From 8bdcd20d9c84680ef340c6fd75af34f0555c29f9 Mon Sep 17 00:00:00 2001 
From: Yannic Staudt Date: Wed, 16 Aug 2023 16:11:33 +0200 Subject: [PATCH 1/2] :wrench: huge update for the msvc / windows targets - changed the name to be windows-msvc... - added toolchains for windows-msvc-*-cxx20 and windows-msvc-*-cxxlatest - added a Windows Server 2022 based MSVC 17 / 2022 image --- build_engine_mapping.json | 10 +- flags/vs-cxx20.cmake | 20 +++ flags/vs19-cxxlatest.cmake | 20 +++ flags/vs22-cxxlatest.cmake | 20 +++ windows-msvc-2019-win64-cxx17.cmake | 18 ++ windows-msvc-2019-win64-cxxlatest.cmake | 18 ++ .../scripts/disable-windows-defender.ps1 | 25 +++ .../scripts/disable-windows-update.ps1 | 30 ++++ windows-msvc-2019.pkr.js/scripts/fix-tls.ps1 | 163 ++++++++++++++++++ .../scripts/install-git.ps1 | 58 +++++++ .../scripts/install-nuget.ps1 | 21 +++ .../scripts/install-openssh.ps1 | 53 ++++++ .../scripts/install-tipi.ps1 | 55 ++++++ .../scripts/install-vcredist.ps1 | 30 ++++ .../scripts/install-vs.ps1 | 133 ++++++++++++++ .../scripts/runtime/helpers.ps1 | 109 ++++++++++++ .../scripts/runtime/sync-tipi-distro.ps1 | 26 +++ .../scripts/setup-winrm.ps1 | 40 +++++ .../scripts/update-root-certificate-store.ps1 | 52 ++++++ .../windows-msvc-2019.pkr.js.mustache | 105 +++++++++++ windows-msvc-2022-win64-cxx17.cmake | 18 ++ windows-msvc-2022-win64-cxx20.cmake | 18 ++ windows-msvc-2022-win64-cxxlatest.cmake | 18 ++ .../scripts/disable-windows-defender.ps1 | 25 +++ .../scripts/disable-windows-update.ps1 | 30 ++++ windows-msvc-2022.pkr.js/scripts/fix-tls.ps1 | 163 ++++++++++++++++++ .../scripts/install-git.ps1 | 58 +++++++ .../scripts/install-nuget.ps1 | 21 +++ .../scripts/install-openssh.ps1 | 53 ++++++ .../scripts/install-tipi.ps1 | 55 ++++++ .../scripts/install-vcredist.ps1 | 30 ++++ .../scripts/install-vs.ps1 | 133 ++++++++++++++ .../scripts/runtime/helpers.ps1 | 109 ++++++++++++ .../scripts/runtime/sync-tipi-distro.ps1 | 26 +++ .../scripts/setup-winrm.ps1 | 40 +++++ .../scripts/update-root-certificate-store.ps1 | 52 ++++++ 
.../windows-msvc-2022.pkr.js.mustache | 105 +++++++++++ 37 files changed, 1959 insertions(+), 1 deletion(-) create mode 100644 flags/vs-cxx20.cmake create mode 100644 flags/vs19-cxxlatest.cmake create mode 100644 flags/vs22-cxxlatest.cmake create mode 100644 windows-msvc-2019-win64-cxx17.cmake create mode 100644 windows-msvc-2019-win64-cxxlatest.cmake create mode 100644 windows-msvc-2019.pkr.js/scripts/disable-windows-defender.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/disable-windows-update.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/fix-tls.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/install-git.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/install-nuget.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/install-openssh.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/install-tipi.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/install-vcredist.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/install-vs.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/runtime/helpers.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/runtime/sync-tipi-distro.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/setup-winrm.ps1 create mode 100644 windows-msvc-2019.pkr.js/scripts/update-root-certificate-store.ps1 create mode 100644 windows-msvc-2019.pkr.js/windows-msvc-2019.pkr.js.mustache create mode 100644 windows-msvc-2022-win64-cxx17.cmake create mode 100644 windows-msvc-2022-win64-cxx20.cmake create mode 100644 windows-msvc-2022-win64-cxxlatest.cmake create mode 100644 windows-msvc-2022.pkr.js/scripts/disable-windows-defender.ps1 create mode 100644 windows-msvc-2022.pkr.js/scripts/disable-windows-update.ps1 create mode 100644 windows-msvc-2022.pkr.js/scripts/fix-tls.ps1 create mode 100644 windows-msvc-2022.pkr.js/scripts/install-git.ps1 create mode 100644 windows-msvc-2022.pkr.js/scripts/install-nuget.ps1 create mode 100644 windows-msvc-2022.pkr.js/scripts/install-openssh.ps1 create mode 
100644 windows-msvc-2022.pkr.js/scripts/install-tipi.ps1
create mode 100644 windows-msvc-2022.pkr.js/scripts/install-vcredist.ps1
create mode 100644 windows-msvc-2022.pkr.js/scripts/install-vs.ps1
create mode 100644 windows-msvc-2022.pkr.js/scripts/runtime/helpers.ps1
create mode 100644 windows-msvc-2022.pkr.js/scripts/runtime/sync-tipi-distro.ps1
create mode 100644 windows-msvc-2022.pkr.js/scripts/setup-winrm.ps1
create mode 100644 windows-msvc-2022.pkr.js/scripts/update-root-certificate-store.ps1
create mode 100644 windows-msvc-2022.pkr.js/windows-msvc-2022.pkr.js.mustache
diff --git a/build_engine_mapping.json b/build_engine_mapping.json
index 2663e9c..a5f1290 100644
--- a/build_engine_mapping.json
+++ b/build_engine_mapping.json
@@ -1,4 +1,12 @@
 {
 "vs-15-2017-win64-cxx17" : "Visual Studio 15 2017 Win64",
- "vs-16-2019-win64-cxx17" : "Visual Studio 16 2019"
+ "vs-16-2019-win64-cxx17" : "Visual Studio 16 2019",
+
+ "windows-msvc-2019-win64-cxx17" : "Visual Studio 16 2019",
+ "windows-msvc-2019-win64-cxx20" : "Visual Studio 16 2019",
+ "windows-msvc-2019-win64-cxxlatest" : "Visual Studio 16 2019",
+
+ "windows-msvc-2022-win64-cxx17" : "Visual Studio 17 2022",
+ "windows-msvc-2022-win64-cxx20" : "Visual Studio 17 2022",
+ "windows-msvc-2022-win64-cxxlatest" : "Visual Studio 17 2022"
 }
\ No newline at end of file
diff --git a/flags/vs-cxx20.cmake b/flags/vs-cxx20.cmake
new file mode 100644
index 0000000..1f07395
--- /dev/null
+++ b/flags/vs-cxx20.cmake
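Review bot: The new key `windows-msvc-2019-win64-cxx20` maps to a toolchain file this patch does not create: the diffstat adds `windows-msvc-2019-win64-cxx17.cmake` and `windows-msvc-2019-win64-cxxlatest.cmake` for 2019 but no `windows-msvc-2019-win64-cxx20.cmake`, whereas the 2022 triple ships all three. Either add the 2019 C++20 toolchain (the shared `flags/vs-cxx20.cmake` it would include is already introduced here) or leave the key out until the file exists, so a lookup through this mapping cannot name a toolchain that is missing on disk. The file also still ends without a trailing newline, which is why the `\ No newline at end of file` marker survives; adding one keeps later diffs to this file minimal.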
@@ -0,0 +1,20 @@
+# Copyright (c) 2013, 2018 Ruslan Baratov
+# Copyright (c) 2023 tipi technologies Ltd
+# All rights reserved.
+
+if(DEFINED TIPI_FLAGS_VS_CXX20_CMAKE_)
+ return()
+else()
+ set(TIPI_FLAGS_VS_CXX20_CMAKE_ 1)
+endif()
+
+include(polly_add_cache_flag)
+
+polly_add_cache_flag(CMAKE_CXX_FLAGS_INIT "/std:c++20")
+
+# Set CMAKE_CXX_STANDARD to cache to override project local value if present.
+# FORCE added in case CMAKE_CXX_STANDARD already set in cache
+# (e.g. set before 'project' by user).
+set(CMAKE_CXX_STANDARD 20 CACHE STRING "C++ Standard (toolchain)" FORCE)
+set(CMAKE_CXX_STANDARD_REQUIRED YES CACHE BOOL "C++ Standard required" FORCE)
+set(CMAKE_CXX_EXTENSIONS NO CACHE BOOL "C++ Standard extensions" FORCE)
diff --git a/flags/vs19-cxxlatest.cmake b/flags/vs19-cxxlatest.cmake
new file mode 100644
index 0000000..9cb2544
--- /dev/null
+++ b/flags/vs19-cxxlatest.cmake
@@ -0,0 +1,20 @@
+# Copyright (c) 2013, 2018 Ruslan Baratov
+# Copyright (c) 2023 tipi technologies Ltd
+# All rights reserved.
+
+if(DEFINED TIPI_FLAGS_VS_CXXLATEST_CMAKE_)
+ return()
+else()
+ set(TIPI_FLAGS_VS_CXXLATEST_CMAKE_ 1)
+endif()
+
+include(polly_add_cache_flag)
+
+polly_add_cache_flag(CMAKE_CXX_FLAGS_INIT "/std:c++latest")
+
+# Set CMAKE_CXX_STANDARD to cache to override project local value if present.
+# FORCE added in case CMAKE_CXX_STANDARD already set in cache
+# (e.g. set before 'project' by user).
+set(CMAKE_CXX_STANDARD 20 CACHE STRING "C++ Standard (toolchain)" FORCE)
+set(CMAKE_CXX_STANDARD_REQUIRED YES CACHE BOOL "C++ Standard required" FORCE)
+set(CMAKE_CXX_EXTENSIONS NO CACHE BOOL "C++ Standard extensions" FORCE)
diff --git a/flags/vs22-cxxlatest.cmake b/flags/vs22-cxxlatest.cmake
new file mode 100644
index 0000000..56573f4
--- /dev/null
+++ b/flags/vs22-cxxlatest.cmake
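Review bot: In `flags/vs19-cxxlatest.cmake`, `set(CMAKE_CXX_STANDARD 20 ...)` can undo the `/std:c++latest` put into `CMAKE_CXX_FLAGS_INIT` a few lines above: CMake appends the flag it derives from `CMAKE_CXX_STANDARD` after the `CMAKE_CXX_FLAGS` content, and with a CMake/MSVC pairing that translates C++20 to `/std:c++20` the compiler honours the last `/std:` option, so targets would silently build in C++20 mode rather than the "latest" mode the toolchain is named for (confirm against the CMake version the images ship). Setting `CMAKE_CXX_STANDARD 23` as `flags/vs22-cxxlatest.cmake` does keeps both sources of the flag pointing at the same mode, or drop the `CMAKE_CXX_STANDARD` lines in the cxxlatest variants and rely on the INIT flag alone. Separately, this file and `flags/vs22-cxxlatest.cmake` use the identical include guard `TIPI_FLAGS_VS_CXXLATEST_CMAKE_`; a per-file name such as `TIPI_FLAGS_VS19_CXXLATEST_CMAKE_` avoids the second file becoming a silent no-op if both are ever included in one configure run.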
@@ -0,0 +1,20 @@
+# Copyright (c) 2013, 2018 Ruslan Baratov
+# Copyright (c) 2023 tipi technologies Ltd
+# All rights reserved.
+
+if(DEFINED TIPI_FLAGS_VS_CXXLATEST_CMAKE_)
+ return()
+else()
+ set(TIPI_FLAGS_VS_CXXLATEST_CMAKE_ 1)
+endif()
+
+include(polly_add_cache_flag)
+
+polly_add_cache_flag(CMAKE_CXX_FLAGS_INIT "/std:c++latest")
+
+# Set CMAKE_CXX_STANDARD to cache to override project local value if present.
+# FORCE added in case CMAKE_CXX_STANDARD already set in cache
+# (e.g. set before 'project' by user).
+set(CMAKE_CXX_STANDARD 23 CACHE STRING "C++ Standard (toolchain)" FORCE)
+set(CMAKE_CXX_STANDARD_REQUIRED YES CACHE BOOL "C++ Standard required" FORCE)
+set(CMAKE_CXX_EXTENSIONS NO CACHE BOOL "C++ Standard extensions" FORCE)
diff --git a/windows-msvc-2019-win64-cxx17.cmake b/windows-msvc-2019-win64-cxx17.cmake
new file mode 100644
index 0000000..de2e4ec
--- /dev/null
+++ b/windows-msvc-2019-win64-cxx17.cmake
@@ -0,0 +1,18 @@
+# Copyright (c) 2020-2023, tipi technologies Ltd
+# All rights reserved.
+
+if(DEFINED TIPI_WINDOWS_MSVC_2019_WIN64_CXX17_CMAKE_)
+ return()
+else()
+ set(TIPI_WINDOWS_MSVC_2019_WIN64_CXX17_CMAKE_ 1)
+endif()
+
+include("${CMAKE_CURRENT_LIST_DIR}/utilities/polly_init.cmake")
+
+polly_init(
+ "Visual Studio 16 2019 Win64 / C++17"
+ "Visual Studio 16 2019"
+)
+
+include("${CMAKE_CURRENT_LIST_DIR}/utilities/polly_common.cmake")
+include("${CMAKE_CURRENT_LIST_DIR}/flags/vs-cxx17.cmake")
diff --git a/windows-msvc-2019-win64-cxxlatest.cmake b/windows-msvc-2019-win64-cxxlatest.cmake
new file mode 100644
index 0000000..d289be2
--- /dev/null
+++ b/windows-msvc-2019-win64-cxxlatest.cmake
@@ -0,0 +1,18 @@
+# Copyright (c) 2020-2023, tipi technologies Ltd
+# All rights reserved.
+
+if(DEFINED TIPI_WINDOWS_MSVC_2019_WIN64_CXX20_CMAKE_)
+ return()
+else()
+ set(TIPI_WINDOWS_MSVC_2019_WIN64_CXX20_CMAKE_ 1)
+endif()
+
+include("${CMAKE_CURRENT_LIST_DIR}/utilities/polly_init.cmake")
+
+polly_init(
+ "Visual Studio 16 2019 Win64 / C++20 (latest)"
+ "Visual Studio 16 2019"
+)
+
+include("${CMAKE_CURRENT_LIST_DIR}/utilities/polly_common.cmake")
+include("${CMAKE_CURRENT_LIST_DIR}/flags/vs19-cxxlatest.cmake")
diff --git a/windows-msvc-2019.pkr.js/scripts/disable-windows-defender.ps1 b/windows-msvc-2019.pkr.js/scripts/disable-windows-defender.ps1
new file mode 100644
index 0000000..0232451
--- /dev/null
+++ b/windows-msvc-2019.pkr.js/scripts/disable-windows-defender.ps1
@@ -0,0 +1,25 @@
+Set-StrictMode -Version latest
+$ErrorActionPreference = "Stop"
+
+$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
+if (!$RunningAsAdmin) {
+ Write-Error "Must be executed in Administrator level shell."
+ exit 1
+}
+
+Try {
+ # we do LOTs of file access... windows defender is a HUGE break
+ # in that regard... disabling it for good measure
+ #
+ # benchmarked:
+ # -50% file copy time when copying the distro from c:/ to d:/
+ # with disabling defender alone.
+ Set-MpPreference -DisableRealtimeMonitoring $true
+
+} Catch {
+ Write-Error "Failed to disable windows defender"
+ $host.SetShouldExit(-1)
+ throw
+}
+
+Write-Output "Disabled Windows Defender Realtime Threat Protection"
\ No newline at end of file
diff --git a/windows-msvc-2019.pkr.js/scripts/disable-windows-update.ps1 b/windows-msvc-2019.pkr.js/scripts/disable-windows-update.ps1
new file mode 100644
index 0000000..bf36f1f
--- /dev/null
+++ b/windows-msvc-2019.pkr.js/scripts/disable-windows-update.ps1
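Review bot: The include guard in `windows-msvc-2019-win64-cxxlatest.cmake` is named `TIPI_WINDOWS_MSVC_2019_WIN64_CXX20_CMAKE_`, a copy-paste from a C++20 toolchain; once the `windows-msvc-2019-win64-cxx20` toolchain that `build_engine_mapping.json` already lists is added with the natural guard name, whichever of the two is included second will return early and silently configure nothing. Rename it to `TIPI_WINDOWS_MSVC_2019_WIN64_CXXLATEST_CMAKE_` in both the `if(DEFINED ...)` and the `set(...)` line, matching the file name as the other toolchain files do.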
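Review bot: `Set-MpPreference -DisableRealtimeMonitoring $true` is persisted into the published image, so every VM built from it runs with Defender real-time protection off permanently, not just during the provisioning steps the comment benchmarks. If the speed-up is only needed while the distro is copied, restore it in a final provisioning step (`Set-MpPreference -DisableRealtimeMonitoring $false`), or replace the global switch with scoped exclusions for the build and distro directories via `Add-MpPreference -ExclusionPath`, which keeps most of the I/O benefit without shipping an unprotected machine. Whichever is chosen, the header comment should say which state the finished image is meant to be in, since that cannot be read off the artifact; the identical copy under `windows-msvc-2022.pkr.js/scripts/` listed in the diffstat needs the same treatment.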
@@ -0,0 +1,30 @@
+$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
+if (!$RunningAsAdmin) {
+ Write-Error "Must be executed in Administrator level shell."
+ exit 1
+}
+
+$service = Get-WmiObject Win32_Service -Filter 'Name="wuauserv"'
+
+if (!$service) {
+ Write-Error "Failed to retrieve the wauserv service"
+ exit 1
+}
+
+if ($service.StartMode -ne "Disabled") {
+ $result = $service.ChangeStartMode("Disabled").ReturnValue
+ if($result) {
+ Write-Error "Failed to disable the 'wuauserv' service. The return value was $result."
+ exit 1
+ }
+}
+
+if ($service.State -eq "Running") {
+ $result = $service.StopService().ReturnValue
+ if ($result) {
+ Write-Error "Failed to stop the 'wuauserv' service. The return value was $result."
+ exit 1
+ }
+}
+
+Write-Output "Automatic Windows Updates disabled."
\ No newline at end of file
diff --git a/windows-msvc-2019.pkr.js/scripts/fix-tls.ps1 b/windows-msvc-2019.pkr.js/scripts/fix-tls.ps1
new file mode 100644
index 0000000..df08937
--- /dev/null
+++ b/windows-msvc-2019.pkr.js/scripts/fix-tls.ps1
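Review bot: `wuauserv` is left disabled in the finished image, so machines built from it receive no security updates unless something re-enables the service later; if that is intended for build determinism, say so in a header comment (`# NOTE: the image ships with Windows Update disabled; consumers must patch out of band`) or restore the start mode in a final provisioning step, because nothing in the script text distinguishes "off during build" from "off forever". The error text on the null check misspells the service name: `Write-Error "Failed to retrieve the wuauserv service"`. `Get-WmiObject` is deprecated in favour of CIM; the same effect with supported cmdlets is `Set-Service -Name wuauserv -StartupType Disabled` followed by `Stop-Service -Name wuauserv`, which also removes the manual `ReturnValue` checks. Unlike `disable-windows-defender.ps1` next to it, this script sets neither `Set-StrictMode` nor `$ErrorActionPreference = "Stop"`, so a failing cmdlet would fall through to the success message.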
@@ -0,0 +1,163 @@ +# This script hardens TLS configuration by disabling weak and broken protocols +# and enabling useful protocols like TLS 1.1 and 1.2. + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +$weakProtocols = @( + 'Multi-Protocol Unified Hello', + 'PCT 1.0', + 'SSL 2.0', + 'SSL 3.0' +) + +$strongProtocols = @( + 'TLS 1.0', + 'TLS 1.1', + 'TLS 1.2' +) + +$weakCiphers = @( + 'DES 56/56', + 'NULL', + 'RC2 128/128', + 'RC2 40/128', + 'RC2 56/128', + 'RC4 40/128', + 'RC4 56/128', + 'RC4 64/128', + 'RC4 128/128' +) + +$strongCiphers = @( + 'AES 128/128', + 'AES 256/256', + 'Triple DES 168/168' +) + +$weakHashes = @( + 'MD5', + 'SHA' +) + +$strongHashes = @( + 'SHA 256', + 'SHA 384', + 'SHA 512' +) + +$strongKeyExchanges = @( + 'Diffie-Hellman', + 'ECDH', + 'PKCS' +) + +$cipherOrder = @( + 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', + 'TLS_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_RSA_WITH_AES_256_CBC_SHA256', + 'TLS_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_RSA_WITH_AES_256_CBC_SHA', + 'TLS_RSA_WITH_AES_128_CBC_SHA' +) + +# Reset the protocols key +New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Force | Out-Null + +# Disable 
weak protocols +Foreach ($protocol in $weakProtocols) { + New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -Force | Out-Null + New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name DisabledByDefault -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name DisabledByDefault -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null +} + +# Enable strong protocols +Foreach ($protocol in $strongProtocols) { + New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -Force | Out-Null + New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path 
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null +} + +# Reset the ciphers key +New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null + +# Disable Weak Ciphers +Foreach ($cipher in $weakCiphers) { + $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey($cipher) + $key.SetValue('Enabled', 0, 'DWord') + $key.Close() +} + +# Enable Strong Ciphers +Foreach ($cipher in $strongCiphers) { + $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey($cipher) + New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + $key.Close() +} + +# Reset the hashes key +New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null + +# Disable weak hashes +Foreach ($hash in $weakHashes) { + $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey($hash) + New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$hash" -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null + $key.Close() +} + +# Enable Hashes +Foreach ($hash in $strongHashes) { + $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey($hash) + New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$hash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + $key.Close() +} + +# Reset the KeyExchangeAlgorithms key +New-Item 
'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null + +# Enable KeyExchangeAlgorithms +Foreach ($keyExchange in $strongKeyExchanges) { + $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms", $true).CreateSubKey($keyExchange) + New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$keyExchange" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + $key.Close() +} + +# Set cipher order +$cipherOrderString = [string]::join(',', $cipherOrder) +New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherOrderString -PropertyType 'String' -Force | Out-Null + +# add ssl/tls default policy in the system's powershell profile + +$systemPS_ProfilePath = "$PSHOME\Profile.ps1" + +if (!(Test-Path -Path $systemPS_ProfilePath)) { + New-Item -ItemType File -Path $systemPS_ProfilePath -Force +} + +Write-Output '[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12' > $systemPS_ProfilePath + + +Write-Output "TLS hardened." \ No newline at end of file diff --git a/windows-msvc-2019.pkr.js/scripts/install-git.ps1 b/windows-msvc-2019.pkr.js/scripts/install-git.ps1 new file mode 100644 index 0000000..617200a --- /dev/null +++ b/windows-msvc-2019.pkr.js/scripts/install-git.ps1 
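Review bot: The header says the script hardens TLS by disabling weak protocols, but the lists it then enables contradict that: `$strongProtocols` switches on `TLS 1.0` and `TLS 1.1`, `$strongCiphers` enables `Triple DES 168/168`, `$strongKeyExchanges` enables `PKCS` (RSA key transport, no forward secrecy), and `$cipherOrder` keeps the `TLS_RSA_*` and `*_CBC_SHA` suites; TLS 1.0/1.1 and 3DES are deprecated, so a hardening pass should leave them in the disabled set, or the header should be rewritten to say it pins a permissive legacy baseline for compatibility. The `Write-Output '...' > $systemPS_ProfilePath` line overwrites any existing `$PSHOME\Profile.ps1` rather than appending to it (`>>`), and the `New-Item -ItemType File` guard above is redundant because the redirection creates the file; that `New-Item` is also not piped to `Out-Null`, so it echoes a FileInfo object into the provisioning log. The `HKLM:SYSTEM\...` paths in the `New-Item` reset lines lack the backslash after the drive (`HKLM:\SYSTEM\...`) that the rest of the script uses; it works, but the inconsistency reads like a typo. The same file is added under `windows-msvc-2022.pkr.js/scripts/` and needs the same changes.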
@@ -0,0 +1,58 @@ +################################################################################ +## File: Install-Git.ps1 +## Desc: Install Git for Windows +################################################################################ + +# source the helpers +. ("c:\temp\helpers.ps1") + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +function getSimpleValue([string] $url, [string] $filename ) { + $fullpath = "${env:Temp}\$filename" + Invoke-WebRequest -Uri $url -OutFile $fullpath + $value = Get-Content $fullpath -Raw + + return $value +} + +# Install the latest version of Git for Windows +#$gitTag = getSimpleValue -url "https://gitforwindows.org/latest-tag.txt" -filename "gitlatesttag.txt" +#$gitVersion = getSimpleValue -url "https://gitforwindows.org/latest-version.txt" -filename "gitlatestversion.txt"; + +# there's an installer bug in the current latest, manually sticking the the previous release for now +$gitTag = "v2.32.0.windows.2" +$gitVersion = "2.32.0.2" + + +$installerFile = "Git-$gitVersion-64-bit.exe"; +$downloadUrl = "https://github.com/git-for-windows/git/releases/download/$gitTag/$installerFile"; +Install-Binary -Url $downloadUrl ` + -Name $installerFile ` + -ArgumentList ( + "/VERYSILENT", + "/NORESTART", ` + "/NOCANCEL", ` + "/SP-", ` + "/CLOSEAPPLICATIONS", ` + "/RESTARTAPPLICATIONS", ` + "/o:PathOption=CmdTools", ` + "/o:BashTerminalOption=ConHost", ` + "/o:EnableSymlinks=Enabled", ` + "/COMPONENTS=gitlfs") + +# Disable GCM machine-wide +[Environment]::SetEnvironmentVariable("GCM_INTERACTIVE", "Never", [System.EnvironmentVariableTarget]::Machine) + +# add git bin dir to machine path +$context = [EnvironmentVariableTarget]::Machine +$PATH_orig = [Environment]::GetEnvironmentVariable("Path", $context) + +$PATH_new = "C:\Program Files\Git\bin;" + $PATH_orig # prepending so the latest install wins the path race +$PATH_new = $PATH_new -replace ';{2,}',';' # clean the path of eventual double ;; 
entries +[Environment]::SetEnvironmentVariable("Path", $PATH_new, $context) + +# Add well-known SSH host keys to ssh_known_hosts +ssh-keyscan -t rsa github.com >> "C:\Program Files\Git\etc\ssh\ssh_known_hosts" +ssh-keyscan -t rsa ssh.dev.azure.com >> "C:\Program Files\Git\etc\ssh\ssh_known_hosts" \ No newline at end of file diff --git a/windows-msvc-2019.pkr.js/scripts/install-nuget.ps1 b/windows-msvc-2019.pkr.js/scripts/install-nuget.ps1 new file mode 100644 index 0000000..e66909b --- /dev/null +++ b/windows-msvc-2019.pkr.js/scripts/install-nuget.ps1 @@ -0,0 +1,21 @@ +Set-StrictMode -Version latest +$ErrorActionPreference = "Stop" + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +Try { + Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force +} Catch { + Write-Error "Failed to install NuGet package manager." + $host.SetShouldExit(-1) + throw +} + +Write-Output "Installed NuGet." \ No newline at end of file diff --git a/windows-msvc-2019.pkr.js/scripts/install-openssh.ps1 b/windows-msvc-2019.pkr.js/scripts/install-openssh.ps1 new file mode 100644 index 0000000..dbea46a --- /dev/null +++ b/windows-msvc-2019.pkr.js/scripts/install-openssh.ps1 
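Review bot: The two `ssh-keyscan ... >> "C:\Program Files\Git\etc\ssh\ssh_known_hosts"` lines bake whatever host keys the build machine happens to receive into every image without verification, so a wrong answer at image-build time would be trusted by every consumer; compare the scanned keys against the fingerprints GitHub and Azure DevOps publish for those hosts before writing, or at least log the fingerprints so a build can be audited. If the provisioner runs under Windows PowerShell 5.1, `>>` also writes UTF-16LE with a BOM, which OpenSSH does not parse as a known_hosts file, so the entries would be silently ignored; `ssh-keyscan -t rsa github.com | Add-Content -Encoding ascii -Path "C:\Program Files\Git\etc\ssh\ssh_known_hosts"` avoids that (confirm which PowerShell the packer template invokes). `getSimpleValue` is now dead code since both of its callers are commented out, and the pinned installer goes through `Install-Binary` with no checksum even though its version is fixed.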
@@ -0,0 +1,53 @@ +Set-StrictMode -Version latest +$ErrorActionPreference = "Stop" + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +Try { + + # install portable SSH instead of the Windows feature because we + # need to target 2016 + $repo = "https://github.com/PowerShell/Win32-OpenSSH" + $version = "V8.6.0.0p1-Beta" + $url = "${repo}/releases/download/${version}/OpenSSH-Win64.zip" + + # TODO: check sha! + Write-Output "Downloading OpenSSH from: $url" + Invoke-WebRequest -Uri $url -Outfile "OpenSSH-Win64.zip" + Expand-Archive ".\OpenSSH-Win64.zip" "C:\Program Files" + Rename-Item -Path "C:\Program Files\OpenSSH-Win64" -NewName "OpenSSH" + + & "C:\Program Files\OpenSSH\install-sshd.ps1" + + # Start the service + Start-Service sshd + Set-Service -Name sshd -StartupType 'Automatic' + + Start-Service ssh-agent + Set-Service -Name ssh-agent -StartupType 'Automatic' + + # Enable host firewall rule if it doesn't exist + New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' ` + -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 + + # Set powershell as the OpenSSH login shell + New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" ` + -Name DefaultShell ` + -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ` + -PropertyType String -Force + + +} Catch { + Write-Error "Failed to install OpenSSH." + $host.SetShouldExit(-1) + throw +} + +Write-Output "Installed OpenSSH." \ No newline at end of file diff --git a/windows-msvc-2019.pkr.js/scripts/install-tipi.ps1 b/windows-msvc-2019.pkr.js/scripts/install-tipi.ps1 new file mode 100644 index 0000000..08d8b24 --- /dev/null 
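Review bot: The `# TODO: check sha!` above the `Invoke-WebRequest` should be closed before this ships: the archive is a pre-release (`V8.6.0.0p1-Beta`), it is expanded straight into `C:\Program Files`, and `install-sshd.ps1` from inside it is then run as Administrator, all on the strength of the URL alone. Pin the expected digest and fail the build on mismatch, e.g. `if ((Get-FileHash -Algorithm SHA256 ".\OpenSSH-Win64.zip").Hash -ne $expectedSha256) { throw "OpenSSH-Win64.zip: hash mismatch" }` with `$expectedSha256` set to the value published for that release (placeholder until filled in). The comment `# need to target 2016` no longer matches an image named for Server 2019; Server 2019 and 2022 carry the in-box `OpenSSH.Server` capability (`Add-WindowsCapability -Online`), which would remove the download entirely if its version suffices. The inbound firewall rule for port 22 and the `DefaultShell` registry value are also baked into the image; presumably intended for the SSH-based workflow, but a one-line comment stating that would help whoever audits the image.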
+++ b/windows-msvc-2019.pkr.js/scripts/install-tipi.ps1 
@@ -0,0 +1,55 @@ +Set-StrictMode -Version latest +$ErrorActionPreference = "Stop" + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +Try { + # force distro mode all so we have all the requisite tools preinstalled + $env:TIPI_DISTRO_MODE = "all" + Write-Output "Installing tipi in distro mode '$env:TIPI_DISTRO_MODE'" + + # do a system install because otherwise it's the image-creation user who'll get tipi + # installe in his user profile & PATH... which will be deleted on imaging completion + # which would result in the tipi.build customer not having a working installation + $env:TIPI_INSTALL_SYSTEM = "True" + Write-Output "Installing tipi in system install mode: $env:TIPI_INSTALL_SYSTEM" + + # have the target folder created and read/writable for everyone + $provisioningTimeTarget = "C:\.tipi" + mkdir $provisioningTimeTarget + icacls $provisioningTimeTarget /grant Users:F + + # we need that for a few more days I guess + $env:TIPI_HOME_DIR = $provisioningTimeTarget + + # install tipi + . 
{ Invoke-WebRequest -useb https://raw.githubusercontent.com/tipi-build/cli/master/install/install_for_windows.ps1 } | Invoke-Expression + + try { + # clean up the download folder to have less clutter / smaller images + Get-ChildItem "$provisioningTimeTarget\downloads\*" -Recurse -Force ` + | Sort-Object -Property FullName -Descending ` + | ForEach-Object { + Remove-Item -Path $_.FullName -Force -ErrorAction Stop; + } + } + catch { + Write-Host " XXX Failed to clean download folder" + Write-Host ($_ | ConvertTo-Json) -ErrorAction Continue + } + +} Catch { + Write-Error "Failed to install tipicli :'(" -ErrorAction Continue + Write-Error ($_ | ConvertTo-Json) -ErrorAction Continue + $host.SetShouldExit(-1) + throw +} + +Write-Output "Installed tipicli." diff --git a/windows-msvc-2019.pkr.js/scripts/install-vcredist.ps1 b/windows-msvc-2019.pkr.js/scripts/install-vcredist.ps1 new file mode 100644 index 0000000..78d0df9 --- /dev/null +++ b/windows-msvc-2019.pkr.js/scripts/install-vcredist.ps1 @@ -0,0 +1,30 @@ +Set-StrictMode -Version latest +$ErrorActionPreference = "Stop" + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +Try { + + $tmpPath = "C:\Temp\VcRedist" + New-Item -ItemType Directory -Force -Path $tmpPath + + Install-Module -Name VcRedist -Force -Confirm:$False + $redistList = Get-VcList | Get-VcRedist -Path $tmpPath + + Install-VcRedist -Path $tmpPath -VcList $redistList -Silent + + Remove-Item -Recurse -Force $tmpPath + +} Catch { + Write-Error "Failed to install vc redist runtimes." + $host.SetShouldExit(-1) + throw +} + +Write-Output "Installed VcRedist." \ No newline at end of file 
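Review bot: `. { Invoke-WebRequest -useb https://raw.githubusercontent.com/tipi-build/cli/master/install/install_for_windows.ps1 } | Invoke-Expression` runs whatever `master` serves at build time as Administrator, so the image content is not reproducible from this commit and any change on that branch lands in every image built afterwards; pin a commit SHA or tagged release in the URL and compare the downloaded text against a recorded hash before `Invoke-Expression`, or vendor the installer next to these scripts. `icacls $provisioningTimeTarget /grant Users:F` gives full control of `C:\.tipi` — the system-wide tipi installation, per the `TIPI_INSTALL_SYSTEM` comment — to every local account, so any user on a VM built from the image can modify tools other accounts or services execute from there; if builds only need to write caches, grant modify rights on those sub-directories instead and document why the root must be writable. `mkdir $provisioningTimeTarget` also echoes the DirectoryInfo into the provisioning log; `| Out-Null` keeps it quiet.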
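Review bot: `Install-Module -Name VcRedist -Force -Confirm:$False` installs whatever version the PowerShell Gallery serves at build time, and `Get-VcList | Get-VcRedist` then downloads the redistributables that module selects, so two builds of this commit can differ with no change here; pin it with `-RequiredVersion` (placeholder until chosen) and print the resolved version so it appears in the build log. `New-Item -ItemType Directory -Force -Path $tmpPath` is not piped to `Out-Null` and echoes the directory object into the packer output.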
diff --git a/windows-msvc-2019.pkr.js/scripts/install-vs.ps1 b/windows-msvc-2019.pkr.js/scripts/install-vs.ps1 new file mode 100644 index 0000000..2b6c508 --- /dev/null +++ b/windows-msvc-2019.pkr.js/scripts/install-vs.ps1 
@@ -0,0 +1,133 @@ +################################################################################ +## File: Install-VS.ps1 +## Desc: Install Visual Studio +################################################################################ + +# source the helpers +. ("c:\temp\helpers.ps1") + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +Function Install-VisualStudio +{ + <# + .SYNOPSIS + A helper function to install Visual Studio. + + .DESCRIPTION + Prepare system environment, and install Visual Studio bootstrapper with selected workloads. + + .PARAMETER BootstrapperUrl + The URL from which the bootstrapper will be downloaded. Required parameter. + + .PARAMETER WorkLoads + The string that contain workloads that will be passed to the installer. + #> + + Param + ( + [Parameter(Mandatory)] + [String] $BootstrapperUrl, + [String] $WorkLoads + ) + + Write-Host "Downloading Bootstrapper ..." + $BootstrapperName = [IO.Path]::GetFileName($BootstrapperUrl) + $bootstrapperFilePath = Start-DownloadWithRetry -Url $BootstrapperUrl -Name $BootstrapperName + + try + { + Write-Host "Enable short name support on Windows needed for Xamarin Android AOT, defaults appear to have been changed in Azure VMs" + $shortNameEnableProcess = Start-Process -FilePath fsutil.exe -ArgumentList ('8dot3name', 'set', '0') -Wait -PassThru + + $shortNameEnableExitCode = $shortNameEnableProcess.ExitCode + if ($shortNameEnableExitCode -ne 0) + { + Write-Host "Enabling short name support on Windows failed. This needs to be enabled prior to VS 2017 install for Xamarin Andriod AOT to work." + exit $shortNameEnableExitCode + } + + Write-Host "Starting Install ..." 
+ $bootstrapperArgumentList = ('/c', $bootstrapperFilePath, $WorkLoads, '--quiet', '--norestart', '--wait', '--nocache' ) + $process = Start-Process -FilePath cmd.exe -ArgumentList $bootstrapperArgumentList -Wait -PassThru + + $exitCode = $process.ExitCode + if ($exitCode -eq 0 -or $exitCode -eq 3010) + { + Write-Host "Installation successful" + return $exitCode + } + else + { + $setupErrorLogPath = "$env:TEMP\dd_setup_*_errors.log" + if (Test-Path -Path $setupErrorLogPath) + { + $logErrors = Get-Content -Path $setupErrorLogPath -Raw + Write-Host "$logErrors" + } + + Write-Host "Non zero exit code returned by the installation process : $exitCode" + exit $exitCode + } + } + catch + { + Write-Host "Failed to install Visual Studio; $($_.Exception.Message)" + exit -1 + } +} + +function Get-VsCatalogJsonPath { + $instanceFolder = Get-Item "C:\ProgramData\Microsoft\VisualStudio\Packages\_Instances\*" | Select-Object -First 1 + return Join-Path $instanceFolder.FullName "catalog.json" +} + +function Get-VisualStudioPath { + return (Get-VSSetupInstance | Select-VSSetupInstance -Product *).InstallationPath +} + +function Get-VisualStudioPackages { + return (Get-VSSetupInstance | Select-VSSetupInstance -Product *).Packages +} + +function Get-VisualStudioComponents { + Get-VisualStudioPackages | Where-Object type -in 'Component', 'Workload' | + Sort-Object Id, Version | Select-Object @{n = 'Package'; e = {$_.Id}}, Version | + Where-Object { $_.Package -notmatch "[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}" } +} + +$workLoads = @( + "--add Microsoft.VisualStudio.Workload.VCTools" + "--includeOptional" + "--includeRecommended" + "--remove Component.CPython3.x64" +) +$workLoadsArgument = [String]::Join(" ", $workLoads) + +$releaseInPath = "Enterprise" +$subVersion = "16" +$bootstrapperUrl = "https://aka.ms/vs/${subVersion}/release/vs_${releaseInPath}.exe" + +# Install VS +Install-VisualStudio -BootstrapperUrl $bootstrapperUrl -WorkLoads 
$workLoadsArgument + +# Find the version of VS installed for this instance +# Only supports a single instance +$vsProgramData = Get-Item -Path "C:\ProgramData\Microsoft\VisualStudio\Packages\_Instances" +$instanceFolders = Get-ChildItem -Path $vsProgramData.FullName + +if ($instanceFolders -is [array]) +{ + Write-Host "More than one instance installed" + exit 1 +} + +$vsInstallRoot = Get-VisualStudioPath + +# Initialize Visual Studio Experimental Instance +& "$vsInstallRoot\Common7\IDE\devenv.exe" /RootSuffix Exp /ResetSettings General.vssettings /Command File.Exit + +# Updating content of MachineState.json file to disable autoupdate of VSIX extensions +$newContent = '{"Extensions":[{"Key":"1e906ff5-9da8-4091-a299-5c253c55fdc9","Value":{"ShouldAutoUpdate":false}},{"Key":"Microsoft.VisualStudio.Web.AzureFunctions","Value":{"ShouldAutoUpdate":false}}],"ShouldAutoUpdate":false,"ShouldCheckForUpdates":false}' +Set-Content -Path "$vsInstallRoot\Common7\IDE\Extensions\MachineState.json" -Value $newContent \ No newline at end of file diff --git a/windows-msvc-2019.pkr.js/scripts/runtime/helpers.ps1 b/windows-msvc-2019.pkr.js/scripts/runtime/helpers.ps1 new file mode 100644 index 0000000..a8135ff --- /dev/null +++ b/windows-msvc-2019.pkr.js/scripts/runtime/helpers.ps1 
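Review bot: `Get-VisualStudioPath` depends on `Get-VSSetupInstance`/`Select-VSSetupInstance` from the VSSetup PowerShell module, and nothing in this patch's script list installs it (only the NuGet provider and VcRedist are installed), so unless it is provisioned elsewhere `$vsInstallRoot` is empty and the `devenv.exe` reset and `Set-Content` that follow fail on a path starting with `\Common7`; either `Install-Module VSSetup -RequiredVersion <pinned>` before use, or locate the instance with `vswhere.exe` from `${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer`, which the bootstrapper installs. The bootstrapper is launched through `cmd.exe /c`, which re-parses `$WorkLoads` through the shell for no benefit; `Start-Process -FilePath $bootstrapperFilePath -ArgumentList ($WorkLoads, '--quiet', '--norestart', '--wait', '--nocache') -Wait -PassThru` does the same directly. `Get-VsCatalogJsonPath`, `Get-VisualStudioPackages` and `Get-VisualStudioComponents` are defined but never called in this file.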
@@ -0,0 +1,109 @@ +function Install-Binary +{ + <# + .SYNOPSIS + A helper function to install executables. + + .DESCRIPTION + Download and install .exe or .msi binaries from specified URL. + + .PARAMETER Url + The URL from which the binary will be downloaded. Required parameter. + + .PARAMETER Name + The Name with which binary will be downloaded. Required parameter. + + .PARAMETER ArgumentList + The list of arguments that will be passed to the installer. Required for .exe binaries. + + .EXAMPLE + Install-Binary -Url "https://go.microsoft.com/fwlink/p/?linkid=2083338" -Name "winsdksetup.exe" -ArgumentList ("/features", "+", "/quiet") + #> + + Param + ( + [Parameter(Mandatory)] + [String] $Url, + [Parameter(Mandatory)] + [String] $Name, + [String[]] $ArgumentList + ) + + Write-Host "Downloading $Name..." + $filePath = Start-DownloadWithRetry -Url $Url -Name $Name + + # MSI binaries should be installed via msiexec.exe + $fileExtension = ([System.IO.Path]::GetExtension($Name)).Replace(".", "") + if ($fileExtension -eq "msi") + { + $ArgumentList = ('/i', $filePath, '/QN', '/norestart') + $filePath = "msiexec.exe" + } + + try + { + Write-Host "Starting Install $Name..." 
+ $process = Start-Process -FilePath $filePath -ArgumentList $ArgumentList -Wait -PassThru + + $exitCode = $process.ExitCode + if ($exitCode -eq 0 -or $exitCode -eq 3010) + { + Write-Host "Installation successful" + } + else + { + Write-Host "Non zero exit code returned by the installation process: $exitCode" + exit $exitCode + } + } + catch + { + Write-Host "Failed to install the $fileExtension ${Name}: $($_.Exception.Message)" + exit 1 + } +} + +function Start-DownloadWithRetry +{ + Param + ( + [Parameter(Mandatory)] + [string] $Url, + [string] $Name, + [string] $DownloadPath = "${env:Temp}", + [int] $Retries = 20 + ) + + if ([String]::IsNullOrEmpty($Name)) { + $Name = [IO.Path]::GetFileName($Url) + } + + $filePath = Join-Path -Path $DownloadPath -ChildPath $Name + + #Default retry logic for the package. + while ($Retries -gt 0) + { + try + { + Write-Host "Downloading package from: $Url to path $filePath ." + (New-Object System.Net.WebClient).DownloadFile($Url, $filePath) + break + } + catch + { + Write-Host "There is an error during package downloading:`n $_" + $Retries-- + + if ($Retries -eq 0) + { + Write-Host "File can't be downloaded. Please try later or check that file exists by url: $Url" + exit 1 + } + + Write-Host "Waiting 30 seconds before retrying. Retries left: $Retries" + Start-Sleep -Seconds 30 + } + } + + return $filePath +} \ No newline at end of file diff --git a/windows-msvc-2019.pkr.js/scripts/runtime/sync-tipi-distro.ps1 b/windows-msvc-2019.pkr.js/scripts/runtime/sync-tipi-distro.ps1 new file mode 100644 index 0000000..22ae58a --- /dev/null +++ b/windows-msvc-2019.pkr.js/scripts/runtime/sync-tipi-distro.ps1 
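Review bot: `Start-DownloadWithRetry` fetches with `WebClient.DownloadFile` and `Install-Binary` then executes the result via `Start-Process`, with no integrity check in between, so every caller (install-git.ps1, install-vs.ps1) runs whatever the URL served at build time. Since the callers already pin exact versions, a pinned digest fits naturally: add an optional `-ExpectedSha256` parameter to `Install-Binary` and compare the `Get-FileHash` result before the msi/exe branch; callers that do not pass it keep today's behaviour. The `exit 1` inside `Start-DownloadWithRetry` terminates the whole calling script rather than returning to the caller, which looks intended for a provisioning run but deserves a one-line comment at its `Param` block.

```powershell
    Param
    (
        [Parameter(Mandatory)]
        [String] $Url,
        [Parameter(Mandatory)]
        [String] $Name,
        [String[]] $ArgumentList,
        [String] $ExpectedSha256
    )

    Write-Host "Downloading $Name..."
    $filePath = Start-DownloadWithRetry -Url $Url -Name $Name

    # Refuse to run a download whose digest does not match the pinned value (when one is given)
    if ($ExpectedSha256)
    {
        $actualSha256 = (Get-FileHash -Path $filePath -Algorithm SHA256).Hash
        if ($actualSha256 -ne $ExpectedSha256)
        {
            Write-Host "Checksum mismatch for ${Name}: expected $ExpectedSha256, got $actualSha256"
            exit 1
        }
    }

    # … unchanged: msi handling and Start-Process …
```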
@@ -0,0 +1,26 @@
+$source = "C:\.tipi"
+$dest = "D:\.tipi"
+
+# copy everything
+# ---------------
+
+# NOTE: this was terribly slow, taking a good 5minutes to "sync". Replaced with...
+# Copy-Item -Path $source -Destination $dest -Recurse
+
+# ... some ROBOCOPY goodness
+#
+# Details:
+# /S: Copies subdirectories
+# /E: includes empty directories.
+# /Z: Copies files in restartable mode
+# /ZB: Copies files in restartable mode. If file access is denied, switches to backup mode.
+# /R:5: retries on failed copies (instead of 1MIO)
+# /W:5: wait (in seconds) between retries
+# /NP: hides progress display
+# /MT:128: thread count for copies. Scales fairly well => higher is seemingly better (defaults to 8)
+# /log:*PATH* : redirects the output to a log file (huge perf gain here...)
+Robocopy /S /E /Z /ZB /R:5 /W:5 /NP /MT:128 /log:c:\temp\distro-copy.log $source $dest
+
+# make sure everyone can read/write *stuff*
+# -----------------------------------------
+icacls $dest /grant Users:F
\ No newline at end of file
diff --git a/windows-msvc-2019.pkr.js/scripts/setup-winrm.ps1 b/windows-msvc-2019.pkr.js/scripts/setup-winrm.ps1
new file mode 100644
index 0000000..b0098ea
--- /dev/null
+++ b/windows-msvc-2019.pkr.js/scripts/setup-winrm.ps1
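Review bot: The `Robocopy` result is never checked, so a failed or partial copy still lets the script finish successfully and the image is built with an incomplete `D:\.tipi`; robocopy signals failure with exit codes of 8 and above (lower values are informational), so add `if ($LASTEXITCODE -ge 8) { Write-Error "robocopy failed with exit code $LASTEXITCODE"; exit $LASTEXITCODE }` right after the copy. On the last line, `icacls $dest /grant Users:F` hands Full Control over the whole distro tree to every local user, which also lets them rewrite its ACLs; if read/write is all that is needed, `Users:(OI)(CI)M` (Modify, inherited to children) is the narrower grant. The same `/grant Users:F` appears in install-tipi.ps1 for `C:\.tipi`, so whichever grant is chosen should be applied in both places.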
@@ -0,0 +1,40 @@ +Write-Output "Running User Data Script" +Write-Host "(host) Running User Data Script" + +Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore + +# Don't set this before Set-ExecutionPolicy as it throws an error +$ErrorActionPreference = "stop" + +# Remove HTTP listener +Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse + +$Cert = New-SelfSignedCertificate ` + -CertstoreLocation Cert:\LocalMachine\My ` + -DnsName "packer" + +New-Item ` + -Path WSMan:\LocalHost\Listener ` + -Transport HTTPS ` + -Address * ` + -CertificateThumbPrint $Cert.Thumbprint ` + -Force + +# WinRM +write-output "Setting up WinRM" +write-host "(host) setting up WinRM" + +cmd.exe /c winrm quickconfig -q +cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}' +cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}' +cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}' +cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}' +cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}' +cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}' +cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}' +cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}" +cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes +cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986" +cmd.exe /c net stop winrm +cmd.exe /c sc config winrm start= auto +cmd.exe /c net start winrm \ No newline at end of file diff --git a/windows-msvc-2019.pkr.js/scripts/update-root-certificate-store.ps1 b/windows-msvc-2019.pkr.js/scripts/update-root-certificate-store.ps1 new file mode 100644 index 0000000..4ea3291 --- /dev/null +++ b/windows-msvc-2019.pkr.js/scripts/update-root-certificate-store.ps1 
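Review bot: `cmd.exe /c winrm quickconfig -q` runs after the HTTP listener was removed and the HTTPS listener created, and quickconfig's default is to (re)create an HTTP listener, so the image most likely ends up with both; use `winrm quickconfig -q -transport:https`, or move the `Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse` step after quickconfig. With only an HTTPS listener, the two `AllowUnencrypted="true"` settings (service and client) serve no purpose and only widen what any later HTTP listener would accept, so they can be dropped. `Set-ExecutionPolicy Unrestricted -Scope LocalMachine`, `Basic="true"` and `CredSSP="true"` are machine-wide settings that survive into the captured image unless a later step reverts them; the packer template shows no such step, so either revert them before Sysprep or document at the top of this file that the shipped image carries them.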
@@ -0,0 +1,52 @@ +Set-StrictMode -Version latest +$ErrorActionPreference = "Stop" + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator clevel shell." + exit 1 +} + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +Try { + + #$storeFile = "c:\Temp\roots.sst" + #md c:\Temp + #certutil.exe -generateSSTFromWU $storeFile + #$sst = ( Get-ChildItem -Path $storeFile ) + #$sst | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root + #updroots.exe roots.sst + + Write-Output "Preparing fetching root CA info from Windows Update" + + $certsPath = "c:\Temp\certs" + $rootCertsPath = "c:\Temp\certs\root.sst" + md $certsPath + + Write-Output "Fetching now..." + #certutil -syncwithWU $certsPath + certutil.exe -generateSSTFromWU $rootCertsPath + + Write-Output "Importing certificate updates into machine root store" + $sst = ( Get-ChildItem -Path $rootCertsPath ) + $sst | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root + #$files = Get-ChildItem -Path 'C:\certs\*' -Include '*.crt' + + #Foreach ($file in $files) { + # $importfile = "$file" + # certutil -addstore -f Root "$importfile" + # Write-Output $importfile + #} + + Write-Output "Cleaning up disk" + rd $certsPath -Recurse + +} Catch { + Write-Error "Failed to update the root certificate store" + $host.SetShouldExit(-1) + throw +} + +Write-Output "Updated the root certificate store from Windows update" \ No newline at end of file diff --git a/windows-msvc-2019.pkr.js/windows-msvc-2019.pkr.js.mustache b/windows-msvc-2019.pkr.js/windows-msvc-2019.pkr.js.mustache new file mode 100644 index 0000000..ab1b63e --- /dev/null +++ b/windows-msvc-2019.pkr.js/windows-msvc-2019.pkr.js.mustache 
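Review bot: `md $certsPath` fails when `c:\Temp\certs` already exists (with `$ErrorActionPreference = "Stop"` that goes straight to the Catch branch), and the `rd $certsPath -Recurse` cleanup only runs on the success path, so one failed run leaves `root.sst` behind and every following run fails at `md`; `New-Item -ItemType Directory -Force -Path $certsPath` plus moving the cleanup into a `Finally` block fixes both. The message `"Must be executed in Administrator clevel shell."` has a typo (`level`) that the sibling scripts spell correctly. The commented-out alternatives (`certutil -syncwithWU`, the `.crt` import loop) are dead code and can be removed rather than carried in a new file.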
@@ -0,0 +1,105 @@ +{ + "variables": { + "client_id": "{{client_id}}", + "client_secret": "{{client_secret}}", + "subscription_id": "{{subscription_id}}", + "tenant_id": "{{tenant_id}}", + "resource_group": "{{resource_group_name}}", + "build_resource_group": "{{build_resource_group_name}}", + "image_name": "{{output_image_name}}", + "shared_image_gallery_resource_group": "tipi-images", + "shared_image_gallery_name": "tipi_image_gallery", + "shared_image_gallery_image_version": "0.0.1" + }, + {{! Changing the mustache delimiters to <% ... %> in order to preserve function of the packer-templating which uses curlies as well }} + {{=<% %>=}} + "sensitive-variables": [ + "install_password", + "client_secret" + ], + "builders": [ + { + "name": "azure", + "type": "azure-arm", + "client_id": "{{user `client_id`}}", + "client_secret": "{{user `client_secret`}}", + "subscription_id": "{{user `subscription_id`}}", + "tenant_id": "{{user `tenant_id`}}", + "managed_image_resource_group_name": "{{user `resource_group`}}", + "build_resource_group_name": "{{user `build_resource_group`}}", + "os_type": "Windows", + "managed_image_name": "{{user `image_name`}}", + "vm_size": "Standard_D48d_v4", + "image_publisher": "MicrosoftWindowsServer", + "image_offer": "WindowsServer", + "image_sku": "2022-Datacenter", + "communicator": "winrm", + "winrm_use_ssl": true, + "winrm_insecure": true, + "winrm_timeout": "30m", + "winrm_username": "packer", + "shared_image_gallery_destination": { + "resource_group": "{{user `shared_image_gallery_resource_group`}}", + "gallery_name": "{{user `shared_image_gallery_name`}}", + "image_name": "{{user `image_name`}}", + "image_version": "{{user `shared_image_gallery_image_version`}}", + "replication_regions": ["Central US", "East US", "North Europe", "West Europe"], + "storage_account_type": "Standard_LRS" + }, + "shared_image_gallery_timeout": "1h30m", + "shared_image_gallery_replica_count": 1, + "azure_tags": { + "tipi_deployment": "<% tipi_deployment 
%>", + "tipi_userid": "<% tipi_userid %>" + } + } + ], + "provisioners": [ + { + "type": "file", + "source": "./scripts/runtime/sync-tipi-distro.ps1", + "destination": "c:\\Temp\\sync-tipi-distro.ps1" + }, + { + "type": "file", + "source": "./scripts/runtime/helpers.ps1", + "destination": "c:\\Temp\\helpers.ps1" + }, + { + "type": "powershell", + "elevated_user": "packer", + "elevated_password": "{{.WinRMPassword}}", + "scripts": [ + "./scripts/fix-tls.ps1", + "./scripts/update-root-certificate-store.ps1", + "./scripts/install-nuget.ps1", + "./scripts/install-openssh.ps1", + "./scripts/install-git.ps1", + "./scripts/install-vcredist.ps1", + "./scripts/install-vs.ps1", + "./scripts/disable-windows-update.ps1", + "./scripts/disable-windows-defender.ps1" + ] + }, + { + "type": "windows-restart" + }, + { + "type": "powershell", + "elevated_user": "packer", + "elevated_password": "{{.WinRMPassword}}", + "environment_vars": ["TIPI_INSTALL_VERSION={{tipi_cli_version}}"], + "scripts": [ + "./scripts/install-tipi.ps1" + ] + }, + { + "type": "powershell", + "inline": [ + "& $env:SystemRoot\\System32\\Sysprep\\Sysprep.exe /oobe /generalize /quiet /quit", + "while($true) { $imageState = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State | Select ImageState; if($imageState.ImageState -ne 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE') { Write-Output $imageState.ImageState; Start-Sleep -s 10 } else { break } }" + ] + } + ] + ,"_tipi_version":"{{tipi_version_hash}}" +} \ No newline at end of file diff --git a/windows-msvc-2022-win64-cxx17.cmake b/windows-msvc-2022-win64-cxx17.cmake new file mode 100644 index 0000000..cb62a53 --- /dev/null +++ b/windows-msvc-2022-win64-cxx17.cmake 
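Review bot: `"sensitive-variables"` lists `install_password`, but no such variable is declared in `"variables"` (only `client_secret` is), so the entry is stale; either drop it or declare the variable it was meant to mask. This is the `windows-msvc-2019` template, yet `"image_sku": "2022-Datacenter"` selects a Windows Server 2022 base; if that is intended, a mustache comment next to `image_sku` would stop the next reader from "fixing" it. The provisioner list runs `disable-windows-defender.ps1` and `disable-windows-update.ps1` and nothing after them re-enables either before the Sysprep inline step, so the published image ships with real-time protection and updates off; the scripts explain this as a build-speed trade-off, but the decision belongs here where the image is assembled, as a comment on the provisioners block.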
@@ -0,0 +1,18 @@ +# Copyright (c) 2020-2023, tipi technologies Ltd +# All rights reserved. + +if(DEFINED TIPI_WINDOWS_MSVC_2022_WIN64_CXX17_CMAKE_) + return() +else() + set(TIPI_WINDOWS_MSVC_2022_WIN64_CXX17_CMAKE_ 1) +endif() + +include("${CMAKE_CURRENT_LIST_DIR}/utilities/polly_init.cmake") + +polly_init( + "Visual Studio 17 2022 Win64 / C++17" + "Visual Studio 17 2022" +) + +include("${CMAKE_CURRENT_LIST_DIR}/utilities/polly_common.cmake") +include("${CMAKE_CURRENT_LIST_DIR}/flags/vs-cxx17.cmake") diff --git a/windows-msvc-2022-win64-cxx20.cmake b/windows-msvc-2022-win64-cxx20.cmake new file mode 100644 index 0000000..5cf4edf --- /dev/null +++ b/windows-msvc-2022-win64-cxx20.cmake @@ -0,0 +1,18 @@ +# Copyright (c) 2020-2023, tipi technologies Ltd +# All rights reserved. + +if(DEFINED TIPI_WINDOWS_MSVC_2022_WIN64_CXX20_CMAKE_) + return() +else() + set(TIPI_WINDOWS_MSVC_2022_WIN64_CXX20_CMAKE_ 1) +endif() + +include("${CMAKE_CURRENT_LIST_DIR}/utilities/polly_init.cmake") + +polly_init( + "Visual Studio 17 2022 Win64 / C++20" + "Visual Studio 17 2022" +) + +include("${CMAKE_CURRENT_LIST_DIR}/utilities/polly_common.cmake") +include("${CMAKE_CURRENT_LIST_DIR}/flags/vs-cxx20.cmake") diff --git a/windows-msvc-2022-win64-cxxlatest.cmake b/windows-msvc-2022-win64-cxxlatest.cmake new file mode 100644 index 0000000..fe31973 --- /dev/null +++ b/windows-msvc-2022-win64-cxxlatest.cmake @@ -0,0 +1,18 @@ +# Copyright (c) 2020-2023, tipi technologies Ltd +# All rights reserved. + +if(DEFINED TIPI_WINDOWS_MSVC_2022_WIN64_CXXLATEST_CMAKE_) + return() +else() + set(TIPI_WINDOWS_MSVC_2022_WIN64_CXXLATEST_CMAKE_ 1) +endif() + +include("${CMAKE_CURRENT_LIST_DIR}/utilities/polly_init.cmake") + +polly_init( + "Visual Studio 17 2022 Win64 / C++latest" + "Visual Studio 17 2022" +) + +include("${CMAKE_CURRENT_LIST_DIR}/utilities/polly_common.cmake") +include("${CMAKE_CURRENT_LIST_DIR}/flags/vs22-cxxlatest.cmake") 
diff --git a/windows-msvc-2022.pkr.js/scripts/disable-windows-defender.ps1 b/windows-msvc-2022.pkr.js/scripts/disable-windows-defender.ps1 new file mode 100644 index 0000000..0232451 --- /dev/null +++ b/windows-msvc-2022.pkr.js/scripts/disable-windows-defender.ps1 @@ -0,0 +1,25 @@ +Set-StrictMode -Version latest +$ErrorActionPreference = "Stop" + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +Try { + # we do LOTs of file access... windows defender is a HUGE break + # in that regard... disabling it for good measure + # + # benchmarked: + # -50% file copy time when copying the distro from c:/ to d:/ + # with disabling defender alone. + Set-MpPreference -DisableRealtimeMonitoring $true + +} Catch { + Write-Error "Failed to disable windows defender" + $host.SetShouldExit(-1) + throw +} + +Write-Output "Disabled Windows Defender Realtime Threat Protection" \ No newline at end of file diff --git a/windows-msvc-2022.pkr.js/scripts/disable-windows-update.ps1 b/windows-msvc-2022.pkr.js/scripts/disable-windows-update.ps1 new file mode 100644 index 0000000..bf36f1f --- /dev/null +++ b/windows-msvc-2022.pkr.js/scripts/disable-windows-update.ps1 
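Review bot: `Set-MpPreference -DisableRealtimeMonitoring $true` is a persistent machine setting and nothing in this script (nor, as far as visible in the template's provisioner list) turns it back on before the image is generalized, so every VM created from the image starts with real-time protection off. If the intent is only to speed up provisioning, re-enable it in the last pre-Sysprep step with `Set-MpPreference -DisableRealtimeMonitoring $false`; if the shipped image is meant to run without it, say so in the header comment rather than only in the benchmark note. On hosts where tamper protection is active, `Set-MpPreference` may be rejected and the Catch branch will fail the build; the comment should mention that this is expected on such hosts.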
@@ -0,0 +1,30 @@
+$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
+if (!$RunningAsAdmin) {
+ Write-Error "Must be executed in Administrator level shell."
+ exit 1
+}
+
+$service = Get-WmiObject Win32_Service -Filter 'Name="wuauserv"'
+
+if (!$service) {
+ Write-Error "Failed to retrieve the wauserv service"
+ exit 1
+}
+
+if ($service.StartMode -ne "Disabled") {
+ $result = $service.ChangeStartMode("Disabled").ReturnValue
+ if($result) {
+ Write-Error "Failed to disable the 'wuauserv' service. The return value was $result."
+ exit 1
+ }
+}
+
+if ($service.State -eq "Running") {
+ $result = $service.StopService().ReturnValue
+ if ($result) {
+ Write-Error "Failed to stop the 'wuauserv' service. The return value was $result."
+ exit 1
+ }
+}
+
+Write-Output "Automatic Windows Updates disabled."
\ No newline at end of file
diff --git a/windows-msvc-2022.pkr.js/scripts/fix-tls.ps1 b/windows-msvc-2022.pkr.js/scripts/fix-tls.ps1
new file mode 100644
index 0000000..df08937
--- /dev/null
+++ b/windows-msvc-2022.pkr.js/scripts/fix-tls.ps1
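Review bot: The error text `"Failed to retrieve the wauserv service"` misspells the service name; the filter and the later messages use `wuauserv`, so `Write-Error "Failed to retrieve the wuauserv service"`. Unlike the sibling scripts this one sets neither `Set-StrictMode -Version latest` nor `$ErrorActionPreference = "Stop"`, so a failure inside `Get-WmiObject` is a non-terminating error and the script only stops because the `!$service` check happens to catch the empty result; adding the same two header lines makes the behaviour explicit. `Get-WmiObject` is deprecated in favour of `Get-CimInstance`/`Invoke-CimMethod`; not a blocker for a new file, but worth a `# TODO` so it is not copied further.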
@@ -0,0 +1,163 @@ +# This script hardens TLS configuration by disabling weak and broken protocols +# and enabling useful protocols like TLS 1.1 and 1.2. + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +$weakProtocols = @( + 'Multi-Protocol Unified Hello', + 'PCT 1.0', + 'SSL 2.0', + 'SSL 3.0' +) + +$strongProtocols = @( + 'TLS 1.0', + 'TLS 1.1', + 'TLS 1.2' +) + +$weakCiphers = @( + 'DES 56/56', + 'NULL', + 'RC2 128/128', + 'RC2 40/128', + 'RC2 56/128', + 'RC4 40/128', + 'RC4 56/128', + 'RC4 64/128', + 'RC4 128/128' +) + +$strongCiphers = @( + 'AES 128/128', + 'AES 256/256', + 'Triple DES 168/168' +) + +$weakHashes = @( + 'MD5', + 'SHA' +) + +$strongHashes = @( + 'SHA 256', + 'SHA 384', + 'SHA 512' +) + +$strongKeyExchanges = @( + 'Diffie-Hellman', + 'ECDH', + 'PKCS' +) + +$cipherOrder = @( + 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', + 'TLS_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_RSA_WITH_AES_256_CBC_SHA256', + 'TLS_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_RSA_WITH_AES_256_CBC_SHA', + 'TLS_RSA_WITH_AES_128_CBC_SHA' +) + +# Reset the protocols key +New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Force | Out-Null + +# Disable 
weak protocols +Foreach ($protocol in $weakProtocols) { + New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -Force | Out-Null + New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name DisabledByDefault -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name DisabledByDefault -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null +} + +# Enable strong protocols +Foreach ($protocol in $strongProtocols) { + New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -Force | Out-Null + New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + New-ItemProperty -path 
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null +} + +# Reset the ciphers key +New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null + +# Disable Weak Ciphers +Foreach ($cipher in $weakCiphers) { + $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey($cipher) + $key.SetValue('Enabled', 0, 'DWord') + $key.Close() +} + +# Enable Strong Ciphers +Foreach ($cipher in $strongCiphers) { + $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey($cipher) + New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + $key.Close() +} + +# Reset the hashes key +New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null + +# Disable weak hashes +Foreach ($hash in $weakHashes) { + $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey($hash) + New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$hash" -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null + $key.Close() +} + +# Enable Hashes +Foreach ($hash in $strongHashes) { + $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey($hash) + New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$hash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + $key.Close() +} + +# Reset the KeyExchangeAlgorithms key +New-Item 
'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null + +# Enable KeyExchangeAlgorithms +Foreach ($keyExchange in $strongKeyExchanges) { + $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms", $true).CreateSubKey($keyExchange) + New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$keyExchange" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null + $key.Close() +} + +# Set cipher order +$cipherOrderString = [string]::join(',', $cipherOrder) +New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherOrderString -PropertyType 'String' -Force | Out-Null + +# add ssl/tls default policy in the system's powershell profile + +$systemPS_ProfilePath = "$PSHOME\Profile.ps1" + +if (!(Test-Path -Path $systemPS_ProfilePath)) { + New-Item -ItemType File -Path $systemPS_ProfilePath -Force +} + +Write-Output '[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12' > $systemPS_ProfilePath + + +Write-Output "TLS hardened." \ No newline at end of file diff --git a/windows-msvc-2022.pkr.js/scripts/install-git.ps1 b/windows-msvc-2022.pkr.js/scripts/install-git.ps1 new file mode 100644 index 0000000..f149175 --- /dev/null +++ b/windows-msvc-2022.pkr.js/scripts/install-git.ps1 
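Review bot: The header says the script hardens TLS, but `$strongProtocols` enables `TLS 1.0` and `TLS 1.1` and `$strongCiphers` enables `Triple DES 168/168`, all of which are deprecated (RFC 8996 for the two protocols, Sweet32 for 3DES); unless the build tooling is known to need them, move the two protocols into `$weakProtocols` and drop 3DES, or state the compatibility reason in the header comment so the list is not mistaken for an oversight. The final `Write-Output '...' > $systemPS_ProfilePath` truncates any existing `$PSHOME\Profile.ps1`, which the preceding `Test-Path`/`New-Item` guard suggests was not intended; `Add-Content -Path $systemPS_ProfilePath -Value '[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12'` appends instead. The `New-Item ... -Force` calls commented as "Reset the ... key" do not remove existing subkeys as far as I can tell, so the comments overstate what happens; "Ensure the ... key exists" would be accurate.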
@@ -0,0 +1,58 @@ +################################################################################ +## File: Install-Git.ps1 +## Desc: Install Git for Windows +################################################################################ + +# source the helpers +. ("c:\temp\helpers.ps1") + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +function getSimpleValue([string] $url, [string] $filename ) { + $fullpath = "${env:Temp}\$filename" + Invoke-WebRequest -Uri $url -OutFile $fullpath + $value = Get-Content $fullpath -Raw + + return $value +} + +# Install the latest version of Git for Windows +#$gitTag = getSimpleValue -url "https://gitforwindows.org/latest-tag.txt" -filename "gitlatesttag.txt" +#$gitVersion = getSimpleValue -url "https://gitforwindows.org/latest-version.txt" -filename "gitlatestversion.txt"; + +# there's an installer bug in the current latest, manually sticking the the previous release for now +$gitTag = "v2.41.0.windows.3" +$gitVersion = "2.41.0.3" + + +$installerFile = "Git-$gitVersion-64-bit.exe"; +$downloadUrl = "https://github.com/git-for-windows/git/releases/download/$gitTag/$installerFile"; +Install-Binary -Url $downloadUrl ` + -Name $installerFile ` + -ArgumentList ( + "/VERYSILENT", + "/NORESTART", ` + "/NOCANCEL", ` + "/SP-", ` + "/CLOSEAPPLICATIONS", ` + "/RESTARTAPPLICATIONS", ` + "/o:PathOption=CmdTools", ` + "/o:BashTerminalOption=ConHost", ` + "/o:EnableSymlinks=Enabled", ` + "/COMPONENTS=gitlfs") + +# Disable GCM machine-wide +[Environment]::SetEnvironmentVariable("GCM_INTERACTIVE", "Never", [System.EnvironmentVariableTarget]::Machine) + +# add git bin dir to machine path +$context = [EnvironmentVariableTarget]::Machine +$PATH_orig = [Environment]::GetEnvironmentVariable("Path", $context) + +$PATH_new = "C:\Program Files\Git\bin;" + $PATH_orig # prepending so the latest install wins the path race +$PATH_new = $PATH_new -replace ';{2,}',';' # clean the path of eventual double ;; 
entries +[Environment]::SetEnvironmentVariable("Path", $PATH_new, $context) + +# Add well-known SSH host keys to ssh_known_hosts +ssh-keyscan -t rsa github.com >> "C:\Program Files\Git\etc\ssh\ssh_known_hosts" +ssh-keyscan -t rsa ssh.dev.azure.com >> "C:\Program Files\Git\etc\ssh\ssh_known_hosts" \ No newline at end of file diff --git a/windows-msvc-2022.pkr.js/scripts/install-nuget.ps1 b/windows-msvc-2022.pkr.js/scripts/install-nuget.ps1 new file mode 100644 index 0000000..e66909b --- /dev/null +++ b/windows-msvc-2022.pkr.js/scripts/install-nuget.ps1 @@ -0,0 +1,21 @@ +Set-StrictMode -Version latest +$ErrorActionPreference = "Stop" + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +Try { + Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force +} Catch { + Write-Error "Failed to install NuGet package manager." + $host.SetShouldExit(-1) + throw +} + +Write-Output "Installed NuGet." \ No newline at end of file diff --git a/windows-msvc-2022.pkr.js/scripts/install-openssh.ps1 b/windows-msvc-2022.pkr.js/scripts/install-openssh.ps1 new file mode 100644 index 0000000..08f4370 --- /dev/null +++ b/windows-msvc-2022.pkr.js/scripts/install-openssh.ps1 
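Review bot: The two `ssh-keyscan ... >> "C:\Program Files\Git\etc\ssh\ssh_known_hosts"` lines trust whatever host key is presented at image-build time and bake it into every image, so a key substituted during one build would be pinned for all downstream users; compare the scanned keys against the fingerprints the providers publish (`ssh-keyscan -t rsa github.com | ssh-keygen -lf -`) before appending, or write the published public keys as literals. If this runs under Windows PowerShell 5.1 rather than pwsh, `>>` also writes UTF-16LE text, which OpenSSH does not parse as a known_hosts file; `ssh-keyscan -t rsa github.com | Out-File -Append -Encoding ascii "C:\Program Files\Git\etc\ssh\ssh_known_hosts"` avoids that. The Git installer is pinned to `v2.41.0.windows.3` but `Install-Binary` is called without any checksum, so the pin is by version string only; the project publishes hashes for that release that could be checked before the installer is started. The function `getSimpleValue` is now unused (both callers are commented out) and can go.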
@@ -0,0 +1,53 @@ +Set-StrictMode -Version latest +$ErrorActionPreference = "Stop" + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +Try { + + # install portable SSH instead of the Windows feature because we + # need to target 2016 + $repo = "https://github.com/PowerShell/Win32-OpenSSH" + $version = "v9.2.2.0p1-Beta" + $url = "${repo}/releases/download/${version}/OpenSSH-Win64.zip" + + # TODO: check sha! + Write-Output "Downloading OpenSSH from: $url" + Invoke-WebRequest -Uri $url -Outfile "OpenSSH-Win64.zip" + Expand-Archive ".\OpenSSH-Win64.zip" "C:\Program Files" + Rename-Item -Path "C:\Program Files\OpenSSH-Win64" -NewName "OpenSSH" + + & "C:\Program Files\OpenSSH\install-sshd.ps1" + + # Start the service + Start-Service sshd + Set-Service -Name sshd -StartupType 'Automatic' + + Start-Service ssh-agent + Set-Service -Name ssh-agent -StartupType 'Automatic' + + # Enable host firewall rule if it doesn't exist + New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' ` + -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 + + # Set powershell as the OpenSSH login shell + New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" ` + -Name DefaultShell ` + -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ` + -PropertyType String -Force + + +} Catch { + Write-Error "Failed to install OpenSSH." + $host.SetShouldExit(-1) + throw +} + +Write-Output "Installed OpenSSH." \ No newline at end of file diff --git a/windows-msvc-2022.pkr.js/scripts/install-tipi.ps1 b/windows-msvc-2022.pkr.js/scripts/install-tipi.ps1 new file mode 100644 index 0000000..08d8b24 --- /dev/null 
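Review bot: The `# TODO: check sha!` names the real gap: `Invoke-WebRequest -Uri $url -Outfile "OpenSSH-Win64.zip"` is expanded straight into `C:\Program Files` and `install-sshd.ps1` is then executed from it, so the pinned version string protects nothing if the archive is altered in transit or at the release host; add `$expectedSha256 = "<SHA256_OF_PINNED_RELEASE>"` and `if ((Get-FileHash ".\OpenSSH-Win64.zip" -Algorithm SHA256).Hash -ne $expectedSha256) { throw "OpenSSH archive checksum mismatch" }` before `Expand-Archive`. The zip is written to the current directory and never removed, and `Rename-Item` fails if `C:\Program Files\OpenSSH` already exists, so the script is not re-runnable; a `Remove-Item` after expansion and a `Test-Path` guard fix that. The comment says `Enable host firewall rule if it doesn't exist`, but `New-NetFirewallRule -Name sshd` creates it unconditionally and errors on a duplicate name; either check with `Get-NetFirewallRule -Name sshd -ErrorAction SilentlyContinue` first or fix the comment.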
+++ b/windows-msvc-2022.pkr.js/scripts/install-tipi.ps1 
@@ -0,0 +1,55 @@ +Set-StrictMode -Version latest +$ErrorActionPreference = "Stop" + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +Try { + # force distro mode all so we have all the requisite tools preinstalled + $env:TIPI_DISTRO_MODE = "all" + Write-Output "Installing tipi in distro mode '$env:TIPI_DISTRO_MODE'" + + # do a system install because otherwise it's the image-creation user who'll get tipi + # installe in his user profile & PATH... which will be deleted on imaging completion + # which would result in the tipi.build customer not having a working installation + $env:TIPI_INSTALL_SYSTEM = "True" + Write-Output "Installing tipi in system install mode: $env:TIPI_INSTALL_SYSTEM" + + # have the target folder created and read/writable for everyone + $provisioningTimeTarget = "C:\.tipi" + mkdir $provisioningTimeTarget + icacls $provisioningTimeTarget /grant Users:F + + # we need that for a few more days I guess + $env:TIPI_HOME_DIR = $provisioningTimeTarget + + # install tipi + . 
{ Invoke-WebRequest -useb https://raw.githubusercontent.com/tipi-build/cli/master/install/install_for_windows.ps1 } | Invoke-Expression + + try { + # clean up the download folder to have less clutter / smaller images + Get-ChildItem "$provisioningTimeTarget\downloads\*" -Recurse -Force ` + | Sort-Object -Property FullName -Descending ` + | ForEach-Object { + Remove-Item -Path $_.FullName -Force -ErrorAction Stop; + } + } + catch { + Write-Host " XXX Failed to clean download folder" + Write-Host ($_ | ConvertTo-Json) -ErrorAction Continue + } + +} Catch { + Write-Error "Failed to install tipicli :'(" -ErrorAction Continue + Write-Error ($_ | ConvertTo-Json) -ErrorAction Continue + $host.SetShouldExit(-1) + throw +} + +Write-Output "Installed tipicli." diff --git a/windows-msvc-2022.pkr.js/scripts/install-vcredist.ps1 b/windows-msvc-2022.pkr.js/scripts/install-vcredist.ps1 new file mode 100644 index 0000000..78d0df9 --- /dev/null +++ b/windows-msvc-2022.pkr.js/scripts/install-vcredist.ps1 @@ -0,0 +1,30 @@ +Set-StrictMode -Version latest +$ErrorActionPreference = "Stop" + +$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") +if (!$RunningAsAdmin) { + Write-Error "Must be executed in Administrator level shell." + exit 1 +} + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +Try { + + $tmpPath = "C:\Temp\VcRedist" + New-Item -ItemType Directory -Force -Path $tmpPath + + Install-Module -Name VcRedist -Force -Confirm:$False + $redistList = Get-VcList | Get-VcRedist -Path $tmpPath + + Install-VcRedist -Path $tmpPath -VcList $redistList -Silent + + Remove-Item -Recurse -Force $tmpPath + +} Catch { + Write-Error "Failed to install vc redist runtimes." + $host.SetShouldExit(-1) + throw +} + +Write-Output "Installed VcRedist." \ No newline at end of file 
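Review bot: `. { Invoke-WebRequest -useb https://raw.githubusercontent.com/tipi-build/cli/master/install/install_for_windows.ps1 } | Invoke-Expression` executes whatever is on the `master` branch at build time as Administrator, with no pinning or integrity check, while the rest of the pipeline pins versions (`TIPI_INSTALL_VERSION` is even passed in from the template). Download the installer to a file from a fixed ref, verify its digest, then run the file; if the installer depends on variables set in this scope, dot-source it (`. $installerPath`) instead of `& $installerPath`. The `icacls $provisioningTimeTarget /grant Users:F` grant is the same Full Control grant raised for sync-tipi-distro.ps1 and should be narrowed together with it.

```powershell
    # install tipi from a pinned ref and verify the script before running it
    $installerUrl  = "https://raw.githubusercontent.com/tipi-build/cli/<PINNED_REF>/install/install_for_windows.ps1"
    $installerPath = Join-Path $env:TEMP "install_for_windows.ps1"
    Invoke-WebRequest -useb $installerUrl -OutFile $installerPath
    $actualSha256 = (Get-FileHash -Path $installerPath -Algorithm SHA256).Hash
    if ($actualSha256 -ne "<EXPECTED_SHA256>") {
        throw "tipi installer checksum mismatch: $actualSha256"
    }
    & $installerPath
    # … unchanged: download-folder cleanup …
```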
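Review bot: `Install-Module -Name VcRedist -Force -Confirm:$False` installs the latest VcRedist from the PowerShell Gallery at build time with no version pin, and `Get-VcList | Get-VcRedist` then downloads, and `Install-VcRedist` runs, whatever redistributables that module version lists, all as Administrator; pin it with `Install-Module -Name VcRedist -RequiredVersion <PINNED_VERSION> -Force -Confirm:$False` so two builds of the same template produce the same image. The `Remove-Item -Recurse -Force $tmpPath` cleanup is skipped when any earlier step throws, leaving the downloaded installers under `C:\Temp\VcRedist`; a `Finally` block covers both paths.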
diff --git a/windows-msvc-2022.pkr.js/scripts/install-vs.ps1 b/windows-msvc-2022.pkr.js/scripts/install-vs.ps1 new file mode 100644 index 0000000..ad9e581 --- /dev/null +++ b/windows-msvc-2022.pkr.js/scripts/install-vs.ps1 
@@ -0,0 +1,133 @@ +################################################################################ +## File: Install-VS.ps1 +## Desc: Install Visual Studio +################################################################################ + +# source the helpers +. ("c:\temp\helpers.ps1") + +# Force TLS1.2 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +Function Install-VisualStudio +{ + <# + .SYNOPSIS + A helper function to install Visual Studio. + + .DESCRIPTION + Prepare system environment, and install Visual Studio bootstrapper with selected workloads. + + .PARAMETER BootstrapperUrl + The URL from which the bootstrapper will be downloaded. Required parameter. + + .PARAMETER WorkLoads + The string that contain workloads that will be passed to the installer. + #> + + Param + ( + [Parameter(Mandatory)] + [String] $BootstrapperUrl, + [String] $WorkLoads + ) + + Write-Host "Downloading Bootstrapper ..." + $BootstrapperName = [IO.Path]::GetFileName($BootstrapperUrl) + $bootstrapperFilePath = Start-DownloadWithRetry -Url $BootstrapperUrl -Name $BootstrapperName + + try + { + Write-Host "Enable short name support on Windows needed for Xamarin Android AOT, defaults appear to have been changed in Azure VMs" + $shortNameEnableProcess = Start-Process -FilePath fsutil.exe -ArgumentList ('8dot3name', 'set', '0') -Wait -PassThru + + $shortNameEnableExitCode = $shortNameEnableProcess.ExitCode + if ($shortNameEnableExitCode -ne 0) + { + Write-Host "Enabling short name support on Windows failed. This needs to be enabled prior to VS 2017 install for Xamarin Andriod AOT to work." + exit $shortNameEnableExitCode + } + + Write-Host "Starting Install ..." 
+ $bootstrapperArgumentList = ('/c', $bootstrapperFilePath, $WorkLoads, '--quiet', '--norestart', '--wait', '--nocache' ) + $process = Start-Process -FilePath cmd.exe -ArgumentList $bootstrapperArgumentList -Wait -PassThru + + $exitCode = $process.ExitCode + if ($exitCode -eq 0 -or $exitCode -eq 3010) + { + Write-Host "Installation successful" + return $exitCode + } + else + { + $setupErrorLogPath = "$env:TEMP\dd_setup_*_errors.log" + if (Test-Path -Path $setupErrorLogPath) + { + $logErrors = Get-Content -Path $setupErrorLogPath -Raw + Write-Host "$logErrors" + } + + Write-Host "Non zero exit code returned by the installation process : $exitCode" + exit $exitCode + } + } + catch + { + Write-Host "Failed to install Visual Studio; $($_.Exception.Message)" + exit -1 + } +} + +function Get-VsCatalogJsonPath { + $instanceFolder = Get-Item "C:\ProgramData\Microsoft\VisualStudio\Packages\_Instances\*" | Select-Object -First 1 + return Join-Path $instanceFolder.FullName "catalog.json" +} + +function Get-VisualStudioPath { + return (Get-VSSetupInstance | Select-VSSetupInstance -Product *).InstallationPath +} + +function Get-VisualStudioPackages { + return (Get-VSSetupInstance | Select-VSSetupInstance -Product *).Packages +} + +function Get-VisualStudioComponents { + Get-VisualStudioPackages | Where-Object type -in 'Component', 'Workload' | + Sort-Object Id, Version | Select-Object @{n = 'Package'; e = {$_.Id}}, Version | + Where-Object { $_.Package -notmatch "[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}" } +} + +$workLoads = @( + "--add Microsoft.VisualStudio.Workload.VCTools" + "--includeOptional" + "--includeRecommended" + "--remove Component.CPython3.x64" +) +$workLoadsArgument = [String]::Join(" ", $workLoads) + +$releaseInPath = "Enterprise" +$subVersion = "17" +$bootstrapperUrl = "https://aka.ms/vs/${subVersion}/release/vs_${releaseInPath}.exe" + +# Install VS +Install-VisualStudio -BootstrapperUrl $bootstrapperUrl -WorkLoads 
$workLoadsArgument + +# Find the version of VS installed for this instance +# Only supports a single instance +$vsProgramData = Get-Item -Path "C:\ProgramData\Microsoft\VisualStudio\Packages\_Instances" +$instanceFolders = Get-ChildItem -Path $vsProgramData.FullName + +if ($instanceFolders -is [array]) +{ + Write-Host "More than one instance installed" + exit 1 +} + +$vsInstallRoot = Get-VisualStudioPath + +# Initialize Visual Studio Experimental Instance +& "$vsInstallRoot\Common7\IDE\devenv.exe" /RootSuffix Exp /ResetSettings General.vssettings /Command File.Exit + +# Updating content of MachineState.json file to disable autoupdate of VSIX extensions +$newContent = '{"Extensions":[{"Key":"1e906ff5-9da8-4091-a299-5c253c55fdc9","Value":{"ShouldAutoUpdate":false}},{"Key":"Microsoft.VisualStudio.Web.AzureFunctions","Value":{"ShouldAutoUpdate":false}}],"ShouldAutoUpdate":false,"ShouldCheckForUpdates":false}' +Set-Content -Path "$vsInstallRoot\Common7\IDE\Extensions\MachineState.json" -Value $newContent \ No newline at end of file diff --git a/windows-msvc-2022.pkr.js/scripts/runtime/helpers.ps1 b/windows-msvc-2022.pkr.js/scripts/runtime/helpers.ps1 new file mode 100644 index 0000000..a8135ff --- /dev/null +++ b/windows-msvc-2022.pkr.js/scripts/runtime/helpers.ps1 
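Review bot: `Install-VisualStudio` executes the bootstrapper it just downloaded into `$env:Temp` without any integrity check, and it launches it through `cmd.exe /c`, so the workload string additionally passes through cmd's argument parsing; verify the Authenticode signature first, e.g. `if ((Get-AuthenticodeSignature -FilePath $bootstrapperFilePath).Status -ne 'Valid') { throw "bootstrapper signature invalid" }`, and start the executable directly with `Start-Process -FilePath $bootstrapperFilePath -ArgumentList ($WorkLoads, '--quiet', '--norestart', '--wait', '--nocache') -Wait -PassThru`. The `exit` calls inside the function end the whole provisioning script instead of returning to the caller, which is presumably intended but deserves a comment such as `# exit (not return): a failed VS install must fail the whole packer build`. `Get-VisualStudioPath` and `Get-VisualStudioPackages` depend on `Get-VSSetupInstance` from the VSSetup module, which nothing in this patch installs; if it is expected to be present on the base image, say so in a comment next to those functions.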
@@ -0,0 +1,109 @@ +function Install-Binary +{ + <# + .SYNOPSIS + A helper function to install executables. + + .DESCRIPTION + Download and install .exe or .msi binaries from specified URL. + + .PARAMETER Url + The URL from which the binary will be downloaded. Required parameter. + + .PARAMETER Name + The Name with which binary will be downloaded. Required parameter. + + .PARAMETER ArgumentList + The list of arguments that will be passed to the installer. Required for .exe binaries. + + .EXAMPLE + Install-Binary -Url "https://go.microsoft.com/fwlink/p/?linkid=2083338" -Name "winsdksetup.exe" -ArgumentList ("/features", "+", "/quiet") + #> + + Param + ( + [Parameter(Mandatory)] + [String] $Url, + [Parameter(Mandatory)] + [String] $Name, + [String[]] $ArgumentList + ) + + Write-Host "Downloading $Name..." + $filePath = Start-DownloadWithRetry -Url $Url -Name $Name + + # MSI binaries should be installed via msiexec.exe + $fileExtension = ([System.IO.Path]::GetExtension($Name)).Replace(".", "") + if ($fileExtension -eq "msi") + { + $ArgumentList = ('/i', $filePath, '/QN', '/norestart') + $filePath = "msiexec.exe" + } + + try + { + Write-Host "Starting Install $Name..." 
+ $process = Start-Process -FilePath $filePath -ArgumentList $ArgumentList -Wait -PassThru + + $exitCode = $process.ExitCode + if ($exitCode -eq 0 -or $exitCode -eq 3010) + { + Write-Host "Installation successful" + } + else + { + Write-Host "Non zero exit code returned by the installation process: $exitCode" + exit $exitCode + } + } + catch + { + Write-Host "Failed to install the $fileExtension ${Name}: $($_.Exception.Message)" + exit 1 + } +} + +function Start-DownloadWithRetry +{ + Param + ( + [Parameter(Mandatory)] + [string] $Url, + [string] $Name, + [string] $DownloadPath = "${env:Temp}", + [int] $Retries = 20 + ) + + if ([String]::IsNullOrEmpty($Name)) { + $Name = [IO.Path]::GetFileName($Url) + } + + $filePath = Join-Path -Path $DownloadPath -ChildPath $Name + + #Default retry logic for the package. + while ($Retries -gt 0) + { + try + { + Write-Host "Downloading package from: $Url to path $filePath ." + (New-Object System.Net.WebClient).DownloadFile($Url, $filePath) + break + } + catch + { + Write-Host "There is an error during package downloading:`n $_" + $Retries-- + + if ($Retries -eq 0) + { + Write-Host "File can't be downloaded. Please try later or check that file exists by url: $Url" + exit 1 + } + + Write-Host "Waiting 30 seconds before retrying. Retries left: $Retries" + Start-Sleep -Seconds 30 + } + } + + return $filePath +} \ No newline at end of file diff --git a/windows-msvc-2022.pkr.js/scripts/runtime/sync-tipi-distro.ps1 b/windows-msvc-2022.pkr.js/scripts/runtime/sync-tipi-distro.ps1 new file mode 100644 index 0000000..22ae58a --- /dev/null +++ b/windows-msvc-2022.pkr.js/scripts/runtime/sync-tipi-distro.ps1 
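Review bot: `Start-DownloadWithRetry` returns whatever `WebClient.DownloadFile` wrote to `$env:Temp\$Name`, and `Install-Binary` then executes it, with no digest or signature check anywhere between the download and `Start-Process`; every installer baked into the image is trusted purely on its URL. An optional `-ExpectedSha256` parameter, checked with `Get-FileHash` before the path is returned, lets callers pin the artifacts they know while leaving callers without a known hash on the current behaviour (rewrite below). Both `exit 1` sites end the entire provisioning script from inside a helper, which is fine for a packer build but warrants a one-line comment saying so. `Install-Binary` has comment-based help while `Start-DownloadWithRetry` has none; it should get a matching block describing `-DownloadPath`, `-Retries` and the fixed 30-second backoff.
```powershell
function Start-DownloadWithRetry
{
    Param
    (
        [Parameter(Mandatory)]
        [string] $Url,
        [string] $Name,
        [string] $DownloadPath = "${env:Temp}",
        [int] $Retries = 20,
        [string] $ExpectedSha256
    )
    # … unchanged: name defaulting, $filePath, retry loop …

    # Refuse to hand back a file whose content does not match the pinned digest.
    if ($ExpectedSha256)
    {
        $actualSha256 = (Get-FileHash -Path $filePath -Algorithm SHA256).Hash
        if ($actualSha256 -ne $ExpectedSha256)
        {
            Remove-Item -Path $filePath -Force -ErrorAction SilentlyContinue
            Write-Host "Checksum mismatch for ${Name}: expected $ExpectedSha256, got $actualSha256"
            exit 1
        }
    }

    return $filePath
}
```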
@@ -0,0 +1,26 @@
+$source = "C:\.tipi"
+$dest = "D:\.tipi"
+
+# copy everything
+# ---------------
+
+# NOTE: this was terribly slow, taking a good 5minutes to "sync". Replaced with...
+# Copy-Item -Path $source -Destination $dest -Recurse
+
+# ... some ROBOCOPY goodness
+#
+# Details:
+# /S: Copies subdirectories
+# /E: includes empty directories.
+# /Z: Copies files in restartable mode
+# /ZB: Copies files in restartable mode. If file access is denied, switches to backup mode.
+# /R:5: retries on failed copies (instead of 1MIO)
+# /W:5: wait (in seconds) between retries
+# /NP: hides progress display
+# /MT:128: thread count for copies. Scales fairly well => higher is seemingly better (defaults to 8)
+# /log:*PATH* : redirects the output to a log file (huge perf gain here...)
+Robocopy /S /E /Z /ZB /R:5 /W:5 /NP /MT:128 /log:c:\temp\distro-copy.log $source $dest
+
+# make sure everyone can read/write *stuff*
+# -----------------------------------------
+icacls $dest /grant Users:F
\ No newline at end of file
diff --git a/windows-msvc-2022.pkr.js/scripts/setup-winrm.ps1 b/windows-msvc-2022.pkr.js/scripts/setup-winrm.ps1
new file mode 100644
index 0000000..b0098ea
--- /dev/null
+++ b/windows-msvc-2022.pkr.js/scripts/setup-winrm.ps1
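Review bot: `icacls $dest /grant Users:F` hands every local user Full control — including the right to change permissions and ownership — over the tipi distribution that later builds execute from, so any non-admin process on the image can replace tooling under `D:\.tipi`; Modify is enough for a writable cache, and, as far as I recall icacls semantics, an ACE without `(OI)(CI)` applies to the directory itself only and is not inherited by the copied files. The Robocopy exit status is also never checked: Robocopy reports failures with exit codes of 8 and above, and the script carries on to the permission step regardless. Suggested replacement for the last lines: `if ($LASTEXITCODE -ge 8) { throw "robocopy failed: exit code $LASTEXITCODE" }` followed by `icacls $dest /grant "Users:(OI)(CI)M"`.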
@@ -0,0 +1,40 @@
+Write-Output "Running User Data Script"
+Write-Host "(host) Running User Data Script"
+
+Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
+
+# Don't set this before Set-ExecutionPolicy as it throws an error
+$ErrorActionPreference = "stop"
+
+# Remove HTTP listener
+Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
+
+$Cert = New-SelfSignedCertificate `
+ -CertstoreLocation Cert:\LocalMachine\My `
+ -DnsName "packer"
+
+New-Item `
+ -Path WSMan:\LocalHost\Listener `
+ -Transport HTTPS `
+ -Address * `
+ -CertificateThumbPrint $Cert.Thumbprint `
+ -Force
+
+# WinRM
+write-output "Setting up WinRM"
+write-host "(host) setting up WinRM"
+
+cmd.exe /c winrm quickconfig -q
+cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
+cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
+cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
+cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
+cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
+cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
+cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
+cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
+cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
+cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
+cmd.exe /c net stop winrm
+cmd.exe /c sc config winrm start= auto
+cmd.exe /c net start winrm
\ No newline at end of file
diff --git a/windows-msvc-2022.pkr.js/scripts/update-root-certificate-store.ps1 b/windows-msvc-2022.pkr.js/scripts/update-root-certificate-store.ps1
new file mode 100644
index 0000000..4ea3291
--- /dev/null
+++ b/windows-msvc-2022.pkr.js/scripts/update-root-certificate-store.ps1
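Review bot: the `winrm set` lines that enable `AllowUnencrypted="true"` on both service and client and `Basic="true"` on both auth sections are not needed by this build — the template connects with `winrm_use_ssl: true` to the HTTPS listener created a few lines above — and nothing in the template resets WinRM configuration before the sysprep step, so these settings very likely survive into the published image together with `Set-ExecutionPolicy Unrestricted -Scope LocalMachine`. Drop the four `AllowUnencrypted`/`Basic` lines (keep `CredSSP` only if a provisioner actually depends on it), or reset them in a final provisioner before sysprep, and replace the legacy `netsh firewall add portopening TCP 5986` with an `advfirewall` rule scoped to the builder's address range. A comment such as `# HTTPS listener only: the packer communicator uses winrm_use_ssl, no plaintext or basic-auth fallback is configured` would document the intent for the next editor.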
@@ -0,0 +1,52 @@
+Set-StrictMode -Version latest
+$ErrorActionPreference = "Stop"
+
+$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
+if (!$RunningAsAdmin) {
+ Write-Error "Must be executed in Administrator clevel shell."
+ exit 1
+}
+
+# Force TLS1.2
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+Try {
+
+ #$storeFile = "c:\Temp\roots.sst"
+ #md c:\Temp
+ #certutil.exe -generateSSTFromWU $storeFile
+ #$sst = ( Get-ChildItem -Path $storeFile )
+ #$sst | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
+ #updroots.exe roots.sst
+
+ Write-Output "Preparing fetching root CA info from Windows Update"
+
+ $certsPath = "c:\Temp\certs"
+ $rootCertsPath = "c:\Temp\certs\root.sst"
+ md $certsPath
+
+ Write-Output "Fetching now..."
+ #certutil -syncwithWU $certsPath
+ certutil.exe -generateSSTFromWU $rootCertsPath
+
+ Write-Output "Importing certificate updates into machine root store"
+ $sst = ( Get-ChildItem -Path $rootCertsPath )
+ $sst | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
+ #$files = Get-ChildItem -Path 'C:\certs\*' -Include '*.crt'
+
+ #Foreach ($file in $files) {
+ # $importfile = "$file"
+ # certutil -addstore -f Root "$importfile"
+ # Write-Output $importfile
+ #}
+
+ Write-Output "Cleaning up disk"
+ rd $certsPath -Recurse
+
+} Catch {
+ Write-Error "Failed to update the root certificate store"
+ $host.SetShouldExit(-1)
+ throw
+}
+
+Write-Output "Updated the root certificate store from Windows update"
\ No newline at end of file
diff --git a/windows-msvc-2022.pkr.js/windows-msvc-2022.pkr.js.mustache b/windows-msvc-2022.pkr.js/windows-msvc-2022.pkr.js.mustache
new file mode 100644
index 0000000..ab1b63e
--- /dev/null
+++ b/windows-msvc-2022.pkr.js/windows-msvc-2022.pkr.js.mustache
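Review bot: the admin-check message reads `"Must be executed in Administrator clevel shell."`, a typo for `"Must be executed in Administrator level shell."` (install-vcredist.ps1 above spells it correctly). The script also relies on the `md`/`rd` aliases; aliases are discouraged in non-interactive scripts, and `md $certsPath` without `-Force` should fail under `$ErrorActionPreference = "Stop"` if `c:\Temp\certs` is left over from an earlier run — `New-Item -ItemType Directory -Force -Path $certsPath` and `Remove-Item -Recurse -Force $certsPath` would match the style used in install-vcredist.ps1. The large commented-out alternative (`#$storeFile …` through `#}`) should be deleted or reduced to a single line stating why `-generateSSTFromWU` plus `Import-Certificate` was chosen over `certutil -addstore`.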
@@ -0,0 +1,105 @@ +{ + "variables": { + "client_id": "{{client_id}}", + "client_secret": "{{client_secret}}", + "subscription_id": "{{subscription_id}}", + "tenant_id": "{{tenant_id}}", + "resource_group": "{{resource_group_name}}", + "build_resource_group": "{{build_resource_group_name}}", + "image_name": "{{output_image_name}}", + "shared_image_gallery_resource_group": "tipi-images", + "shared_image_gallery_name": "tipi_image_gallery", + "shared_image_gallery_image_version": "0.0.1" + }, + {{! Changing the mustache delimiters to <% ... %> in order to preserve function of the packer-templating which uses curlies as well }} + {{=<% %>=}} + "sensitive-variables": [ + "install_password", + "client_secret" + ], + "builders": [ + { + "name": "azure", + "type": "azure-arm", + "client_id": "{{user `client_id`}}", + "client_secret": "{{user `client_secret`}}", + "subscription_id": "{{user `subscription_id`}}", + "tenant_id": "{{user `tenant_id`}}", + "managed_image_resource_group_name": "{{user `resource_group`}}", + "build_resource_group_name": "{{user `build_resource_group`}}", + "os_type": "Windows", + "managed_image_name": "{{user `image_name`}}", + "vm_size": "Standard_D48d_v4", + "image_publisher": "MicrosoftWindowsServer", + "image_offer": "WindowsServer", + "image_sku": "2022-Datacenter", + "communicator": "winrm", + "winrm_use_ssl": true, + "winrm_insecure": true, + "winrm_timeout": "30m", + "winrm_username": "packer", + "shared_image_gallery_destination": { + "resource_group": "{{user `shared_image_gallery_resource_group`}}", + "gallery_name": "{{user `shared_image_gallery_name`}}", + "image_name": "{{user `image_name`}}", + "image_version": "{{user `shared_image_gallery_image_version`}}", + "replication_regions": ["Central US", "East US", "North Europe", "West Europe"], + "storage_account_type": "Standard_LRS" + }, + "shared_image_gallery_timeout": "1h30m", + "shared_image_gallery_replica_count": 1, + "azure_tags": { + "tipi_deployment": "<% tipi_deployment 
%>", + "tipi_userid": "<% tipi_userid %>" + } + } + ], + "provisioners": [ + { + "type": "file", + "source": "./scripts/runtime/sync-tipi-distro.ps1", + "destination": "c:\\Temp\\sync-tipi-distro.ps1" + }, + { + "type": "file", + "source": "./scripts/runtime/helpers.ps1", + "destination": "c:\\Temp\\helpers.ps1" + }, + { + "type": "powershell", + "elevated_user": "packer", + "elevated_password": "{{.WinRMPassword}}", + "scripts": [ + "./scripts/fix-tls.ps1", + "./scripts/update-root-certificate-store.ps1", + "./scripts/install-nuget.ps1", + "./scripts/install-openssh.ps1", + "./scripts/install-git.ps1", + "./scripts/install-vcredist.ps1", + "./scripts/install-vs.ps1", + "./scripts/disable-windows-update.ps1", + "./scripts/disable-windows-defender.ps1" + ] + }, + { + "type": "windows-restart" + }, + { + "type": "powershell", + "elevated_user": "packer", + "elevated_password": "{{.WinRMPassword}}", + "environment_vars": ["TIPI_INSTALL_VERSION={{tipi_cli_version}}"], + "scripts": [ + "./scripts/install-tipi.ps1" + ] + }, + { + "type": "powershell", + "inline": [ + "& $env:SystemRoot\\System32\\Sysprep\\Sysprep.exe /oobe /generalize /quiet /quit", + "while($true) { $imageState = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State | Select ImageState; if($imageState.ImageState -ne 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE') { Write-Output $imageState.ImageState; Start-Sleep -s 10 } else { break } }" + ] + } + ] + ,"_tipi_version":"{{tipi_version_hash}}" +} \ No newline at end of file From 53ffe525d0bf0cd1207138368321d2034040e4f8 Mon Sep 17 00:00:00 2001 
From: Yannic Staudt Date: Wed, 23 Aug 2023 19:06:03 +0200 Subject: [PATCH 2/2] :wrench: fixing the new environment image definitions --- windows-msvc-2019.pkr.js/scripts/install-vs.ps1 | 5 +++-- ...vc-2019.pkr.js.mustache => windows-msvc-2019.js.mustache} | 0 windows-msvc-2022.pkr.js/scripts/install-vs.ps1 | 3 ++- ...vc-2022.pkr.js.mustache => windows-msvc-2022.js.mustache} | 0 4 files changed, 5 insertions(+), 3 deletions(-) rename windows-msvc-2019.pkr.js/{windows-msvc-2019.pkr.js.mustache => windows-msvc-2019.js.mustache} (100%) rename windows-msvc-2022.pkr.js/{windows-msvc-2022.pkr.js.mustache => windows-msvc-2022.js.mustache} (100%) diff --git a/windows-msvc-2019.pkr.js/scripts/install-vs.ps1 b/windows-msvc-2019.pkr.js/scripts/install-vs.ps1 index 2b6c508..f569847 100644 --- a/windows-msvc-2019.pkr.js/scripts/install-vs.ps1 +++ b/windows-msvc-2019.pkr.js/scripts/install-vs.ps1 @@ -98,14 +98,15 @@ function Get-VisualStudioComponents { } $workLoads = @( - "--add Microsoft.VisualStudio.Workload.VCTools" + "--add Microsoft.VisualStudio.Workload.VCTools" + "--add Microsoft.VisualStudio.Workload.NativeDesktop" "--includeOptional" "--includeRecommended" "--remove Component.CPython3.x64" ) $workLoadsArgument = [String]::Join(" ", $workLoads) -$releaseInPath = "Enterprise" +$releaseInPath = "BuildTools" $subVersion = "16" $bootstrapperUrl = "https://aka.ms/vs/${subVersion}/release/vs_${releaseInPath}.exe" diff --git a/windows-msvc-2019.pkr.js/windows-msvc-2019.pkr.js.mustache b/windows-msvc-2019.pkr.js/windows-msvc-2019.js.mustache similarity index 100% rename from windows-msvc-2019.pkr.js/windows-msvc-2019.pkr.js.mustache rename to windows-msvc-2019.pkr.js/windows-msvc-2019.js.mustache diff --git a/windows-msvc-2022.pkr.js/scripts/install-vs.ps1 b/windows-msvc-2022.pkr.js/scripts/install-vs.ps1 index ad9e581..f50d0d0 100644 --- a/windows-msvc-2022.pkr.js/scripts/install-vs.ps1 +++ b/windows-msvc-2022.pkr.js/scripts/install-vs.ps1 
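Review bot: switching `$releaseInPath` to `"BuildTools"` breaks the tail of the same script, which (as added for the 2022 variant in the first patch) launches `$vsInstallRoot\Common7\IDE\devenv.exe` with `/RootSuffix Exp` and writes `Common7\IDE\Extensions\MachineState.json`; the Build Tools SKU ships no devenv.exe or IDE extensions folder, so that step can no longer succeed and the two lines should be removed or guarded with `if ($releaseInPath -ne "BuildTools") { … }`. The same concern applies to the second hunk below for windows-msvc-2022.pkr.js/scripts/install-vs.ps1. The added `--add Microsoft.VisualStudio.Workload.NativeDesktop` is, as far as I know, an IDE workload that the Build Tools catalog does not offer (its C++ workload is `VCTools`, already listed), so the installer will probably warn and ignore it — check the installer log after the first build and drop the line if that is confirmed. The enclosing script continues outside the hunk on both sides.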
@@ -99,13 +99,14 @@ function Get-VisualStudioComponents {
 $workLoads = @(
 "--add Microsoft.VisualStudio.Workload.VCTools"
+ "--add Microsoft.VisualStudio.Workload.NativeDesktop"
 "--includeOptional"
 "--includeRecommended"
 "--remove Component.CPython3.x64"
 )
 $workLoadsArgument = [String]::Join(" ", $workLoads)
-$releaseInPath = "Enterprise"
+$releaseInPath = "BuildTools"
 $subVersion = "17"
 $bootstrapperUrl = "https://aka.ms/vs/${subVersion}/release/vs_${releaseInPath}.exe"
diff --git a/windows-msvc-2022.pkr.js/windows-msvc-2022.pkr.js.mustache b/windows-msvc-2022.pkr.js/windows-msvc-2022.js.mustache
similarity index 100%
rename from windows-msvc-2022.pkr.js/windows-msvc-2022.pkr.js.mustache
rename to windows-msvc-2022.pkr.js/windows-msvc-2022.js.mustache