From 91a969ae75ac8eba0089ad2bc272bdd1b4e0bf91 Mon Sep 17 00:00:00 2001 From: bin456789 Date: Sat, 12 Oct 2024 23:07:01 +0800 Subject: [PATCH] =?UTF-8?q?core:=20=E6=94=AF=E6=8C=81=E4=BF=AE=E6=94=B9=20?= =?UTF-8?q?ssh=20rdp=20web=20=E7=AB=AF=E5=8F=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.en.md | 20 +++++- README.md | 20 +++++- cloud-init.yaml | 6 +- debian.cfg | 10 ++- logviewer-nginx.conf | 4 +- reinstall.sh | 86 +++++++++++++++++++--- trans.sh | 140 +++++++++++++++++++++++++++++++----- windows-allow-ping.bat | 21 ++++++ windows-change-rdp-port.bat | 47 ++++++++++++ windows.xml | 8 ++- 10 files changed, 323 insertions(+), 39 deletions(-) create mode 100644 windows-allow-ping.bat create mode 100644 windows-change-rdp-port.bat diff --git a/README.en.md b/README.en.md index b3c4eb5..7946dc4 100644 --- a/README.en.md +++ b/README.en.md @@ -126,7 +126,10 @@ certutil -urlcache -f -split https://jihulab.com/bin456789/reinstall/-/raw/main/ - On virtual machines, the appropriate official slimmed-down kernel will be automatically installed. - To install Red Hat, you need to provide the `qcow2` image link obtained from . - Username `root`, password `123@@@`. It may take a few minutes for the password to take effect on the first boot. -- When switching to key-based authentication, you also need to modify the files inside `/etc/ssh/sshd_config.d/` +- After reinstalling, if you need to change SSH port or switch to key-based login, be sure to modify the files inside `/etc/ssh/sshd_config.d/`. +- Optional parameters: + - `--ssh-port PORT` to change the SSH port + - `--hold 2` to prevent entering the system after installation. You can connect via SSH to modify system content, with the system mounted at `/os` (this feature is not supported on Debian/Kali). ```bash bash reinstall.sh centos 9 @@ -158,6 +161,8 @@ bash reinstall.sh centos 9 Experimental Features +The following features are experimental and may not support modifying the SSH port or other options. + Install Debian using a cloud image, suitable for machines with slower CPUs ```bash @@ -183,6 +188,10 @@ bash reinstall.sh ubuntu --installer - Supports `raw`, `vhd` images or those compressed with `xz` or `gzip`. - When deploy a Windows image, the system disk will be expanded, and machines with static IPs will have their IPs configured. However, it may take a few minutes after the first boot for the configuration to take effect. - When deploy a Linux image, the script will not modify any contents of the image. +- Optional parameters: + - `--rdp-port PORT` to change the RDP port (Windows only). + - `--allow-ping` to allow ping responses (Windows only). + - `--hold 2` to prevent entering the system after DD completion. You can connect via SSH to modify system content, with the system mounted at `/os`. ```bash bash reinstall.sh dd --img https://example.com/xxx.xz @@ -218,8 +227,12 @@ bash reinstall.sh netboot.xyz - Username `administrator`, password `123@@@` - If remote login fails, try using the username `.