-boot d \
-vga virtio \
-display gtk
.PHONY: test-qemu-serial
test-qemu-serial: $(ISO_FILE)
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Booting ISO (serial console)...\n"
qemu-system-x86_64 \
-enable-kvm \
-m 2048 \
-cpu host \
-smp 2 \
-cdrom $(ISO_FILE) \
-boot d \
-nographic \
-serial mon:stdio
# ============================================================================
# Checksums
# ============================================================================
.PHONY: checksum
checksum: $(ISO_FILE)
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Generating checksums...\n"
@cd $(OUTPUT_DIR) && sha256sum $(notdir $(ISO_FILE)) > $(notdir $(ISO_FILE)).sha256
@cd $(OUTPUT_DIR) && md5sum $(notdir $(ISO_FILE)) > $(notdir $(ISO_FILE)).md5
@printf "$(CLR_GREEN)[OK]$(CLR_RESET) Checksums:\n"
@cat $(ISO_FILE).sha256
.PHONY: implant-md5
implant-md5: $(ISO_FILE)
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Implanting MD5 into ISO...\n"
implantisomd5 $(ISO_FILE)
@printf "$(CLR_GREEN)[OK]$(CLR_RESET) Verify with: checkisomd5 $(ISO_FILE)\n"
# ============================================================================
# Cleanup
# ============================================================================
.PHONY: clean
clean:
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Cleaning build artifacts...\n"
rm -rf $(BUILD_DIR)
rm -rf $(TMP_DIR)
@printf "$(CLR_GREEN)[OK]$(CLR_RESET) Clean complete\n"
.PHONY: distclean
distclean: clean
@printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Removing all generated files...\n"
rm -rf $(OUTPUT_DIR)
rm -rf $(CACHE_DIR)
@printf "$(CLR_GREEN)[OK]$(CLR_RESET) Distclean complete\n"
# ============================================================================
# Info
# ============================================================================
.PHONY: info
info:
@printf "Configuration:\n"
@printf " FEDORA_VERSION: $(FEDORA_VERSION)\n"
@printf " ARCH: $(ARCH)\n"
@printf " VARIANT: $(VARIANT)\n"
@printf " KICKSTART: $(KICKSTART)\n"
@printf " ISO_FILE: $(ISO_FILE)\n"
@printf " BUILD_DIR: $(BUILD_DIR)\n"
@printf " TMP_DIR: $(TMP_DIR)\n"
.PHONY: list-isos
list-isos:
@printf "Built ISOs:\n"
@ls -lh $(OUTPUT_DIR)/*.iso 2>/dev/null || printf " (none)\n"
# ============================================================================
# Kickstart prerequisite
# ============================================================================
$(KICKSTART):
@printf "$(CLR_RED)[ERROR]$(CLR_RESET) Kickstart not found: $(KICKSTART)\n"
@printf "$(CLR_YELLOW)[HINT]$(CLR_RESET) Run: make init-kickstarts\n"
@exit 1

