This a bad commit message. NO idea.

This commit is contained in:
2022-02-15 14:56:51 -05:00
parent 4a8ab6fc84
commit 3fb974987c
62 changed files with 421 additions and 1063 deletions


@@ -73,12 +73,13 @@
- name: clean with bleachbit
win_shell: >
'{{ ansible_user_dir }}\BleachBit-Portable\bleachbit_console.exe --clean deepscan.backup
'{{ ansible_user_dir }}\BleachBit-Portable\bleachbit_console.exe'
--clean deepscan.backup
deepscan.ds_store deepscan.thumbs_db deepscan.tmp internet_explorer.cookies internet_explorer.forms
internet_explorer.history internet_explorer.temporary_files system.clipboard system.custom system.logs
system.memory_dump system.muicache system.prefetch system.recycle_bin system.tmp system.updates
windows_defender.history windows_explorer.mru windows_explorer.recent_documents windows_explorer.run
windows_explorer.search_history windows_explorer.thumbnails > NUL'
windows_explorer.search_history windows_explorer.thumbnails 2> nul
args:
executable: cmd
when:
@@ -164,6 +165,9 @@
- name: remove bleachbit files
win_file:
path: '{{ ansible_user_dir }}\BleachBit-Portable'
path: '{{ item }}'
state: absent
when: download_bleachbit is success
when: download_bleachbit is success
loop:
- '{{ temp_directory }}\BleachBit-portable.zip'
- '{{ ansible_user_dir }}\BleachBit-Portable'
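Review bot: The executable on the new second line of `clean with bleachbit`, `'{{ ansible_user_dir }}\BleachBit-Portable\bleachbit_console.exe'`, is single-quoted, but the task runs under `executable: cmd`, and cmd.exe does not treat single quotes as quoting characters, so as far as I can tell the quotes become part of the command token and the lookup fails; inside the `>` block scalar the quotes are literal, so the safe form is double quotes, `"{{ ansible_user_dir }}\BleachBit-Portable\bleachbit_console.exe"`. The `2> nul` at the end discards the cleaner's diagnostics, leaving only the exit code to tell a misspelled cleaner name from a real failure; `register: bleachbit_clean` would at least keep its stdout summary in the run output. Because the cleaner list removes `system.logs`, `windows_defender.history` and `system.memory_dump`, a one-line comment above the task saying this is image-preparation cleanup would document the intent for the next reader. The `when:` list that closes this task continues outside the hunk.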


@@ -1,97 +1,43 @@
---
- name: ensure Windows ADK with DISM is installed
win_chocolatey:
name: windows-adk-deploy
state: present
version: 10.0.17134.0
register: install_windows_adk_deploy
- block:
- name: test SSL connection
win_shell: "[System.Net.WebRequest]::Create('https://github.com').GetResponse()"
- name: ensure PATH contains Windows ADK
win_path:
scope: machine
state: present
elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
rescue:
- name: enable TLSv1.2 support
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\{{ item.type }}
name: '{{ item.property }}'
data: '{{ item.value }}'
type: dword
state: present
register: enable_tls12
loop:
- type: Server
property: Enabled
value: 1
- type: Server
property: DisabledByDefault
value: 0
- type: Client
property: Enabled
value: 1
- type: Client
property: DisabledByDefault
value: 0
- pause:
seconds: 10
- name: enable strong crypto
win_regedit:
path: HKLM:\{{ item }}
name: SchUseStrongCrypto
data: 1
type: dword
state: present
loop:
- 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
- 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
- name: download hotfix
win_get_url:
url: '{{ enable_tlsv12_hotfix.url }}'
dest: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
register: download_hotfix
until: download_hotfix is success
delay: 3
retries: 5
- name: install hotfix (PS >= 4)
win_hotfix:
source: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
state: present
register: hotfix_install
when: ansible_powershell_version is version('4', '>=')
- name: install hotfix (PS == 3)
win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
register: hotfix_install
when: ansible_powershell_version is version('3', '==')
- name: debug hotfix installation result
debug:
var: hotfix_install
- name: ensure hotfix file is removed
win_file:
path: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
state: absent
- name: reboot if needed
win_reboot:
when: hotfix_install.reboot_required | default(False)
- name: enable TLSv1.2 support
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\{{ item.type }}
name: '{{ item.property }}'
data: '{{ item.value }}'
type: dword
state: present
register: enable_tls12
loop:
- type: Server
property: Enabled
value: 1
- type: Server
property: DisabledByDefault
value: 0
- type: Client
property: Enabled
value: 1
- type: Client
property: DisabledByDefault
value: 0
- name: enable strong crypto
win_regedit:
path: HKLM:\{{ item }}
name: SchUseStrongCrypto
data: 1
type: dword
state: present
loop:
- 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
- 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
- name: ensure Windows ADK with DISM is removed
win_chocolatey:
name: windows-adk-deploy
state: absent
register: remove_win_adk_dism
until: remove_win_adk_dism is success
delay: 3
retries: 5
- name: reboot if TLS config was applied
win_reboot:
when: enable_tls12 is changed
- name: reboot if TLS config was applied
win_reboot:
when: enable_tls12 is changed
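Review bot: `reboot if TLS config was applied` is conditioned only on `enable_tls12 is changed`, while `enable strong crypto`, which writes `SchUseStrongCrypto` under both .NET Framework keys, is not registered at all, so a run that changes only the strong-crypto value never triggers the restart that already-running .NET hosts (the WinRM service included) need before they read the new value. Register it, `register: enable_strong_crypto`, and widen the condition to `when: enable_tls12 is changed or enable_strong_crypto is changed`. If these tasks are now handlers — the new tasks file in this commit notifies `ensure Windows ADK with DISM is removed`, which appears here — then `reboot if TLS config was applied` only runs when something notifies it, so the two registry tasks would also need a `notify:` pointing at it rather than relying on the `when:` alone.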


@@ -1,32 +0,0 @@
---
- name: check if powershell is available
raw: 'Get-Host'
failed_when: False
check_mode: no
register: check_powershell
- block:
- name: enable powershell
raw: '{{ item }}'
args:
executable: cmd.exe
changed_when: False
check_mode: no
loop:
- dism /online /enable-feature /featurename:NetFx2-ServerCore
- dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
- dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets
- name: reboot system
raw: shutdown /r /t 5
args:
executable: cmd.exe
changed_when: False
check_mode: no
- pause:
seconds: 30
when:
- check_powershell.stderr is defined
- ('is not recognized' in check_powershell.stderr)


@@ -1,51 +0,0 @@
# on Windows 7 SP1, TLS 1.1 and 1.2 is not enabled by default
# this hotfix is needed to fix that
# see https://support.microsoft.com/en-us/topic/support-for-tls-system-default-versions-included-in-the-net-framework-3-5-1-on-windows-7-sp1-and-server-2008-r2-sp1-5ef38dda-8e6c-65dc-c395-62d2df58715a
- name: download hotfix
raw: '(New-Object -TypeName System.Net.WebClient).DownloadFile("{{ enable_tls_support_hotfix.url }}", "{{ enable_tls_support_hotfix_download_location }}\\{{ enable_tls_support_hotfix.file }}")'
changed_when: False
check_mode: no
register: download_hotfix
until: download_hotfix is success
delay: 3
retries: 5
- name: delete scheduled task if it exists (hotfix)
raw: 'SCHTASKS /Delete /TN hotfix_install /f'
args:
executable: cmd.exe
changed_when: False
check_mode: no
ignore_errors: yes
- name: create a scheduled task to install hotfix
raw: SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN hotfix_install /TR "{{ enable_tls_support_hotfix_download_location }}\\{{ enable_tls_support_hotfix.file }} /quiet /restart"
args:
executable: cmd.exe
changed_when: False
check_mode: no
- name: run scheduled task (hotfix)
raw: 'SCHTASKS /Run /TN hotfix_install'
args:
executable: cmd.exe
changed_when: False
check_mode: no
- pause:
seconds: 60
- name: delete scheduled task (hotfix)
raw: 'SCHTASKS /Delete /TN hotfix_install /f'
args:
executable: cmd.exe
changed_when: False
check_mode: no
ignore_errors: yes
- name: remove hotfix file
raw: 'Remove-Item -Path {{ enable_tls_support_hotfix_download_location }}\{{ enable_tls_support_hotfix.file }} -Force'
changed_when: False
check_mode: no
ignore_errors: yes


@@ -0,0 +1,53 @@
---
- name: ensure Windows ADK with DISM is installed
win_chocolatey:
name: windows-adk-deploy
state: present
version: 10.0.17134.0
register: install_windows_adk_deploy
notify: ensure Windows ADK with DISM is removed
- name: ensure PATH contains Windows ADK
win_path:
scope: machine
state: present
elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
- pause:
seconds: 10
- name: download hotfix
win_get_url:
url: '{{ enable_tlsv12_hotfix.url }}'
dest: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
register: download_hotfix
until: download_hotfix is success
delay: 3
retries: 5
- block:
- name: install hotfix (PS >= 4)
win_hotfix:
source: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
state: present
register: hotfix_install
when: ansible_powershell_version is version('4', '>=')
rescue:
- name: install hotfix using shell
win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
register: hotfix_install
- name: install hotfix (PS == 3)
win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
register: hotfix_install
when: ansible_powershell_version is version('3', '==')
- name: ensure hotfix file is removed
win_file:
path: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
state: absent
- name: reboot if needed
win_reboot:
when: hotfix_install.reboot_required | default(False)
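Review bot: `reboot if needed` reads `hotfix_install.reboot_required | default(False)`, but both shell fallbacks (`install hotfix using shell` in the rescue and `install hotfix (PS == 3)`) overwrite `hotfix_install` with a `win_shell` result that has no `reboot_required` field, so a hotfix installed through either path never triggers the restart, and a 3010 (reboot-required) exit from the installer fails those tasks instead. The PS == 3 task also registers into the same name while skipped, which on PS >= 4 hosts replaces the `win_hotfix` result with a skipped one before the reboot check runs. The rewrite below accepts exit code 3010 on the shell paths, gives the PS == 3 task its own register name, and derives the reboot decision from all three; the `.NET security hotfix` block/rescue in the other tasks file touched by this commit (hunk `@@ -11,16 +11,22 @@`) has the same shape and needs the same treatment. Separately, `download hotfix` fetches an installer that is then executed with no integrity check; `win_get_url` supports `checksum:`, so pinning the expected digest (for example a new `enable_tlsv12_hotfix.sha256` key beside `url` and `file`) would make the install verifiable. The 10-second `pause` after `ensure PATH contains Windows ADK` has no comment saying what it waits for; a short `# why` comment would help.
```yaml
  rescue:
    - name: install hotfix using shell
      win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
      register: hotfix_install
      # 3010 is ERROR_SUCCESS_REBOOT_REQUIRED: installed, restart still pending
      failed_when: hotfix_install.rc not in [0, 3010]
- name: install hotfix (PS == 3)
  win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
  # own register name: a skipped task still registers its variable and would
  # otherwise overwrite the win_hotfix result on PS >= 4 hosts
  register: hotfix_install_ps3
  when: ansible_powershell_version is version('3', '==')
  failed_when: hotfix_install_ps3.rc not in [0, 3010]
# … unchanged: ensure hotfix file is removed …
- name: reboot if needed
  win_reboot:
  # win_hotfix reports reboot_required; the shell paths only expose the exit code
  when: >-
    hotfix_install.reboot_required | default(False)
    or (hotfix_install.rc | default(0)) == 3010
    or (hotfix_install_ps3.rc | default(0)) == 3010
```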


@@ -1,13 +1,16 @@
---
- include_tasks: powershell-upgrade.yml
- include_role:
name: "{{ windows_powershell_upgrade_role }}"
when: upgrade_powershell | bool
- name: run setup module
setup:
- include_tasks: hotfix-tlsv12.yml
when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
- include_tasks: enable-tlsv12.yml
when: upgrade_powershell | bool
- include_tasks: update-agent-win2008.yml
when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
@@ -42,7 +45,7 @@
- include_tasks: policy.yml
- include_tasks: power.yml
when: "'Server' not in ansible_distribution"
when: (ansible_os_product_type == 'workstation') | default(False)
- include_tasks: enable-rdp.yml
@@ -55,15 +58,21 @@
- not target_ovirt | bool
- not target_vagrant | bool
- include_tasks: remove-apps-alt-2.yml
- block:
- include_tasks: remove-apps-alt-2.yml
- include_tasks: remove-onedrive.yml
when:
- remove_apps | bool
- "'Server' not in ansible_distribution"
- (ansible_os_product_type == 'workstation') | default(False)
- include_role:
name: "{{ ec2_ena_driver_role }}"
when: target_ec2 | bool
- name: run all handlers here
meta: flush_handlers
- include_tasks: clean-up-components.yml
when: clean_up_components | bool
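Review bot: On the two new `when:` lines `(ansible_os_product_type == 'workstation') | default(False)` the `default` filter is applied to the result of the comparison rather than to the fact, so if `ansible_os_product_type` is ever undefined the comparison raises on the undefined value before `default` can intervene (Ansible's undefined type is strict) and the guard gives no protection. The earlier `run setup module` task in this file means the fact should normally be populated by the time these lines run, but the intent is expressed correctly as `when: ansible_os_product_type | default('') == 'workstation'` on both the `power.yml` include and the second condition of the remove-apps `block`.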


@@ -1,102 +0,0 @@
---
- include_tasks: enable_powershell.yml
- include_tasks: enable_tls_system_default.yml
- name: download script
raw: '[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072); (New-Object -TypeName System.Net.WebClient).DownloadFile("{{ powershell_script_url }}", "{{ powershell_upgrade_script_file }}")'
changed_when: False
check_mode: no
register: download_script
- name: set execution policy
raw: 'Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force'
changed_when: False
check_mode: no
ignore_errors: yes
- name: delete scheduled task if it exists
raw: 'SCHTASKS /Delete /TN upgrade /f'
args:
executable: cmd.exe
changed_when: False
check_mode: no
failed_when: False
- name: create a scheduled task to run powershell script
raw: >
SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN upgrade /TR "powershell.exe -Command
'& {{ powershell_upgrade_script_file }} -Version {{ powershell_target_version }}
-Username {{ ansible_user }} -Password {{ ansible_password }}'"
args:
executable: cmd.exe
changed_when: False
check_mode: no
- name: start windows update service
raw: net start wuauserv
args:
executable: cmd.exe
failed_when: false
- pause:
seconds: 60
- name: run scheduled task
raw: 'SCHTASKS /Run /TN upgrade'
args:
executable: cmd.exe
changed_when: False
check_mode: no
- pause:
seconds: "{{ upgrade_wait_timeout }}"
- name: wait for powershell upgrade task to finish
raw: '((schtasks /query /TN upgrade)[4] -split " +")[-2]'
changed_when: False
check_mode: no
register: upgrade_status_check
failed_when: false
until: (upgrade_status_check.stdout | trim | lower) == 'ready'
delay: 10
retries: 10
- debug:
msg: "{{ powershell_target_version }}"
# apply winrm memory hotfix for powershell 3.0
- include_tasks: winrm-memfix.yml
when: powershell_target_version is version('3.0', '==')
- name: wait for system to reboot after upgrade
wait_for_connection:
sleep: 60
timeout: 400
- name: delete scheduled task
win_scheduled_task:
name: upgrade
state: absent
- name: delete script
win_file:
path: "{{ powershell_upgrade_script_file }}"
state: absent
- name: ensure auto login is disabled
win_regedit:
path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
name: AutoAdminLogon
data: 0
type: string
- name: ensure auto login creds are removed
win_regedit:
path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
name: "{{ item }}"
state: absent
loop:
- DefaultUserName
- DefaultPassword


@@ -8,6 +8,10 @@
win_shell: '{{ ansible_env.SystemRoot }}\SysWOW64\OneDriveSetup.exe /uninstall'
ignore_errors: yes
- name: remove onedrivesync package
win_shell: get-appxpackage *Microsoft.OneDriveSync* | remove-appxpackage -AllUsers
ignore_errors: yes
- name: remove onedrive directories
win_file:
path: '{{ item }}'


@@ -11,16 +11,22 @@
delay: 3
retries: 5
- name: install hotfix (PS >= 4)
win_hotfix:
source: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }}'
state: present
register: hotfix_install
when: ansible_powershell_version is version('4', '>=')
- block:
- name: install hotfix (PS >= 4)
win_hotfix:
source: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }}'
state: present
register: hotfix_install
when: ansible_powershell_version is version('4', '>=')
rescue:
- name: install hotfix using shell
win_shell: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }} /quiet /norestart'
register: hotfix_install
- name: debug hotfix installation result
debug:
var: hotfix_install
- name: install hotfix (PS == 3)
win_shell: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }} /quiet /norestart'
register: hotfix_install
when: ansible_powershell_version is version('3', '==')
- name: ensure hotfix file is removed
win_file:


@@ -1,69 +0,0 @@
---
# see https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#winrm-memory-hotfix
- name: download script
raw: '[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072); (New-Object -TypeName System.Net.WebClient).DownloadFile("{{ ps_memfix_script_url }}", "{{ ps_memfix_script_file }}")'
changed_when: False
check_mode: no
register: download_script
- name: set execution policy
raw: 'Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force'
changed_when: False
check_mode: no
ignore_errors: yes
- name: delete scheduled task if it exists
raw: 'SCHTASKS /Delete /TN memfix /f'
args:
executable: cmd.exe
changed_when: False
check_mode: no
failed_when: False
- name: create a scheduled task to run powershell script
raw: >
SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN memfix /TR "powershell.exe -Command
'& {{ ps_memfix_script_file }} -Verbose'"
args:
executable: cmd.exe
changed_when: False
check_mode: no
- name: run scheduled task
raw: 'SCHTASKS /Run /TN memfix'
args:
executable: cmd.exe
changed_when: False
check_mode: no
- name: wait for system to reboot after fix
wait_for_connection:
delay: 300
sleep: 30
timeout: 300
- name: wait for powershell memfix task to finish
raw: '((schtasks /query /TN memfix)[4] -split " +")[-2]'
changed_when: False
check_mode: no
register: memfix_status_check
failed_when: false
until: (memfix_status_check.stdout | trim | lower) == 'ready'
delay: 10
retries: 30
- name: delete scheduled task
win_scheduled_task:
name: memfix
state: absent
register: delete_scheduled_task
until: delete_scheduled_task is success
delay: 10
retries: 10
- name: delete script
win_file:
path: "{{ ps_memfix_script_file }}"
state: absent