Showing
9 changed files
with
59 additions
and
183 deletions.
@@ -1,158 +1,6 @@ | ||
$InformationPreference = 'Continue' | ||
$ErrorActionPreference = 'Stop' | ||
|
||
function Set-CACert | ||
{ | ||
$uri = 'https://curl.haxx.se/ca/cacert.pem' | ||
$CACertFile = Join-Path -Path $ENV:AppData -ChildPath 'RubyCACert.pem' | ||
|
||
$retryArgs = @{ | ||
SuccessMessage = "Succeeded in downloading CA bundle from $uri" | ||
FailMessage = "Failed to download CA bundle from $uri" | ||
Retries = 5 | ||
Timeout = 1 | ||
Script = { | ||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | ||
Invoke-WebRequest -Uri $uri -UseBasicParsing -OutFile $CACertFile | Out-Null | ||
} | ||
} | ||
|
||
# only download CA file if not present - throw on failures | ||
If (-Not (Test-Path -Path $CACertFile)) { Invoke-ScriptBlockWithRetry @retryArgs } | ||
|
||
Write-Information "Setting CA Certificate store set to $CACertFile.." | ||
$ENV:SSL_CERT_FILE = $CACertFile | ||
[System.Environment]::SetEnvironmentVariable('SSL_CERT_FILE', $CACertFile, [System.EnvironmentVariableTarget]::Machine) | ||
} | ||
|
||
function Install-Puppetfile | ||
{ | ||
Set-CACert | ||
|
||
# Forge connections may fail intermittently | ||
$retryArgs = @{ | ||
SuccessMessage = 'Succeeded in installing Puppetfile' | ||
FailMessage = 'Failed to install required modules from Forge' | ||
Retries = 10 | ||
Timeout = 2 | ||
Script = { bundle exec r10k puppetfile install } | ||
} | ||
|
||
Invoke-ScriptBlockWithRetry @retryArgs | ||
} | ||
|
||
function New-RandomPassword | ||
{ | ||
Add-Type -AssemblyName System.Web | ||
"&aA4" + [System.Web.Security.Membership]::GeneratePassword(10, 3) | ||
} | ||
|
||
function New-LocalAdmin($userName, $password) | ||
{ | ||
$userArgs = @{ | ||
Name = $userName | ||
Password = (ConvertTo-SecureString -String $password -Force -AsPlainText) | ||
} | ||
|
||
$user = New-LocalUser @userArgs | ||
Write-Information ($user | Format-List | Out-String) | ||
Add-LocalGroupMember -Group 'Remote Management Users' -Member $user | ||
Add-LocalGroupMember -Group Administrators -Member $user | ||
} | ||
|
||
function Install-Certificate($path, $password) | ||
{ | ||
$importArgs = @{ | ||
FilePath = $path | ||
CertStoreLocation = 'cert:\\LocalMachine\\My' | ||
Password = (ConvertTo-SecureString -String $password -Force -AsPlainText) | ||
} | ||
|
||
return (Import-PfxCertificate @importArgs) | ||
} | ||
|
||
#function Grant-WinRMHttpsAccess($certThumbprint) | ||
#{ | ||
# $winRMArgs = @{ | ||
# ResourceURI = 'winrm/config/Listener' | ||
# SelectorSet = @{ Address = '*'; Transport = 'HTTPS'; } | ||
# ValueSet = @{ Hostname = 'boltserver'; CertificateThumbprint = $certThumbprint } | ||
# } | ||
# $instance = Set-WSManInstance @winRMArgs | ||
# Write-Information ($instance | Format-List | Out-String) | ||
#} | ||
|
||
#function Set-WinRMHostConfiguration | ||
#{ | ||
# # configure WinRM to use cert.pfx for SSL | ||
# $cert = Install-Certificate -Path 'spec/fixtures/ssl/cert.pfx' -Password 'bolt' | ||
# Write-Information ($cert | Format-List | Out-String) | ||
# Grant-WinRMHttpsAccess -CertThumbprint $cert.Thumbprint | ||
#} | ||
|
||
function Invoke-ScriptBlockWithRetry([ScriptBlock]$script, $failMessage, $successMessage, $retries = 15, $timeout = 1) | ||
{ | ||
$retried = 0 | ||
|
||
Do | ||
{ | ||
try { | ||
$script.Invoke() | ||
Write-Information "$successMessage after $($retried + 1) attempt(s)" | ||
return $true | ||
} | ||
catch | ||
{ | ||
$retried++ | ||
Start-Sleep -Seconds $timeout | ||
} | ||
} While ($retried -lt $retries) | ||
|
||
throw "ERROR: $failMessage in $retried retries`n$($Error[0])" | ||
|
||
} | ||
|
||
#function Test-WinRMConfiguration($userName, $password, $retries = 15, $timeout = 1) | ||
#{ | ||
# $retryArgs = @{ | ||
# FailMessage = 'Failed to establish WinRM connection over SSL' | ||
# SuccessMessage = "Successfully established WinRM connection with $userName" | ||
# Retries = $retries | ||
# Timeout = $timeout | ||
# Script = { | ||
# $pass = ConvertTo-SecureString $password -AsPlainText -Force | ||
# $sessionArgs = @{ | ||
# ComputerName = 'localhost' | ||
# Credential = New-Object System.Management.Automation.PSCredential ($userName, $pass) | ||
# UseSSL = $true | ||
# SessionOption = New-PSSessionOption -SkipRevocationCheck -SkipCACheck | ||
# } | ||
# | ||
# if (New-PSSession @sessionArgs) { return $true } | ||
# } | ||
# } | ||
# | ||
# Invoke-ScriptBlockWithRetry @retryArgs | ||
#} | ||
|
||
# Ensure Puppet Ruby 5 / 6 takes precedence over system Ruby | ||
function Set-ActiveRubyFromPuppet | ||
{ | ||
# https://github.com/puppetlabs/puppet-specifications/blob/master/file_paths.md | ||
$path = @( | ||
"${ENV:ProgramFiles}\Puppet Labs\Puppet\sys\ruby\bin", | ||
"${ENV:ProgramFiles}\Puppet Labs\Puppet\puppet\bin", | ||
$ENV:Path | ||
) -join ';' | ||
|
||
[System.Environment]::SetEnvironmentVariable('Path', $path, [System.EnvironmentVariableTarget]::Machine) | ||
} | ||
|
||
$Pass = New-RandomPassword | ||
$User = @{ UserName = $ENV:BOLT_WINRM_USER; Password = $Pass } | ||
New-LocalAdmin @User | ||
#Enable-PSRemoting | ||
#Set-WSManQuickConfig -Force | ||
#Set-WinRMHostConfiguration | ||
#Test-WinRMConfiguration @User | Out-Null | ||
#Write-Output "::set-env name=BOLT_WINRM_PASSWORD::$pass" | ||
Enable-PSRemoting | ||
winrm "set" "winrm/config/client/auth" "@{Basic=`"true`"}" | ||
winrm "set" "winrm/config/client" "@{AllowUnencrypted=`"true`"}" |
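Review bot: The two `winrm "set"` lines at the end of the hunk, which the `+1,6` header suggests are on the new side, enable Basic auth and AllowUnencrypted for the WinRM client while the certificate and HTTPS listener setup (Install-Certificate, Grant-WinRMHttpsAccess) is removed from the same file, so any session this client opens will send Basic credentials over plain HTTP. If that is the intent for the container fixture, record it above the lines, e.g. `# Test fixture only: client uses Basic auth over the unencrypted HTTP listener; never reuse on a real host`. The commented-out `#Enable-PSRemoting` through `#Write-Output "::set-env …"` lines, if they survive on the new side, are dead code that should be deleted or explained. Because the rendered hunk has lost its +/- markers and shrinks the file from 158 to 6 lines, which of the remaining lines are context cannot be read from the page.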
@@ -0,0 +1,7 @@ | ||
FROM mcr.microsoft.com/windows/servercore:ltsc2019 | ||
|
||
COPY fixtures/scripts/windev/setup.ps1 ./ | ||
COPY fixtures/scripts/windev/agent.ps1 ./ | ||
RUN powershell ./setup.ps1 | ||
RUN powershell ./agent.ps1 | ||
CMD ["powershell", "Start-Sleep", "-s 1000000"] |
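Review bot: `RUN powershell ./setup.ps1` and `RUN powershell ./agent.ps1` run the scripts in command mode with no execution policy and no error preference, so a cmdlet that fails with a non-terminating error (PowerShell's default `$ErrorActionPreference` is Continue) still lets the build step succeed and produces a partly configured image. Invoking them as `RUN powershell -NoProfile -ExecutionPolicy Bypass -File ./setup.ps1` (and likewise for agent.ps1) makes the script's exit status the step's status per the documented `-File` behaviour, and pairing that with `$ErrorActionPreference = 'Stop'` at the top of each script turns cmdlet failures into build failures. The setup.ps1 hunk elsewhere in this commit does not appear to set that preference, so this is worth doing in both places.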
@@ -1,6 +1,6 @@ | ||
FROM mcr.microsoft.com/windows/servercore:ltsc2019 | ||
|
||
ADD fixtures/ssl/cert.pfx C:\cert.pfx | ||
ADD fixtures/scripts/windev/setup.ps1 C:\setup.ps1 | ||
RUN powershell C:\setup.ps1 | ||
# TODO: Remove file? Do we care? | ||
COPY fixtures/ssl/cert.pfx ./ | ||
COPY fixtures/scripts/windev/setup.ps1 ./ | ||
RUN powershell ./setup.ps1 | ||
CMD ["powershell", "Start-Sleep", "-s 1000000"] |
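Review bot: The `# TODO: Remove file? Do we care?` comment above `COPY fixtures/ssl/cert.pfx ./` does not record that deleting the file in a later `RUN` step would not remove it from the COPY layer, so the PFX and its private key remain in the image history either way. The setup.ps1 hunk in this commit appears to import the certificate into `cert:\LocalMachine\My` at build time, after which the file on disk is not needed; a comment such as `# cert.pfx is imported into the machine store by setup.ps1; a later rm would not purge it from this layer` would capture that. Which side of the hunk the TODO line belongs to cannot be read from the rendered page.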
@@ -1,14 +1,23 @@ | ||
# Disable password complexity requirements | ||
secedit /export /cfg c:\secpol.cfg | ||
(gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg | ||
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY | ||
rm -force c:\secpol.cfg -confirm:$false | ||
|
||
# add the bolt user account | ||
($user = New-LocalUser -Name bolt -Password (ConvertTo-SecureString -String bolt -Force -AsPlainText)) | Format-List | ||
New-LocalUser -Name bolt -Password (ConvertTo-SecureString -String bolt -Force -AsPlainText) | ||
# add the bolt user to the 'Remote Management Users' group | ||
Add-LocalGroupMember -Group 'Remote Management Users' -Member $user | ||
Add-LocalGroupMember -Group 'Administrators' -Member $user | ||
Add-LocalGroupMember -Group 'Remote Management Users' -Member "bolt" | ||
Add-LocalGroupMember -Group 'Administrators' -Member "bolt" | ||
|
||
# import the certificate to be used for the winrm-ssl | ||
($cert = Import-PfxCertificate -FilePath C:\\cert.pfx -CertStoreLocation cert:\\LocalMachine\\My -Password (ConvertTo-SecureString -String bolt -Force -AsPlainText)) | Format-List | ||
|
||
# add the winrm-ssl listener | ||
New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address='*';Transport='HTTPS'} -ValueSet @{Hostname='boltserver';CertificateThumbprint=$cert.Thumbprint} | Format-List | ||
|
||
# add a firewall rule allowing access to the winrm-ssl port (TCP port 5986) | ||
New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Format-List | ||
Enable-PSRemoting | ||
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force | ||
winrm "set" "winrm/config/service/auth" "@{Basic=`"true`"}" | ||
winrm "set" "winrm/config/service/auth" "@{Certificate=`"true`"}" | ||
#winrm "set" "winrm/config/service/" "@{AllowUnencrypted=`"true`"}" |
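Review bot: Nothing in the hunk sets `$ErrorActionPreference = 'Stop'`, so if `New-LocalUser -Name bolt …` or `Add-LocalGroupMember … -Member "bolt"` fails the script keeps going and the image build still succeeds with a user missing from the Administrators or Remote Management Users groups; adding `$ErrorActionPreference = 'Stop'` as the first line (the hunk starts at file line 1) makes those failures terminating. The commented `#winrm "set" "winrm/config/service/" "@{AllowUnencrypted=…}"` line, if it is on the new side, is left with no explanation; a comment like `# Basic auth is only accepted over the HTTPS listener; leave AllowUnencrypted off on the service` would record why it must stay disabled. `Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force` configures the container's own WinRM client, which looks unnecessary for a fixture that only receives connections; either remove it or comment what inside the container initiates sessions.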