# Generated by pykickstart v3.32
#version=RHEL7
# Kickstart for the CERN CentOS 7 (cc7) Docker base image: a minimal,
# non-bootable root filesystem that the %post sections below strip down
# further (kernel, bootloader, docs, firewalld all removed).
# Install OS instead of upgrade
install
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# Reboot after installation
reboot
# Root password: the account is locked at install time; %post below
# additionally sets a random password and locks it again.
rootpw --iscrypted --lock locked
# Use network installation.
# NOTE(review): the install tree is fetched over plain HTTP; the RPM GPG
# keys are only imported in %post, and this file does not set anything
# that makes anaconda verify package signatures for this source — confirm
# where integrity of the fetched packages is checked.
url --url="http://linuxsoft.cern.ch/cern/centos/7/os/x86_64"
# System language
lang en_US.UTF-8
# Firewall configuration (installer side). firewalld is listed in
# %packages but is removed again from the image in %post.
firewall --disabled
# Use text mode install
text
# SELinux configuration
selinux --enforcing

# Network information
network  --bootproto=dhcp --device=eth0
# Override repo pinned to one koji build repo (id 724603) so the image
# content is reproducible for this build.
repo --name="koji-override-0" --baseurl=https://koji.cern.ch/kojifiles/repos/cc7-image-7x-build/724603/x86_64
# System timezone
timezone Europe/Zurich --isUtc
# System bootloader configuration: none, the result is a container
# root filesystem, not a bootable disk (see %post).
bootloader --location=none
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information: a single ext4 root of 3000 MiB
part / --fstype="ext4" --size=3000

%pre
# Forward the installer's own logs to the central syslog host while the
# build runs: append a template, the log-file inputs and a TCP forwarding
# rule to the installer's rsyslog configuration, then restart it.
# The heredoc delimiter is deliberately unquoted so $ARCH expands while the
# backslash-escaped rsyslog directives (\$template, \$ActionForward...)
# are written literally.
ARCH=$(uname -m)
cat <<DELIM >>/etc/rsyslog.conf
\$template AnacondaTemplate, "<%PRI%>%TIMESTAMP:::date-rfc3339% image:cc7-base-docker-$ARCH %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
\$ActionForwardDefaultTemplate AnacondaTemplate

module(load="imfile" mode="inotify")
input(type="imfile"
  File="/tmp/anaconda.log"
  Tag="anaconda")
input(type="imfile"
  File="/tmp/dnf.librepo.log"
  Tag="dnf-librepo")
input(type="imfile"
  File="/tmp/packaging.log"
  Tag="packaging")
input(type="imfile"
  File="/tmp/ks-script-*.log"
  Tag="ks-pre")
input(type="imfile"
  File="/mnt/sysroot/root/ks-post.log"
  Tag="ks-post")

*.* @@linuxsoftadm.cern.ch:5014
DELIM
# NOTE(review): everything above is forwarded over plain TCP (@@) on
# port 5014 with no TLS, and that includes the chroot %post log
# (/mnt/sysroot/root/ks-post.log) — keep secrets out of those scripts.
/usr/bin/systemctl restart rsyslog
%end

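%post --logfile=/root/ks-post.log
# Runs inside the installed root. Locks down root, trims the package set
# to a container-sized image, adapts systemd for running under Docker,
# removes caches/docs, and writes the CERN Kerberos/LDAP client defaults.

# randomize root password and lock root account
# (dd with the default 512-byte block size hashes 25600 random bytes; the
# resulting md5sum line, trailing " -" included, becomes the password,
# which is irrelevant because the account is locked right after)
dd if=/dev/urandom count=50 | md5sum | passwd --stdin root
passwd -l root

# create necessary devices
/sbin/MAKEDEV /dev/console

# Import the signing keys so later yum/rpm operations in this image can
# verify packages from CentOS, CERN, EPEL and the koji build system.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-cern
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-kojiv2

# some packages get installed even though we ask for them not to be,
# and they don't have any external dependencies that should make
# anaconda install them
rpm -e kernel

# Strip host/boot/network-management packages that a container does not
# need (firewalld and iproute are pulled in by %packages and dropped here).
yum -y remove bind-libs bind-libs-lite dhclient dhcp-common dhcp-libs \
  dracut-network e2fsprogs e2fsprogs-libs ebtables ethtool file \
  firewalld freetype gettext gettext-libs groff-base grub2 grub2-tools \
  grubby initscripts iproute iptables kexec-tools libcroco libgomp \
  libmnl libnetfilter_conntrack libnfnetlink libselinux-python lzo \
  libunistring os-prober python-decorator python-slip python-slip-dbus \
  snappy sysvinit-tools which linux-firmware

yum -y install centos-release-scl

# Make sure we're up to date
yum -y distro-sync

yum clean all

rm -rf /etc/firewalld
rm -rf /boot

#delete a few systemd things
# (machine-id is removed so every container gets its own id at first boot)
rm -rf /etc/machine-id
rm -rf /usr/lib/systemd/system/multi-user.target.wants/getty.target
rm -rf /usr/lib/systemd/system/multi-user.target.wants/systemd-logind.service

# Add tsflags to keep yum from installing docs

sed -i '/distroverpkg=centos-release/a tsflags=nodocs' /etc/yum.conf

#Make it easier for systemd to run in Docker container
# (copy the unit to /etc so the edit survives package updates, then drop
# the OOM score adjustment that needs privileges a container lacks)
cp /usr/lib/systemd/system/dbus.service /etc/systemd/system/
sed -i 's/OOMScoreAdjust=-900//' /etc/systemd/system/dbus.service

#Mask mount units and getty service so that we don't get login prompt
systemctl mask systemd-remount-fs.service dev-hugepages.mount sys-fs-fuse-connections.mount systemd-logind.service getty.target console-getty.service


#Generate installtime file record
/bin/date +%Y%m%d_%H%M > /etc/BUILDTIME


#  man pages and documentation
# -exec ... + replaces the former "| xargs rm" pipeline: it handles paths
# containing whitespace and does not invoke rm with no operands when a
# directory is empty or missing. -f keeps rm from prompting.
find /usr/share/{man,doc,info,gnome/help} \
        -type f -exec /bin/rm -f {} +


#  ldconfig
rm -rf /etc/ld.so.cache
rm -rf /var/cache/ldconfig/*
rm -rf /var/cache/yum/*
rm -f /tmp/ks-script*

rm -f /usr/lib/locale/locale-archive

#Setup locale properly
localedef -v -c -i en_US -f UTF-8 en_US.UTF-8


# Clean up after the installer.
rm -f /etc/rpm/macros.imgcreate

# Fix /run/lock breakage since it's not tmpfs in docker
umount /run
systemd-tmpfiles --create --boot

############# CERN'ify ########################################################

# Site Kerberos client defaults.
# NOTE(review): `allow_weak_crypto = true` together with the
# arcfour-hmac-md5 and des-cbc-* entries in default_tkt_enctypes
# re-enables RC4 and DES session keys for every client built from this
# image; keep them only while the realm still requires them and revisit
# once it does not.
# NOTE(review): the `pam = { ... }` block below is written under
# [domain_realm]; pam_krb5 normally reads per-application settings from
# [appdefaults] — confirm the intended section (left as-is here).
cat > /etc/krb5.conf <<EOF
[libdefaults]
 default_realm = CERN.CH
 ticket_lifetime = 25h
 renew_lifetime = 120h
 forwardable = true
 proxiable = true
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 allow_weak_crypto = true
 chpw_prompt = true

[realms]
 CERN.CH = {
  default_domain = cern.ch
  kpasswd_server = cerndc.cern.ch
  admin_server = cerndc.cern.ch
  kdc = cerndc.cern.ch
  }

[domain_realm]
 .cern.ch = CERN.CH

pam = {
   external = true
   krb4_convert =  false
   krb4_convert_524 =  false
   krb4_use_as_req =  false
   ticket_lifetime = 25h
   use_shmem = sshd
 }

EOF

# Site LDAP client defaults: STARTTLS with the server certificate
# required to validate against /etc/openldap/certs (TLS_REQCERT demand).
cat > /etc/openldap/ldap.conf <<EOF
#
# LDAP CERN Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE DC=cern,DC=ch
#note cerndc provides gssapi auth, xldap does not.
#HOST cerndc.cern.ch  # or xldap.cern.ch
#SIZELIMIT 12
#DEREF always

TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
SSL start_tls

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON	on

EOF
%end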

%post --nochroot
# Runs outside the chroot after the main %post: nudge rsyslog so it sends
# everything it has before the reboot, give it time to do so, then drop
# the chroot copy of the %post log so it does not ship inside the image.
pkill -HUP rsyslogd
sleep 30
rm -rf /mnt/sysroot/root/ks-post.log
%end

%packages --excludedocs --nocore
# Minimal package set: --nocore skips the @core group and --excludedocs
# drops documentation files. Note that firewalld and iproute listed here
# are removed again by the chroot %post (see its `yum -y remove` list).
CERN-CA-certs
bash
bind-utils
centos-release
cern-wrappers
cyrus-sasl-gssapi
epel-release
firewalld
hepix
iproute
iputils
less
openldap-clients
rootfiles
shadow-utils
vim-minimal
yum-autoupdate
yum-plugin-ovl
# Explicit exclusions (leading "-"); kernel* is excluded here and any
# kernel that still lands is removed in %post.
-*firmware
-bind-license
-freetype
-gettext*
-kernel*
-libteam
-os-prober
-teamd
-yum-firstboot

%end