@tartavull
Created June 16, 2026 02:06
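# Provisions a Windows host for remote administration via the Tinymile bastion:
#   1. installs/enables OpenSSH Server and Client,
#   2. creates the local admin user "tinymile" with a random, never-displayed password,
#   3. downloads the bastion's SSH user CA and trusts it (TrustedUserCAKeys) for inbound logins,
#   4. generates an outbound ed25519 key and registers a SYSTEM scheduled task that keeps
#      a reverse SSH tunnel to the bastion alive.
# Run from an elevated PowerShell session. Side effects: Windows capabilities, the sshd
# service, a local account, files under $env:ProgramData\ssh, one registry value and a
# scheduled task. Every failure is fatal ($ErrorActionPreference = 'Stop').
$ErrorActionPreference = 'Stop'
$ProgressPreference = 'SilentlyContinue'

# Optional pin for the downloaded user CA. Empty means "accept whatever the HTTPS
# download returns" (transport security only). Set it to the CA's "SHA256:..."
# fingerprint as printed by `ssh-keygen -l` to refuse any other key.
$expectedCaFingerprint = ''

$sshDir = Join-Path $env:ProgramData 'ssh'
New-Item -ItemType Directory -Force -Path $sshDir | Out-Null
$openSshBin = "$env:WINDIR\System32\OpenSSH"
$sshKeygen = Join-Path $openSshBin 'ssh-keygen.exe'

Write-Host 'Installing/enabling OpenSSH Server...'
# Add-WindowsCapability is slow even when nothing changes, so check the state first.
foreach ($capability in 'OpenSSH.Server~~~~0.0.1.0', 'OpenSSH.Client~~~~0.0.1.0') {
  $current = Get-WindowsCapability -Online -Name $capability
  if ($current.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capability | Out-Null
  }
}
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd

Write-Host 'Creating/configuring tinymile local admin user...'
if (-not (Get-LocalUser -Name tinymile -ErrorAction SilentlyContinue)) {
  # 24 CSPRNG bytes (192 bits), base64-encoded; the fixed prefix only satisfies
  # complexity policy. The password is not recorded or printed anywhere by this script.
  $pwBytes = New-Object byte[] 24
  [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($pwBytes)
  $pw = ConvertTo-SecureString ('Tm1!' + [Convert]::ToBase64String($pwBytes)) -AsPlainText -Force
  New-LocalUser -Name tinymile -Password $pw -FullName 'Tinymile Remote Admin' -PasswordNeverExpires | Out-Null
}
Enable-LocalUser -Name tinymile
Set-LocalUser -Name tinymile -PasswordNeverExpires $true
# SilentlyContinue: the cmdlet reports "already a member" as an error on re-runs.
Add-LocalGroupMember -Group Administrators -Member tinymile -ErrorAction SilentlyContinue

Write-Host 'Trusting bastion SSH user CA for inbound remote admin...'
$caPath = Join-Path $sshDir 'bastion.ca'
$caDownload = Join-Path $sshDir 'bastion.ca.download'
# Download to a side file so a failed or truncated transfer cannot replace a
# CA file that is already working.
Invoke-WebRequest -UseBasicParsing https://storage.googleapis.com/credential.tinymile.ai/bastion.ca -OutFile $caDownload
# Whatever lands in TrustedUserCAKeys can mint Administrator logins, so refuse
# anything that is not a parseable SSH public key before installing it.
$caFingerprint = (& $sshKeygen -l -f $caDownload) -join "`n"
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($caFingerprint)) {
  Remove-Item -Force -Path $caDownload -ErrorAction SilentlyContinue
  throw 'Downloaded bastion.ca is not a valid SSH public key; refusing to install it as TrustedUserCAKeys.'
}
if ($expectedCaFingerprint -and -not $caFingerprint.Contains($expectedCaFingerprint)) {
  Remove-Item -Force -Path $caDownload -ErrorAction SilentlyContinue
  throw "bastion.ca fingerprint '$caFingerprint' does not match the pinned '$expectedCaFingerprint'."
}
# Logged on purpose: the fingerprint is what an operator audits against the bastion.
Write-Host "Bastion user CA: $caFingerprint"
Move-Item -Force -Path $caDownload -Destination $caPath
# NOTE(review): bastion.ca inherits $sshDir's ACL; confirm non-administrators cannot write it.

$config = Join-Path $sshDir 'sshd_config'
if (-not (Test-Path $config)) { New-Item -ItemType File -Path $config | Out-Null }
# Get-Content -Raw yields $null for an empty file; coerce so the string ops below are safe.
$text = [string](Get-Content $config -Raw)
# Remove any earlier TrustedUserCAKeys directive, then insert ours before the first
# "Match" block: a directive placed after a Match line would only apply conditionally.
$text = [regex]::Replace($text, '(?m)^\s*TrustedUserCAKeys\s+.*\r?\n?', '')
$line = 'TrustedUserCAKeys __PROGRAMDATA__/ssh/bastion.ca'
$firstMatchBlock = [regex]::Match($text, '(?m)^Match\s+')
if ($firstMatchBlock.Success) {
  $text = $text.Insert($firstMatchBlock.Index, "$line`r`n")
} else {
  $text = $text.TrimEnd() + "`r`n$line`r`n"
}
Set-Content -Path $config -Value $text -Encoding ascii
# Make PowerShell the shell for inbound SSH sessions (default would be cmd.exe).
New-ItemProperty -Path HKLM:\SOFTWARE\OpenSSH -Name DefaultShell -Value "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force | Out-Null
# Restart picks up the new sshd_config; a broken config makes this fail and aborts the script.
Restart-Service sshd

Write-Host 'Generating outbound bastion tunnel key...'
$key = Join-Path $sshDir 'office_bastion_ed25519'
if (-not (Test-Path $key)) {
  # Passphrase-less on purpose: the key is used unattended by the SYSTEM task below.
  & $sshKeygen -q -t ed25519 -N '' -C "office-windows-$env:COMPUTERNAME" -f $key
}
# Strip inherited ACEs; only SYSTEM (task owner) and Administrators may read the private key.
icacls.exe $key /inheritance:r | Out-Null
icacls.exe $key /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null

$tunnel = Join-Path $sshDir 'office-bastion-tunnel.ps1'
# Single-quoted here-string: nothing is expanded here; the $env references are
# resolved when the generated script runs under the scheduled task.
$tunnelScript = @'
# Keeps a reverse SSH tunnel to the bastion open; started at boot as SYSTEM.
$ssh = "$env:WINDIR\System32\OpenSSH\ssh.exe"
$key = "$env:ProgramData\ssh\office_bastion_ed25519"
$knownHosts = "$env:ProgramData\ssh\office_bastion_known_hosts"
$log = "$env:ProgramData\ssh\office-bastion-tunnel.log"
while ($true) {
  Add-Content -Path $log -Value ((Get-Date -Format o) + ' starting tunnel')
  # StrictHostKeyChecking=accept-new trusts the bastion host key on first contact and
  # pins it in $knownHosts afterwards; pre-seeding that file would remove the first-use trust.
  & $ssh -NT -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=accept-new -o StreamLocalBindUnlink=yes -o "UserKnownHostsFile=$knownHosts" -i $key -R /run/robots/office.sock:localhost:22 robot-tunnel@bastion.pink.bot >> $log 2>&1
  Add-Content -Path $log -Value ((Get-Date -Format o) + " tunnel exited $LASTEXITCODE; retrying")
  Start-Sleep -Seconds 15
}
'@
Set-Content -Path $tunnel -Value $tunnelScript -Encoding ascii

Write-Host 'Creating startup task for the bastion tunnel...'
$taskName = 'Office Bastion Tunnel'
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$tunnel`""
$trigger = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
# IgnoreNew: the tunnel script loops forever, so a second instance must never start.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null
Start-ScheduledTask -TaskName $taskName

# Hand the public half to the operator; the tunnel stays in its retry loop until the
# bastion has it registered.
$pub = Get-Content "$key.pub" -Raw
$pub | Set-Clipboard
Write-Host ''
Write-Host 'PUBLIC KEY COPIED TO CLIPBOARD. Send this line to Codex:'
Write-Host $pub
Write-Host ''
Write-Host 'Tunnel task is installed and retrying. It will connect after Codex registers the public key on bastion.'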