ptoal/toallab-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update roles

Browse Source
This commit is contained in:
Patrick Toal
2021-04-20 12:14:42 -04:00
parent 8005080b8b
commit 595021d449
131 changed files with 4144 additions and 3018 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
roles/oatakan.windows_template_build/tasks/compact.yml
View File

@@ -27,6 +27,10 @@
path: https://download.microsoft.com/download/5/D/8/5D8C65CB-C849-4025-8E95-C3966CAFD8AE/vcredist_x86.exe
product_id: '{9BE518E6-ECC6-35A9-88E4-87755C07200F}'
arguments: '/qb!'
register: install_visual_c
until: install_visual_c is success
delay: 3
retries: 5
when: "'Windows Server 2008' in ansible_distribution"
- name: stop windows update service
@@ -91,6 +95,7 @@
win_get_url:
url: '{{ ultradefrag_download_url }}'
dest: '{{ temp_directory }}\win_build\ultradefrag.zip'
follow_redirects: all
register: download_ultradefrag
until: download_ultradefrag is success
delay: 3
@@ -103,7 +108,7 @@
- name: set udefrag extract directory
set_fact:
udefrag_dir: '{{ temp_directory }}\win_build\ultradefrag-portable-7.1.3.amd64'
udefrag_dir: '{{ temp_directory }}\win_build\ultradefrag-portable-7.1.4.amd64'
- name: defrag with ultradefrag
win_shell: '{{ udefrag_dir }}\udefrag.exe --optimize --repeat C:'

32
roles/oatakan.windows_template_build/tasks/enable-tlsv12.yml
View File

@@ -13,16 +13,29 @@
state: present
elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
- pause:
seconds: 10
- name: download hotfix
win_get_url:
url: '{{ enable_tlsv12_hotfix.url }}'
dest: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
register: download_hotfix
until: download_hotfix is success
delay: 3
retries: 5
- name: install hotfix
- name: install hotfix (PS >= 4)
win_hotfix:
source: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
state: present
register: hotfix_install
when: ansible_powershell_version is version('4', '>=')
- name: install hotfix (PS == 3)
win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
register: hotfix_install
when: ansible_powershell_version is version('3', '==')
- name: debug hotfix installation result
debug:
@@ -35,7 +48,7 @@
- name: reboot if needed
win_reboot:
when: hotfix_install.reboot_required
when: hotfix_install.reboot_required | default(False)
- name: enable TLSv1.2 support
win_regedit:
@@ -59,10 +72,25 @@
property: DisabledByDefault
value: 0
- name: enable strong crypto
win_regedit:
path: HKLM:\{{ item }}
name: SchUseStrongCrypto
data: 1
type: dword
state: present
loop:
- 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
- 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
- name: ensure Windows ADK with DISM is removed
win_chocolatey:
name: windows-adk-deploy
state: absent
register: remove_win_adk_dism
until: remove_win_adk_dism is success
delay: 3
retries: 5
- name: reboot if TLS config was applied
win_reboot:

14
roles/oatakan.windows_template_build/tasks/main.yml
View File

@@ -9,9 +9,16 @@
- include_tasks: enable-tlsv12.yml
when: upgrade_powershell | bool
- include_tasks: update-agent-win2008.yml
when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
- include_tasks: security-update-win2012.yml
when: "'Windows Server 2012' in ansible_distribution or 'Windows 8' in ansible_distribution"
- include_tasks: disable-auto-logon.yml
- include_tasks: updates.yml
- include_role:
name: "{{ windows_update_role }}"
when: install_updates | bool
- include_role:
@@ -35,7 +42,7 @@
- include_tasks: policy.yml
- include_tasks: power.yml
when: "'Windows 10' in ansible_distribution"
when: "'Server' not in ansible_distribution"
- include_tasks: enable-rdp.yml
@@ -44,13 +51,14 @@
- "'VMware' not in ansible_product_name"
- "'VirtualBox' not in ansible_product_name"
- ('KubeVirt' not in ansible_system_vendor | default(False))
- ('Red Hat' not in ansible_system_vendor | default(False))
- not target_ovirt | bool
- not target_vagrant | bool
- include_tasks: remove-apps-alt-2.yml
when:
- remove_apps | bool
- "'Windows 10' in ansible_distribution"
- "'Server' not in ansible_distribution"
- include_role:
name: "{{ ec2_ena_driver_role }}"