\administrator`. - The machine with a static IP will automatically configure the IP. It may take a few minutes to take effect on the first boot. +- Optional parameters: + - `--rdp-port PORT` to change the RDP port + - `--allow-ping` to allow ping responses + - `--hold 2` to allow SSH connections for modifying the hard disk content before rebooting into the official Windows installation program, with the hard disk mounted at `/os`. -![Installing Windows](https://github.com/bin456789/reinstall/assets/7548515/07c1aea2-1ce3-4967-904f-aaf9d6eec3f7) +![Windows Installation](https://github.com/bin456789/reinstall/assets/7548515/07c1aea2-1ce3-4967-904f-aaf9d6eec3f7) #### Method 1: Allow the script to automatically find the ISO @@ -365,9 +378,10 @@ Most ARM machines support ISO installation of Windows 11 24H2, but some machines - ✔️Azure: B2pts_v2 - ✔️Alibaba Cloud: g8y, c8y, r8y (may occasionally get stuck on the boot logo during restart; force restart to resolve) - ✔️Alibaba Cloud: g6r, c6r -- ✔️Oracle Cloud: A1.Flex (manual loading of the graphics driver is required after installation) +- ✔️Oracle Cloud A1.Flex (Success depends on the machine's creation date; newer instances are more likely to install successfully. You will also need to manually load the GPU drivers after installation.) - ✔️AWS: T4g - ✔️Scaleway: COPARM1 +- ✔️Gcore - ❌Google Cloud: t2a (lacking network card driver)
diff --git a/README.md b/README.md index 2b71720..f6dc798 100644 --- a/README.md +++ b/README.md @@ -126,7 +126,10 @@ certutil -urlcache -f -split https://jihulab.com/bin456789/reinstall/-/raw/main/ - 在虚拟机上,会自动安装合适的官方精简内核 - 安装 Red Hat 需填写 得到的 `qcow2` 镜像链接 - 用户名 `root` 密码 `123@@@`,可能首次开机几分钟后密码才生效 -- 改为密钥登录时,还要修改 `/etc/ssh/sshd_config.d/` 里面的文件 +- 重装后如需修改 SSH 端口 / 改成密钥登录,还要注意修改 `/etc/ssh/sshd_config.d/` 里面的文件 +- 可选参数 + - `--ssh-port PORT` 修改 SSH 端口 + - `--hold 2` 安装结束后不进入系统。可连接 SSH 修改系统内容,系统挂载在 `/os` (此功能不支持 Debian / Kali) ```bash bash reinstall.sh centos 9 @@ -158,6 +161,8 @@ bash reinstall.sh centos 9 实验性功能 +以下功能为实验性质,可能不支持修改 ssh 端口等其它选项 + 用云镜像安装 Debian,适合于 CPU 较慢的机器 ```bash @@ -183,6 +188,10 @@ bash reinstall.sh ubuntu --installer - 支持 `raw` `vhd` 或者经过 `xz` `gzip` 压缩的镜像 - DD Windows 镜像时,会扩展系统盘,静态 IP 的机器会配置好 IP,可能首次开机几分钟后才生效 - DD Linux 镜像时,脚本不会修改镜像的任何内容 +- 可选参数 + - `--rdp-port PORT` 修改 RDP 端口 (仅限 Windows) + - `--allow-ping` 允许被 Ping (仅限 Windows) + - `--hold 2` DD 结束后不进入系统。可连接 SSH 修改系统内容,系统挂载在 `/os` ```bash bash reinstall.sh dd --img https://example.com/xxx.xz @@ -218,8 +227,12 @@ bash reinstall.sh netboot.xyz - 用户名 `administrator` 密码 `123@@@` - 如果远程登录失败,尝试使用用户名 `.\administrator` - 静态机器会自动配置好 IP,可能首次开机几分钟后才生效 +- 可选参数 + - `--rdp-port PORT` 更改 RDP 端口 + - `--allow-ping` 允许被 Ping + - `--hold 2` 在重启进入 Windows 官方安装程序前,可连接 SSH 修改硬盘内容,硬盘挂载在 `/os` -![Windows 安装中](https://github.com/bin456789/reinstall/assets/7548515/07c1aea2-1ce3-4967-904f-aaf9d6eec3f7) +![Windows 安装界面](https://github.com/bin456789/reinstall/assets/7548515/07c1aea2-1ce3-4967-904f-aaf9d6eec3f7) #### 方法 1: 让脚本自动查找 ISO @@ -365,9 +378,10 @@ Windows Server 2025 SERVERDATACENTER - ✔️Azure B2pts_v2 - ✔️阿里云 g8y c8y r8y (有几率重启时卡开机 Logo,强制重启即可) - ✔️阿里云 g6r c6r -- ✔️甲骨文云 A1.Flex (安装后需要手动加载显卡驱动) +- ✔️甲骨文云 A1.Flex (视乎机器的创建日期,越新的越有可能成功安装,安装后还需要手动加载显卡驱动) - ✔️AWS T4g - ✔️Scaleway COPARM1 +- ✔️Gcore - ❌谷歌云 t2a (缺少网卡驱动)
