Merge pull request #2 from ajcarberry/feature-initial

Feature initial. False start on the last merge. This is actually the first commit with working code.
ajcarberry · Jul 2, 2019 · 1948b1d · 1948b1d
2 parents f53b54d + ba005bc
commit 1948b1d
Show file tree

Hide file tree

Showing 22 changed files with 370 additions and 218 deletions.
diff --git a/README.md b/README.md
@@ -1 +1,70 @@
-# packer-windows-2019
+# Packer - Windows Server 2019
+
+This build configuration installs and configures Windows Server 2019 (both Base and Core) x86_64 base image using a fairly standard preseed config file, some shell scripts, and Ansible, and then generates both a Vagrant box file for VirtualBox and an AWS AMI.
+
+This can be modified to use more Ansible roles, plays, and included playbooks to fully configure (or partially) configure a box file suitable for deployment for development environments. By default, the image created will have Ansible and Docker pre-installed
+
+## Requirements
+
+The following software must be installed/present on your local machine before you can use Packer to build the Vagrant box file:
+
+  - [Packer](http://www.packer.io/)
+  - [Vagrant](http://vagrantup.com/)
+  - [VirtualBox](https://www.virtualbox.org/)
+  - [Ansible](http://docs.ansible.com/intro_installation.html)
+
+> **Note**: By default, this config builds an AMI. For Packer to communicate with AWS, you must also setup your AWS access key and secret key using a [shared credential file](https://www.packer.io/docs/builders/amazon.html#specifying-amazon-credentials); remove the `amazon-ebs` builder from the Packer config or include the `-only=virtualbox-iso` flag when running a packer build.
+
+> **Note**: This config includes a post-processor that pushes the template box to Vagrant Cloud. For this to work you must set a `VAGRANT_CLOUD_TOKEN` environment variable; remove the `vagrant-cloud` post-processor from the Packer config to build the box locally and not push it to Vagrant Cloud.
+
+## Configuration Variables
+
+Available variables are listed below:
+
+version: ''
+
+The version variable is used by Packer to help with tagging and naming. This is a cosmetic functionality to help you track you image version history. As seen below, this can be defined upon execution of the packer build command.  
+
+profile: 'default'
+
+The AWS profile to build the AMI using. As mentioned above, for Packer to communicate with AWS, you must also setup your AWS access key and secret key using a [shared credential file](https://www.packer.io/docs/builders/amazon.html#specifying-amazon-credentials). Unless overridden upon execution of the packer build command, we will use the credentials and config defined for your default profile,
+
+## Usage
+
+Make sure all the required software (listed above) is installed, then cd to the directory containing this README.md file, and run:
+
+    $ packer build -var 'profile=customprofile' -var 'version=customversion' win2019-core.json
+
+or
+
+    $ packer build -var 'profile=customprofile' -var 'version=customversion' win2019-gui.json
+
+After a few minutes, Packer should tell you the box was generated successfully, and the AMI was uploaded to AWS.
+
+## Testing built boxes
+
+There's an included Vagrantfile that allows quick testing of the built Vagrant boxes. From this same directory, run the following command after building the box:
+
+    $ vagrant up
+
+> **Note**: If Vagrant runs into any issues mounting the VirtualBox shared folders, you can try to work around this issue by install the vagrant-vbguest plugin - `vagrant plugin install vagrant-vbguest`
+
+## License
+
+GNU GPL v3
+
+## Author Information
+
+Alex Carberry
+
+## Future Features
+
+  - Install virtualization quest tools
+  - Compatible as an Ansible host (client)
+  - "Cleanup"
+  - "Debloat" the OS
+  - Configure Windows Updates
+  - Configure Windows Defender
+  - Configure RDP
+  - Manage UAC
+  - Disable screensaver
diff --git a/Vagrantfile b/Vagrantfile
@@ -0,0 +1,29 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "file://builds/windows-2019.box"
+  #config.vm.box = "file://builds/windows-2019-core.box"
+  config.vm.define "packerWindows" do |virtualbox|
+  end
+
+  config.vm.network "private_network", ip: "172.16.1.5"
+
+  config.vm.provider :virtualbox do |vb|
+    vb.gui = false
+    vb.name = "packerWindows"
+    vb.memory = 2048
+    vb.cpus = 1
+    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
+    vb.customize ["modifyvm", :id, "--ioapic", "on"]
+  end
+
+  # Enable provisioning with Ansible
+  config.vm.provision "ansible_local" do |ansible|
+    ansible.become = true
+    ansible.galaxy_roles_path = "/etc/ansible/roles"
+    ansible.galaxy_command = "sudo ansible-galaxy install --role-file=%{role_file} --roles-path=%{roles_path} --force"
+    ansible.galaxy_role_file = "requirements.yml"
+    ansible.playbook = "ansible/main.yml"
+  end
+end
diff --git a/ansible/main.yml b/ansible/main.yml
@@ -4,8 +4,7 @@
   gather_facts: yes
 