7
roles/oatakan.windows_template_build/tasks/policy.yml
View File

@@ -9,11 +9,16 @@
type: dword
when: policy.allow_unauthenticated_guest_access|bool
- name: set connection profile to private
- name: set connection profile to private (Windows 10)
win_shell: Set-NetConnectionProfile -NetworkCategory Private
when:
- "'Windows 10' in ansible_distribution"
- name: set connection profile to private (Windows 7)
win_shell: '{{ set_network_to_private }}'
when:
- "'Windows 7' in ansible_distribution"
- name: Ensure local account password doesn't expire
win_user:
name: "{{ ansible_user }}"

42
roles/oatakan.windows_template_build/tasks/powershell-upgrade.yml
View File

@@ -1,7 +1,9 @@
---
- include_tasks: enable_tls_system_default.yml
- name: download script
raw: '(New-Object -TypeName System.Net.WebClient).DownloadFile("{{ powershell_script_url }}", "{{ powershell_upgrade_script_file }}")'
raw: '[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072); (New-Object -TypeName System.Net.WebClient).DownloadFile("{{ powershell_script_url }}", "{{ powershell_upgrade_script_file }}")'
changed_when: False
check_mode: no
register: download_script
@@ -13,12 +15,12 @@
ignore_errors: yes
- name: delete scheduled task if it exists
raw: 'SCHTASKS /Delete /TN upgrade'
raw: 'SCHTASKS /Delete /TN upgrade /f'
args:
executable: cmd.exe
changed_when: False
check_mode: no
ignore_errors: yes
failed_when: False
- name: create a scheduled task to run powershell script
raw: >
@@ -30,6 +32,15 @@
changed_when: False
check_mode: no
- name: start windows update service
raw: net start wuauserv
args:
executable: cmd.exe
failed_when: false
- pause:
seconds: 60
- name: run scheduled task
raw: 'SCHTASKS /Run /TN upgrade'
args:
@@ -37,11 +48,30 @@
changed_when: False
check_mode: no
- pause:
seconds: "{{ upgrade_wait_timeout }}"
- name: wait for powershell upgrade task to finish
raw: '((schtasks /query /TN upgrade)[4] -split " +")[-2]'
changed_when: False
check_mode: no
register: upgrade_status_check
failed_when: false
until: (upgrade_status_check.stdout | trim | lower) == 'ready'
delay: 10
retries: 10
- debug:
msg: "{{ powershell_target_version }}"
# apply winrm memory hotfix for powershell 3.0
- include_tasks: winrm-memfix.yml
when: powershell_target_version is version('3.0', '==')
- name: wait for system to reboot after upgrade
wait_for_connection:
delay: 300
sleep: 30
timeout: 300
sleep: 60
timeout: 400
- name: delete scheduled task
win_scheduled_task:

2
roles/oatakan.windows_template_build/tasks/sysprep.yml
View File

@@ -18,7 +18,7 @@
- name: enable winrm
win_shell: '& $([scriptblock]::Create((New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"))) -ForceNewSSLCert -EnableCredSSP'
ignore_errors: yes
when: "'Windows Server 2008' in ansible_distribution"
when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
- name: copy unattend.xml
win_template:

43
roles/oatakan.windows_template_build/tasks/updates-all.yml
View File

@@ -1,43 +0,0 @@
---
- name: check for available updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
state: searched
register: available_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
{% for key, value in available_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: available_updates.updates is defined
- include_tasks: updates-with-retry.yml
when:
- available_updates.updates is defined
- available_updates.found_update_count > 0
- name: check for missing updates.
win_updates:
state: searched
register: available_updates
- name: list missing updates
debug:
var: available_updates
- name: check to see if update is finished
win_shell: gwmi -Class win32_computersystem -ComputerName 127.0.0.1 | select -ExpandProperty username -ErrorAction Stop
register: logon_status
until: logon_status is success
delay: 10
retries: 100
ignore_errors: yes
when: "'Windows 10' in ansible_distribution"
- name: reboot windows
win_reboot:
when: "'Windows 10' in ansible_distribution"

