djpbessems/Packer.Images
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Safeguarding WIP
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Danny Bessems
2021-04-08 17:03:19 +02:00
parent 0271f5f959
commit aee33cca51
2 changed files with 91 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
scripts/ADCS/payload/Apply-OVFProperties.ps1 → scripts/ADCS/payload/Apply-FirstBootConfig.ps1
View File

@ -30,21 +30,47 @@ foreach ($ovfProperty in $ovfProperties) {
}
# Check for mandatory values
If (!($ovfPropertyValues['guestinfo.hostname'] -and
$ovfPropertyValues['guestinfo.ipaddress'] -and
$ovfPropertyValues['guestinfo.dnsserver'] -and
$ovfPropertyValues['guestinfo.prefixlength'] -and
$ovfPropertyValues['guestinfo.gateway'])) {
Switch ($ovfPropertyValues['deployment.type']) {
'standalone-root' {
$MandatoryProperties, $MissingProperties = @('guestinfo.hostname', 'guestinfo.ipaddress', 'guestinfo.prefixlength', 'guestinfo.dnsserver', 'guestinfo.gateway', 'guestinfo.administratorpw', 'adcsconfig.organizationname', 'adcsconfig.foo'), @()
}
'enterprise-intermediate' {
$MandatoryProperties, $MissingProperties = @('guestinfo.hostname', 'guestinfo.ipaddress', 'guestinfo.prefixlength', 'guestinfo.dnsserver', 'guestinfo.gateway', 'guestinfo.administratorpw', 'adcsconfig.foo'), @()
}
'standalone-intermediate' {
$MandatoryProperties, $MissingProperties = @('guestinfo.hostname', 'guestinfo.ipaddress', 'guestinfo.prefixlength', 'guestinfo.dnsserver', 'guestinfo.gateway', 'guestinfo.administratorpw', 'adcsconfig.foo'), @()
}
default {
# Mandatory values missing, cannot provision.
$WriteEventLogSplat = @{
LogName = 'Application'
Source = 'OVF-Properties'
Source = 'FirstBoot'
EntryType = 'Error'
EventID = 66
Message = 'Mandatory values missing, cannot provision.'
Message = "Unexpected or no value set for property 'deployment.type', cannot provision."
}
Write-EventLog @WriteEventLogSplat
& schtasks.exe /Change /TN 'OVF-Properties' /DISABLE
& schtasks.exe /Change /TN 'FirstBoot' /DISABLE
Stop-Computer -Force
Exit
}
}
ForEach ($Property in $MandatoryProperties) {
If (!$ovfPropertyValues[$Property]) {
$MissingProperties += $Property
}
}
If ($MissingProperties.Length -gt 0) {
# Mandatory values missing, cannot provision.
$WriteEventLogSplat = @{
LogName = 'Application'
Source = 'FirstBoot'
EntryType = 'Error'
EventID = 66
Message = "Missing values for mandatory properties $(($MissingProperties | ForEach-Object {"'{0}'" -f $_}) -join ', '), cannot provision."
}
Write-EventLog @WriteEventLogSplat
& schtasks.exe /Change /TN 'FirstBoot' /DISABLE
Stop-Computer -Force
Exit
}
@ -125,24 +151,55 @@ If ((Get-WmiObject -Class 'Win32_NetworkAdapterConfiguration').IPAddress -NotCon
$ErrorActionPreference, $OldErrorActionPreference = $OldErrorActionPreference, $NULL
}
# Foo
# Install and configure certificate authority
If ((& certutil.exe | Select-String "Server:") -notmatch "$Env:ComputerName") {
# Change password of built-in Administrator
$BuiltinAdministrator = (Get-LocalUser | Where-Object {$_.SID -match '-500'})
$ConvertToSecureStringSplat = @{
String = $ovfPropertyValues['guestinfo.administratorpw']
AsPlainText = $True
Force = $True
}
$SetLocalUserSplat = @{
InputObject = $BuiltinAdministrator
Password = ConvertTo-SecureString @ConvertToSecureStringSplat
PasswordNeverExpires = $True
AccountNeverExpires = $True
### This setting is not allowed on the last administrator
#UserMayChangePassword = $False
Confirm = $False
}
Set-LocalUser @SetLocalUserSplat
Switch ($ovfPropertyValues['deployment.type']) {
'standalone-root' {
$InstallADCSCertificationAuthoritySplat = @{
CACommonName = "$($ovfPropertyValues['deployment.organizationname']) Root CA"
CAType = 'StandaloneRootCA'
}
Install-ADCSCertificationAuthority @InstallADCSCertificationAuthoritySplat
}
# Foo
# Bar
}
}
# Iterate through and invoke all payload scripts
#! TODO: add registry values to determine which scripts have already been invoked (in case of intermediate reboots)
$GetItemSplat = @{
Path = "$($PSScriptRoot)\Scripts\*.ps1"
}
Get-Item @GetItemSplat | ForEach-Object {
ForEach ($Script in (Get-Item @GetItemSplat)) {
Try {
$WriteEventLogSplat = @{
LogName = 'Application'
Source = 'OVF-Properties'
EntryType = 'Information'
EventID = 4
Message = "Running script: '$($_.FullName)'"
Message = "Running script: '$($Script.FullName)'"
}
Write-EventLog @WriteEventLogSplat
& $_.FullName -Parameter $ovfPropertyValues
& $Script.FullName -Parameter $ovfPropertyValues
}
Catch {
$WriteEventLogSplat = @{
@ -150,7 +207,10 @@ Get-Item @GetItemSplat | ForEach-Object {
Source = 'OVF-Properties'
EntryType = 'Error'
EventID = 66
Message = $_.Exception.Message
Message = @"
Error occurred while executing script '$($Script.Name)':
$($_.Exception.Message)
"@
}
Write-EventLog @WriteEventLogSplat
}

19
scripts/Update-OvfConfiguration.yml
View File

@ -27,7 +27,24 @@ PropertyCategories:
DefaultValue: ''
Configurations: '*'
UserConfigurable: true
- Name: 2) Networking
- Key: guestinfo.administratorpw
Type: password(7..)
Label: Local administrator password*
Description: Must meet password complexity rules
DefaultValue: password
Configurations:
- standalone-root
- standalone-intermediate
UserConfigurable: true
- Key: guestinfo.ntpserver
Type: string(1..)
Label: Time server*
Description: A comma-separated list of timeservers
DefaultValue: 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org
Configurations:
- standalone-root
- standalone-intermediate
UserConfigurable: true- Name: 2) Networking
ProductProperties:
- Key: guestinfo.ipaddress
Type: ip