diff --git a/cloud-init.yaml b/cloud-init.yaml index 89c92f8..39fd797 100644 --- a/cloud-init.yaml +++ b/cloud-init.yaml @@ -21,10 +21,14 @@ runcmd: # 下面这行删除 clout-init 创建的 sshd_config - test $(wc -l >/etc/ssh/sshd_config.d/50-cloud-init.conf && rm -f /etc/ssh/sshd_config - echo "PermitRootLogin yes" >/etc/ssh/sshd_config.d/01-permitrootlogin.conf || sed -Ei 's/^#?PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config + - echo "Port @SSH_PORT@" >/etc/ssh/sshd_config.d/01-change-ssh-port.conf || sed -Ei 's/^#?Port .*/Port @SSH_PORT@/' /etc/ssh/sshd_config # 已创建的 ssh 连接会沿用旧的配置(未开启密码登录),这时即使输入正确的密码,也会提示 Access Denied # systemctl restart sshd 只会重启监听进程,不会关闭已创建的连接(子进程) - pkill sshd || true - - systemctl restart sshd || systemctl restart ssh + # daemon-reload 会刷新 /run/systemd/generator/ssh.socket.d/addresses.conf + - systemctl daemon-reload + - for s in ssh.socket ssh.service sshd.socket sshd.service; do systemctl is-enabled $s && systemctl restart $s && break; done + - sed -i -e '/^[[:space:]]*password:/d' -e '/[[:space:]]*root:/d' /etc/cloud/cloud.cfg.d/99_fallback.cfg - touch /etc/cloud/cloud-init.disabled # ubuntu 镜像运行 echo -e '\nDone' ,-e 会被显示出来 - printf '\n%s\n' 'reinstall done' >/dev/tty0 || true diff --git a/debian.cfg b/debian.cfg index 4d527fe..3201d1c 100644 --- a/debian.cfg +++ b/debian.cfg @@ -162,8 +162,16 @@ d-i partman/early_command string true; \ # if [ "$link_grub_dir" = 1 ]; then mkdir /target/boot/grub2; echo 'chainloader (hd0)+1' >/target/boot/grub2/grub.cfg; fi; \ d-i preseed/late_command string true; \ eval "$(grep -o 'extra_link_grub_dir=[^ ]*' /proc/cmdline | sed 's/^extra_//')"; \ + eval "$(grep -o 'extra_ssh_port=[^ ]*' /proc/cmdline | sed 's/^extra_//')"; \ + if [ "$link_grub_dir" = 1 ]; then ln -s grub /target/boot/grub2; fi; \ in-target systemctl enable ssh; \ + echo "PermitRootLogin yes" >/target/etc/ssh/sshd_config.d/01-permitrootlogin.conf || \ - echo "PermitRootLogin yes" >>/target/etc/ssh/sshd_config + echo "PermitRootLogin yes" >>/target/etc/ssh/sshd_config; \ + + if [ -n "$ssh_port" ] && ! [ "$ssh_port" = 22 ]; then \ + echo "Port $ssh_port" >/target/etc/ssh/sshd_config.d/01-change-ssh-port.conf || \ + echo "Port $ssh_port" >>/target/etc/ssh/sshd_config; \ + fi diff --git a/logviewer-nginx.conf b/logviewer-nginx.conf index b04a247..dea7f23 100644 --- a/logviewer-nginx.conf +++ b/logviewer-nginx.conf @@ -1,6 +1,6 @@ server { - listen 80; - listen [::]:80; + listen @WEB_PORT@; + listen [::]:@WEB_PORT@; root /; gzip on; diff --git a/reinstall.sh b/reinstall.sh index 9f105d8..bd53e09 100644 --- a/reinstall.sh +++ b/reinstall.sh @@ -59,6 +59,11 @@ Usage: $reinstall____ centos 9 windows --image-name='windows xxx yyy' --iso='http://xxx.com/xxx.iso' netboot.xyz + Options: [--ssh-port PORT] + [--rdp-port PORT] + [--web-port PORT] + [--allow-ping] + Manual: https://github.com/bin456789/reinstall EOF @@ -194,6 +199,14 @@ is_use_firmware() { [ "$nextos_distro" = debian ] && ! is_virt } +is_digit() { + [[ "$1" =~ ^[0-9]+$ ]] +} + +is_port_valid() { + is_digit "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ] +} + get_host_by_url() { cut -d/ -f3 <<<$1 } @@ -2315,6 +2328,11 @@ find_grub_extlinux_cfg() { fi } +# 空格、&、用户输入的网址要加引号,否则 grub 无法正确识别 +is_need_quote() { + [[ "$1" = *' '* ]] || [[ "$1" = *'&'* ]] || [[ "$1" = http* ]] +} + # 转换 finalos_a=1 为 finalos.a=1 ,排除 finalos_mirrorlist build_finalos_cmdline() { if vars=$(compgen -v finalos_); then @@ -2322,7 +2340,9 @@ build_finalos_cmdline() { value=${!key} key=${key#finalos_} if [ -n "$value" ] && [ $key != "mirrorlist" ]; then - finalos_cmdline+=" finalos_$key='$value'" + is_need_quote "$value" && + finalos_cmdline+=" finalos_$key='$value'" || + finalos_cmdline+=" finalos_$key=$value" fi done fi @@ -2334,10 +2354,13 @@ build_extra_cmdline() { # 会将 extra.xxx=yyy 写入新系统的 /etc/modprobe.d/local.conf # https://answers.launchpad.net/ubuntu/+question/249456 # https://salsa.debian.org/installer-team/rootskel/-/blob/master/src/lib/debian-installer-startup.d/S02module-params?ref_type=heads - for key in confhome hold force cloud_image main_disk; do + for key in confhome hold force force_old_windows_setup cloud_image main_disk \ + ssh_port rdp_port web_port allow_ping password; do value=${!key} if [ -n "$value" ]; then - extra_cmdline+=" extra_$key='$value'" + is_need_quote "$value" && + extra_cmdline+=" extra_$key='$value'" || + extra_cmdline+=" extra_$key=$value" fi done @@ -3042,8 +3065,28 @@ else fi fi +long_opts= +for o in ci installer debug minimal allow-ping \ + hold: \ + sleep: \ + iso: \ + image-name: \ + boot-wim: \ + img: \ + lang: \ + ssh-port: \ + rdp-port: \ + web-port: \ + allow-ping: \ + commit: \ + force: \ + force-old-windows-setup:; do + [ -n "$long_opts" ] && long_opts+=, + long_opts+=$o +done + # 整理参数 -if ! opts=$(getopt -n $0 -o "" --long ci,installer,debug,minimal,hold:,sleep:,iso:,image-name:,img:,lang:,commit:,force: -- "$@"); then +if ! opts=$(getopt -n $0 -o "" --long "$long_opts" -- "$@"); then usage_and_exit fi @@ -3073,18 +3116,41 @@ while true; do minimal=1 shift ;; + --allow-ping) + allow_ping=1 + shift + ;; --hold | --sleep) - hold=$2 - if ! { [ "$hold" = 1 ] || [ "$hold" = 2 ]; }; then - error_and_exit "Invalid --hold value: $hold." + if ! { [ "$2" = 1 ] || [ "$2" = 2 ]; }; then + error_and_exit "Invalid $1 value: $2" fi + hold=$2 shift 2 ;; --force) - force=$2 - if ! { [ "$force" = bios ] || [ "$force" = efi ]; }; then - error_and_exit "Invalid --force value: $force." + if ! { [ "$2" = bios ] || [ "$2" = efi ]; }; then + error_and_exit "Invalid $1 value: $2" fi + force=$2 + shift 2 + ;; + --ssh-port) + is_port_valid $2 || error_and_exit "Invalid $1 value: $2" + ssh_port=$2 + shift 2 + ;; + --rdp-port) + is_port_valid $2 || error_and_exit "Invalid $1 value: $2" + rdp_port=$2 + shift 2 + ;; + --web-port) + is_port_valid $2 || error_and_exit "Invalid $1 value: $2" + web_port=$2 + shift 2 + ;; + --force-old-windows-setup) + force_old_windows_setup=$2 shift 2 ;; --img) diff --git a/trans.sh b/trans.sh index b02d496..2fa95bb 100644 --- a/trans.sh +++ b/trans.sh @@ -75,7 +75,8 @@ wget() { echo "$@" | grep -o 'http[^ ]*' >&2 if command wget 2>&1 | grep -q BusyBox; then # busybox wget 