Windows prerequisite
Installation
- Language: English (US)
- Region: Korea
- Keyboard: US
- Internet connection
- Account setting: at the account sign-in screen open a command prompt (Shift + F10) and run the command below; it switches OOBE to local-account setup instead of requiring a Microsoft account
start ms-cxh:localonly
Initial configuration
Time and language
- Preferred Languages: Add a Language: Korean
- Don't set additional options
- Typing: Advanced Keyboard setting: Override for default input method: Korean: Microsoft IME
Set the password
- Settings: Accounts: Sign-in options
- Password
- PIN
- Windows Hello
Disable unused functions
# Administrator privileges are required
## Disable Recall
DISM /Online /Disable-Feature /FeatureName:Recall /NoRestart
## Disable Copilot
reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot" /v TurnOffWindowsCopilot /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsCopilot" /v TurnOffWindowsCopilot /t REG_DWORD /d 1 /f
## Delete programs
Get-AppxPackage *bingnews* | Remove-AppxPackage
Get-AppxPackage *bingweather* | Remove-AppxPackage
Get-AppxPackage *gethelp* | Remove-AppxPackage
Get-AppxPackage *tips* | Remove-AppxPackage
Get-AppxPackage *feedbackhub* | Remove-AppxPackage
Get-AppxPackage *solitairecollection* | Remove-AppxPackage
Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage
Get-AppxPackage *outlookforwindows* | Remove-AppxPackage
Get-AppxPackage *people* | Remove-AppxPackage
Get-AppxPackage *clipchamp* | Remove-AppxPackage
Get-AppxPackage *todos* | Remove-AppxPackage
Get-AppxPackage *quickassist* | Remove-AppxPackage
Get-AppxPackage *windowsmaps* | Remove-AppxPackage
Get-AppxPackage *xbox* | Remove-AppxPackage
Get-AppxPackage *gamingapp* | Remove-AppxPackage
## Disable telemetry (the startup type value is "Disabled"; "Disable" is rejected by Set-Service)
Stop-Service DiagTrack
Set-Service DiagTrack -StartupType Disabled
Stop-Service dmwappushservice
Set-Service dmwappushservice -StartupType Disabled
## Compact OS configuration
compact /compactos:always
Delete programs
- Add or remove programs
- Copilot
- Family
- Microsoft 365 language packs (all except en-US and ko-KR)
- Microsoft 365 Copilot
- Microsoft Edge Game Assist
- Microsoft OneDrive
- Microsoft Teams
- Speech pack
Edge configuration
- Settings: System and performance: System
- Disable All options
Explorer configuration
- Settings: Privacy
- Disable All options
Microsoft account sign-in
- Sign in with the Microsoft account inside individual apps only, not for the Windows account itself:
- Surface app
- Microsoft 365 (Office)
Install Microsoft app
- Microsoft PC manager
Firewall configuration
- Windows Defender Firewall: Inbound Rules:
- File and Printer Sharing (Echo Request - ICMPv4-In) - Profile: Private, Public
  - General: [x] Enabled
  - Scope: Remote IP address: 192.168.1.0/24, 192.168.10.0/24, 192.168.99.0/24 (ping is answered only from these home subnets)
- File and Printer Sharing (Echo Request - ICMPv6-In) - Profile: Private, Public
  - General: [x] Enabled
  - Scope: Remote IP address: fd00::/8
- Apply
NIC VLAN configuration
- Device Manager: Network Adapters: Surface network adapters
- Advanced:Priority & VLAN: Priority & VLAN disable
Set WSL2
Create wsl config
- C:\Users\$USERNAME\.wslconfig
[wsl2]
processors=4
memory=4294967296
swap=0
defaultVhdSize=34359738368
networkingMode=Mirrored
Installation
# Run as administrator
# Install wsl
wsl --install -d Debian
# Enter new UNIX username: debian
# Enter new password: debian
wsl --shutdown
# --- Uninstall Debian ---
# wsl --unregister Debian
# wsl --uninstall
# ------
WSL Debian configuration
# PowerShell
wsl -d Debian
# bash
## User create
sudo groupadd -g 2000 svadmins
sudo useradd -u 2999 -g svadmins -G sudo -c "Console Client" -m -d /home/console -s /bin/bash console
sudo passwd console
# New password: [password]
exit
# PowerShell
wsl --shutdown
wsl -d Debian -u console
# bash
## Delete the initial user and set wsl.conf
sudo userdel -r debian
echo '[user]' | sudo tee -a /etc/wsl.conf
echo 'default=console' | sudo tee -a /etc/wsl.conf
echo '[network]' | sudo tee -a /etc/wsl.conf
echo 'generateHosts = false' | sudo tee -a /etc/wsl.conf
exit
wsl --shutdown
wsl -d Debian
## package
sudo apt update && sudo apt upgrade
sudo apt install curl jq gnupg git fuse3
sudo apt install ansible-core ansible-lint --no-install-recommends
ansible-galaxy collection install community.libvirt
ansible-galaxy collection install community.general
ansible-galaxy collection install ansible.posix
## SOPS (arm64)
## Check for latest release: Current version: 3.12.1
## x86_64 url: https://github.com/getsops/sops/releases/download/v3.12.1/sops_3.12.1_amd64.deb
curl -L -o sops_3.12.1.deb https://github.com/getsops/sops/releases/download/v3.12.1/sops_3.12.1_arm64.deb
sudo apt install ./sops_3.12.1.deb
rm -rf ./sops_3.12.1.deb
mkdir ~/workspace
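The SOPS step above installs a .deb fetched straight from GitHub with no integrity check. The helper below is an added example, not part of the original notes: it checks the downloaded asset against the release's checksum list before `apt install`. It assumes the sops release publishes a `sops-v<version>.checksums.txt` in the goreleaser format (`<sha256>  <asset name>`) next to the .deb; the lookup is by file name, so keep the asset's original name rather than renaming it to `sops_3.12.1.deb` as the notes do. The self-check at the end uses constructed files, not real release data.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): verify a downloaded release asset against a
# goreleaser-style checksum list before installing it. Assumption: the sops release page
# publishes "sops-v<version>.checksums.txt" with lines "<sha256>  <asset name>".
set -euo pipefail

# Print the SHA-256 of a file, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_asset FILE CHECKSUMS: 0 = hash matches, 1 = mismatch, 2 = no entry for that name.
# The lookup is by basename, so the downloaded file must keep its original asset name.
verify_asset() {
  local file="$1" sums="$2"
  local name expected actual
  name="$(basename "$file")"
  expected="$(awk -v f="$name" '$2 == f {print $1}' "$sums")"
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 2
  fi
  actual="$(sha256_of "$file")"
  if [ "$expected" != "$actual" ]; then
    echo "CHECKSUM MISMATCH for $name: expected $expected got $actual" >&2
    return 1
  fi
  echo "ok: $name"
}

# Real-world use in WSL (network access; version and URL as in the notes above):
#   ver=3.12.1
#   base=https://github.com/getsops/sops/releases/download/v$ver
#   curl -fsSLO "$base/sops_${ver}_arm64.deb"
#   curl -fsSLO "$base/sops-v$ver.checksums.txt"
#   verify_asset "sops_${ver}_arm64.deb" "sops-v$ver.checksums.txt" \
#     && sudo apt install "./sops_${ver}_arm64.deb"

# Offline self-check with constructed files (no real release data): a matching file, a
# tampered copy and a file with no entry must yield the three exit codes documented above.
demo_verify() {
  local tmp; tmp="$(mktemp -d)"
  printf 'constructed fake deb payload\n' > "$tmp/sops_3.12.1_arm64.deb"
  printf '%s  sops_3.12.1_arm64.deb\n' "$(sha256_of "$tmp/sops_3.12.1_arm64.deb")" > "$tmp/sums.txt"
  local good=0 tampered=0 missing=0
  verify_asset "$tmp/sops_3.12.1_arm64.deb" "$tmp/sums.txt" >/dev/null 2>&1 || good=$?
  printf 'tampered\n' > "$tmp/sops_3.12.1_arm64.deb"
  verify_asset "$tmp/sops_3.12.1_arm64.deb" "$tmp/sums.txt" >/dev/null 2>&1 || tampered=$?
  printf 'x\n' > "$tmp/other.deb"
  verify_asset "$tmp/other.deb" "$tmp/sums.txt" >/dev/null 2>&1 || missing=$?
  rm -rf "$tmp"
  echo "$good $tampered $missing"   # expected: 0 1 2
}
```

A checksum file served from the same place as the binary only protects against a corrupted or substituted download, not against a compromised release; if the release also ships a signature for the checksum list, verify that signature first and then the checksums.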
VS Code
VS Code Download
- Download from https://code.visualstudio.com/Download#
User Installer Arm64
VS Code configuration
- Extensions (Ctrl + Shift + X): install "WSL" by Microsoft
- Remote Explorer: Debian: Connect in Current Window
- Open folder (Ctrl + K, Ctrl + O): /home/console/workspace
- Terminal (Ctrl + Shift + `)
- Extensions (Ctrl + Shift + X): install "Ansible" by Red Hat
Playbooks
# Ansible playbook
# Copy the whole "workspace" directory to Debian via VS Code first
cd ~/workspace/homelab/ansible
ansible-playbook playbooks/console/site.yaml --tags "init"
Terminal configuration
- Settings: Startup: Default profile: Debian
- Settings: Profiles: Debian:
  - Icon: "ms-appx:///ProfileIcons/{61c54bbd-c2c6-5271-96e7-009a87ff44bf}.png"
  - Starting directory: ~
Secret management
Flow
- Secret data
  - secrets.yaml: encrypted by sops with the age key
- age key
  - age-key.gpg and ansible/group_vars/all.yaml: encrypted by gpg and Ansible Vault with the master key
- Master key
  - A passphrase of more than 40 characters containing upper- and lower-case letters, digits and special characters
  - Kept only on physical media (memorized, M-DISC, paper) as a file, a string or a QR code
  - This value is never stored on a server or on the console.
- The root CA (including the SSH CA) must not be deployed.
  - Tasks that need the root CA are performed manually. The source of trust is the most important thing in security.
- An intermediate CA can be deployed.
  - The intermediate CA runs as a live server.
  - The intermediate CA can be revoked by the root CA.
  - Only the encrypted private key of the intermediate CA is deployed.
  - The CA server decrypts the intermediate CA private key in memory at runtime.
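The flow above as shell helpers, added here as an example and not part of the original notes. Assumed names: age-key.gpg (the age identity, symmetrically gpg-encrypted with the master passphrase), secrets.yaml (sops/age encrypted) and .sops.yaml, all in the ansible directory. `SOPS_AGE_KEY` is the environment variable from which sops reads an age identity; the real steps need age, sops and gpg installed, while `write_sops_config` needs only the shell. The CA handling is not covered here.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): the master-key -> age-key -> secrets layering
# as commands. Assumed file names: age-key.gpg, secrets.yaml, .sops.yaml.
set -euo pipefail

# write_sops_config DIR RECIPIENT: create DIR/.sops.yaml so that `sops` encrypts secrets.yaml
# for the given age public key (age1...). Prints the path written.
write_sops_config() {
  local dir="$1" recipient="$2"
  case "$recipient" in
    age1*) ;;
    *) echo "not an age public key: $recipient" >&2; return 2 ;;
  esac
  cat > "$dir/.sops.yaml" <<EOF
creation_rules:
  - path_regex: secrets\\.yaml\$
    age: $recipient
EOF
  printf '%s\n' "$dir/.sops.yaml"
}

# bootstrap_age_key OUT: one-time. Generate the age identity, encrypt it with the master
# passphrase (gpg prompts for it; the passphrase is typed, never stored) and keep only OUT on
# disk. Prints the age public key, to be passed to write_sops_config.
bootstrap_age_key() {
  local out="$1" key pub
  key="$(age-keygen 2>/dev/null)"                 # identity text, held only in this shell
  pub="$(printf '%s\n' "$key" | age-keygen -y)"   # derive the recipient from the identity
  printf '%s\n' "$key" | gpg --symmetric --cipher-algo AES256 --output "$out" -
  printf '%s\n' "$pub"
}

# with_age_key ENC CMD...: decrypt ENC with the master passphrase and run CMD with the age
# identity only in its environment (SOPS_AGE_KEY, read by sops). The plaintext key never
# touches disk and is gone when CMD exits.
with_age_key() {
  local enc="$1"; shift
  local key
  key="$(gpg --quiet --decrypt "$enc")"
  SOPS_AGE_KEY="$key" "$@"
}

# Typical session from ~/workspace/homelab/ansible (the master passphrase is prompted twice:
# once by gpg for the age key, once by Ansible Vault for group_vars/all.yaml):
#   pub=$(bootstrap_age_key age-key.gpg) && write_sops_config . "$pub"   # first time only
#   sops --encrypt --in-place secrets.yaml                                 # uses .sops.yaml
#   with_age_key age-key.gpg sops --decrypt secrets.yaml
#   with_age_key age-key.gpg ansible-playbook --ask-vault-pass playbooks/console/site.yaml
```

The decrypted age identity lives only in the shell's memory and in the child's environment; on Linux that environment is readable through /proc by the same user and by root, so the protection is against persistence on disk and backups, not against a compromised console session. Because the same master passphrase unlocks both age-key.gpg and the vault, losing it loses everything, which is why the notes keep it on physical media.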