Build Windows Templates in RHV

roles/oatakan.windows_update/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: disable firewall for Domain, Public and Private profiles
+  win_shell: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
+  when: "'Windows Server 2012' in ansible_distribution"
+
+- name: disable firewall for Domain, Public and Private profiles
+  win_shell: netsh advfirewall set  allprofiles state off
+  when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
+
+- name: get used space before update
+  win_shell: Get-PSDrive C | Select-Object Used | ConvertTo-Json
+  register: used_space_before_update
+  ignore_errors: yes
+
+- include_tasks: updates-all.yml
+  when:
+    - "'Windows Server 2008' not in ansible_distribution"
+    - "'Windows 7' not in ansible_distribution"
+
+#- include_tasks: updates-powershell.yml
+#  when:
+#    - install_updates | bool
+#    - "'Windows Server 2008' in ansible_distribution"
+
+- include_tasks: updates-win2008r2.yml
+  when:
+    - "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
+
+- name: get used space after update
+  win_shell: Get-PSDrive C | Select-Object Used | ConvertTo-Json
+  register: used_space_after_update
+  ignore_errors: yes
+
+- debug:
+    msg:
+      - "Used space before update: {{ ((used_space_before_update.stdout | from_json)['Used']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
+      - "Used space after update: {{ ((used_space_after_update.stdout | from_json)['Used']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
+  when:
+    - used_space_before_update.stdout is defined
+    - used_space_after_update.stdout is defined
+
+- name: enabled firewall for Domain, Public and Private profiles
+  win_shell: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
+  when: "'Windows Server 2012' in ansible_distribution"
+
+- name: enable firewall for Domain, Public and Private profiles
+  win_shell: netsh advfirewall set  allprofiles state on
+  when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"

roles/oatakan.windows_update/tasks/updates-all.yml

@@ -0,0 +1,43 @@
+---
+
+- name: check for available updates
+  win_updates:
+    category_names: "{{ win_update_category_names }}"
+    blacklist: "{{ win_update_blacklist | default(omit) }}"
+    state: searched
+  register: available_updates
+
+- debug:
+    msg: |
+      {{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
+      {% for key, value in available_updates.updates.items() %}
+        - {{ value.title }}
+      {% endfor %}
+  when: available_updates.updates is defined
+
+- include_tasks: updates-with-retry.yml
+  when:
+    - available_updates.updates is defined
+    - available_updates.found_update_count > 0
+
+- name: check for missing updates.
+  win_updates:
+    state: searched
+  register: available_updates
+
+- name: list missing updates
+  debug:
+    var: available_updates
+
+- name: check to see if update is finished
+  win_shell: gwmi -Class win32_computersystem -ComputerName 127.0.0.1 | select -ExpandProperty username -ErrorAction Stop
+  register: logon_status
+  until: logon_status is success
+  delay: 10
+  retries: 100
+  ignore_errors: yes
+  when: "'Server' not in ansible_distribution"
+
+- name: reboot windows
+  win_reboot:
+  when: "'Server' not in ansible_distribution"

roles/oatakan.windows_update/tasks/updates-powershell.yml

@@ -0,0 +1,98 @@
+---
+
+- name: update over multiple reboots
+  block:
+    - name: check for available updates
+      win_updates:
+        category_names:
+          - CriticalUpdates
+          - DefinitionUpdates
+          - SecurityUpdates
+          - UpdateRollups
+          - Updates
+        state: searched
+      register: available_updates
+
+    - debug:
+        msg: |
+          {{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
+          {% for key, value in available_updates.updates.items() %}
+            - {{ value.title }}
+          {% endfor %}
+      when: available_updates.updates is defined
+
+    - block:
+        - name: install windows updates using powershell script
+          script: win-updates.ps1
+          become: yes
+          become_method: runas
+          become_user: SYSTEM
+          when:
+            - available_updates.updates is defined
+            - available_updates.found_update_count > 0
+
+      rescue:
+        - name: reboot the system to recover from a failed update
+          win_reboot:
+            reboot_timeout: 7200
+
+    - name: wait for system to be responsive after update
+      wait_for_connection:
+        delay: 60
+        sleep: 10
+        timeout: 600
+
+    - name: check to see if reboot is required
+      win_reg_stat:
+        path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
+        name: CustomRebootRequired
+      register: update_reboot_required_key
+
+    - name: reboot the system to continue with the update
+      win_reboot:
+        reboot_timeout: 7200
+      when: update_reboot_required_key.exists
+
+    - name: check for missing updates
+      win_updates:
+        category_names:
+          - CriticalUpdates
+          - DefinitionUpdates
+          - SecurityUpdates
+          - UpdateRollups
+          - Updates
+        state: searched
+      register: missing_updates
+
+    - debug:
+        msg: |
+          {{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
+          {% for key, value in missing_updates.updates.items() %}
+            - {{ value.title }}
+          {% endfor %}
+      when: missing_updates.updates is defined
+
+    - block:
+        - name: set update count
+          set_fact:
+            update_retry_count: '{{ update_retry_count | default(0) | int + 1 }}'
+
+        - name: still more updates - need to retry
+          fail:
+            msg: >
+              '{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
+              {{ (update_retry_limit | int) - (update_retry_count | int) }} more retries left'
+          when: ((update_retry_limit | int) - (update_retry_count | int) > 0)
+      when: missing_updates.found_update_count > 0
+
+    - name: ensure the CustomRebootRequired key doesn't exist
+      win_regedit:
+        path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
+        name: CustomRebootRequired
+        state: absent
+
+  rescue:
+    - debug:
+        msg: "Still more updates remaining - retrying..."
+
+    - include_tasks: updates-powershell.yml