98
roles/oatakan.windows_template_build/tasks/updates-powershell.yml
View File

@@ -1,98 +0,0 @@
---
- name: update over multiple reboots
block:
- name: check for available updates
win_updates:
category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
state: searched
register: available_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
{% for key, value in available_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: available_updates.updates is defined
- block:
- name: install windows updates using powershell script
script: win-updates.ps1
become: yes
become_method: runas
become_user: SYSTEM
when:
- available_updates.updates is defined
- available_updates.found_update_count > 0
rescue:
- name: reboot the system to recover from a failed update
win_reboot:
reboot_timeout: 7200
- name: wait for system to be responsive after update
wait_for_connection:
delay: 60
sleep: 10
timeout: 600
- name: check to see if reboot is required
win_reg_stat:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
name: CustomRebootRequired
register: update_reboot_required_key
- name: reboot the system to continue with the update
win_reboot:
reboot_timeout: 7200
when: update_reboot_required_key.exists
- name: check for missing updates
win_updates:
category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
state: searched
register: missing_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{% for key, value in missing_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: missing_updates.updates is defined
- block:
- name: set update count
set_fact:
update_retry_count: '{{ update_retry_count | default(0) | int + 1 }}'
- name: still more updates - need to retry
fail:
msg: >
'{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{{ (update_retry_limit | int) - (update_retry_count | int) }} more retries left'
when: ((update_retry_limit | int) - (update_retry_count | int) > 0)
when: missing_updates.found_update_count > 0
- name: ensure the CustomRebootRequired key doesn't exist
win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
name: CustomRebootRequired
state: absent
rescue:
- debug:
msg: "Still more updates remaining - retrying..."
- include_tasks: updates-powershell.yml

74
roles/oatakan.windows_template_build/tasks/updates-win2008r2.yml
View File

@@ -1,74 +0,0 @@
---
- name: ensure Windows ADK with DISM is installed
win_chocolatey:
name: windows-adk-deploy
state: present
version: 10.0.17134.0
register: install_windows_adk_deploy
- name: ensure PATH contains Windows ADK
win_path:
scope: machine
state: present
elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
- name: download hotfix group 1
win_get_url:
url: '{{ item.url }}'
dest: '{{ hotfix_download_location }}\{{ item.file }}'
loop: "{{ hotfixes_group_1 }}"
- name: install hotfix group 1
win_hotfix:
source: '{{ hotfix_download_location }}\{{ item.file }}'
state: present
register: hotfix_install_group_1
loop: "{{ hotfixes_group_1 }}"
- name: debug hotfix installation result
debug:
var: hotfix_install_group_1
- name: ensure hotfix file is removed (group 1)
win_file:
path: '{{ hotfix_download_location }}\{{ item.file }}'
state: absent
loop: "{{ hotfixes_group_1 }}"
- name: reboot from starting update
win_reboot:
- name: check for available updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
state: searched
register: available_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
{% for key, value in available_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: available_updates.updates is defined
- include_tasks: updates-with-retry.yml
when:
- available_updates.updates is defined
- available_updates.found_update_count > 0
- name: check for missing updates.
win_updates:
state: searched
register: available_updates
- name: list missing updates
debug:
var: available_updates
- name: make sure Windows ADK with DISM for Server 2008 R2 is not installed
win_chocolatey:
name: windows-adk-deploy
state: absent

