add stuff first time

README.md

@@ -0,0 +1,5 @@
+Kickstart file for Fedora 42 (Dec 2025).
+
+You will need to replace the USERNAME, ENCRYPTED_PASSWORD and the sda values below to comply with your actual setup. To generate a secure hashed password: `mkpasswd -m sha-512`.
+
+Detailed instructions on how to use this can be found here: https://96-fromsofia.net/posts/fedora42-iso/

anaconda-ks.cfg

@@ -0,0 +1,82 @@
+#version=DEVEL
+
+## Locale settings
+keyboard --vckeymap=gb --xlayouts='gb' # Keyboard layouts
+lang en_GB.UTF-8 # System language
+timezone Europe/Berlin --utc # System timezone
+
+## Installer settings
+text # Install in text mode
+firstboot --enable # Run the Setup Agent on first boot 
+reboot --eject
+
+## Disk configuration
+ignoredisk --only-use=sda # Ignore all other disks - AMEND THIS ACCORDINGLY, sda IS USUALLY THE FIRST DISK
+clearpart --all --initlabel  # Partition clearing information
+autopart --type=lvm --encrypted --luks-version=luks2 # Auto configure the whole disk, use LVM and luks
+
+## User config
+user --groups=wheel --name=USERNAME --password=ENCRYPTED_PASS --iscrypted --gecos="USERNAME"
+rootpw --lock # Lock the root account
+
+## Packages to install
+%packages
+@^cinnamon-desktop-environment
+@c-development
+@container-management
+@desktop-accessibility
+@headless-management
+@sound-and-video
+@virtualization
+aide
+btop
+dnf-automatic
+
+%end
+
+## Post install config
+%post --log=/root/ks-post.log --erroronfail
+# Install any security updates available now
+yum -y update --security
+# Set the default target for boot
+systemctl set-default graphical.target
+# Automatic security updates
+echo -e "[commands]\napply_updates=True\nupgrade_type=security" > /etc/dnf/automatic.conf
+systemctl enable dnf-automatic.timer
+# Disable kernel crash dump collection for better memory
+systemctl disable kdump.service
+systemctl mask kdump.service
+# Disable sssd if no remote logins
+systemctl disable sssd
+# Password requirements
+echo "minlen = 10" >> /etc/security/pwquality.conf
+echo "minclass = 4" >> /etc/security/pwquality.conf
+# Set a lockout timeout for failed login attempts
+echo -e "deny = 7\nunlock_time = 1800\neven_deny_root\nroot_unlock_time = 1800\naudit\nsilent" >> /etc/security/faillock.conf
+# Prevent chrony from acting as a remote server
+echo -e "port 0\ncmdport 0" >> /etc/chrony.conf
+# Harden sudo
+echo -e "Defaults use_pty\nDefaults timestamp_timeout=30" > /etc/sudoers.d/custom
+# Enforce stronger ssh algorithms
+echo -e "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+# Enforce a more secure umask
+sed -i 's/umask 022/umask 027/g' /etc/bashrc
+sed -i 's/UMASK            022/UMASK               027/g' /etc/login.defs
+sed -i 's/002/027/g' /etc/profile.d/ccache.sh
+sed -i 's/002/027/g' /etc/profile.d/ccache.csh
+# Prevent logins with empty passwords
+sed -i 's/ nullok//g' /etc/authselect/system-auth
+sed -i 's/ nullok//g' /etc/authselect/password-auth
+# Set the default firewall policy
+sed -i 's/DefaultZone=public/DefaultZone=drop/g' /etc/firewalld/firewalld.conf
+# Show system logs/output when booting the system up
+sed -i 's/ rhgb quiet//g' /etc/default/grub
+grub2-mkconfig -o /boot/grub2/grub.cfg
+dracut --regenerate-all --force
+# Set permissions for user init files
+find /home/USERNAME -maxdepth 1 -type f -name '.*' -exec chmod u-s,g-wxs,o= {} \;
+find /root -maxdepth 1 -type f -name '.*' -exec chmod u-s,g-wxs,o= {} \;
+# Initialise the AIDE DB
+aide --init
+
+%end