# Kickstart file automatically generated by anaconda.
# Purpose: unattended, minimal CentOS 5 install from the install media
# (non-interactive "cmdline" mode, no X), laid out on a single disk (vda).
install
cmdline
cdrom
lang en_US.UTF-8
keyboard us
skipx
# single NIC, DHCP, brought up at boot
network --device=eth0 --bootproto=dhcp --onboot=on
services --enabled=network
# Root password hash. The "$1$" prefix means MD5-crypt, which is weak by
# current standards. NOTE(review): regenerate as SHA-512 ("$6$") if the
# target's crypt()/shadow-utils support it, and keep this file out of
# world-readable locations since it carries the hash.
rootpw --iscrypted $1$Wc6Nxljt$LmD0wSpp611tCW90gUBaZ1
# Firewall on, only 22/tcp opened by the installer. A later %post section
# writes its own full ruleset into /etc/sysconfig/iptables, so that section
# is what actually governs the rules at first boot.
firewall --enabled --port=22:tcp
# --enablemd5 selects MD5 for password hashing. NOTE(review): prefer SHA-512
# via --passalgo=sha512 where the installed authconfig supports that option.
authconfig --enableshadow --enablemd5
# SELinux loads policy but only logs denials; nothing is blocked.
selinux --permissive
timezone --utc America/Detroit
# GRUB in the MBR of vda. No --password is set, so boot entries can be
# edited from the console.
bootloader --location=mbr --driveorder=vda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#clearpart --linux --drives=vda
# Destructive: wipes every partition on vda and writes a fresh disk label.
clearpart --all --initlabel --drives=vda
part /boot --fstype ext3 --size=100 --ondisk=vda
part swap --size=512
# root takes whatever space remains
part / --fstype ext4 --size=100 --grow
reboot
# Minimal package set: --nobase skips the @Base group, so only @Core plus
# the explicit additions below are installed; "-pkg" lines drop packages
# that @Core would otherwise pull in.
%packages --nobase
@Core
# explicit additions: audit logging, sudo, a firewall and basic tooling/docs
audit
curl
iptables
man
man-pages
sudo
# exclusions: @Core members that are not wanted on this host
-cups
-paps
-pango
-wireless-tools
-xorg-x11-filesystem
-Deployment_Guide-en-US
-dhcpv6-client
-elilo
-ethtools
-redhat-logos
-gnu-efi
-kudzu
-hald
-hdparm
-ppc64-utils
-s390utils
-ecryptfs-utils
-freeipmi
-libhugetlbfs
-mkinitrd
-policycoreutils
-udftools
-libselinux-python
-libsemanage
#-setools
-setserial
-tcl
-vim-enhanced
-kpartx
-mcstrans
# NOTE(review): the next line carries a trailing "# ..." comment; confirm
# this anaconda's %packages parser strips inline comments, otherwise the
# exclusion may not match the package name. The iscsi services are switched
# off in the last %post section regardless.
-iscsi-initiator-utils # still gets installed due to mkinitrd dependency, turn-off deaemon later on
%post
# Import the CentOS-5 signing key into the rpm keyring so package
# signatures can be verified by rpm/yum on the installed system.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
%end
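%post
# add firewall configurations without installing
# system-config-securitylevel since this pulls
# an additional 38 packages
#
# The heredoc is a complete ruleset (*filter ... COMMIT), so the file is
# written rather than appended to: appending to a ruleset the installer may
# already have written (see the firewall directive above) would leave two
# *filter tables in one file. The file is then restricted to root, as
# iptables-save does, since it describes the host's exposure.
cat > /etc/sysconfig/iptables << EOF
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
# uncomment the following to allow printing
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
# uncomment to enable http & https
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
# NOTE(review): the ruleset above also accepts ESP/AH (protocols 50/51) and
# mDNS (udp/5353), as the stock default does; remove them if unused.
chmod 600 /etc/sysconfig/iptables
%end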
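%post
# add user
# The -p value is a pre-hashed password ("$1$" = MD5-crypt; NOTE(review):
# consider re-hashing with SHA-512 if the target supports it). -G wheel
# pairs with the sudoers change below; -m creates the home directory.
/usr/sbin/useradd -G wheel -p '$1$o43.Wb9/$WY.eujJgfIiAIolHf/eNB.' -m amitava
# adjust sudoers: uncomment the stock "# %wheel ALL=(ALL) ALL" line.
# The edit is made on a copy and validated with visudo first; only a
# syntactically valid result replaces the live file, so a bad edit cannot
# leave the host without working sudo. Writing through `cat >` keeps the
# existing owner and mode of /etc/sudoers.
SUDOERS_TMP=$(mktemp)
if [ -n "$SUDOERS_TMP" ]; then
  sed -e '/^# %wheel[ \t]*ALL=(ALL)[ \t]*ALL$/ s/^# //' /etc/sudoers > "$SUDOERS_TMP" \
    && visudo -c -f "$SUDOERS_TMP" > /dev/null \
    && cat "$SUDOERS_TMP" > /etc/sudoers
  rm -f "$SUDOERS_TMP"
fi
%end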
# use --log parameter to redirect script output to logfile
#%post --log=/root/mylog.log
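%post
# disable root password based login
# sshd honours the FIRST occurrence of a keyword, so any active
# PermitRootLogin/UseDNS line already in the file is removed before ours
# is appended; otherwise an earlier uncommented setting would silently win.
sed -i -e '/^PermitRootLogin[ \t]/d' -e '/^UseDNS[ \t]/d' /etc/ssh/sshd_config
cat >> /etc/ssh/sshd_config << EOF
#PermitRootLogin without-password
PermitRootLogin no
UseDNS no
EOF
# set up ssh key fetching
# Create the key directory with the permissions sshd's StrictModes expects.
# mkdir -p/chmod/touch are idempotent, so no "only if missing" guard is
# needed; ownership is fixed up at the end so authorized_keys belongs to
# the user even when the directory already existed.
mkdir -p /home/amitava/.ssh
chmod 700 /home/amitava/.ssh
touch /home/amitava/.ssh/authorized_keys
chmod 600 /home/amitava/.ssh/authorized_keys
# Fetch public key using HTTP
# make sure to pass askalert to the linux command argument
# boot: linux asknetwork ks=floppy
# see - http://sexysexypenguins.com/2010/02/18/anaconda-is-awesome-how-to-force-a-network-request-with-local-media-using-kickstart/
# NOTE(review): plain HTTP with no integrity check means whatever the
# network returns becomes an authorized key for amitava. Serve the key over
# HTTPS and/or compare its fingerprint against a value carried in this file.
KEY_FILE=$(mktemp)
if [ -n "$KEY_FILE" ]; then
  # -f: curl exits 0 on an HTTP error (e.g. 404) unless told otherwise, so
  #     the previous "$?" test accepted an error page as a key;
  # -s: quiet (replaces 2>/dev/null); --max-time: do not hang without network.
  # Append only when the download succeeded and produced a non-empty file.
  if curl -f -s --max-time 60 http://ashee.github.com/id_rsa.pub > "$KEY_FILE" \
      && [ -s "$KEY_FILE" ]; then
    cat "$KEY_FILE" >> /home/amitava/.ssh/authorized_keys
  fi
  rm -f "$KEY_FILE"
fi
chown -R amitava:amitava /home/amitava/.ssh
%end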
# turn off unneeded services
%post
# Disable boot-time start of services that are installed but not wanted:
# iscsi/iscsid (pulled in via the mkinitrd dependency noted in %packages),
# the mcstrans translation daemon and lvm2 monitoring.
for svc in iscsi iscsid mcstrans lvm2-monitor; do
  /sbin/chkconfig "$svc" off
done
%end