219
README.md Normal file
View File

@@ -0,0 +1,219 @@
# Fedora 42 Custom Live ISO Builder
A Makefile-based toolchain for building custom Fedora 42 live ISOs optimized for specific use cases like Point-of-Sale systems, kiosks, security workstations, and minimal servers.
## Quick Start
```bash
# Install dependencies (requires Fedora)
sudo make deps
# Generate kickstart templates
make init-kickstarts
# Build minimal ISO
sudo make iso VARIANT=minimal
# Test in QEMU
make test-qemu
```
## Available Variants
| Variant | Description | Approx Size |
| ------------- | ---------------------------------------- | ----------- |
| `minimal` | Bare minimum bootable system with SSH | ~400MB |
| `kiosk` | Single-app kiosk/PoS with Cage + Firefox | ~800MB |
| `workstation` | Lightweight GUI with Sway | ~1.2GB |
| `security` | Security/forensics toolkit | ~1.5GB |
## Requirements
- Fedora 42 (or compatible) host system
- Root privileges for ISO creation
- ~10GB free disk space
- KVM support recommended (or use `iso-novirt`)
## Usage
### Build Commands
```bash
# Build with default (minimal) variant
sudo make iso
# Build specific variant
sudo make iso VARIANT=kiosk
sudo make iso VARIANT=workstation
sudo make iso VARIANT=security
# Use custom kickstart
sudo make iso KICKSTART=/path/to/custom.ks
# Build without KVM (slower, works in containers)
sudo make iso-novirt VARIANT=minimal
```
### Utility Commands
```bash
# Validate kickstart syntax
make validate KICKSTART=kickstarts/minimal.ks
# Test ISO in QEMU
make test-qemu
# Generate checksums
make checksum
# Show configuration
make info
# Clean build artifacts
make clean
sudo make distclean # Also removes output/
```
## Customization
### Modifying Kickstarts
The kickstart files in `kickstarts/` control the entire OS configuration:
1. **Packages**: Add/remove packages in the `%packages` section
2. **Services**: Enable/disable systemd units in `%post`
3. **Users**: Configure users and authentication
4. **Partitioning**: Customize disk layout
### Adding Custom Files
1. Place files in `overlays/<variant>/`
2. Copy them in the `%post` section of your kickstart
Example:
```bash
%post
# Copy custom configs
cp -r /run/install/repo/overlays/* /
%end
```
### Creating New Variants
1. Create `kickstarts/myvariant.ks`
2. Build with `sudo make iso VARIANT=myvariant`
## Directory Structure
```
.
├── Makefile # Build system
├── README.md
├── kickstarts/ # Kickstart definitions
│ ├── minimal.ks
│ ├── kiosk.ks
│ ├── workstation.ks
│ └── security.ks
├── overlays/ # Files to include in ISO
├── build/ # Temporary build files
├── cache/ # Downloaded packages (preserved)
└── output/ # Final ISO files
└── fedora-42-custom-*.iso
```
## PoS/Kiosk Specific Notes
For Point-of-Sale or kiosk deployments:
### Security Hardening
```kickstart
%post
# Disable USB storage
echo "blacklist usb-storage" > /etc/modprobe.d/blacklist-usb.conf
# Disable Ctrl+Alt+Del reboot
systemctl mask ctrl-alt-del.target
# Read-only root filesystem (advanced)
# Add 'ro' to kernel cmdline and use overlayfs
%end
```
### Auto-start Application
The `kiosk` variant uses Cage (minimal Wayland compositor) to run Firefox in kiosk mode. Modify `/home/kiosk/.bash_profile` to launch your application:
```bash
# For a custom app
exec cage -- /usr/local/bin/my-pos-app
# For a web app
exec cage -- firefox --kiosk https://pos.example.com
# For Electron apps
exec cage -- /opt/myapp/myapp --kiosk
```
### Network Configuration
For static IP (common in PoS):
```kickstart
network --bootproto=static --ip=192.168.1.100 --netmask=255.255.255.0 \
--gateway=192.168.1.1 --nameserver=192.168.1.1 --device=link
```
## Troubleshooting
### Build fails with "No space left on device"
The build uses `/var/tmp/lorax-build` by default. Either:
- Free space on that partition
- Change `TMP_DIR` in Makefile to a larger partition
### "Cannot find a valid baseurl"
Network issues or mirror problems. Try:
```bash
# Use a specific mirror
sudo make iso LORAX_REPO=https://mirror.example.com/fedora/42/Everything/x86_64/os/
```
### SELinux denials
If building in a container or restricted environment:
```bash
# Temporarily set permissive (not recommended for production)
sudo setenforce 0
sudo make iso
sudo setenforce 1
```
### ISO won't boot
1. Verify checksum: `make checksum`
2. Check implanted MD5: `checkisomd5 output/*.iso`
3. Review build log: `less build/livemedia.log`
## Advanced: Building in Containers
For reproducible builds in CI/CD:
```bash
podman run --rm -it --privileged \
-v $(pwd):/build:Z \
-v /dev:/dev \
registry.fedoraproject.org/fedora:42 \
bash -c "cd /build && make deps && make iso-novirt"
```
Note: Container builds require `--privileged` for loop devices and must use `iso-novirt`.
## License
MIT - Do whatever you want with this.

356
gen-kickstarts.sh Executable file
View File

@@ -0,0 +1,356 @@
#!/bin/bash
# Generate kickstart templates for Fedora 42 custom ISOs
set -euo pipefail
KICKSTART_DIR="${1:-kickstarts}"
mkdir -p "$KICKSTART_DIR"
echo "[INFO] Generating kickstart templates in $KICKSTART_DIR"
# =============================================================================
# Minimal
# =============================================================================
cat >"$KICKSTART_DIR/minimal.ks" <<'EOF'
# Fedora 42 Minimal Live ISO
# Ultra-minimal bootable system
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
lang en_US.UTF-8
keyboard us
timezone UTC --utc
rootpw --plaintext changeme
network --bootproto=dhcp --device=link --activate --onboot=yes
bootloader --location=mbr --timeout=5
clearpart --all --initlabel
autopart --type=plain --nohome
%packages --excludedocs
@core
kernel
systemd
dnf
bash
coreutils
util-linux
NetworkManager
openssh-server
openssh-clients
vim-minimal
less
-plymouth
-plymouth-*
-firewalld
-sssd*
-abrt*
%end
%post --erroronfail
systemctl disable dnf-makecache.timer
systemctl disable dnf-makecache.service
systemctl enable sshd
systemctl enable NetworkManager
mkdir -p /etc/systemd/journald.conf.d
cat > /etc/systemd/journald.conf.d/size.conf << JEOF
[Journal]
SystemMaxUse=50M
RuntimeMaxUse=20M
JEOF
dnf clean all
rm -rf /var/cache/dnf/*
%end
reboot
EOF
echo "[OK] Created $KICKSTART_DIR/minimal.ks"
# =============================================================================
# Kiosk / PoS
# =============================================================================
cat >"$KICKSTART_DIR/kiosk.ks" <<'EOF'
# Fedora 42 Kiosk/PoS Live ISO
# Single-application kiosk system with Wayland
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
lang en_US.UTF-8
keyboard us
timezone UTC --utc
rootpw --plaintext changeme
user --name=kiosk --groups=wheel --plaintext --password=kiosk
network --bootproto=dhcp --device=link --activate --onboot=yes
bootloader --location=mbr --timeout=1 --append="quiet splash"
clearpart --all --initlabel
autopart --type=plain --nohome
%packages --excludedocs
@core
kernel
systemd
NetworkManager
cage
weston
firefox
dejavu-sans-fonts
dejavu-sans-mono-fonts
pipewire
pipewire-pulseaudio
plymouth
plymouth-system-theme
-abrt*
-sssd*
%end
%post --erroronfail
# Autologin on tty1
mkdir -p /etc/systemd/system/getty@tty1.service.d
cat > /etc/systemd/system/getty@tty1.service.d/autologin.conf << AEOF
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin kiosk --noclear %I \$TERM
AEOF
# Kiosk startup - launches Cage with Firefox
cat > /home/kiosk/.bash_profile << 'BEOF'
if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
exec cage -- firefox --kiosk https://localhost
fi
BEOF
chown kiosk:kiosk /home/kiosk/.bash_profile
# Lock kiosk user password
passwd -l kiosk
# Limit virtual consoles
mkdir -p /etc/systemd/logind.conf.d
cat > /etc/systemd/logind.conf.d/kiosk.conf << LEOF
[Login]
NAutoVTs=1
ReserveVT=0
LEOF
systemctl enable NetworkManager
systemctl set-default multi-user.target
dnf clean all
%end
reboot
EOF
echo "[OK] Created $KICKSTART_DIR/kiosk.ks"
# =============================================================================
# Workstation (Sway)
# =============================================================================
cat >"$KICKSTART_DIR/workstation.ks" <<'EOF'
# Fedora 42 Lightweight Workstation Live ISO
# Minimal GUI with Sway (Wayland)
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
lang en_US.UTF-8
keyboard us
timezone UTC --utc
rootpw --plaintext changeme
user --name=user --groups=wheel --plaintext --password=user
network --bootproto=dhcp --device=link --activate --onboot=yes
bootloader --location=mbr --timeout=5
clearpart --all --initlabel
autopart --type=plain
%packages --excludedocs
@core
kernel
systemd
NetworkManager
sway
swaylock
swayidle
swaybg
waybar
foot
wofi
vim
htop
git
curl
wget
dejavu-sans-fonts
dejavu-sans-mono-fonts
google-noto-emoji-fonts
pipewire
pipewire-pulseaudio
wireplumber
thunar
firefox
-plymouth*
-abrt*
-sssd*
%end
%post --erroronfail
systemctl enable NetworkManager
mkdir -p /home/user/.config/sway
cat > /home/user/.config/sway/config << 'SEOF'
set $mod Mod4
set $term foot
set $menu wofi --show drun
bindsym $mod+Return exec $term
bindsym $mod+d exec $menu
bindsym $mod+Shift+q kill
bindsym $mod+Shift+e exit
floating_modifier $mod normal
bindsym $mod+Shift+c reload
bindsym $mod+Left focus left
bindsym $mod+Down focus down
bindsym $mod+Up focus up
bindsym $mod+Right focus right
bindsym $mod+Shift+Left move left
bindsym $mod+Shift+Down move down
bindsym $mod+Shift+Up move up
bindsym $mod+Shift+Right move right
bindsym $mod+1 workspace 1
bindsym $mod+2 workspace 2
bindsym $mod+3 workspace 3
bindsym $mod+Shift+1 move container to workspace 1
bindsym $mod+Shift+2 move container to workspace 2
bindsym $mod+Shift+3 move container to workspace 3
bar {
position top
status_command waybar
}
include /etc/sway/config.d/*
SEOF
chown -R user:user /home/user/.config
cat >> /home/user/.bash_profile << 'BEOF'
if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
exec sway
fi
BEOF
dnf clean all
%end
reboot
EOF
echo "[OK] Created $KICKSTART_DIR/workstation.ks"
# =============================================================================
# Security toolkit
# =============================================================================
cat >"$KICKSTART_DIR/security.ks" <<'EOF'
# Fedora 42 Security/Forensics Toolkit Live ISO
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
lang en_US.UTF-8
keyboard us
timezone UTC --utc
rootpw --plaintext changeme
user --name=analyst --groups=wheel --plaintext --password=analyst
network --bootproto=dhcp --device=link --activate --onboot=yes
bootloader --location=mbr --timeout=5
clearpart --all --initlabel
autopart --type=plain
%packages --excludedocs
@core
kernel
systemd
NetworkManager
nmap
tcpdump
wireshark-cli
openssl
gnupg2
aide
rkhunter
lynis
sleuthkit
testdisk
foremost
vim
tmux
htop
strace
ltrace
gdb
curl
wget
netcat
socat
bind-utils
whois
traceroute
mtr
python3
python3-pip
bash-completion
podman
buildah
cryptsetup
-plymouth*
-abrt*
%end
%post --erroronfail
systemctl enable NetworkManager
# Security hardening
echo "* hard core 0" >> /etc/security/limits.conf
cat > /etc/sysctl.d/99-security.conf << SEOF
kernel.core_pattern=|/bin/false
kernel.dmesg_restrict=1
kernel.randomize_va_space=2
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
SEOF
mkdir -p /home/analyst/workspace/{captures,evidence,reports}
chown -R analyst:analyst /home/analyst/workspace
dnf clean all
%end
reboot
EOF
echo "[OK] Created $KICKSTART_DIR/security.ks"
echo "[INFO] All kickstart templates generated"