没有重试功能 - retry 5 command wget "$@" + # 好像默认永不超时 + retry 5 command wget "$@" -T 10 else # 原版 wget 自带重试功能 command wget --tries=5 --progress=bar:force "$@" @@ -215,12 +216,21 @@ is_use_cloud_image() { [ -n "$cloud_image" ] && [ "$cloud_image" = 1 ] } +is_allow_ping() { + [ -n "$allow_ping" ] && [ "$allow_ping" = 1 ] +} + setup_nginx() { apk add nginx # shellcheck disable=SC2154 wget $confhome/logviewer.html -O /logviewer.html wget $confhome/logviewer-nginx.conf -O /etc/nginx/http.d/default.conf + if [ -z "$web_port" ]; then + web_port=80 + fi + sed -i "s/@WEB_PORT@/$web_port/gi" /etc/nginx/http.d/default.conf + # rc-service nginx start if pgrep nginx >/dev/null; then nginx -s reload @@ -577,6 +587,14 @@ is_windows_support_rdnss() { error_and_exit "Not found kernel32.dll" } +is_need_change_ssh_port() { + [ -n "$ssh_port" ] && ! [ "$ssh_port" = 22 ] +} + +is_need_change_rdp_port() { + [ -n "$rdp_port" ] && ! [ "$rdp_port" = 3389 ] +} + is_need_manual_set_dnsv6() { # 有没有可能是静态但是有 rdnss? ! is_have_ipv6 && return $FALSE @@ -1320,6 +1338,9 @@ install_nixos() { if [ -e /os/swapfile ] && $keep_swap; then nix_swap="swapDevices = [{ device = \"/swapfile\"; size = $swap_size; }];" fi + if is_need_change_ssh_port; then + nix_ssh_ports="services.openssh.ports = [ $ssh_port ];" + fi # TODO: 准确匹配网卡,添加 udev 或者直接配置 networkd 匹配 mac create_nixos_network_config /tmp/nixos_network_config.nix @@ -1332,6 +1353,7 @@ $nix_substituters boot.kernelParams = [ $(get_ttys console= | quote_word) ]; services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "yes"; +$nix_ssh_ports $(cat /tmp/nixos_network_config.nix) ################################################### EOF @@ -1632,6 +1654,9 @@ EOF chroot $os_dir systemctl enable systemd-resolved chroot $os_dir systemctl enable sshd allow_root_password_login $os_dir + if is_need_change_ssh_port; then + change_ssh_port $os_dir $ssh_port + fi # 修改密码 change_root_password $os_dir @@ -2135,6 +2160,13 @@ download_cloud_init_config() { # 修改密码 sed -i "s/@PASSWORD@/$PASSWORD/" $ci_file + # 修改 ssh 端口 + if is_need_change_ssh_port; then + sed -i "s/@SSH_PORT@/$ssh_port/g" $ci_file + else + sed -i "/@SSH_PORT@/d" $ci_file + fi + # swapfile # 如果分区表中已经有swapfile就跳过,例如arch if ! grep -w swap $os_dir/etc/fstab; then @@ -2179,10 +2211,27 @@ modify_windows() { use_gpo=false fi - # 下载共同的子脚本 + # bat 列表 + bats= + + # 1. rdp 端口 + if is_need_change_rdp_port; then + create_win_change_rdp_port_script $os_dir/windows-change-rdp-port.bat "$rdp_port" + bats="$bats windows-change-rdp-port.bat" + fi + + # 2. 允许 ping + if is_allow_ping; then + download $confhome/windows-allow-ping.bat $os_dir/windows-allow-ping.bat + bats="$bats windows-allow-ping.bat" + fi + + # 3. 合并分区 # 可能 unattend.xml 已经设置了ExtendOSPartition,不过运行resize没副作用 - bats="windows-resize.bat" download $confhome/windows-resize.bat $os_dir/windows-resize.bat + bats="$bats windows-resize.bat" + + # 4. 网络设置 for ethx in $(get_eths); do create_win_set_netconf_script $os_dir/windows-set-netconf-$ethx.bat bats="$bats windows-set-netconf-$ethx.bat" @@ -2534,21 +2583,44 @@ create_swap() { fi } +# arch gentoo 常规安装用 +change_ssh_conf() { + os_dir=$1 + key=$2 + value=$3 + sub_conf=$4 + + # arch 没有 /etc/ssh/sshd_config.d/ 文件夹 + # opensuse tumbleweed 有 /etc/ssh/sshd_config.d/ 文件夹,但没有 /etc/ssh/sshd_config,有/usr/etc/ssh/sshd_config + if grep -q 'Include.