fedora-isobuilder/gen-kickstarts.sh

#!/bin/bash
# Generate kickstart templates for Fedora 42 custom ISOs
set -euo pipefail

KICKSTART_DIR="${1:-kickstarts}"
mkdir -p "$KICKSTART_DIR"

echo "[INFO] Generating kickstart templates in $KICKSTART_DIR"

# =============================================================================
# Minimal
# =============================================================================
cat >"$KICKSTART_DIR/minimal.ks" <<'EOF'
# Fedora 42 Minimal Live ISO
# Ultra-minimal bootable system

url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64

lang en_US.UTF-8
keyboard us
timezone UTC --utc

rootpw --plaintext changeme

network --bootproto=dhcp --device=link --activate --onboot=yes

bootloader --location=mbr --timeout=5

clearpart --all --initlabel
autopart --type=plain --nohome

%packages --excludedocs
@core
kernel
systemd
dnf
bash
coreutils
util-linux
NetworkManager
openssh-server
openssh-clients
vim-minimal
less
-plymouth
-plymouth-*
-firewalld
-sssd*
-abrt*
%end

%post --erroronfail
systemctl disable dnf-makecache.timer
systemctl disable dnf-makecache.service
systemctl enable sshd
systemctl enable NetworkManager

mkdir -p /etc/systemd/journald.conf.d
cat > /etc/systemd/journald.conf.d/size.conf << JEOF
[Journal]
SystemMaxUse=50M
RuntimeMaxUse=20M
JEOF

dnf clean all
rm -rf /var/cache/dnf/*
%end

reboot
EOF

echo "[OK] Created $KICKSTART_DIR/minimal.ks"

# =============================================================================
# Kiosk / PoS
# =============================================================================
cat >"$KICKSTART_DIR/kiosk.ks" <<'EOF'
# Fedora 42 Kiosk/PoS Live ISO
# Single-application kiosk system with Wayland

url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64

lang en_US.UTF-8
keyboard us
timezone UTC --utc

rootpw --plaintext changeme
user --name=kiosk --groups=wheel --plaintext --password=kiosk

network --bootproto=dhcp --device=link --activate --onboot=yes

bootloader --location=mbr --timeout=1 --append="quiet splash"

clearpart --all --initlabel
autopart --type=plain --nohome

%packages --excludedocs
@core
kernel
systemd
NetworkManager
cage
weston
firefox
dejavu-sans-fonts
dejavu-sans-mono-fonts
pipewire
pipewire-pulseaudio
plymouth
plymouth-system-theme
-abrt*
-sssd*
%end

%post --erroronfail
# Autologin on tty1
mkdir -p /etc/systemd/system/getty@tty1.service.d
cat > /etc/systemd/system/getty@tty1.service.d/autologin.conf << AEOF
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin kiosk --noclear %I \$TERM
AEOF

# Kiosk startup - launches Cage with Firefox
cat > /home/kiosk/.bash_profile << 'BEOF'
if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
    exec cage -- firefox --kiosk https://localhost
fi
BEOF
chown kiosk:kiosk /home/kiosk/.bash_profile

# Lock kiosk user password
passwd -l kiosk

# Limit virtual consoles
mkdir -p /etc/systemd/logind.conf.d
cat > /etc/systemd/logind.conf.d/kiosk.conf << LEOF
[Login]
NAutoVTs=1
ReserveVT=0
LEOF

systemctl enable NetworkManager
systemctl set-default multi-user.target

dnf clean all
%end

reboot
EOF

echo "[OK] Created $KICKSTART_DIR/kiosk.ks"

# =============================================================================
# Workstation (Sway)
# =============================================================================
cat >"$KICKSTART_DIR/workstation.ks" <<'EOF'
# Fedora 42 Lightweight Workstation Live ISO
# Minimal GUI with Sway (Wayland)

url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64

lang en_US.UTF-8
keyboard us
timezone UTC --utc

rootpw --plaintext changeme
user --name=user --groups=wheel --plaintext --password=user

network --bootproto=dhcp --device=link --activate --onboot=yes

bootloader --location=mbr --timeout=5

clearpart --all --initlabel
autopart --type=plain

%packages --excludedocs
@core
kernel
systemd
NetworkManager
sway
swaylock
swayidle
swaybg
waybar
foot
wofi
vim
htop
git
curl
wget
dejavu-sans-fonts
dejavu-sans-mono-fonts
google-noto-emoji-fonts
pipewire
pipewire-pulseaudio
wireplumber
thunar
firefox
-plymouth*
-abrt*
-sssd*
%end

%post --erroronfail
systemctl enable NetworkManager

mkdir -p /home/user/.config/sway
cat > /home/user/.config/sway/config << 'SEOF'
set $mod Mod4
set $term foot
set $menu wofi --show drun

bindsym $mod+Return exec $term
bindsym $mod+d exec $menu
bindsym $mod+Shift+q kill
bindsym $mod+Shift+e exit

floating_modifier $mod normal
bindsym $mod+Shift+c reload

bindsym $mod+Left focus left
bindsym $mod+Down focus down
bindsym $mod+Up focus up
bindsym $mod+Right focus right

bindsym $mod+Shift+Left move left
bindsym $mod+Shift+Down move down
bindsym $mod+Shift+Up move up
bindsym $mod+Shift+Right move right

bindsym $mod+1 workspace 1
bindsym $mod+2 workspace 2
bindsym $mod+3 workspace 3
bindsym $mod+Shift+1 move container to workspace 1
bindsym $mod+Shift+2 move container to workspace 2
bindsym $mod+Shift+3 move container to workspace 3

bar {
    position top
    status_command waybar
}

include /etc/sway/config.d/*
SEOF
chown -R user:user /home/user/.config

cat >> /home/user/.bash_profile << 'BEOF'
if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
    exec sway
fi
BEOF

dnf clean all
%end

reboot
EOF

echo "[OK] Created $KICKSTART_DIR/workstation.ks"

# =============================================================================
# Security toolkit
# =============================================================================
cat >"$KICKSTART_DIR/security.ks" <<'EOF'
# Fedora 42 Security/Forensics Toolkit Live ISO

url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64

lang en_US.UTF-8
keyboard us
timezone UTC --utc

rootpw --plaintext changeme
user --name=analyst --groups=wheel --plaintext --password=analyst

network --bootproto=dhcp --device=link --activate --onboot=yes

bootloader --location=mbr --timeout=5

clearpart --all --initlabel
autopart --type=plain

%packages --excludedocs
@core
kernel
systemd
NetworkManager
nmap
tcpdump
wireshark-cli
openssl
gnupg2
aide
rkhunter
lynis
sleuthkit
testdisk
foremost
vim
tmux
htop
strace
ltrace
gdb
curl
wget
netcat
socat
bind-utils
whois
traceroute
mtr
python3
python3-pip
bash-completion
podman
buildah
cryptsetup
-plymouth*
-abrt*
%end

%post --erroronfail
systemctl enable NetworkManager

# Security hardening
echo "* hard core 0" >> /etc/security/limits.conf

cat > /etc/sysctl.d/99-security.conf << SEOF
kernel.core_pattern=|/bin/false
kernel.dmesg_restrict=1
kernel.randomize_va_space=2
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
SEOF

mkdir -p /home/analyst/workspace/{captures,evidence,reports}
chown -R analyst:analyst /home/analyst/workspace

dnf clean all
%end

reboot
EOF

echo "[OK] Created $KICKSTART_DIR/security.ks"

echo "[INFO] All kickstart templates generated"