-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
88 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| <# | ||
| .SYNOPSIS | ||
| Setup Syncthing using a standalone managed service account (sMSA) | ||
| .LINK | ||
| https://docs.syncthing.net/users/autostart.html#run-as-a-service-independent-of-user-login | ||
| .LINK | ||
| https://cybergladius.com/secure-windows-scheduled-tasks-with-managed-service-accounts/ | ||
| #> | ||
|
|
||
| # It may be possible to use psexec to run a command prompt as a service account | ||
| # https://learn.microsoft.com/en-us/sysinternals/downloads/psexec | ||
|
|
||
| $ErrorActionPreference = "Stop" | ||
|
|
||
| . "${PSScriptRoot}\Utils.ps1" | ||
|
|
||
| Install-Chocolatey | ||
| choco install syncthing -y | ||
|
|
||
| $Domain = Get-ADDomain | ||
| $AccountName = "svc-$("${env:ComputerName}".ToLower())-sync" | ||
| $AccountFullName = "$($Domain.NetBIOSName)\${AccountName}" | ||
| echo "Using account name: ${AccountName}" | ||
|
|
||
| try { | ||
| # Get-LocalUser "Syncthing" | ||
| $Account = Get-ADServiceAccount -Identity "${AccountName}" | ||
| } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { | ||
| Show-Output "The Syncthing user was not found. Creating." | ||
|
|
||
| # If you get the error "New-ADServiceAccount : Key does not exist" | ||
| # Run this: | ||
| # Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10)) | ||
| # https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key | ||
|
|
||
| $Account = New-ADServiceAccount -Name "${AccountName}" -RestrictToSingleComputer | ||
| } | ||
| Show-Output "Installing the AD Service account" | ||
| Install-ADServiceAccount $Account | ||
| Test-ADServiceAccount $AccountName | ||
|
|
||
| $SyncthingRoot = "${env:HomeDrive}\Syncthing" | ||
| if (Test-Path "${SyncthingRoot}") { | ||
| Show-Output "Syncthing folder exists at ${SyncthingRoot}" | ||
| } else { | ||
| Show-Output "Creating Syncthing folder at ${SyncthingRoot}" | ||
| New-Item -Path "${SyncthingRoot}" -ItemType Directory | ||
| } | ||
|
|
||
| # https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-7.4#example-5-grant-administrators-full-control-of-the-file | ||
| $NewAcl = Get-Acl -Path "${SyncthingRoot}" | ||
| $NTAccount = New-Object System.Security.Principal.NTAccount($Domain.NetBIOSName, "${AccountName}`$") | ||
| $NewAcl.SetOwner($NTAccount) | ||
| $AccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule("${AccountName}`$", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow") | ||
| $NewAcl.SetAccessRule($AccessRule) | ||
| Set-Acl -Path "${SyncthingRoot}" -AclObject $NewAcl | ||
|
|
||
| # $Credential = New-Object System.Management.Automation.PSCredential("${AccountName}`$", (New-Object System.Security.SecureString)) | ||
| # $Credential = Get-Credential -UserName $AccountName | ||
| # echo $AccountFullName | ||
| # echo $Credential | ||
|
|
||
| # try { | ||
| # Get-Service "Syncthing" | ||
| # sc.exe stop "Syncthing" | ||
| # sc.exe delete "Syncthing" | ||
| # Start-Sleep -Seconds 5 | ||
| # } catch {} | ||
|
|
||
| # This results in error 1053 when starting | ||
| # New-Service -Name "Syncthing" -BinaryPathName "${env:ProgramData}\chocolatey\bin\syncthing.exe --no-console --no-restart --no-browser --home=`"${SyncthingRoot}`"" | ||
|
|
||
| # .\nssm.exe install "Syncthing" | ||
|
|
||
| # Show-Output "You have to configure the account for the service manually. Go to services.msc -> Syncthing -> Properties -> Log On and use the account ${AccountFullName}`$ with an empty password." | ||
|
|
||
| Get-ScheduledTask -TaskName "Syncthing" -ErrorAction SilentlyContinue -OutVariable Task | ||
| if ($Task) { | ||
| Show-Output "Unregistering old scheduled task" | ||
| Unregister-ScheduledTask -TaskName "Syncthing" | ||
| Start-Sleep -Seconds 1 | ||
| } | ||
|
|
||
| $Trigger = New-ScheduledTaskTrigger -AtStartup | ||
| $Action = New-ScheduledTaskAction -Execute "${env:ProgramData}\chocolatey\bin\syncthing.exe" -Argument "--no-console --no-browser --home=`"${SyncthingRoot}`"" | ||
| $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit "00:00:00" # -Priority 8 | ||
| $Principal = New-ScheduledTaskPrincipal -UserId "${AccountFullName}`$" -LogonType Password -RunLevel Highest | ||
| Register-ScheduledTask -TaskName "Syncthing" -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal |