d85906f18c
- Skip 'netbird up --setup-key' если хост уже Connected к tenant (иначе создаётся дубль peer) - Залить публичный ed25519-ключ Mac в C:\\ProgramData\\ssh\\administrators_authorized_keys + правильные ACL (SYSTEM+Administrators) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
180 lines
8.9 KiB
PowerShell
180 lines
8.9 KiB
PowerShell
# netbird-claude-install.ps1
|
||
# Установка Netbird на Windows + регистрация в tenant netbird.io (группа Claude-Diag)
|
||
# + создание пользователя claude/Kl@udeD1ag!2026
|
||
# + OpenSSH Server, RDP, WinRM для удалённой диагностики через Netbird.
|
||
#
|
||
# Запуск: PowerShell от администратора
|
||
# iwr -useb https://git.dttb.ru/oleg/knowledge-base/raw/branch/main/snippets/netbird-claude-install.ps1 | iex
|
||
# Или скачать и выполнить локально:
|
||
# powershell -ExecutionPolicy Bypass -File .\netbird-claude-install.ps1
|
||
#
|
||
# Идемпотентно: можно запускать повторно.
|
||
|
||
$ErrorActionPreference = "Continue" # не падаем на одной ошибке — нужен максимум сделанного
|
||
|
||
# ===== TLS 1.2+ (PowerShell 5.1 на 2012R2/2016 по умолчанию TLS 1.0) =====
|
||
try {
|
||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]'Tls12,Tls13'
|
||
} catch {
|
||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||
}
|
||
|
||
# ===== Параметры =====
|
||
$SETUP_KEY = "83301E74-6F86-4CBD-AF77-0C65730103CA" # Claude-Diag, истекает 2026-05-21
|
||
$NETBIRD_CIDR = "100.70.0.0/16" # адресное пространство tenant'а
|
||
$NETBIRD_EXE = "C:\Program Files\Netbird\netbird.exe"
|
||
$CLAUDE_USER = "claude"
|
||
$CLAUDE_PASS = "Kl@udeD1ag!2026"
|
||
|
||
# ===== 1. Проверка прав =====
|
||
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
|
||
if (-not $isAdmin) {
|
||
Write-Error "Нужен PowerShell от администратора."
|
||
exit 1
|
||
}
|
||
|
||
Write-Host "=== Netbird Claude-Diag setup ===" -ForegroundColor Cyan
|
||
|
||
# ===== 2. Установка Netbird =====
|
||
if (-not (Test-Path $NETBIRD_EXE)) {
|
||
Write-Host "[1/7] Скачиваю Netbird MSI..."
|
||
$msi = "$env:TEMP\netbird.msi"
|
||
Invoke-WebRequest -UseBasicParsing -Uri "https://pkgs.netbird.io/windows/x64" -OutFile $msi
|
||
Write-Host "[2/7] Устанавливаю (silent)..."
|
||
Start-Process msiexec.exe -ArgumentList "/i `"$msi`" /qn" -Wait
|
||
Start-Sleep 5
|
||
} else {
|
||
Write-Host "[1-2/7] Netbird уже установлен: $NETBIRD_EXE"
|
||
}
|
||
|
||
# ===== 3. Регистрация =====
|
||
# Если уже подключён к tenant (например, через свой setup-key в другой группе) — не перерегистрировать
|
||
$nbStatus = & $NETBIRD_EXE status 2>$null | Out-String
|
||
if ($nbStatus -match "Management:\s*Connected" -or $nbStatus -match "Signal:\s*Connected") {
|
||
Write-Host "[3/7] Netbird уже подключён, перерегистрацию пропускаем"
|
||
} else {
|
||
Write-Host "[3/7] Регистрация в tenant с Claude-Diag ключом..."
|
||
& $NETBIRD_EXE up --setup-key $SETUP_KEY 2>&1 | Out-Host
|
||
Start-Sleep 3
|
||
}
|
||
|
||
# ===== 4. Пользователь claude =====
|
||
Write-Host "[4/7] Создаю/обновляю пользователя $CLAUDE_USER..."
|
||
$securePass = ConvertTo-SecureString $CLAUDE_PASS -AsPlainText -Force
|
||
$existing = Get-LocalUser -Name $CLAUDE_USER -ErrorAction SilentlyContinue
|
||
if (-not $existing) {
|
||
New-LocalUser -Name $CLAUDE_USER -Password $securePass -PasswordNeverExpires:$true `
|
||
-AccountNeverExpires:$true -UserMayNotChangePassword:$true `
|
||
-FullName "Claude Diagnostics" -Description "Remote diagnostics via Netbird" | Out-Null
|
||
} else {
|
||
Set-LocalUser -Name $CLAUDE_USER -Password $securePass -PasswordNeverExpires:$true
|
||
}
|
||
# Группа Administrators — пробуем оба варианта (en-US и ru-RU имена)
|
||
foreach ($grp in @("Administrators","Администраторы")) {
|
||
try {
|
||
Add-LocalGroupMember -Group $grp -Member $CLAUDE_USER -ErrorAction Stop 2>$null
|
||
} catch {
|
||
# member already in group или группа не та локаль — ок
|
||
}
|
||
}
|
||
# Через SID — самый надёжный способ для русской Windows
|
||
try {
|
||
$adminGroup = (Get-LocalGroup | Where-Object { $_.SID -eq "S-1-5-32-544" }).Name
|
||
Add-LocalGroupMember -Group $adminGroup -Member $CLAUDE_USER -ErrorAction SilentlyContinue
|
||
} catch {}
|
||
|
||
# ===== 5. RDP =====
|
||
Write-Host "[5/7] Включаю RDP..."
