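# Kickstart for a Rocky Linux Vagrant base box (vagrant user, cloud-init,
# hardened mount options). %pre builds the repo list, the body describes the
# installed system, %post tweaks sudo/sshd/lvm for Vagrant use.

# add_repo uses the bash 'function' keyword; run explicitly under bash rather
# than relying on /bin/sh being bash in the installer environment.
%pre --interpreter=/bin/bash
# uname -m is the machine architecture; uname -p can print "unknown" on some
# Linux builds, which would produce an unusable repo URL.
ARCH=$(uname -m)
KS_REPO_LIST=/tmp/ks-repo-list.cfg
touch "$KS_REPO_LIST"

# Version of the *installer* environment (read from the live /etc/os-release).
release_ver=$(awk -F= '/^VERSION_ID=/ {print $2}' /etc/os-release | tr -d \") # ie "7.3"
major_ver=${release_ver%%.*} # "7"

# Append one kickstart 'repo' line to $KS_REPO_LIST (consumed by %include below).
# @arg name
# @arg url
# @arg type (optional, defaults to 'mirrorlist') -- baseurl|mirrorlist|metalink
function add_repo() {
  local repo_type
  if [ -n "$3" ]; then
    repo_type=$3
  else
    repo_type="mirrorlist"
  fi
  echo "repo --name=$1 --${repo_type}=$2" >> "$KS_REPO_LIST"
}

add_repo minimal "file:///run/install/sources/mount-0000-cdrom/minimal" baseurl
# NOTE(review): these baseurls are plain http, so the transport does not
# authenticate repo metadata; the installer's package signature checking is the
# only integrity control here. download.rockylinux.org also serves https.
add_repo baseos "http://download.rockylinux.org/pub/rocky/${release_ver}/BaseOS/$ARCH/os" baseurl
add_repo appstream "http://download.rockylinux.org/pub/rocky/${release_ver}/AppStream/$ARCH/os" baseurl
add_repo extras "http://download.rockylinux.org/pub/rocky/${release_ver}/extras/$ARCH/os" baseurl
add_repo epel "https://mirrors.fedoraproject.org/metalink?repo=epel-$major_ver&arch=\$basearch" metalink
%end

%include /tmp/ks-repo-list.cfg

# install
text
cdrom
lang en_US.UTF-8
keyboard us
network --bootproto=dhcp
rootpw vagrant
firewall --disabled
# Permissive keeps SELinux labelling in place but does not enforce; the
# hardening checks below only cover mount options, not MAC policy.
selinux --permissive
timezone UTC
bootloader --location=mbr
skipx
zerombr
clearpart --all --initlabel

# hardening requirements:
# os-14: Check mountpoints for noexec mount options
# os-15: Check mountpoints for nosuid mount options
# os-16: Check mountpoints for nodev mount options
part /boot --ondisk=sda --fstype="xfs" --size=1024 --fsoptions="defaults,noexec,nosuid,nodev"
part pv.00 --ondisk=sda --size=8192 --grow
volgroup vg00 pv.00

# partition layout (sizes as configured in the logvol lines below):
# /boot 1G
# swap 2G
# /tmp 2G
# /var 2G
# /var/log 1G
# /var/log/audit 0.5G
# /opt 3.5G
# / min 1G, grow to fill remaining
logvol swap --vgname=vg00 --fstype="swap" --size=2048 --name=swap
logvol /tmp --vgname=vg00 --fstype="xfs" --size=2048 --name=lv_tmp --label=tmp --fsoptions="defaults,nodev,nosuid"
# cloud-init needs exec for the scripts in /var
logvol /var --vgname=vg00 --fstype="xfs" --size=2048 --name=lv_var --label=var --fsoptions="defaults,nodev,nosuid"
logvol /var/log --vgname=vg00 --fstype="xfs" --size=1024 --name=lv_log --label=log --fsoptions="defaults,nodev,noexec,nosuid"
logvol /var/log/audit --vgname=vg00 --fstype="xfs" --size=512 --name=lv_audit --label=audit --fsoptions="defaults,nodev,noexec,nosuid"
logvol /opt --vgname=vg00 --fstype="xfs" --size=3588 --name=lv_opt --label=opt --fsoptions="defaults,nodev,nosuid"
logvol / --vgname=vg00 --fstype="xfs" --size=1024 --name=lv_root --label=root --grow

authselect minimal
firstboot --disabled
eula --agreed
services --enabled=NetworkManager,sshd --disabled=cups
# Well-known Vagrant credentials by design; the box is expected to be reached
# only through Vagrant's private network and the insecure key is replaced on
# first 'vagrant up'.
user --name=vagrant --plaintext --password=vagrant --groups=wheel
reboot

%addon com_redhat_kdump --disable
%end

%packages --excludedocs
@^minimal-environment
@Development Tools
epel-release
elfutils-libelf-devel
# redhat-lsb # not available in rhel 9
python3-boto3
cloud-init
openssh-clients
sudo
net-tools
yum-utils
vim
wget
curl
rsync
tar
zsh
# chef needs this to properly inventory the box
dmidecode
# Disable graphical booting
# https://docs.centos.org/en-US/8-docs/advanced-install/assembly_kickstart-commands-and-options-reference/#bootloader-required_kickstart-commands-for-handling-storage
-plymouth*
# unnecessary firmware
-aic94xx-firmware
-atmel-firmware
-b43-openfwwf
-bfa-firmware
-ipw*-firmware
-ivtv-firmware
-iwl*-firmware
-libertas-usb8388-firmware
-ql*-firmware
-rt61pci-firmware
-rt73usb-firmware
-xorg-x11-drv-ati-firmware
-zd1211-firmware
%end

# %post runs chrooted into the installed system; variables from %pre are not
# visible here.
%post
yum update -y

# update root certs
# This installs a third-party CA bundle as a system-wide trust anchor; the only
# integrity check is the TLS connection to the download host. -f makes HTTP
# errors fail the download instead of saving an error page as a .pem, -L follows
# a redirect if the host has moved, and a failed download must not leave a
# partial file in the anchors directory.
ca_anchor=/etc/pki/ca-trust/source/anchors/curl-cacert-updated.pem
if curl -fsSL https://curl.haxx.se/ca/cacert.pem -o "$ca_anchor"; then
  update-ca-trust
else
  echo "warning: CA bundle download failed, keeping the distro trust store" >&2
  rm -f "$ca_anchor"
fi

# Import OS GPG key
# rocky-release ships the key in the installed tree; prefer that copy so rpm's
# trust root does not depend on what the mirror serves, and fall back to the
# download only when it is missing.
if [ -f /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 ]; then
  rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9
else
  rpm --import https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-9
fi

# Allow wheel group (vagrant user) password-less sudo
sed -i \
  -e 's/^%wheel/# &/' \
  -e '/^#\s*%wheel.*NOPASSWD:\s*ALL$/s/^#\s*//' \
  /etc/sudoers

# Disable sudo tty requirement
sed -i 's/^Defaults requiretty/Defaults !requiretty/' /etc/sudoers

# Both edits above bypass visudo; a syntax error in /etc/sudoers disables sudo
# for every user, so validate the result before the box is sealed.
visudo -cf /etc/sudoers || echo "error: /etc/sudoers failed visudo check" >&2

# Disable sshd DNS lookups
# https://www.vagrantup.com/docs/boxes/base.html#ssh-tweaks
sed -i '/^#\s*UseDNS no/s/^#\s*//' /etc/ssh/sshd_config

yum clean all

# fix the busted lvm configuration ... ?
# see https://bugzilla.redhat.com/show_bug.cgi?id=1965941
sed -i 's/# use_devicesfile = 1/use_devicesfile = 0/' /etc/lvm/lvm.conf
%end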