kit

bootstrap.ps1.in (3602B)

---

 # kit guest bootstrap, run once by FirstLogonCommands from the seed media.
 # Brings up networking and an SSH server with no Windows Update dependency:
 #   1. Install the virtio NetKVM network driver from the attached virtio-win CD.
 #   2. Install OpenSSH server from the OpenSSH-ARM64.zip bundled on the seed CD.
 #   3. Authorize the host's SSH key and open the firewall.
 # The AT-sign placeholders below are substituted at seed-build time.
 $ErrorActionPreference = 'Continue'
 Start-Transcript -Path C:\kit-bootstrap.log -Append | Out-Null
 
 function Find-OnAnyDrive([string]$rel) {
   foreach ($v in (Get-PSDrive -PSProvider FileSystem -ErrorAction SilentlyContinue)) {
     $p = Join-Path $v.Root $rel
     if (Test-Path -LiteralPath $p) { return (Get-Item -LiteralPath $p).FullName }
   }
   return $null
 }
 
 try {
   # --- 1. virtio network driver (NetKVM) ---------------------------------
   $netinf = Find-OnAnyDrive 'NetKVM\w11\ARM64\netkvm.inf'
   if ($netinf) {
     Write-Output "kit: installing NetKVM driver from $netinf"
     & pnputil.exe /add-driver $netinf /install
   } else {
     Write-Output 'kit: WARNING NetKVM driver not found on any drive'
   }
 
   # --- 2. OpenSSH server (offline, from the seed CD) ---------------------
   $zip = Join-Path $PSScriptRoot 'OpenSSH-ARM64.zip'
   $dest = 'C:\Program Files\OpenSSH'
   if (Test-Path -LiteralPath $zip) {
     Write-Output "kit: installing OpenSSH from $zip"
     if (Test-Path $dest) { Remove-Item $dest -Recurse -Force }
     Expand-Archive -LiteralPath $zip -DestinationPath 'C:\Program Files' -Force
     if (Test-Path 'C:\Program Files\OpenSSH-ARM64') {
       Rename-Item 'C:\Program Files\OpenSSH-ARM64' $dest
     }
     & powershell -NoProfile -ExecutionPolicy Bypass -File (Join-Path $dest 'install-sshd.ps1')
   } else {
     Write-Output 'kit: OpenSSH zip not found; trying Windows capability'
     Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 -ErrorAction SilentlyContinue
   }
 
   Set-Service -Name sshd -StartupType Automatic
   New-NetFirewallRule -Name 'kit-sshd' -DisplayName 'kit OpenSSH Server' `
     -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 `
     -ErrorAction SilentlyContinue | Out-Null
 
   # --- 3. Authorize the host key ----------------------------------------
   $pub = @'
 @SSH_PUBKEY@
 '@
   $pub = $pub.Trim()
   $sshProgramData = 'C:\ProgramData\ssh'
   New-Item -ItemType Directory -Force -Path $sshProgramData | Out-Null
   # sshd treats members of the Administrators group specially: it reads
   # administrators_authorized_keys (not the per-user file) and requires the
   # file be writable only by Administrators/SYSTEM.
   $ak = Join-Path $sshProgramData 'administrators_authorized_keys'
   # Write with a trailing newline (no -NoNewline) so a later append can't
   # concatenate onto this key's line.
   Set-Content -LiteralPath $ak -Value $pub -Encoding ascii
   icacls $ak /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
 
   $userSsh = 'C:\Users\@KIT_USER@\.ssh'
   New-Item -ItemType Directory -Force -Path $userSsh | Out-Null
   Set-Content -LiteralPath (Join-Path $userSsh 'authorized_keys') -Value $pub -Encoding ascii
 
   Start-Service sshd -ErrorAction SilentlyContinue
   Restart-Service sshd -ErrorAction SilentlyContinue
 
   Set-Content -LiteralPath C:\kit-ready.txt `
     -Value ('kit-ready ' + (Get-Date -Format o)) -Encoding ascii
   Write-Output 'kit: bootstrap complete'
 } catch {
   Write-Output ('kit: bootstrap ERROR ' + ($_ | Out-String))
   $_ | Out-String | Set-Content -LiteralPath C:\kit-bootstrap-error.log
 } finally {
   Stop-Transcript | Out-Null
 }