startup.ps1
# Copyright 2017 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# Run the whole script under the newest strict-mode rules, so that mistakes
# such as reading a variable that was never assigned raise an error.
Set-StrictMode -Version Latest
# Helpers
# Reports whether the registry key at $path holds a value called $name.
# Despite the function name, this looks for a *value* under the key: a missing
# key and a key that lacks the value both give $false.
function Test-RegistryKeyExists($path, $name)
{
    # SilentlyContinue: a missing key yields $null here instead of an error record.
    $regKey = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $regKey)
    {
        return $false
    }
    # GetValue hands back the supplied default ($null) when the value is absent.
    return ($null -ne $regKey.GetValue($name, $null))
}
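# Downloads $URL to the file $Output using System.Net.Http.HttpClient.
#
# Parameters:
#   URL    - address fetched with a GET request.
#   Output - path of the file to create; an existing file is overwritten.
#   Sha256 - optional expected SHA-256 of the download as a hex string. When
#            given, the file is hashed after the download and deleted again if
#            the hash differs.
#
# Throws when the request is cancelled or fails, when the server answers with
# a non-success status, when copying the body fails, or when the hash does not
# match. Every caller in this script runs or installs what it downloads, so a
# failed download has to stop the script instead of leaving a missing or
# partial file for a later step to pick up.
#
# NOTE(review): without -Sha256 the only integrity protection is HTTPS plus
# write access control on the bucket. Callers that execute the result should
# pass a pinned hash.
function Get-FileFromUrl(
    [string] $URL,
    [string] $Output,
    [string] $Sha256 = '')
{
    Add-Type -AssemblyName "System.Net.Http"
    $client = New-Object System.Net.Http.HttpClient
    try
    {
        $request = New-Object System.Net.Http.HttpRequestMessage -ArgumentList @([System.Net.Http.HttpMethod]::Get, $URL)
        $responseMsg = $client.SendAsync($request)
        $responseMsg.Wait()
        if ($responseMsg.IsCanceled)
        {
            throw "download of $URL was cancelled"
        }
        $response = $responseMsg.Result
        if (-not $response.IsSuccessStatusCode)
        {
            # Previously a 4xx/5xx answer returned silently and wrote no file.
            throw "download of $URL failed with HTTP status $([int] $response.StatusCode)"
        }

        $copied = $false
        $downloadedFileStream = [System.IO.File]::Create($Output)
        try
        {
            $copyStreamOp = $response.Content.CopyToAsync($downloadedFileStream)
            $copyStreamOp.Wait()
            if ($null -ne $copyStreamOp.Exception)
            {
                throw $copyStreamOp.Exception
            }
            $copied = $true
        }
        finally
        {
            # Release the handle on every path, then drop a truncated file so
            # that nothing later mistakes it for a complete download.
            $downloadedFileStream.Close()
            if (-not $copied)
            {
                Remove-Item -LiteralPath $Output -ErrorAction SilentlyContinue
            }
        }
    }
    finally
    {
        $client.Dispose()
    }

    if ($Sha256)
    {
        $actualHash = (Get-FileHash -LiteralPath $Output -Algorithm SHA256).Hash
        # -ne on strings ignores case, so upper- and lower-case hex both work.
        if ($actualHash -ne $Sha256)
        {
            Remove-Item -LiteralPath $Output -ErrorAction SilentlyContinue
            throw "SHA-256 mismatch for ${URL}: expected $Sha256, got $actualHash"
        }
    }
}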
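# https://social.technet.microsoft.com/Forums/ie/en-US/29508e4e-a2b5-42eb-9729-6eca473716ae/disabling-password-complexity-via-command?forum=ITCG
#
# Turns off the local password-complexity rule and sets the minimum password
# length to 0. secedit.exe exports the current policy to a temporary file, the
# two settings are rewritten in that text, and secedit.exe imports the result.
# The scratch database secedit.sdb is created in, and removed from, the
# current directory.
function Disable-PasswordComplexity
{
    param()
    $secEditPath = [System.Environment]::ExpandEnvironmentVariables("%SystemRoot%\system32\secedit.exe")
    $tempFile = [System.IO.Path]::GetTempFileName()
    $exportArguments = '/export /cfg "{0}" /quiet' -f $tempFile
    $importArguments = '/configure /db secedit.sdb /cfg "{0}" /quiet' -f $tempFile
    Start-Process -FilePath $secEditPath -ArgumentList $exportArguments -Wait
    $currentConfig = Get-Content -Path $tempFile
    # Match the whole number. The earlier pattern used '.', which consumes one
    # character only, so an exported "MinimumPasswordLength = 14" turned into
    # "MinimumPasswordLength = 04" and left a length of 4 in force.
    $currentConfig = $currentConfig -replace 'PasswordComplexity = \d+', 'PasswordComplexity = 0'
    $currentConfig = $currentConfig -replace 'MinimumPasswordLength = \d+', 'MinimumPasswordLength = 0'
    $currentConfig | Out-File -FilePath $tempFile
    Start-Process -FilePath $secEditPath -ArgumentList $importArguments -Wait
    Remove-Item -Path .\secedit.sdb
    Remove-Item -Path $tempFile
}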
# Block until the network is usable: first the link-local metadata address,
# then an external address. Each probe is a TCP connection to port 53 and is
# retried every three seconds. There is no upper bound on the wait, so a VM
# whose egress is blocked stays in these loops.
while (-not (Test-NetConnection 169.254.169.254 -Port 53).TcpTestSucceeded)
{
    Write-Host "waiting for network (metadata service) to come up"
    Start-Sleep -Seconds 3
}
while (-not (Test-NetConnection 8.8.8.8 -Port 53).TcpTestSucceeded)
{
    Write-Host "waiting for network (external network) to come up"
    Start-Sleep -Seconds 3
}
# Switch off password complexity, automatic updates, Windows Defender, the
# Windows firewall, error reporting and UAC. Rationale given by the authors:
#
# - Update can interrupt the builds
# - We don't care about security since this isn't going to be Internet-facing
# - No ports will ever be accessible externally
# - We can be trusted to run as a real Administrator
#
# NOTE(review): nothing in this script enforces the "not Internet-facing"
# assumption. With the host firewall off and sshd installed further down,
# isolation has to come from the network the VM is attached to; confirm the
# rules there before reusing this on another network.
Write-Host "disabling security features"
Disable-PasswordComplexity

# Automatic Updates: policy value NoAutoUpdate = 1.
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name NoAutoUpdate -Value 1 -Force | Out-Null

# Windows Error Reporting: disabled, and no dialog.
$wer_key = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting"
foreach ($wer_value in 'Disabled', 'DontShowUI')
{
    New-ItemProperty -Path $wer_key -Name $wer_value -Value 1 -Force | Out-Null
}

# UAC: EnableLUA = 0.
$uac_setting = @{
    Path         = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
    Name         = 'EnableLUA'
    PropertyType = 'DWord'
    Value        = 0
    Force        = $true
}
New-ItemProperty @uac_setting | Out-Null

# Firewall off for every profile, through both the advfirewall and the older
# "netsh firewall" command sets.
netsh advfirewall set allprofiles state off
netsh firewall set opmode mode=disable profile=ALL

# Remove the Windows Defender feature.
Uninstall-WindowsFeature -Name Windows-Defender
# Disable unwanted services. Only the startup type is changed here, so a
# service that is already running keeps running until the reboot.
Write-Host "disabling unused services"
$unused_services = @(
    'NlaSvc',         # Network Location Awareness
    'LanmanServer',   # Server (SMB file and printer sharing)
    'MpsSvc',         # Windows Firewall
    'BITS',           # Background Intelligent Transfer Service
    'DPS',            # Diagnostic Policy Service
    'MSDTC',          # Distributed Transaction Coordinator
    'IKEEXT',         # IKE and AuthIP IPsec Keying Modules
    'RemoteRegistry', # Remote Registry
    'lmhosts'         # TCP/IP NetBIOS Helper
)
foreach ($service_name in $unused_services)
{
    Set-Service -Name $service_name -StartupType 'Disabled'
}
# Download the stage0 buildlet bootstrapper into C:\golang.
#
# NOTE(review): bootstrap.exe is executed later in this script (to unpack the
# archives) and again at every logon through the Run key. The download is not
# compared with a pinned hash, so its integrity rests on HTTPS and on who may
# write to the go-builder-data bucket.
Write-Host "downloading stage0"
$builder_dir = "C:\golang"
$bootstrap_exe_path = Join-Path $builder_dir "bootstrap.exe"
New-Item -ItemType Directory -Path $builder_dir
$stage0_download = @{
    URL    = 'https://storage.googleapis.com/go-builder-data/buildlet-stage0.windows-amd64'
    Output = $bootstrap_exe_path
}
Get-FileFromUrl @stage0_download
# OpenSSH (from https://github.com/PowerShell/Win32-OpenSSH/releases)
#
# The archive is a copy of release 0.0.18.0 kept in the go-builder-data bucket.
# NOTE(review): the version is fixed in the URL, so sshd fixes published after
# that release are not picked up until the URL changes. The install scripts
# from the archive run with this script's privileges.
Write-Host "downloading OpenSSH"
$openssh_tar = Join-Path $builder_dir "openssh.tar.gz"
Get-FileFromUrl -URL 'https://storage.googleapis.com/go-builder-data/win32-openssh-0.0.18.0.tar.gz' -Output $openssh_tar

# The stage0 binary doubles as the tar extractor.
Write-Host "extracting OpenSSH"
$extract_args = "--untar-file=$openssh_tar", "--untar-dest-dir=$builder_dir"
& $bootstrap_exe_path $extract_args

Write-Host "Installing OpenSSH"
$openssh_dir = Join-Path $builder_dir "OpenSSH-Win32"
Set-Location $openssh_dir
& (Join-Path $openssh_dir "install-sshd.ps1")
# ssh-keygen -A creates the host keys.
# NOTE(review): if this script runs while an image is being built, every VM
# made from that image presumably shares these host keys; confirm.
& (Join-Path $openssh_dir "ssh-keygen.exe") "-A"
& (Join-Path $openssh_dir "FixHostFilePermissions.ps1") -Confirm:$false

# Start both services at boot.
foreach ($ssh_service in 'sshd', 'ssh-agent')
{
    Set-Service -Name $ssh_service -StartupType 'Automatic'
}
# Download and unpack the C toolchains into C:\godep. The variables and
# messages say GCC; the archives fetched are the llvm-mingw 20220323 msvcrt
# builds for i686 and x86_64.
Write-Host "downloading GCC"
$dep_dir = "C:\godep"
$gcc32_tar = Join-Path $dep_dir "gcc32.tar.gz"
$gcc64_tar = Join-Path $dep_dir "gcc64.tar.gz"
New-Item -ItemType Directory -Path $dep_dir
Get-FileFromUrl -URL "https://storage.googleapis.com/go-builder-data/llvm-mingw-20220323-msvcrt-i686.tar.gz" -Output $gcc32_tar
Get-FileFromUrl -URL "https://storage.googleapis.com/go-builder-data/llvm-mingw-20220323-msvcrt-x86_64.tar.gz" -Output $gcc64_tar

# Unpack both archives with the stage0 binary, 32-bit first.
Write-Host "extracting GCC"
$extract32_args = "--untar-file=$gcc32_tar", "--untar-dest-dir=$dep_dir"
& $bootstrap_exe_path $extract32_args
$extract64_args = "--untar-file=$gcc64_tar", "--untar-dest-dir=$dep_dir"
& $bootstrap_exe_path $extract64_args
# Same values as assigned in the stage0 section; repeated here unchanged.
$builder_dir = "C:\golang"
$bootstrap_exe_path = Join-Path $builder_dir "bootstrap.exe"

# Download and install Visual Studio Build Tools (MSVC)
# https://docs.microsoft.com/en-us/visualstudio/install/build-tools-container
#
# NOTE(review): the installer comes from the go-builder-data bucket, not from
# Microsoft, and is run as downloaded. If it is an unmodified Microsoft
# bootstrapper, checking Get-AuthenticodeSignature before running it would
# catch a replaced file; confirm that the copy is signed.
Write-Host "downloading Visual Studio Build Tools"
$vs_buildtools = Join-Path $builder_dir "vs_buildtools.exe"
Get-FileFromUrl -URL "https://storage.googleapis.com/go-builder-data/vs_buildtools.exe" -Output $vs_buildtools

# Unattended install of every workload and component into C:\godep\vs.
Write-Host "installing Visual Studio Build Tools"
$vs_install_args = @(
    '--quiet',
    '--wait',
    '--norestart',
    '--nocache',
    '--installPath', "$dep_dir\vs",
    '--all'
)
& $vs_buildtools $vs_install_args
# Download the root certificate used for crypto/x509 testing and add it to the
# machine-wide trusted root store.
#
# NOTE(review): a certificate in Cert:\LocalMachine\Root is trusted by every
# process on the machine, not only by the tests. Whoever holds the matching
# private key can issue certificates that this builder accepts, so the key
# needs the same care as any other root key.
Write-Host "downloading crypto/x509 test root"
$test_root = Join-Path $builder_dir "test_root.pem"
Get-FileFromUrl -URL "https://storage.googleapis.com/go-builder-data/platform_root_cert.pem" -Output $test_root

Write-Host "installing crypto/x509 test root"
$import_root = @{
    FilePath          = $test_root
    CertStoreLocation = "Cert:\LocalMachine\Root"
}
Import-Certificate @import_root
# Create a buildlet user
#
# The account is a local administrator whose password equals its name, and
# both are fixed in this file. The zero-length, no-complexity password policy
# set by Disable-PasswordComplexity is what lets "net user" accept it.
# NOTE(review): with sshd installed and the firewall off, this credential is
# all that stands between the network and an administrator shell, so the
# builder must only be reachable from trusted hosts.
Write-Host "creating buildlet user"
$buildlet_user = "gopher"
$buildlet_password = "gopher"
# The password is passed as a command-line argument to net.exe.
net user $buildlet_user $buildlet_password /ADD
# Add the new account to the local Administrators group.
net localgroup administrators $buildlet_user /ADD
# Run the bootstrap program on login: a machine-wide Run entry that opens
# cmd.exe, changes into C:\golang and starts bootstrap.exe.
#
# NOTE(review): the entry runs whatever file sits at that path, at every
# logon, as the logging-on user (the administrator "gopher" under the
# autologon set up below). Confirm that only administrators can write to
# C:\golang.
Write-Host "setting stage0 to run on start"
$bootstrap_cmd = 'cmd /k "cd {0} && {1}"' -f $builder_dir, $bootstrap_exe_path
$run_entry = @{
    Path         = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
    Name         = "Buildlet"
    PropertyType = 'ExpandString'
    Value        = $bootstrap_cmd
    Force        = $true
}
New-ItemProperty @run_entry
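# Setup autologon and reboot
#
# The Winlogon values are written, and the machine restarted, only while
# DefaultUsername is still absent. On later runs the value exists, the block
# is skipped and there is no reboot loop.
#
# NOTE(review): DefaultPassword is stored as a plain string value in the
# registry. Any account that can read the Winlogon key can read the
# administrator password from it.
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
if (-not (Test-RegistryKeyExists $RegPath "DefaultUsername")) {
    Write-Host "configuring auto login"
    # Use $RegPath here like the other calls. The earlier literal
    # 'HKLM:SOFTWARE\...' had no backslash after the drive name, which makes
    # the path relative to the HKLM: drive's current location, not its root.
    Remove-ItemProperty -Path $RegPath -Name 'AutoLogonCount' -Force | Out-Null
    Set-ItemProperty $RegPath "AutoAdminLogon" -Value "1" -type String
    Set-ItemProperty $RegPath "DefaultUsername" -Value "$buildlet_user" -type String
    Set-ItemProperty $RegPath "DefaultPassword" -Value "$buildlet_password" -type String
    Set-ItemProperty $RegPath "LogonCount" -Value "99999999" -type String
    Write-Host "rebooting"
    shutdown /r /t 0
}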