   roles:
-    -
+    - ajcarberry.packer-windows
 
   tasks:
     - name: Install standalone packages.
-
diff --git a/requirements.yml b/requirements.yml
@@ -0,0 +1,5 @@
+---
+
+- src: https://github.com/ajcarberry/ansible-role-packer-windows
+  version: master
+  name: ajcarberry.packer-windows
diff --git a/scripts/compile-dotnet-assemblies.bat b/scripts/compile-dotnet-assemblies.bat
diff --git a/scripts/debloat-windows.ps1 b/scripts/debloat-windows.ps1
diff --git a/scripts/dis-updates.bat b/scripts/dis-updates.bat
diff --git a/scripts/disable-screensaver.ps1 b/scripts/disable-screensaver.ps1
diff --git a/scripts/disable-winrm.ps1 b/scripts/disable-winrm.ps1
@@ -1,8 +1,10 @@
+# First, make sure WinRM can't be connected to
 netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block
-netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
-$winrmService = Get-Service -Name WinRM
-if ($winrmService.Status -eq "Running"){
-    Disable-PSRemoting -Force
-}
-Stop-Service winrm
+
+# Delete any existing WinRM listeners
+winrm delete winrm/config/listener?Address=*+Transport=HTTP  2>$Null
+winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null
+
+#Stop WinRM Service
+Stop-Service -Name WinRM
 Set-Service -Name winrm -StartupType Disabled
diff --git a/scripts/enable-rdp.bat b/scripts/enable-rdp.bat
diff --git a/scripts/enable-winrm.bat b/scripts/enable-winrm.bat
diff --git a/scripts/enable-winrm.ps1 b/scripts/enable-winrm.ps1
@@ -5,13 +5,22 @@ $Connections | ForEach-Object { $_.GetNetwork().SetCategory(1) }
 Enable-PSRemoting -Force
 winrm quickconfig -q
 winrm quickconfig -transport:http
-winrm set winrm/config '@{MaxTimeoutms="1800000"}'
+winrm set winrm/config '@{MaxTimeoutms="7200000"}'
 winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="800"}'
 winrm set winrm/config/service '@{AllowUnencrypted="true"}'
+winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="12000"}'
 winrm set winrm/config/service/auth '@{Basic="true"}'
 winrm set winrm/config/client/auth '@{Basic="true"}'
 winrm set winrm/config/listener?Address=*+Transport=HTTP '@{Port="5985"}'
+
+# Configure UAC to allow privilege elevation in remote shells
+$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+$Setting = 'LocalAccountTokenFilterPolicy'
+Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
+
+# Configure and restart the WinRM Service; Enable the required firewall exception
+Stop-Service -Name WinRM
+Set-Service -Name WinRM -StartupType Automatic
 netsh advfirewall firewall set rule group="Windows Remote Administration" new enable=yes
-netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=allow
-Set-Service winrm -startuptype "auto"
-Restart-Service winrm
+netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
+Start-Service -Name WinRM
diff --git a/scripts/set-winrm-automatic.bat b/scripts/set-winrm-automatic.bat
diff --git a/scripts/uac-disable.bat b/scripts/uac-disable.bat
diff --git a/scripts/uac-enable.bat b/scripts/uac-enable.bat
diff --git a/scripts/vm-guest-tools.bat b/scripts/vm-guest-tools.bat
diff --git a/floppy/autounattend.xml → unattended/base/autounattend.xml b/floppy/autounattend.xml → unattended/base/autounattend.xml
diff --git a/floppy/bootstrap.txt → unattended/bootstrap.txt b/floppy/bootstrap.txt → unattended/bootstrap.txt
@@ -1,8 +1,4 @@
 <powershell>
-# Set administrator password
-net user Administrator SuperS3cr3t!
-wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
-
 # First, make sure WinRM can't be connected to
 netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block
 
@@ -12,7 +8,7 @@ winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null
 
 # Create a new WinRM listener and configure
 winrm create winrm/config/listener?Address=*+Transport=HTTP
-winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
+winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
 winrm set winrm/config '@{MaxTimeoutms="7200000"}'
 winrm set winrm/config/service '@{AllowUnencrypted="true"}'
 winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="12000"}'
@@ -27,6 +23,7 @@ Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
 # Configure and restart the WinRM Service; Enable the required firewall exception
 Stop-Service -Name WinRM
 Set-Service -Name WinRM -StartupType Automatic
+netsh advfirewall firewall set rule group="Windows Remote Administration" new enable=yes
 netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
 Start-Service -Name WinRM
 </powershell>