From 2c29c0d33ec4e8c3f15f8b5f80535ca9f2a03658 Mon Sep 17 00:00:00 2001
From: Damien Coles
Date: Thu, 12 Feb 2026 15:58:35 -0800
Subject: [PATCH] =?UTF-8?q?read=20DnsServer=20and=20Domain=20from=20bootst?=
 =?UTF-8?q?rap.json=20=E2=80=94=20zero-param=20bootstrap?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitignore | 3 +++
 CHANGELOG.md | 3 ++-
 README.md | 32 ++++++++++++++++++++++++--------
 bootstrap.ps1 | 33 +++++++++++++++++++++++++++------
 4 files changed, 56 insertions(+), 15 deletions(-)
diff --git a/.gitignore b/.gitignore
index c1aa053..f789ed3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,9 @@ config.yml
 # CA certificate (unique per deployment)
 ca.crt
+# Deployment config (unique per deployment)
+bootstrap.json
+
 # Downloaded at install time
 nebula.exe
 nebula-cert.exe
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f9871c..b17ea3f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,8 @@ DNS persistence and domain authentication at the login screen.
-- `install-nebula.ps1` now requires `-DnsServer` and `-Domain` parameters
+- `bootstrap.ps1` now reads `DnsServer` and `Domain` from `bootstrap.json` — no required parameters
+- `install-nebula.ps1` now requires `-DnsServer` and `-Domain` parameters (passed automatically by bootstrap)
 - Nebula service changed from `delayed-auto` to `auto` start — NlaSvc dependency already ensures the physical network is up
 - Creates a `NebulaDNS` scheduled task that runs at startup to re-apply DNS on the `nebula1` adapter after Nebula recreates it, wait for the DC to become reachable, and force Netlogon DC rediscovery via `nltest`
 - Idempotency check now also verifies the scheduled task and startup script exist
diff --git a/README.md b/README.md
index a06dfa0..5c8998f 100644
--- a/README.md
+++ b/README.md
@@ -8,13 +8,15 @@ For domain controller setup requirements, see [DC-SETUP.md](DC-SETUP.md).
 ## Prerequisites
-Before running, you need the following **per-host files** prepared by the domain administrator:
+The domain administrator prepares a deployment package containing:
+- `ca.crt` — Nebula CA certificate (ships with the scripts)
+- `bootstrap.json` — Deployment config with DNS server and domain name (ships with the scripts)
 - `config.yml` — Nebula configuration (use forward slashes in all paths)
 - `host.crt` — Nebula certificate signed by the CA
 - `host.key` — Nebula private key
-These files are unique to each machine and should be placed in a directory you will run the scripts from.
+The per-host files (`config.yml`, `host.crt`, `host.key`) are unique to each machine and should be placed in a directory you will run the scripts from.
 ## Package Contents
@@ -24,6 +26,8 @@ These files are unique to each machine and should be placed in a directory you w
 | `install-nebula.ps1` | Downloads Nebula and installs it as a Windows service |
 | `set-dns.ps1` | Points the Nebula adapter's DNS at the domain controller |
 | `join-domain.ps1` | Joins the machine to the domain |
+| `ca.crt` | Nebula CA certificate (provided by admin) |
+| `bootstrap.json` | Deployment config: DNS server IP and domain name (provided by admin) |
 ## Usage
@@ -38,16 +42,16 @@ Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
 From the directory containing your per-host files (`config.yml`, `host.crt`, `host.key`):
 ```powershell
-& "C:\path\to\nebula\bootstrap.ps1" -DnsServer 10.10.10.13 -Domain "arvandor.internal"
+& "C:\path\to\nebula\bootstrap.ps1"
 ```
 Optionally pass `-ComputerName` to validate the machine name matches a pre-staged AD object:
 ```powershell
-& "C:\path\to\nebula\bootstrap.ps1" -DnsServer 10.10.10.13 -Domain "arvandor.internal" -ComputerName "WS-NAME"
+& "C:\path\to\nebula\bootstrap.ps1" -ComputerName "WS-NAME"
 ```
-This runs all three steps in order, prompts for domain credentials, and offers to restart when finished.
+DNS server and domain are read from `bootstrap.json` in the script directory. This runs all three steps in order, prompts for domain credentials, and offers to restart when finished.
 ### Step-by-step
@@ -66,15 +70,27 @@ If you need to run steps individually:
 ### Parameters
-**install-nebula.ps1**
+**bootstrap.ps1**
+- `-ComputerName` (optional) — Expected NetBIOS name (max 15 characters). Warns if the current machine name doesn't match.
+- Reads `DnsServer` and `Domain` from `bootstrap.json`.
+
+**bootstrap.json**
+```json
+{
+ "DnsServer": "10.10.10.13",
+ "Domain": "arvandor.internal"
+}
+```
+
+**install-nebula.ps1** (standalone use)
 - `-DnsServer` (required) — IP address of the domain controller. Used to configure DNS persistence across reboots.
 - `-Domain` (required) — FQDN of the Active Directory domain. Used to configure Netlogon DC rediscovery at startup.
-**set-dns.ps1**
+**set-dns.ps1** (standalone use)
 - `-DnsServer` (required) — IP address of the domain controller
 - `-InterfaceAlias` (optional) — Target a specific adapter. Defaults to `nebula1`
-**join-domain.ps1**
+**join-domain.ps1** (standalone use)
 - `-Domain` (required) — FQDN of the Active Directory domain
 - `-ComputerName` (optional) — Expected NetBIOS name (max 15 characters). If provided and the current machine name doesn't match, the script warns but proceeds with the join under the current name.
diff --git a/bootstrap.ps1 b/bootstrap.ps1
index 4a86f64..35ec9e8 100644
--- a/bootstrap.ps1
+++ b/bootstrap.ps1
@@ -1,12 +1,6 @@
 #Requires -RunAsAdministrator
 param(
- [Parameter(Mandatory=$true)]
- [string]$DnsServer,
-
- [Parameter(Mandatory=$true)]
- [string]$Domain,
-
 [Parameter(Mandatory=$false)]
 [string]$ComputerName
 )
@@ -23,6 +17,33 @@ if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administra
 $ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
+# --- Read deployment config ---
+
+$configFile = Join-Path $ScriptDir "bootstrap.json"
+if (-not (Test-Path $configFile)) {
+ Write-Error "Missing bootstrap.json in $ScriptDir. This file should be provided by the domain administrator."
+ exit 1
+}
+
+try {
+ $config = Get-Content $configFile -Raw | ConvertFrom-Json
+} catch {
+ Write-Error "Failed to parse bootstrap.json: $_"
+ exit 1
+}
+
+if (-not $config.DnsServer) {
+ Write-Error "bootstrap.json is missing required field: DnsServer"
+ exit 1
+}
+if (-not $config.Domain) {
+ Write-Error "bootstrap.json is missing required field: Domain"
+ exit 1
+}
+
+$DnsServer = $config.DnsServer
+$Domain = $config.Domain
+
 # --- Step 1: Install Nebula ---
 Write-Host ""
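Review bot: The try/catch around `$config = Get-Content $configFile -Raw | ConvertFrom-Json` only catches terminating errors, and a Get-Content read failure (for example access denied on bootstrap.json) is non-terminating, so `$config` would be left `$null` and the script would report the misleading "missing required field: DnsServer" instead of the read error; I am also not certain ConvertFrom-Json's parse error is terminating on every PowerShell version. Make the failure path deterministic with `$config = Get-Content $configFile -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop`. The two field checks only test truthiness, and since these values are handed on to the DNS persistence and Netlogon steps (per the README and CHANGELOG, outside this hunk), a format check such as `if (-not [System.Net.IPAddress]::TryParse($config.DnsServer, [ref]$null)) { Write-Error "bootstrap.json: DnsServer is not a valid IP address"; exit 1 }` would catch a typo in the deployment package before it is written into the host's DNS configuration. The script body continues past the end of this hunk.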