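# Kickstart template (Jinja2, rendered by Ansible) for an unattended Oracle Linux 9 install.
# The admin account name is resolved once and reused below; it falls back to the user
# running Ansible on the controller when ansible_user is not set.
{% set admin_user = ansible_user | default(lookup('pipe', 'whoami')) %}
{% set admin_home = '/home/' ~ admin_user %}
skipx
firewall --enabled --ssh

# Additional repositories are fetched over HTTPS, like the BaseOS install source below,
# so repository metadata and packages cannot be altered in transit during installation.
repo --name="AppStream" --baseurl=https://yum.oracle.com/repo/OracleLinux/OL9/appstream/x86_64
repo --name="UEK" --baseurl=https://yum.oracle.com/repo/OracleLinux/OL9/UEKR7/x86_64

%addon com_redhat_kdump --enable --reserve-mb='auto'
%end

%addon com_redhat_oscap
    content-type = scap-security-guide
    datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-ol9-xccdf-1.2.xml
    xccdf-id = scap_org.open-scap_cref_ssg-ol9-xccdf-1.2.xml
    profile = xccdf_org.ssgproject.content_profile_standard
%end

# Static addressing when ansible_host is an IP address, DHCP otherwise.
# Gateway and nameserver default to the first host address of the network, derived
# from the same netmask that is passed to --netmask.
{% set net_mask = netmask | default('255.255.255.0') %}
{% if ansible_host is defined and ansible_host | ansible.utils.ipaddr %}
{% set first_host = (((ansible_host + '/' + net_mask) | ansible.utils.ipaddr('network') | ansible.utils.ipaddr('int')) + 1) | string | ansible.utils.ipaddr %}
network --bootproto=static --gateway={{ gateway | default(first_host) }} --ip={{ ansible_host }} --nameserver={{ nameserver | default(first_host) }} --netmask={{ net_mask }}
{%- else %}
network --bootproto=dhcp
{%- endif %} --device=enp0s3 --onboot=on --hostname={{ inventory_hostname }}

# Admin account with sudo rights through wheel. The password is hashed at render time,
# so only the crypt hash is written here; the rendered file still carries that hash and
# should be readable only by the installer that consumes it.
user --name={{ admin_user }} --groups=wheel --password={{ ansible_password | password_hash }} --iscrypted

# Keyboard layouts
keyboard --xlayouts='de'
# System language
lang en_US.UTF-8

# Use network installation
url --url="https://yum.oracle.com/repo/OracleLinux/OL9/baseos/latest/x86_64"

%packages
@^server-product-environment
openscap
openscap-scanner
rsyslog
scap-security-guide
%end

%post --interpreter=/bin/bash
#---- Install our SSH key ----
mkdir -p -m0700 {{ admin_home }}/.ssh/
# The here-document delimiter is quoted so every key line is written literally,
# without shell expansion of anything contained in a key or its comment field.
cat <<'EOF' >{{ admin_home }}/.ssh/authorized_keys
{% for ssh_key in ssh_keys %}
{{ ssh_key }}
{% endfor %}
EOF
### set permissions
chmod 0600 {{ admin_home }}/.ssh/authorized_keys
### change owner
chown -R {{ admin_user }}:{{ admin_user }} {{ admin_home }}/.ssh
### fix up selinux context
restorecon -R {{ admin_home }}/.ssh/
%end

# Run the Setup Agent on first boot
firstboot --enable

# Generated using Blivet version 3.4.0
ignoredisk --only-use=sda
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
# /var/log and /var/log/audit get their own volumes so log growth cannot fill the root filesystem.
part pv.116 --fstype="lvmpv" --ondisk=sda --grow --size=25600
part /boot --fstype="xfs" --ondisk=sda --size=1024
volgroup ol --pesize=4096 pv.116
logvol /var/log --fstype="xfs" --size=2048 --name=var_log --vgname=ol
logvol /var/log/audit --fstype="xfs" --size=1024 --name=var_log_audit --vgname=ol
logvol / --fstype="xfs" --grow --name=root --vgname=ol --size 20480

# System timezone
timezone Europe/Berlin --utc

# Disable root password
rootpw --lock

{% if reboot_after_installation %}
# Reboot after installation
reboot
{% endif %}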