72
kickstarts/kiosk.ks Normal file
View File

@@ -0,0 +1,72 @@
# Fedora 42 Kiosk/PoS Live ISO
# Single-application kiosk system with Wayland
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
lang en_US.UTF-8
keyboard us
timezone UTC --utc
rootpw --plaintext changeme
user --name=kiosk --groups=wheel --plaintext --password=kiosk
network --bootproto=dhcp --device=link --activate --onboot=yes
bootloader --location=mbr --timeout=1 --append="quiet splash"
clearpart --all --initlabel
autopart --type=plain --nohome
%packages --excludedocs
@core
kernel
systemd
NetworkManager
cage
weston
firefox
dejavu-sans-fonts
dejavu-sans-mono-fonts
pipewire
pipewire-pulseaudio
plymouth
plymouth-system-theme
-abrt*
-sssd*
%end
%post --erroronfail
# Autologin on tty1
mkdir -p /etc/systemd/system/getty@tty1.service.d
cat > /etc/systemd/system/getty@tty1.service.d/autologin.conf << AEOF
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin kiosk --noclear %I \$TERM
AEOF
# Kiosk startup - launches Cage with Firefox
cat > /home/kiosk/.bash_profile << 'BEOF'
if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
exec cage -- firefox --kiosk https://localhost
fi
BEOF
chown kiosk:kiosk /home/kiosk/.bash_profile
# Lock kiosk user password
passwd -l kiosk
# Limit virtual consoles
mkdir -p /etc/systemd/logind.conf.d
cat > /etc/systemd/logind.conf.d/kiosk.conf << LEOF
[Login]
NAutoVTs=1
ReserveVT=0
LEOF
systemctl enable NetworkManager
systemctl set-default multi-user.target
dnf clean all
%end
reboot