|
||
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0 -ErrorAction SilentlyContinue
|
||
Enable-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue
|
||
|
||
# ===== 6. WinRM + OpenSSH Server =====
|
||
Write-Host "[6/7] WinRM + OpenSSH Server..."
|
||
# Сначала перевести Public-сети в Private (иначе Set-Item WSMan ругается)
|
||
try {
|
||
Get-NetConnectionProfile -ErrorAction SilentlyContinue | `
|
||
Where-Object { $_.NetworkCategory -eq 'Public' } | `
|
||
Set-NetConnectionProfile -NetworkCategory Private -ErrorAction SilentlyContinue
|
||
} catch {}
|
||
try {
|
||
Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null
|
||
} catch {
|
||
try { winrm quickconfig -force -q | Out-Null } catch {}
|
||
}
|
||
try { Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true -Force -ErrorAction SilentlyContinue } catch {}
|
||
try { Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $true -Force -ErrorAction SilentlyContinue } catch {}
|
||
# LocalAccountTokenFilterPolicy — чтобы локальный admin claude мог в WinRM
|
||
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
|
||
-Name "LocalAccountTokenFilterPolicy" -Value 1 -PropertyType DWord -Force | Out-Null
|
||
|
||
# OpenSSH Server (Win10 1809+ / Win11 — встроен как Capability)
|
||
try {
|
||
$sshCap = Get-WindowsCapability -Online -Name "OpenSSH.Server*" -ErrorAction SilentlyContinue | Select-Object -First 1
|
||
if ($sshCap -and $sshCap.State -ne "Installed") {
|
||
Add-WindowsCapability -Online -Name $sshCap.Name | Out-Null
|
||
}
|
||
Set-Service -Name sshd -StartupType Automatic -ErrorAction SilentlyContinue
|
||
Start-Service -Name sshd -ErrorAction SilentlyContinue
|
||
} catch {
|
||
Write-Host " OpenSSH установка не удалась (возможно домашняя редакция Windows)" -ForegroundColor Yellow
|
||
}
|
||
|
||
# Установить дефолтный shell на PowerShell для удобства
|
||
try {
|
||
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell `
|
||
-Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force | Out-Null
|
||
} catch {}
|
||
|
||
# Mac-ключ Олега в administrators_authorized_keys (для админов sshd читает только этот файл)
|
||
$macKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPonNRAAJRK5wISltjR65MmeP7fQjf5HmYdQD9mlZ07F ai@mac-20260112"
|
||
$authKeys = "C:\ProgramData\ssh\administrators_authorized_keys"
|
||
try {
|
||
if (-not (Test-Path "C:\ProgramData\ssh")) {
|
||
New-Item -ItemType Directory -Path "C:\ProgramData\ssh" -Force | Out-Null
|
||
}
|
||
$current = if (Test-Path $authKeys) { Get-Content $authKeys -Raw -ErrorAction SilentlyContinue } else { "" }
|
||
if ($current -notmatch [regex]::Escape($macKey)) {
|
||
Add-Content -Path $authKeys -Value $macKey -Encoding ASCII
|
||
}
|
||
# Жёсткие права: только SYSTEM и Administrators (требование sshd для admin-ключей)
|
||
icacls $authKeys /inheritance:r /grant "SYSTEM:F" /grant "BUILTIN\Administrators:F" 2>&1 | Out-Null
|
||
} catch {
|
||
Write-Host " Не удалось установить Mac-ключ в administrators_authorized_keys" -ForegroundColor Yellow
|
||
}
|
||
|
||
# ===== 7. Firewall rules — только для NetBird CIDR =====
|
||
Write-Host "[7/7] Firewall rules для $NETBIRD_CIDR..."
|
||
$rules = @(
|
||
@{Name = "Claude-Diag-RDP"; Port = 3389},
|
||
@{Name = "Claude-Diag-WinRM-HTTP"; Port = 5985},
|
||
@{Name = "Claude-Diag-WinRM-HTTPS";Port = 5986},
|
||
@{Name = "Claude-Diag-SSH"; Port = 22}
|
||
)
|
||
foreach ($r in $rules) {
|
||
Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
|
||
New-NetFirewallRule -DisplayName $r.Name `
|
||
-Direction Inbound -Protocol TCP -LocalPort $r.Port `
|
||
-RemoteAddress $NETBIRD_CIDR -Action Allow `
|
||
-Profile Any | Out-Null
|
||
}
|
||
|
||
# ===== Итог =====
|
||
Write-Host ""
|
||
Write-Host "=== Статус ===" -ForegroundColor Green
|
||
& $NETBIRD_EXE status
|
||
|
||
$nbIp = (Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
|
||
Where-Object {$_.IPAddress -like "100.70.*"} | Select-Object -First 1).IPAddress
|
||
|
||
Write-Host ""
|
||
Write-Host "=== Данные для Claude ===" -ForegroundColor Yellow
|
||
Write-Host "Netbird IP : $nbIp"
|
||
Write-Host "Hostname : $env:COMPUTERNAME"
|
||
Write-Host "User local : $env:USERNAME"
|
||
Write-Host "User claude: $CLAUDE_USER / $CLAUDE_PASS (Administrator)"
|
||
Write-Host "RDP : mstsc /v:$nbIp"
|
||
Write-Host "WinRM : 5985/tcp HTTP, 5986/tcp HTTPS"
|
||
Write-Host "SSH : ssh ${CLAUDE_USER}@$nbIp"
|
||
Write-Host ""
|
||
Write-Host "Пришли Claude: IP $nbIp + кто это"
|