4dd300e7ab
Hypothesis test for WJ Phase 2 stuck issue. GE Report IP script
filters Get-NetIPAddress on StartsWith("10.") - WJ bays don't see
ANY 10.x because:
- PXE LAN is 10.9.100.x (we'd disable wired anyway to avoid leak)
- Internet WiFi at site is 172.16.x (filter rejects)
- AESFMA corp WiFi (10.x) requires machine cert that Intune SCEP
provisions a few minutes AFTER PPKG enrollment
Result: Report IP webhook gets nothing -> GE backend never sees the
bay -> bay never enters the dynamic group that SFLD policy is
assigned to. Other GE sites work because their corp WiFi/wired is
on a real 10.x corp network and the script always finds a 10.x to
report.
Drop the MA package (8021x.xml + AESFMA.xml + multi-NIC bat) onto
each bay early in Run-ShopfloorSetup, run MA4NetworkConfigv2.bat to
import both profiles to every physical wired + wireless adapter.
AESFMA.xml patched to connectionMode=auto (default V02 was manual)
so WLAN service auto-joins as soon as the SCEP cert lands. Bay
gets a real 10.x corp address. Report IP webhook fires cleanly.
Profile XMLs (8021x.xml, AESFMA.xml, BLUESSO.xml, WiFi-Profile.xml,
*.wlanprofile, *.lanprofile) added to .gitignore - they contain
GE-internal SSID + trusted-root thumbprint and are staged on the
PXE enrollment share at /srv/samba/enrollment/MachineAuth/ instead
of git.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
107 lines
2.6 KiB
Plaintext
107 lines
2.6 KiB
Plaintext
# Large binary files — download/build these, don't commit them
|
|
*.deb
|
|
*.zip
|
|
*.wim
|
|
*.iso
|
|
*.efi
|
|
*.sdi
|
|
|
|
# OneDrive download artifacts
|
|
OneDrive_*/
|
|
|
|
# Error folders from OneDrive download
|
|
__*/
|
|
___*.txt
|
|
|
|
# Original OneDrive folder structure (reorganized into autoinstall/ and playbook/)
|
|
WestJeff*/
|
|
|
|
# Duplicate at root (canonical copy in unattend/)
|
|
/FlatUnattendW10.xml
|
|
|
|
# Offline packages (built by download-packages.sh)
|
|
offline-packages/
|
|
|
|
# Boot tool binaries (built by prepare-boot-tools.sh)
|
|
boot-tools/
|
|
# Track the Blancco GRUB config as source-of-truth for grubx64.efi rebuilds.
|
|
# prepare-boot-tools.sh rebuilds grubx64.efi from this file via grub-mkstandalone.
|
|
!boot-tools/blancco/grub-blancco.cfg
|
|
|
|
# WinPE boot files (wimboot, boot.wim, BCD, ipxe.efi, etc.)
|
|
boot-files/
|
|
# Exception: track undionly.kpxe (open-source iPXE BIOS-mode NBP for
|
|
# legacy PXE clients, ~70KB, from boot.ipxe.org). Makes air-gapped USB
|
|
# build self-contained without a separate fetch step.
|
|
!boot-files/undionly.kpxe
|
|
|
|
# Python wheels for offline install (built by download-packages.sh)
|
|
pip-wheels/
|
|
|
|
# Deployment images (imported via webapp or USB)
|
|
geastandardpbr/
|
|
|
|
# OS files
|
|
.DS_Store
|
|
Thumbs.db
|
|
|
|
# Python
|
|
__pycache__/
|
|
*.pyc
|
|
*.pyo
|
|
venv/
|
|
|
|
# MOK Secure Boot signing keys (contains private key)
|
|
mok-keys/
|
|
|
|
# Secrets
|
|
secrets.md
|
|
**/eMxInfo*.txt
|
|
*.ppkg
|
|
enrollment/
|
|
drivers-staging/
|
|
bios-staging/
|
|
.claude/
|
|
|
|
# Secrets and credentials (defensive)
|
|
.env
|
|
.env.*
|
|
!.env.example
|
|
!.env.*.example
|
|
*.pem
|
|
*.key
|
|
id_rsa
|
|
id_rsa.*
|
|
*.ppk
|
|
*.p12
|
|
*.pfx
|
|
secrets.json
|
|
secrets.yaml
|
|
secrets.yml
|
|
*_secret
|
|
*_secrets
|
|
credentials.json
|
|
|
|
# GE-internal WiFi / 802.1X profiles - contain SSID + trusted-root thumbprint.
|
|
# Staged on PXE share at /srv/samba/enrollment/MachineAuth/ and copied to
|
|
# bays during imaging. Never check these into git.
|
|
AESFMA.xml
|
|
8021x.xml
|
|
BLUESSO.xml
|
|
WiFi-Profile.xml
|
|
*.wlanprofile
|
|
*.lanprofile
|
|
|
|
# Pre-staged binary (142 MB) - track via LFS or stage on PXE server, not in regular git
|
|
playbook/shopfloor-setup/Shopfloor/PrinterInstallerMap.exe
|
|
|
|
# Keyence VR-6000 InstallShield payload (560 MB). InstallShield MSIs split
|
|
# the compressed payload into Data1.cab; without it next to the MSI, msiexec
|
|
# exits 1603 with "SECREPAIR: Failed to open Data1.cab" (see
|
|
# /home/camp/pxe-images/keyence/Logs/Keyence/install.log for the signature).
|
|
# Canonical source on the GE-Enforce SFLD share:
|
|
# tsgwp00525\sfld$\v2\shared\dt\shopfloor\gea-shopfloor-keyence\apps\Data1.cab
|
|
# Stage to playbook/shopfloor-setup/gea-shopfloor-keyence/installers/Data1.cab
|
|
# before building the USB image.
|
|
playbook/shopfloor-setup/gea-shopfloor-keyence/installers/Data1.cab
|