bunny-lab/Borealis-Github-Replica
1
0
Fork 0
mirror of https://github.com/bunny-lab-io/Borealis.git synced 2025-10-26 23:41:58 -06:00
Code Issues Packages Projects Releases Wiki Activity

Misc Adjustments

Browse Source
This commit is contained in:
Nicole Rappe
2025-09-30 21:31:07 -06:00
parent 34e7d1b018
commit 93ed77f1a7
7 changed files with 314 additions and 250 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
Data/Agent/Roles/Borealis.WinRM.Localhost.psm1 Normal file
View File

@@ -0,0 +1,99 @@
function Ensure-LocalhostWinRMHttps {
[CmdletBinding()]
param(
[string]$DnsName = $env:COMPUTERNAME
)
try {
Set-Service WinRM -StartupType Automatic -ErrorAction Stop
Start-Service WinRM -ErrorAction Stop
} catch {}
# Find or create a cert
try {
$cert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -match "CN=$DnsName" -and $_.NotAfter -gt (Get-Date).AddMonths(1) } |
Sort-Object NotAfter -Descending | Select-Object -First 1
} catch { $cert = $null }
if (-not $cert) {
try {
$cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(3)
} catch { $cert = $null }
}
$thumb = if ($cert) { $cert.Thumbprint } else { '' }
# Create listener only if not present
try {
$listener = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction SilentlyContinue |
Where-Object { $_.Transport -eq 'HTTPS' -and $_.Address -eq '127.0.0.1' -and $_.Port -eq '5986' }
} catch { $listener = $null }
if (-not $listener -and $thumb) {
$cmd = "winrm create winrm/config/Listener?Address=127.0.0.1+Transport=HTTPS @{Hostname=`"$DnsName`"; CertificateThumbprint=`"$thumb`"; Port=`"5986`"}"
cmd /c $cmd | Out-Null
}
# Harden auth and encryption
try { winrm set winrm/config/service/auth @{Basic="false"; Kerberos="true"; Negotiate="true"; CredSSP="false"} | Out-Null } catch {}
try { winrm set winrm/config/service @{AllowUnencrypted="false"} | Out-Null } catch {}
}
function Ensure-BorealisServiceUser {
[CmdletBinding()]
param(
[Parameter(Mandatory)][string]$UserName,
[Parameter(Mandatory)][string]$PlaintextPassword
)
$localName = $UserName -replace '^\.\\',''
$secure = ConvertTo-SecureString $PlaintextPassword -AsPlainText -Force
$u = Get-LocalUser -Name $localName -ErrorAction SilentlyContinue
if (-not $u) {
try {
New-LocalUser -Name $localName -Password $secure -PasswordNeverExpires:$true -AccountNeverExpires:$true | Out-Null
} catch {}
} else {
try { Set-LocalUser -Name $localName -Password $secure } catch {}
try { Enable-LocalUser -Name $localName } catch {}
}
try {
$admins = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
if (-not ($admins | Where-Object { $_.Name -match "\\$localName$" })) {
Add-LocalGroupMember -Group "Administrators" -Member $localName -ErrorAction SilentlyContinue
}
} catch {}
}
function Write-LocalInventory {
[CmdletBinding()]
param(
[Parameter(Mandatory)][string]$Path,
[Parameter(Mandatory)][string]$UserName,
[Parameter(Mandatory)][string]$Password,
[ValidateSet('ntlm','negotiate','basic')][string]$Transport = 'ntlm'
)
@"
[local]
localhost
[local:vars]
ansible_connection=winrm
ansible_host=127.0.0.1
ansible_port=5986
ansible_winrm_scheme=https
ansible_winrm_transport=$Transport
ansible_user=$UserName
ansible_password=$Password
ansible_winrm_server_cert_validation=ignore
"@ | Set-Content -Path $Path -Encoding UTF8
# Lock down ACL to SYSTEM when running as SYSTEM
try {
$acl = New-Object System.Security.AccessControl.FileSecurity
$sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetOwner($sid); $acl.SetAccessRuleProtection($true,$false); $acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl
} catch {}
}
Export-ModuleMember -Function Ensure-LocalhostWinRMHttps,Ensure-BorealisServiceUser,Write-LocalInventory