56
kickstarts/minimal.ks Normal file
View File

@@ -0,0 +1,56 @@
# Fedora 42 Minimal Live ISO
# Ultra-minimal bootable system
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
lang en_US.UTF-8
keyboard us
timezone UTC --utc
rootpw --plaintext changeme
network --bootproto=dhcp --device=link --activate --onboot=yes
bootloader --location=mbr --timeout=5
clearpart --all --initlabel
autopart --type=plain --nohome
%packages --excludedocs
@core
kernel
systemd
dnf
bash
coreutils
util-linux
NetworkManager
openssh-server
openssh-clients
vim-minimal
less
-plymouth
-plymouth-*
-firewalld
-sssd*
-abrt*
%end
%post --erroronfail
systemctl disable dnf-makecache.timer
systemctl disable dnf-makecache.service
systemctl enable sshd
systemctl enable NetworkManager
mkdir -p /etc/systemd/journald.conf.d
cat > /etc/systemd/journald.conf.d/size.conf << JEOF
[Journal]
SystemMaxUse=50M
RuntimeMaxUse=20M
JEOF
dnf clean all
rm -rf /var/cache/dnf/*
%end
reboot

84
kickstarts/security.ks Normal file
View File

@@ -0,0 +1,84 @@
# Fedora 42 Security/Forensics Toolkit Live ISO
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
lang en_US.UTF-8
keyboard us
timezone UTC --utc
rootpw --plaintext changeme
user --name=analyst --groups=wheel --plaintext --password=analyst
network --bootproto=dhcp --device=link --activate --onboot=yes
bootloader --location=mbr --timeout=5
clearpart --all --initlabel
autopart --type=plain
%packages --excludedocs
@core
kernel
systemd
NetworkManager
nmap
tcpdump
wireshark-cli
openssl
gnupg2
aide
rkhunter
lynis
sleuthkit
testdisk
foremost
vim
tmux
htop
strace
ltrace
gdb
curl
wget
netcat
socat
bind-utils
whois
traceroute
mtr
python3
python3-pip
bash-completion
podman
buildah
cryptsetup
-plymouth*
-abrt*
%end
%post --erroronfail
systemctl enable NetworkManager
# Security hardening
echo "* hard core 0" >> /etc/security/limits.conf
cat > /etc/sysctl.d/99-security.conf << SEOF
kernel.core_pattern=|/bin/false
kernel.dmesg_restrict=1
kernel.randomize_va_space=2
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
SEOF
mkdir -p /home/analyst/workspace/{captures,evidence,reports}
chown -R analyst:analyst /home/analyst/workspace
dnf clean all
%end
reboot

102
kickstarts/workstation.ks Normal file
View File

@@ -0,0 +1,102 @@
# Fedora 42 Lightweight Workstation Live ISO
# Minimal GUI with Sway (Wayland)
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
lang en_US.UTF-8
keyboard us
timezone UTC --utc
rootpw --plaintext changeme
user --name=user --groups=wheel --plaintext --password=user
network --bootproto=dhcp --device=link --activate --onboot=yes
bootloader --location=mbr --timeout=5
clearpart --all --initlabel
autopart --type=plain
%packages --excludedocs
@core
kernel
systemd
NetworkManager
sway
swaylock
swayidle
swaybg
waybar
foot
wofi
vim
htop
git
curl
wget
dejavu-sans-fonts
dejavu-sans-mono-fonts
google-noto-emoji-fonts
pipewire
pipewire-pulseaudio
wireplumber
thunar
firefox
-plymouth*
-abrt*
-sssd*
%end
%post --erroronfail
systemctl enable NetworkManager
mkdir -p /home/user/.config/sway
cat > /home/user/.config/sway/config << 'SEOF'
set $mod Mod4
set $term foot
set $menu wofi --show drun
bindsym $mod+Return exec $term
bindsym $mod+d exec $menu
bindsym $mod+Shift+q kill
bindsym $mod+Shift+e exit
floating_modifier $mod normal
bindsym $mod+Shift+c reload
bindsym $mod+Left focus left
bindsym $mod+Down focus down
bindsym $mod+Up focus up
bindsym $mod+Right focus right
bindsym $mod+Shift+Left move left
bindsym $mod+Shift+Down move down
bindsym $mod+Shift+Up move up
bindsym $mod+Shift+Right move right
bindsym $mod+1 workspace 1
bindsym $mod+2 workspace 2
bindsym $mod+3 workspace 3
bindsym $mod+Shift+1 move container to workspace 1
bindsym $mod+Shift+2 move container to workspace 2
bindsym $mod+Shift+3 move container to workspace 3
bar {
position top
status_command waybar
}
include /etc/sway/config.d/*
SEOF
chown -R user:user /home/user/.config
cat >> /home/user/.bash_profile << 'BEOF'
if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
exec sway
fi
BEOF
dnf clean all
%end
reboot