From 2f27cc0868fa1e095546f80a66a687953e79321a Mon Sep 17 00:00:00 2001
From: tsvetkov
Date: Fri, 27 Feb 2026 00:25:45 +0000
Subject: [PATCH] add stuff first time
---
README.md | 5 +++
anaconda-ks.cfg | 82 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 87 insertions(+)
create mode 100644 README.md
create mode 100644 anaconda-ks.cfg
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..62a253d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+Kickstart file for Fedora 42 (Dec 2025).
+
+You will need to replace the USERNAME, ENCRYPTED_PASSWORD and the sda values below to comply with your actual setup. To generate a secure hashed password: `mkpasswd -m sha-512`.
+
+Detailed instructions on how to use this can be found here: https://96-fromsofia.net/posts/fedora42-iso/
diff --git a/anaconda-ks.cfg b/anaconda-ks.cfg
new file mode 100644
index 0000000..9d55321
--- /dev/null
+++ b/anaconda-ks.cfg
@@ -0,0 +1,82 @@
+#version=DEVEL
+
+## Locale settings
+keyboard --vckeymap=gb --xlayouts='gb' # Keyboard layouts
+lang en_GB.UTF-8 # System language
+timezone Europe/Berlin --utc # System timezone
+
+## Installer settings
+text # Install in text mode
+firstboot --enable # Run the Setup Agent on first boot
+reboot --eject
+
+## Disk configuration
+ignoredisk --only-use=sda # Ignore all other disks - AMEND THIS ACCORDINGLY, sda IS USUALLY THE FIRST DISK
+clearpart --all --initlabel # Partition clearing information
+autopart --type=lvm --encrypted --luks-version=luks2 # Auto configure the whole disk, use LVM and luks
+
+## User config
+user --groups=wheel --name=USERNAME --password=ENCRYPTED_PASS --iscrypted --gecos="USERNAME"
+rootpw --lock # Lock the root account
+
+## Packages to install
+%packages
+@^cinnamon-desktop-environment
+@c-development
+@container-management
+@desktop-accessibility
+@headless-management
+@sound-and-video
+@virtualization
+aide
+btop
+dnf-automatic
+
+%end
+
+## Post install config
+%post --log=/root/ks-post.log --erroronfail
+# Install any security updates available now
+yum -y update --security
+# Set the default target for boot
+systemctl set-default graphical.target
+# Automatic security updates
+echo -e "[commands]\napply_updates=True\nupgrade_type=security" > /etc/dnf/automatic.conf
+systemctl enable dnf-automatic.timer
+# Disable kernel crash dump collection for better memory
+systemctl disable kdump.service
+systemctl mask kdump.service
+# Disable sssd if no remote logins
+systemctl disable sssd
+# Password requirements
+echo "minlen = 10" >> /etc/security/pwquality.conf
+echo "minclass = 4" >> /etc/security/pwquality.conf
+# Set a lockout timeout for failed login attempts
+echo -e "deny = 7\nunlock_time = 1800\neven_deny_root\nroot_unlock_time = 1800\naudit\nsilent" >> /etc/security/faillock.conf
+# Prevent chrony from acting as a remote server
+echo -e "port 0\ncmdport 0" >> /etc/chrony.conf
+# Harden sudo
+echo -e "Defaults 
use_pty\nDefaults timestamp_timeout=30" > /etc/sudoers.d/custom
+# Enforce stronger ssh algorithms
+echo -e "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+# Enforce a more secure umask
+sed -i 's/umask 022/umask 027/g' /etc/bashrc
+sed -i 's/UMASK 022/UMASK 027/g' /etc/login.defs
+sed -i 's/002/027/g' /etc/profile.d/ccache.sh
+sed -i 's/002/027/g' /etc/profile.d/ccache.csh
+# Prevent logins with empty passwords
+sed -i 's/ nullok//g' /etc/authselect/system-auth
+sed -i 's/ nullok//g' /etc/authselect/password-auth
+# Set the default firewall policy
+sed -i 's/DefaultZone=public/DefaultZone=drop/g' /etc/firewalld/firewalld.conf
+# Show system logs/output when booting the system up
+sed -i 's/ rhgb quiet//g' /etc/default/grub
+grub2-mkconfig -o /boot/grub2/grub.cfg
+dracut --regenerate-all --force
+# Set permissions for user init files
+find /home/USERNAME -maxdepth 1 -type f -name '.*' -exec chmod u-s,g-wxs,o= {} \;
+find /root -maxdepth 1 -type f -name '.*' -exec chmod u-s,g-wxs,o= {} \;
+# Initialise the AIDE DB
+aide --init
+
+%end
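Review bot: The `KexAlgorithms`/`MACs` lines the %post section appends to /etc/ssh/sshd_config are very likely ignored: sshd keeps the first value it reads for each keyword, and the stock Fedora sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, where 50-redhat.conf pulls in the system crypto policy that already sets both keywords, so anything appended at the end of the file loses. Either carry them as a custom crypto-policy module applied with `update-crypto-policies`, or write them to a drop-in that sorts before 50-redhat.conf (e.g. `/etc/ssh/sshd_config.d/10-hardening.conf`, constructed name), and confirm the effective values with `sshd -T | grep -iE '^(kexalgorithms|macs)'` rather than assuming. The AIDE step has a similar gap: `aide --init` writes /var/lib/aide/aide.db.new.gz and nothing promotes it, so `aide --check` has no baseline until `mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz` is added after it. The sudoers drop-in is written without `visudo -cf /etc/sudoers.d/custom`, and because `rootpw --lock` leaves sudo as the only privileged path, a malformed file there would lock the admin out entirely — note too that `timestamp_timeout=30` is six times sudo's default of 5 minutes, so the "Harden sudo" comment oversells that line. Finally, the README tells the reader to replace `ENCRYPTED_PASSWORD` while the `user` line uses `ENCRYPTED_PASS`; with root locked, an unreplaced placeholder hash leaves no working login, so the two names should match.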