*/etc/ssh/sshd_config.d' $os_dir/etc/ssh/sshd_config || + grep -q '^Include.*/etc/ssh/sshd_config.d/' $os_dir/usr/etc/ssh/sshd_config; then + mkdir -p $os_dir/etc/ssh/sshd_config.d/ + echo "$key $value" >"$os_dir/etc/ssh/sshd_config.d/$sub_conf" + else + # 如果 sshd_config 存在此 key,则替换 + # 否则追加 + line="^#?$key .*" + if grep -x "$line" $os_dir/etc/ssh/sshd_config; then + sed -Ei "s/$line/$key $value/" $os_dir/etc/ssh/sshd_config + else + echo "$key $value" >>$os_dir/etc/ssh/sshd_config + fi + fi +} + # arch gentoo 常规安装用 allow_root_password_login() { os_dir=$1 - # 允许 root 密码登录 - # arch 没有 /etc/ssh/sshd_config.d/ 文件夹 - # opensuse tumbleweed 有 /etc/ssh/sshd_config.d/ 文件夹,但没有 /etc/ssh/sshd_config,但有/usr/etc/ssh/sshd_config - if grep 'Include.*/etc/ssh/sshd_config.d' $os_dir/etc/ssh/sshd_config; then - mkdir -p $os_dir/etc/ssh/sshd_config.d/ - echo 'PermitRootLogin yes' >$os_dir/etc/ssh/sshd_config.d/01-permitrootlogin.conf - else - if ! grep -x 'PermitRootLogin yes' $os_dir/etc/ssh/sshd_config; then - echo 'PermitRootLogin yes' >>$os_dir/etc/ssh/sshd_config - fi - fi + change_ssh_conf "$os_dir" PermitRootLogin yes 01-permitrootlogin.conf +} + +# arch gentoo 常规安装用 +change_ssh_port() { + os_dir=$1 + ssh_port=$2 + + change_ssh_conf "$os_dir" Port "$ssh_port" 01-change-ssh-port.conf } change_root_password() { @@ -3418,6 +3490,17 @@ EOF unix2dos $target } +create_win_change_rdp_port_script() { + target=$1 + rdp_port=$2 + + info "Create win change rdp port script" + + echo "set RdpPort=$rdp_port" >$target + wget $confhome/windows-change-rdp-port.bat -O- >>$target + unix2dos $target +} + # virt-what 要用最新版 # vultr 1G High Frequency LAX 实际上是 kvm # debian 11 virt-what 1.19 显示为 hyperv qemu @@ -3657,6 +3740,15 @@ install_windows() { ;; esac + # 防止用了不兼容架构的 iso + if ! { + { [ "$(uname -m)" = "x86_64" ] && [ "$arch_wim" = x86_64 ]; } || + { [ "$(uname -m)" = "x86_64" ] && [ "$arch_wim" = x86 ]; } || + { [ "$(uname -m)" = "aarch64" ] && [ "$arch_wim" = arm64 ]; } + }; then + error_and_exit "The machine is $(uname -m), but the iso is $arch_wim." + fi + add_drivers() { info "Add drivers" @@ -4038,7 +4130,13 @@ install_windows() { # 修改应答文件 download $confhome/windows.xml /tmp/autounattend.xml locale=$(get_selected_image_prop 'Default Language') - sed -i "s|%arch%|$arch|; s|%image_name%|$image_name|; s|%locale%|$locale|; s|%password%|$PASSWORD|" \ + use_default_rdp_port=$(is_need_change_rdp_port && echo false || echo true) + sed -i \ + -e "s|%arch%|$arch|" \ + -e "s|%image_name%|$image_name|" \ + -e "s|%locale%|$locale|" \ + -e "s|%password%|$PASSWORD|" \ + -e "s|%use_default_rdp_port%|$use_default_rdp_port|" \ /tmp/autounattend.xml # 修改应答文件,分区配置 @@ -4174,8 +4272,12 @@ install_windows() { # 添加引导 if is_efi; then - apk add efibootmgr - efibootmgr -c -L "Windows Installer" -d /dev/$xda -p1 -l "\\EFI\\boot\\$boot_efi" + # 现在 add_default_efi_to_nvram() 添加 bootx64.efi 到最前面 + # 因此这里重复了 + if