roles/oatakan.windows_update/tasks/updates-win2008r2.yml

@@ -0,0 +1,81 @@
+---
+
+- name: ensure Windows ADK with DISM is installed
+  win_chocolatey:
+    name: windows-adk-deploy
+    state: present
+    version: 10.0.17134.0
+  register: install_windows_adk_deploy
+
+- name: ensure PATH contains Windows ADK
+  win_path:
+    scope: machine
+    state: present
+    elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
+
+- name: download hotfix group 1 (PS >= 4)
+  win_get_url:
+    url: '{{ item.url }}'
+    dest: '{{ hotfix_download_location }}\{{ item.file }}'
+  loop: "{{ hotfixes_group_1 }}"
+
+- name: install hotfix group 1
+  win_hotfix:
+    source: '{{ hotfix_download_location }}\{{ item.file }}'
+    state: present
+  register: hotfix_install_group_1
+  loop: "{{ hotfixes_group_1 }}"
+  when: ansible_powershell_version is version('4', '>=')
+
+- name: install hotfix (PS == 3)
+  win_shell: '{{ hotfix_download_location }}\{{ item.file }} /quiet /norestart'
+  register: hotfix_install_group_1
+  loop: "{{ hotfixes_group_1 }}"
+  when: ansible_powershell_version is version('3', '==')
+
+- name: debug hotfix installation result
+  debug:
+    var: hotfix_install_group_1
+
+- name: ensure hotfix file is removed (group 1)
+  win_file:
+    path: '{{ hotfix_download_location }}\{{ item.file }}'
+    state: absent
+  loop: "{{ hotfixes_group_1 }}"
+
+- name: reboot from starting update
+  win_reboot:
+
+- name: check for available updates
+  win_updates:
+    category_names: "{{ win_update_category_names }}"
+    blacklist: "{{ win_update_blacklist | default(omit) }}"
+    state: searched
+  register: available_updates
+
+- debug:
+    msg: |
+      {{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
+      {% for key, value in available_updates.updates.items() %}
+        - {{ value.title }}
+      {% endfor %}
+  when: available_updates.updates is defined
+
+- include_tasks: updates-with-retry.yml
+  when:
+    - available_updates.updates is defined
+    - available_updates.found_update_count > 0
+
+- name: check for missing updates.
+  win_updates:
+    state: searched
+  register: available_updates
+
+- name: list missing updates
+  debug:
+    var: available_updates
+
+- name: make sure Windows ADK with DISM for Server 2008 R2 is not installed
+  win_chocolatey:
+    name: windows-adk-deploy
+    state: absent

roles/oatakan.windows_update/tasks/updates-with-retry.yml

@@ -0,0 +1,84 @@
+---
+
+- name: update over multiple reboots
+  block:
+    - block:
+        - name: install all windows updates
+          win_updates:
+            category_names: "{{ win_update_category_names }}"
+            blacklist: "{{ (win_update_blacklist | default([])) + (failed_kb | default([])) }}"
+            whitelist: "{{ win_update_whitelist | default(omit) }}"
+            reboot: yes
+          register: installed_updates
+
+      rescue:
+        - name: reboot the system to recover from a failed update
+          win_reboot:
+            reboot_timeout: 7200
+
+        - name: set failed KB to skip
+          set_fact:
+            failed_kb: "{{ failed_kb|default([]) + [installed_updates.msg | regex_replace('^.*\\((KB.*)\\).*','\\1')] }}"
+          when:
+            - installed_updates.msg is defined
+            - ('Failed' in installed_updates.msg)
+            - ('KB' in installed_updates.msg)
+
+        - name: fail to retry
+          fail:
+            msg: "There are failed updates: {{ failed_kb | join(' ') }}"
+          when:
+            - failed_kb is defined
+            - failed_kb | length > 0
+
+    - name: wait for system to be responsive after update
+      wait_for_connection:
+        delay: 60
+        sleep: 10
+        timeout: 600
+
+    - name: work on any skipped KB
+      win_updates:
+        category_names: "{{ win_update_category_names }}"
+        blacklist: "{{ win_update_blacklist | default(omit) }}"
+        whitelist: "{{ failed_kb | default([]) }}"
+        reboot: yes
+      register: installed_updates_retry_skipped
+      when:
+        - failed_kb is defined
+        - failed_kb | length > 0
+
+    - name: check for missing updates
+      win_updates:
+        category_names: "{{ win_update_category_names }}"
+        blacklist: "{{ win_update_blacklist | default(omit) }}"
+        state: searched
+      register: missing_updates
+
+    - debug:
+        msg: |
+          {{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
+          {% for key, value in missing_updates.updates.items() %}
+            - {{ value.title }}
+          {% endfor %}
+      when: missing_updates.updates is defined
+
+    - name: still more updates - need to retry
+      fail:
+        msg: >
+          '{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
+          {{ (update_retry_limit | int) - (update_retry_count | int) }} more retries left'
+      when:
+        - missing_updates.found_update_count > 0
+        - ((update_retry_limit | int) - (update_retry_count | int) >= 0)
+
+  rescue:
+    - name: set update count
+      set_fact:
+        update_retry_count: '{{ update_retry_count | default(0) | int + 1 }}'
+
+    - debug:
+        msg: "Still more updates remaining - retrying... ({{ update_retry_count }}/{{ update_retry_limit }})"
+
+    - include_tasks: updates-with-retry.yml
+      when: ((update_retry_limit | int) - (update_retry_count | int) >= 0)