#!/bin/bash

set -eufx

# ipa requires an UTF-8 locale
export LC_ALL=C.UTF-8

echo foobar | passwd --stdin root

dnf -y remove firewalld
dnf -y update
dnf -y install freeipa-server freeipa-server-dns bind bind-dyndb-ldap iptables

iptables -F

nmcli con add con-name "static-eth1" ifname eth1 type ethernet ip4 "10.111.112.100/20" ipv4.dns "10.111.112.100" gw4 "10.111.112.1"
nmcli con up "static-eth1"
hostnamectl set-hostname f0.cockpit.lan

# Let's make sure that ipa-server-install doesn't block on
# /dev/random.
#
rm -f /dev/random
ln -s /dev/urandom /dev/random

ipa-server-install -U -p foobarfoo -a foobarfoo -n cockpit.lan -r COCKPIT.LAN --setup-dns --no-forwarders

# Make sure any initial password change is overridden
printf 'foobarfoo\nfoobarfoo\nfoobarfoo\n' | kinit admin@COCKPIT.LAN

# Default password expiry of 90 days is impractical
ipa pwpolicy-mod --minlife=0 --maxlife=1000
# Change password to apply new password policy
printf 'foobarfoo\nfoobarfoo\n' | ipa user-mod --password admin
ipa user-show --all admin

# Allow "admins" IPA group members to run sudo
# This is an "unbreak my setup" step and ought to happen by default.
# See https://pagure.io/freeipa/issue/7538
ipa-advise enable-admins-sudo | sh -ex

ipa dnsconfig-mod --forwarder=8.8.8.8

ln -sf ../selinux/config /etc/sysconfig/selinux
echo 'SELINUX=permissive' > /etc/selinux/config

# reduce image size
dnf clean all
/var/lib/testvm/zero-disk.setup