false; then + apk add efibootmgr + efibootmgr -c -L "Windows Installer" -d /dev/$xda -p1 -l "\\EFI\\boot\\$boot_efi" + fi else # 或者用 ms-sys apk add grub-bios @@ -4491,6 +4593,10 @@ hwclock -s || true # 设置密码,安装并打开 ssh echo "root:$PASSWORD" | chpasswd +apk add openssh +if is_need_change_ssh_port; then + change_ssh_port / $ssh_port +fi printf '\nyes' | setup-sshd # shellcheck disable=SC2154 diff --git a/windows-allow-ping.bat b/windows-allow-ping.bat new file mode 100644 index 0000000..d4f496a --- /dev/null +++ b/windows-allow-ping.bat @@ -0,0 +1,21 @@ +@echo off +mode con cp select=437 >nul +setlocal EnableDelayedExpansion + +rem https://learn.microsoft.com/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior#command-example-4-configure-icmp-settings +rem 旧版命令 netsh firewall set icmpsetting 8 对应的配置是:文件和打印机共享(回显请求 - ICMPv4-In) + +set ICMPv4EchoTypeNum=8 +set ICMPv6EchoTypeNum=128 + +for %%i in (4, 6) do ( + netsh advfirewall firewall add rule ^ + name="ICMP Echo Request (ICMPv%%i-In)" ^ + dir=in ^ + action=allow ^ + program=System ^ + protocol=ICMPv%%i:!ICMPv%%iEchoTypeNum!,any +) + +rem 删除此脚本 +del "%~f0" diff --git a/windows-change-rdp-port.bat b/windows-change-rdp-port.bat new file mode 100644 index 0000000..6a097ea --- /dev/null +++ b/windows-change-rdp-port.bat @@ -0,0 +1,47 @@ +@echo off +mode con cp select=437 >nul + +rem set RdpPort=3333 + +rem https://learn.microsoft.com/windows-server/remote/remote-desktop-services/clients/change-listening-port +rem HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules + +rem RemoteDesktop-Shadow-In-TCP +rem v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=%SystemRoot%\system32\RdpSa.exe|Name=@FirewallAPI.dll,-28778|Desc=@FirewallAPI.dll,-28779|EmbedCtxt=@FirewallAPI.dll,-28752|Edge=TRUE|Defer=App| + +rem RemoteDesktop-UserMode-In-TCP +rem v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28775|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752| + +rem RemoteDesktop-UserMode-In-UDP +rem v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28776|Desc=@FirewallAPI.dll,-28777|EmbedCtxt=@FirewallAPI.dll,-28752| + +rem 设置端口 +reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d %RdpPort% /f + +rem 重启服务 +rem 可以用 sc 或者 net +rem UmRdpService 依赖 TermService +rem sc stop 不能处理依赖关系,因此 sc stop TermService 前需要 sc stop UmRdpService +rem net stop 可以处理依赖关系 +rem sc stop 是异步的,rem net stop 不是异步,但有 timeout 时间 +rem TermService 运行后,UmRdpService 会自动运行 +net stop TermService /y +net start TermService + +rem 设置防火墙 +rem 各个版本的防火墙自带的 rdp 规则略有不同 +rem 全部版本都有: program=%SystemRoot%\system32\svchost.exe service=TermService +rem win7 还有: program=System service= +rem 以下为并集 +for %%a in (TCP, UDP) do ( + netsh advfirewall firewall add rule ^ + name="Remote Desktop - Custom Port (%%a-In)" ^ + dir=in ^ + action=allow ^ + service=any ^ + protocol=%%a ^ + localport=%RdpPort% +) + +rem 删除此脚本 +del "%~f0" diff --git a/windows.xml b/windows.xml index 369a18c..df06b26 100644 --- a/windows.xml +++ b/windows.xml @@ -110,8 +110,11 @@ all + + + @FirewallAPI.dll,-28752 - true + %use_default_rdp_port% @@ -144,7 +147,8 @@ true true - China Standard Time + +