knowledge-base/snippets/netbird-claude-install.ps1
dttb dfd6d752ac netbird-claude-install.ps1: принудительно TLS 1.2+ для старых Windows
PowerShell 5.1 на Windows 2012R2/2016 по умолчанию использует TLS 1.0/1.1 —
NPM с Let's Encrypt и netbird.io рвут такие соединения ("Базовое соединение
закрыто"). Выставляем Tls12+Tls13 в самом начале скрипта.
2026-04-21 20:40:18 +03:00

# netbird-claude-install.ps1
# Installs Netbird on Windows, enrolls the host in the netbird.io tenant
# (group Claude-Diag), and enables RDP and WinRM for remote diagnostics over
# the Netbird interface.
#
# Run from an elevated PowerShell session:
# iwr -useb https://git.dttb.ru/oleg/knowledge-base/raw/branch/main/snippets/netbird-claude-install.ps1 | iex
# Or download the file and run it locally:
# powershell -ExecutionPolicy Bypass -File .\netbird-claude-install.ps1
#
# NOTE(review): the `iwr | iex` form executes whatever the URL serves at that
# moment, as administrator, with no integrity check and nothing left on disk to
# audit. Downloading the file, reading it, and running the local copy is the
# reviewable path.
#
# Idempotent: it can be run again.

# Any cmdlet error aborts the script instead of letting later steps run.
$ErrorActionPreference = "Stop"

# ===== TLS 1.2+ (PowerShell 5.1 on 2012R2/2016 defaults to TLS 1.0) =====
# Request TLS 1.2 and 1.3 together. If the flag pair cannot be parsed or set
# (for example, the runtime has no Tls13 member), settle for TLS 1.2 alone.
try {
    [Net.ServicePointManager]::SecurityProtocol = [Enum]::Parse([Net.SecurityProtocolType], 'Tls12,Tls13')
} catch {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
}
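# ===== Parameters =====
# NOTE(review): the setup key is an enrollment credential and it is stored in
# the script body, so everyone who can read this file (or the raw URL) can
# enroll a peer into the Claude-Diag group until the key expires or is revoked.
# An operator can supply a key through the NETBIRD_SETUP_KEY environment
# variable without editing the file; the embedded value is kept only as the
# fallback so the existing one-line install keeps working. Prefer a short-lived,
# one-off key and revoke it after the session.
$SETUP_KEY = if ($env:NETBIRD_SETUP_KEY) {
    $env:NETBIRD_SETUP_KEY
} else {
    "83301E74-6F86-4CBD-AF77-0C65730103CA" # Claude-Diag, expires 2026-05-21
}
$NETBIRD_CIDR = "100.70.0.0/16" # tenant address space
$NETBIRD_EXE = "C:\Program Files\Netbird\netbird.exe"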
# ===== 1. Privilege check =====
# Every later step changes machine-wide state (MSI install, registry, WinRM,
# firewall), so stop here unless the current token is in the built-in
# Administrators role.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
$isAdmin = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (!$isAdmin) {
    # With $ErrorActionPreference = "Stop" (set at the top of the script)
    # Write-Error is already terminating; the exit is the fallback.
    Write-Error "Нужен PowerShell от администратора."
    exit 1
}
Write-Host "=== Netbird Claude-Diag setup ===" -ForegroundColor Cyan
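# ===== 2. Install Netbird =====
# Skipped when the client binary already exists, which keeps re-runs idempotent.
if (-not (Test-Path $NETBIRD_EXE)) {
    Write-Host "[1/5] Скачиваю Netbird MSI..."
    $msi = "$env:TEMP\netbird.msi"
    Invoke-WebRequest -UseBasicParsing -Uri "https://pkgs.netbird.io/windows/x64" -OutFile $msi

    # The package is about to be installed silently with administrative rights.
    # HTTPS only authenticates the download host, so also require an Authenticode
    # signature that chains to a trusted publisher before handing it to msiexec.
    $sig = Get-AuthenticodeSignature -FilePath $msi
    if ($sig.Status -ne 'Valid') {
        Remove-Item -Path $msi -Force -ErrorAction SilentlyContinue
        throw "Подпись Netbird MSI не прошла проверку: $($sig.Status)"
    }
    # NOTE(review): 'Valid' accepts any trusted publisher. Once the vendor's
    # signing certificate is confirmed, also compare the subject or thumbprint
    # printed below against the expected value.
    Write-Host "      Подпись MSI: $($sig.SignerCertificate.Subject)"

    Write-Host "[2/5] Устанавливаю (silent)..."
    $install = Start-Process msiexec.exe -ArgumentList "/i `"$msi`" /qn" -Wait -PassThru
    # msiexec: 0 = success, 3010 = success but a reboot is required.
    # Anything else means the client was not installed, so do not continue.
    if ($install.ExitCode -notin 0, 3010) {
        throw "msiexec завершился с кодом $($install.ExitCode)"
    }
    Start-Sleep 5
} else {
    Write-Host "[1-2/5] Netbird уже установлен: $NETBIRD_EXE"
}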
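# ===== 3. Enrollment =====
Write-Host "[3/5] Регистрация в tenant с Claude-Diag ключом..."
# NOTE(review): the key is passed as a command-line argument, so it is visible
# in the process command line and in any process-creation auditing on the host.
& $NETBIRD_EXE up --setup-key $SETUP_KEY
# A native command's non-zero exit does not raise a PowerShell error. Without
# this check a failed enrollment would still be followed by RDP and WinRM being
# switched on.
if ($LASTEXITCODE -ne 0) {
    throw "netbird up завершился с кодом $LASTEXITCODE"
}
Start-Sleep 3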
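# ===== 4. RDP =====
Write-Host "[4/5] Включаю RDP..."
# fDenyTSConnections = 0 lets the Terminal Server service accept connections.
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
# The built-in "Remote Desktop" firewall group is deliberately NOT enabled here.
# Its rules are not limited to the Netbird range by default, so enabling them
# exposes 3389 on every interface the active profile covers. The group name is
# also a localized display string, so the old call (run with SilentlyContinue)
# only took effect on some Windows languages. Inbound 3389 is opened by the
# Claude-Diag-RDP rule created in step 5, which is scoped to $NETBIRD_CIDR.
# NOTE(review): if the built-in group was enabled by an earlier run or by
# policy it stays enabled; review it separately if RDP must be Netbird-only.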
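# ===== 5. WinRM + firewall rules for the Netbird subnet =====
Write-Host "[5/5] Включаю WinRM и правила firewall для $NETBIRD_CIDR..."
try {
    Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null
} catch {
    # Fallback for hosts where Enable-PSRemoting fails.
    winrm quickconfig -force -q | Out-Null
}
# NOTE(review): Enable-PSRemoting also enables Windows' own WinRM firewall
# rules, and those are not limited to $NETBIRD_CIDR. The Claude-Diag rules
# created below add an allow path; they do not restrict the built-in ones.
#
# SECURITY: the next two settings apply to the whole WinRM service, not just
# the Netbird interface. Basic auth sends the account password base64-encoded,
# and AllowUnencrypted removes WinRM message encryption on the HTTP listener
# (5985). Confidentiality then depends entirely on the Netbird tunnel and on
# 5985 being unreachable from any other network. They are kept because the
# diagnostic client presumably needs them (confirm). If it can authenticate
# with Negotiate/NTLM, or use an HTTPS listener on 5986, drop both lines.
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true -Force
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $true -Force
Write-Warning "WinRM: включены Basic-аутентификация и AllowUnencrypted — пароль не шифруется на уровне WinRM, его защищает только туннель Netbird. После диагностики верните оба параметра в `$false."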
# Inbound allow rules, one per diagnostic port. Each accepts TCP only from
# $NETBIRD_CIDR. A rule left by an earlier run is deleted and created again so
# that re-running the script does not pile up duplicates.
$rules = @(
    @{ Name = "Claude-Diag-RDP";         Port = 3389 },
    @{ Name = "Claude-Diag-WinRM-HTTP";  Port = 5985 },
    @{ Name = "Claude-Diag-WinRM-HTTPS"; Port = 5986 }
)
$rules | ForEach-Object {
    $ruleName = $_.Name

    # Drop the previous copy, if there is one.
    $stale = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($stale) {
        $stale | Remove-NetFirewallRule
    }

    $ruleSpec = @{
        DisplayName   = $ruleName
        Direction     = 'Inbound'
        Protocol      = 'TCP'
        LocalPort     = $_.Port
        RemoteAddress = $NETBIRD_CIDR
        Action        = 'Allow'
    }
    New-NetFirewallRule @ruleSpec | Out-Null
}
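# ===== Summary =====
Write-Host ""
Write-Host "=== Статус ===" -ForegroundColor Green
& $NETBIRD_EXE status
# First local IPv4 address inside the tenant range. The pattern is the /16
# prefix of $NETBIRD_CIDR, so keep the two in step if the range changes.
$nbIp = (Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -like "100.70.*" } |
    Select-Object -First 1).IPAddress
if (-not $nbIp) {
    # Without an address the connection details printed below are unusable.
    # Say so explicitly instead of printing blank fields.
    Write-Warning "Адрес Netbird (100.70.*) не найден — проверьте вывод 'netbird status' выше."
}
Write-Host ""
Write-Host "=== Данные для Claude ===" -ForegroundColor Yellow
Write-Host "Netbird IP : $nbIp"
Write-Host "Hostname : $env:COMPUTERNAME"
Write-Host "User : $env:USERNAME"
Write-Host "RDP : mstsc /v:$nbIp (логин $env:USERNAME)"
# Print the configured range rather than a second hard-coded copy of it.
Write-Host "WinRM : 5985/tcp (HTTP), 5986/tcp (HTTPS) — доступны с $NETBIRD_CIDR"
Write-Host ""
# NOTE(review): this asks the operator to hand over the password of the
# administrator account that ran the script. A dedicated temporary local
# account with a one-session password, removed afterwards, limits what that
# shared credential can reach.
Write-Host "Пришли Claude: IP $nbIp + пароль пользователя $env:USERNAME"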