84
roles/oatakan.windows_template_build/tasks/updates-with-retry.yml
View File

@@ -1,84 +0,0 @@
---
- name: update over multiple reboots
block:
- block:
- name: install all windows updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ (win_update_blacklist | default([])) + (failed_kb | default([])) }}"
whitelist: "{{ win_update_whitelist | default(omit) }}"
reboot: yes
register: installed_updates
rescue:
- name: reboot the system to recover from a failed update
win_reboot:
reboot_timeout: 7200
- name: set failed KB to skip
set_fact:
failed_kb: "{{ failed_kb|default([]) + [installed_updates.msg | regex_replace('^.*\\((KB.*)\\).*','\\1')] }}"
when:
- installed_updates.msg is defined
- ('Failed' in installed_updates.msg)
- ('KB' in installed_updates.msg)
- name: fail to retry
fail:
msg: "There are failed updates: {{ failed_kb | join(' ') }}"
when:
- failed_kb is defined
- failed_kb | length > 0
- name: wait for system to be responsive after update
wait_for_connection:
delay: 60
sleep: 10
timeout: 600
- name: work on any skipped KB
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
whitelist: "{{ failed_kb | default([]) }}"
reboot: yes
register: installed_updates_retry_skipped
when:
- failed_kb is defined
- failed_kb | length > 0
- name: check for missing updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
state: searched
register: missing_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{% for key, value in missing_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: missing_updates.updates is defined
- name: still more updates - need to retry
fail:
msg: >
'{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{{ (update_retry_limit | int) - (update_retry_count | int) }} more retries left'
when:
- missing_updates.found_update_count > 0
- ((update_retry_limit | int) - (update_retry_count | int) >= 0)
rescue:
- name: set update count
set_fact:
update_retry_count: '{{ update_retry_count | default(0) | int + 1 }}'
- debug:
msg: "Still more updates remaining - retrying... ({{ update_retry_count }}/{{ update_retry_limit }})"
- include_tasks: updates-with-retry.yml
when: ((update_retry_limit | int) - (update_retry_count | int) >= 0)

89
roles/oatakan.windows_template_build/tasks/updates.yml
View File

@@ -1,89 +0,0 @@
---
- name: disable firewall for Domain, Public and Private profiles
win_shell: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
when: "'Windows Server 2012' in ansible_distribution"
- name: disable firewall for Domain, Public and Private profiles
win_shell: netsh advfirewall set allprofiles state off
when: "'Windows Server 2008' in ansible_distribution"
- name: get used space before update
win_shell: Get-PSDrive C | Select-Object Used | ConvertTo-Json
register: used_space_before_update
ignore_errors: yes
- name: update Windows Update Agent on 2008
win_package:
path: http://download.windowsupdate.com/windowsupdate/redist/standalone/7.6.7600.320/windowsupdateagent-7.6-x64.exe
arguments:
- /quiet
- /norestart
- /wuforce
creates_path: C:\Windows\System32\wuaueng.dll
creates_version: 7.6.7600.320
when: "'Windows Server 2008' in ansible_distribution"
- include_tasks: updates-all.yml
vars:
win_update_category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
when:
- install_updates | bool
- "'Windows Server 2008' not in ansible_distribution"
#- include_tasks: updates-powershell.yml
# when:
# - install_updates | bool
# - "'Windows Server 2008' in ansible_distribution"
- include_tasks: updates-win2008r2.yml
vars:
win_update_category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
hotfix_download_location: "{{ ansible_env.TEMP }}"
hotfixes_group_1:
- kb: KB3020369
file: Windows6.1-KB3020369-x64.msu
url: https://download.microsoft.com/download/F/D/3/FD3728D5-0D2F-44A6-B7DA-1215CC0C9B75/Windows6.1-KB3020369-x64.msu
- kb: KB3125574
file: windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu
url: http://download.windowsupdate.com/d/msdownload/update/software/updt/2016/05/windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu
- kb: KB4474419
file: windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu
url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu
- kb: KB4490628
file: windows6.1-kb4490628-x64_d3de52d6987f7c8bdc2c015dca69eac96047c76e.msu
url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/03/windows6.1-kb4490628-x64_d3de52d6987f7c8bdc2c015dca69eac96047c76e.msu
when:
- install_updates | bool
- "'Windows Server 2008' in ansible_distribution"
- name: get used space after update
win_shell: Get-PSDrive C | Select-Object Used | ConvertTo-Json
register: used_space_after_update
ignore_errors: yes
- debug:
msg:
- "Used space before update: {{ ((used_space_before_update.stdout | from_json)['Used']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
- "Used space after update: {{ ((used_space_after_update.stdout | from_json)['Used']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
when:
- used_space_before_update.stdout is defined
- used_space_after_update.stdout is defined
- name: enabled firewall for Domain, Public and Private profiles
win_shell: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
when: "'Windows Server 2012' in ansible_distribution"
- name: enable firewall for Domain, Public and Private profiles
win_shell: netsh advfirewall set allprofiles state on
when: "'Windows Server 2008' in ansible_distribution"