Update role dependencies

2024-02-08 15:55:01 -05:00
parent e09a7f7d45
commit bb21e8d5c6
507 changed files with 1270 additions and 28219 deletions


@@ -22,10 +22,13 @@ A list of roles that this role utilizes:
- oatakan.windows_ec2_ena_driver
- oatakan.windows_ovirt_guest_agent
- oatakan.windows_powershell_upgrade
- oatakan.windows_configure_update
- oatakan.windows_update
- oatakan.windows_virtio
- oatakan.windows_vmware_tools
- oatakan.windows_virtualbox_guest_additions
- oatakan.windows_parallels_tools
- oatakan.windows_hotfix
Example Playbook
----------------


@@ -1,46 +1,76 @@
---
install_updates: yes
remove_apps: no
clean_up_components: yes
upgrade_powershell: no
install_updates: true
remove_apps: false
clean_up_components: true
upgrade_powershell: false
powershell_target_version: 3.0
default_temp_directory: 'C:\Windows\Temp'
update_retry_limit: 10
upgrade_wait_timeout: 600
set_network_to_private: '([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))).GetNetworkConnections() | % {$_.GetNetwork().SetCategory(1)}'
win_update_server: '' #wsus server ip/hostname
enable_tlsv12_hotfix_download_location: "{{ ansible_env.TEMP }}"
enable_tlsv12_hotfix:
kb: KB3080079
file: Windows6.1-KB3080079-x64.msu
url: https://download.microsoft.com/download/F/4/1/F4154AD2-2119-48B4-BF99-CC15F68E110D/Windows6.1-KB3080079-x64.msu
set_network_to_private: "([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}'))).GetNetworkConnections() | % {$_.GetNetwork().SetCategory(1)}"
expand_disk: !unsafe "$i=(gwmi -n root/cimv2 Win32_DiskPartition|?{$_.BootPartition }).Index;'sel dis 0',\\\"sel par $($i*2+2)\\\",'extend'|& diskpart *>$null"
enable_tls_support_hotfix_download_location: 'C:\Windows\Temp'
# no longer available
#enable_tls_support_hotfix:
# kb: kb3154518
# file: windows6.1-kb3154518-x64.msu
# url: http://download.microsoft.com/download/6/8/0/680ee424-358c-4fdf-a0de-b45dee07b711/windows6.1-kb3154518-x64.msu
win2008_hotfixes:
# this update is needed to support ssl support on Windows Server 2008 R2
- kb: KB4474419
file: windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu
url: http://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu
# this is servicing stack update to enable any recent updates
- kb: KB3080079
file: Windows6.1-KB3080079-x64.msu
url: https://download.microsoft.com/download/F/4/1/F4154AD2-2119-48B4-BF99-CC15F68E110D/Windows6.1-KB3080079-x64.msu
# fix: https://support.microsoft.com/en-us/topic/security-and-quality-rollup-for-net-framework-3-5-1-for-windows-7-sp1-and-windows-server-2008-r2-sp1-kb-4040980-71f9f600-4878-a9d4-6b36-93cafad2eefe
enable_tls_support_hotfix:
kb: kb4040980
file: windows6.1-kb4040980-x64_83282fb5210091802984ead0d4175879056d602c.msu
url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/09/windows6.1-kb4040980-x64_83282fb5210091802984ead0d4175879056d602c.msu
win2012_hotfixes:
os_6_2:
- kb: KB2901982
file: windows8-rt-kb2901982-x64_21dae8200edae3339a8c8580e516e00d7dacdfe3.msu
url: http://catalog.s.download.windowsupdate.com/d/msdownload/update/software/ftpk/2015/01/windows8-rt-kb2901982-x64_21dae8200edae3339a8c8580e516e00d7dacdfe3.msu
os_6_3:
# this update is needed to enable .NET clients to use https (tslv12) on Windows 8.1 and Windows Server 2012 R2
# see https://www.microsoft.com/en-us/download/confirmation.aspx?id=42883
- kb: KB2978041
file: windows8.1-kb2978041-x64_93d7dd68c7487670c0ab4d5eb154a0ef5e40a306.msu
url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2014/09/windows8.1-kb2978041-x64_93d7dd68c7487670c0ab4d5eb154a0ef5e40a306.msu
# this is servicing stack update to enable any recent updates
- kb: KB5018922
file: windows8.1-kb5018922-x64_3aa7832b7586e11304f8fee5e09b6829b32d1833.msu
url: https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2022/10/windows8.1-kb5018922-x64_3aa7832b7586e11304f8fee5e09b6829b32d1833.msu
# this a security update, it updates cipher suite for TLS, which prevents 'SSL: DH_KEY_TOO_SMALL' error with credssp
- kb: KB3042058
file: windows8.1-kb3042058-x64_c73bfac2ad93aed131627e7482bacbd89d0a0850.msu
url: https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2015/09/windows8.1-kb3042058-x64_c73bfac2ad93aed131627e7482bacbd89d0a0850.msu
enable_winrm: true
dot_net_security_hotfix_download_location: 'C:\Windows\Temp'
# no longer available
#dot_net_security_hotfix:
# kb: KB2898850
# file: Windows8.1-KB2898850-x64.msu
# url: http://download.microsoft.com/download/C/6/9/C690CC33-18F7-405D-B18A-0A8E199E531C/Windows8.1-KB2898850-x64.msu
win2008_hotfixes_archived:
# no longer available
# enable tls support hotfix:
- kb: kb3154518
file: windows6.1-kb3154518-x64.msu
url: http://download.microsoft.com/download/6/8/0/680ee424-358c-4fdf-a0de-b45dee07b711/windows6.1-kb3154518-x64.msu
# fix: https://support.microsoft.com/en-us/topic/security-and-quality-rollup-for-net-framework-3-5-1-for-windows-7-sp1-and-windows-server-2008-r2-sp1-kb-4040980-71f9f600-4878-a9d4-6b36-93cafad2eefe
# enable tls support hotfix:
- kb: kb4040980
file: windows6.1-kb4040980-x64_83282fb5210091802984ead0d4175879056d602c.msu
url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/09/windows6.1-kb4040980-x64_83282fb5210091802984ead0d4175879056d602c.msu
dot_net_security_hotfix:
kb: KB2898850
file: windows8.1-kb2898850-x64_9ffdfdeac9011569d1b14cf2dbf926257c50186d.msu
url: http://download.windowsupdate.com/d/msdownload/update/software/secu/2014/04/windows8.1-kb2898850-x64_9ffdfdeac9011569d1b14cf2dbf926257c50186d.msu
win2012_hotfixes_archived:
# no longer available
# dot net security hotfix:
- kb: KB2898850
file: Windows8.1-KB2898850-x64.msu
url: http://download.microsoft.com/download/C/6/9/C690CC33-18F7-405D-B18A-0A8E199E531C/Windows8.1-KB2898850-x64.msu
# superseded
# dot net security hotfix:
- kb: KB2898850
file: windows8.1-kb2898850-x64_9ffdfdeac9011569d1b14cf2dbf926257c50186d.msu
url: http://download.windowsupdate.com/d/msdownload/update/software/secu/2014/04/windows8.1-kb2898850-x64_9ffdfdeac9011569d1b14cf2dbf926257c50186d.msu
winrm_enable_script_url: https://raw.githubusercontent.com/ansible/ansible-documentation/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
enable_winrm_command: "& $([scriptblock]::Create((New-Object Net.WebClient).DownloadString('{{ winrm_enable_script_url }}'))) -ForceNewSSLCert -EnableCredSSP"
windows_update_agent_url: http://download.windowsupdate.com/windowsupdate/redist/standalone/7.6.7600.320/windowsupdateagent-7.6-x64.exe
@@ -49,32 +79,40 @@ bleachbit_download_url: https://download.bleachbit.org/BleachBit-4.0.0-portable.
sdelete_download_url: https://download.sysinternals.com/files/SDelete.zip
ultradefrag_download_url: https://downloads.sourceforge.net/project/ultradefrag/stable-release/7.1.4/ultradefrag-portable-7.1.4.bin.amd64.zip
enable_auto_logon: yes
enable_auto_logon: true
target_ovirt: no
target_qemu: no
target_ec2: no
target_vagrant: no
target_ovirt: false
target_qemu: false
target_ec2: false
target_vagrant: false
target_openstack: false
bleachbit_clean: yes
bleachbit_free_disk_space: yes
bleachbit_clean: true
bleachbit_free_disk_space: true
ec2_ena_driver_role: oatakan.windows_ec2_ena_driver
ovirt_guest_agent_role: oatakan.windows_ovirt_guest_agent
virtio_role: oatakan.windows_virtio
vmware_tools_role: oatakan.windows_vmware_tools
virtualbox_guest_additions_role: oatakan.windows_virtualbox_guest_additions
parallels_tools_role: oatakan.windows_parallels_tools
windows_configure_update_role: oatakan.windows_configure_update
windows_update_role: oatakan.windows_update
windows_powershell_upgrade_role: oatakan.windows_powershell_upgrade
windows_hotfix_role: oatakan.windows_hotfix
policy:
allow_unauthenticated_guest_access: no
allow_unauthenticated_guest_access: false
disable_eos_reminder: true
install_webclient_service: false # installed on workstation by default, only applies to server
webclient_maximum_file_size: 0xffffffff # 4GB default value is 50 MB
local_administrator_password: Chang3MyP@ssw0rd21
local_account_username: ansible
local_account_password: Chang3MyP@ssw0rd21
shutdown_instance: yes
shutdown_instance: true
winsxs_cleanmgr_file:
2008r2: '{{ ansible_env.windir }}\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe'
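Review bot: The new `win2008_hotfixes` and `win2012_hotfixes` entries give only `kb`, `file` and `url`, and most of the URLs are plain `http://`, so nothing in these defaults lets the .msu packages be verified before they are installed on the template. The catalog file names end in what looks like the package's SHA-1, so each entry could carry it explicitly, e.g. `checksum: b5614c6cea5cb4e198717789633dca16308ef79c` with `checksum_algorithm: sha1`, for the hotfix role to hand to `win_get_url`; whether that role accepts such keys is not visible on this page. Where the host serves it, `https://` (already used for KB5018922 and KB3042058) is preferable. The same gap applies to `winrm_enable_script_url`, which `enable_winrm_command` downloads from the `devel` branch and executes; pinning it to a commit would keep the script from changing under the build.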


@@ -1,5 +1,17 @@
---
- name: get Windows ADK uninstall command
win_reg_stat:
path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d794748d-72e9-45d7-9ab7-83d6c4c80f7f}
name: QuietUninstallString
register: windows_adk_uninstall_string
- name: uninstall Windows ADK
win_shell: "{{ windows_adk_uninstall_string.value }}"
args:
executable: cmd
when: windows_adk_uninstall_string.value is defined
- name: ensure Windows ADK with DISM is removed
win_chocolatey:
name: windows-adk-deploy
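Review bot: The product GUID hard-coded in the `win_reg_stat` path of `get Windows ADK uninstall command` is unexplained, so a reader cannot tell which ADK build it matches or why the registry uninstall runs ahead of the chocolatey removal. A comment above the first task would cover it, for example `# Uninstall key of the ADK bundle installed earlier in the build; absent on other builds, in which case the next task is skipped` (wording for the author to confirm). If `QuietUninstallString` needs no shell features, `win_command` would also avoid passing the registry value through a second parsing layer in `cmd`.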


@@ -1,2 +1,2 @@
install_date: Fri Oct 15 18:59:14 2021
install_date: Thu 08 Feb 2024 08:54:01 PM
version: master


@@ -3,6 +3,7 @@ galaxy_info:
author: Orcun Atakan
description: Ansible galaxy role for building a Windows template on any cloud platform(ovirt/rhev, VMware, EC2, Azure etc.)
role_name: windows_template_build
namespace: oatakan
company: Red Hat
license: MIT
@@ -14,14 +15,6 @@ galaxy_info:
versions:
- all
cloud_platforms:
- amazon
- google
- azure
- azure
- vmware
- ovirt
galaxy_tags:
- windows
- ec2
@@ -35,5 +28,3 @@ galaxy_info:
- cloud
- multicloud
- template
dependencies: []


@@ -1,14 +0,0 @@
---
- name: clean up components and update files
win_shell: Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
when: "'Windows Server 2008' not in ansible_distribution"
ignore_errors: yes
- include_tasks: clean-up-with-cleanmgr.yml
when: "'Windows Server 2008' in ansible_distribution"
- name: clean up components and update files
win_shell: Dism.exe /online /Cleanup-Image /SpSuperseded
when: "'Windows Server 2008' in ansible_distribution"
ignore_errors: yes


@@ -1,64 +0,0 @@
---
- block:
- name: check for cleanmgr executable
win_stat:
path: '{{ ansible_env.windir }}\System32\cleanmgr.exe'
register: check_cleanmgr_file
- include_tasks: copy_cleanmgr.yml
vars:
os_short_name: 2008r2
when:
- not check_cleanmgr_file.stat.exists
- ('Windows Server 2008 R2' in ansible_distribution)
- include_tasks: copy_cleanmgr.yml
vars:
os_short_name: 2012
when:
- not check_cleanmgr_file.stat.exists
- ('Windows Server 2012' in ansible_distribution)
- (not 'Windows Server 2012 R2' in ansible_distribution)
- name: get free space
win_shell: Get-PSDrive C | Select-Object Free | ConvertTo-Json
register: free_space_before_cleanup
- name: ensure cleanup registry paths exist
win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\{{ item }}
loop: "{{ cleanup_registry_keys }}"
- name: set cleanup registry keys
win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\{{ item }}
name: StateFlags0012
data: 2
type: dword
loop: "{{ cleanup_registry_keys }}"
- name: run cleanmgr
win_shell: cleanmgr /sagerun:12
- name: wait for cleanmgr to finish
win_shell: (get-wmiobject win32_process | where-object {$_.processname -eq 'cleanmgr.exe'} | measure).count
register: check_cleanmgr_process
until: check_cleanmgr_process.stdout is defined and check_cleanmgr_process.stdout|int == 0
delay: 5
retries: 300
- name: get free space
win_shell: Get-PSDrive C | Select-Object Free | ConvertTo-Json
register: free_space_after_cleanup
- debug:
msg:
- "Free space before cleanup: {{ ((free_space_before_cleanup.stdout | from_json)['Free']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
- "Free space after cleanup: {{ ((free_space_after_cleanup.stdout | from_json)['Free']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
rescue:
- name: ignore any errors
debug:
msg: "ignoring any error with clean up with cleanmgr"


@@ -1,41 +0,0 @@
---
- name: remove page file
win_regedit:
path: HKLM:\System\CurrentControlSet\Control\Session Manager\Memory Management
name: PagingFiles
data: ""
state: present
register: cleanup_pagefile_removal
- name: reboot server after clearing page file
win_reboot:
when: cleanup_pagefile_removal is changed
- name: cleanup the temp folders
win_file:
path: '{{ item }}'
state: absent
ignore_errors: yes
loop:
- C:\Temp
- C:\Windows\Panther
- C:\Windows\Temp
- name: cleanup the C:\Recovery folder
win_shell: Remove-Item -Path C:\Recovery -Force -Recurse
ignore_errors: yes
- name: check to see if WinSXS ManifestCache folder exist
win_stat:
path: '{{ ansible_env.windir }}\winsxs\ManifestCache'
register: winsxs_dir
- name: clear out the WinSXS ManifestCache folder
win_shell: |
&cmd.exe /c Takeown /f %windir%\winsxs\ManifestCache\*
&cmd.exe /c Icacls %windir%\winsxs\ManifestCache\* /GRANT administrators:F
&cmd.exe /c Del /q %windir%\winsxs\ManifestCache\*
when:
- winsxs_dir.stat is defined
- winsxs_dir.stat.exists


@@ -7,3 +7,7 @@
arguments:
- /qn
state: present
register: install_cloudbase_init
until: install_cloudbase_init is success
delay: 3
retries: 5


@@ -33,17 +33,11 @@
retries: 60
when: "'Windows Server 2008' in ansible_distribution"
- name: stop windows update service
win_service:
name: wuauserv
state: stopped
ignore_errors: yes
- name: delete update directory
win_file:
path: C:\Windows\SoftwareDistribution\Download
state: absent
ignore_errors: yes
ignore_errors: true
- name: remove windows update settings
win_regedit:
@@ -55,21 +49,15 @@
- PingID
- AccountDomainSid
- name: start windows update service
win_service:
name: wuauserv
state: started
ignore_errors: yes
- name: create update directory
win_file:
path: C:\Windows\SoftwareDistribution\Download
state: directory
ignore_errors: yes
ignore_errors: true
- name: reset windows update
win_shell: wuauclt /resetauthorization /detectnow
ignore_errors: yes
ignore_errors: true
- name: clean with bleachbit
win_shell: >
@@ -85,7 +73,7 @@
when:
- bleachbit_clean|bool
- download_bleachbit is success
ignore_errors: yes
ignore_errors: true
- name: create temp directory
win_file:
@@ -101,20 +89,23 @@
until: download_ultradefrag is success
delay: 3
retries: 5
ignore_errors: true
- name: unzip ultradefrag
win_unzip:
src: '{{ temp_directory }}\win_build\ultradefrag.zip'
dest: '{{ temp_directory }}\win_build'
- block:
- name: unzip ultradefrag
win_unzip:
src: '{{ temp_directory }}\win_build\ultradefrag.zip'
dest: '{{ temp_directory }}\win_build'
- name: set udefrag extract directory
set_fact:
udefrag_dir: '{{ temp_directory }}\win_build\ultradefrag-portable-7.1.4.amd64'
- name: set udefrag extract directory
set_fact:
udefrag_dir: '{{ temp_directory }}\win_build\ultradefrag-portable-7.1.4.amd64'
- name: defrag with ultradefrag
win_shell: '{{ udefrag_dir }}\udefrag.exe --optimize --repeat C:'
args:
executable: cmd
- name: defrag with ultradefrag
win_shell: '{{ udefrag_dir }}\udefrag.exe --optimize --repeat C:'
args:
executable: cmd
when: download_ultradefrag is success
- name: download sdelete
win_get_url:
@@ -161,7 +152,7 @@
when:
- bleachbit_free_disk_space|bool
- download_bleachbit is success
ignore_errors: yes
ignore_errors: true
- name: remove bleachbit files
win_file:
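Review bot: `udefrag_dir` inside the new `block` still hard-codes `ultradefrag-portable-7.1.4.amd64`, while the archive comes from the overridable `ultradefrag_download_url`, so pointing the URL at another release leaves `udefrag.exe` unresolvable and the defrag task fails inside the block. A version variable shared by both would keep them in step, e.g. `udefrag_dir: '{{ temp_directory }}\win_build\ultradefrag-portable-{{ ultradefrag_version }}.amd64'`, with a new `ultradefrag_version` defined beside the URL in defaults. The download task starts above the hunk, so whether it verifies the archive before `udefrag.exe` is run cannot be seen here.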


@@ -14,7 +14,7 @@
win_copy:
src: "{{ winsxs_cleanmgr_file[os_short_name] }}"
dest: '{{ ansible_env.windir }}\System32\cleanmgr.exe'
remote_src: yes
remote_src: true
when:
- check_winsxs_cleanmgr_file.stat.exists
- check_winsxs_cleanmgr_mui_file.stat.exists
@@ -23,7 +23,7 @@
win_copy:
src: "{{ winsxs_cleanmgr_mui_file[os_short_name] }}"
dest: '{{ ansible_env.windir }}\System32\en-US\cleanmgr.exe.mui'
remote_src: yes
remote_src: true
when:
- check_winsxs_cleanmgr_file.stat.exists
- check_winsxs_cleanmgr_mui_file.stat.exists


@@ -1,8 +0,0 @@
---
- name: disable auto login
win_regedit:
path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
name: "{{ item.name }}"
state: absent
loop: "{{ autologin_registry }}"


@@ -1,18 +0,0 @@
---
- name: enable RDP port
win_firewall_rule:
name: Remote Desktop
localport: 3389
action: allow
direction: in
protocol: tcp
state: present
enabled: yes
- name: enable RDP
win_regedit:
path: HKLM:\System\CurrentControlSet\Control\Terminal Server
name: fDenyTSConnections
data: 0
type: dword


@@ -1,43 +0,0 @@
---
- block:
- name: test SSL connection
win_shell: "[System.Net.WebRequest]::Create('https://github.com').GetResponse()"
rescue:
- name: enable TLSv1.2 support
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\{{ item.type }}
name: '{{ item.property }}'
data: '{{ item.value }}'
type: dword
state: present
register: enable_tls12
loop:
- type: Server
property: Enabled
value: 1
- type: Server
property: DisabledByDefault
value: 0
- type: Client
property: Enabled
value: 1
- type: Client
property: DisabledByDefault
value: 0
- name: enable strong crypto
win_regedit:
path: HKLM:\{{ item }}
name: SchUseStrongCrypto
data: 1
type: dword
state: present
loop:
- 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
- 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
- name: reboot if TLS config was applied
win_reboot:
when: enable_tls12 is changed


@@ -1,53 +0,0 @@
---
- name: ensure Windows ADK with DISM is installed
win_chocolatey:
name: windows-adk-deploy
state: present
version: 10.0.17134.0
register: install_windows_adk_deploy
notify: ensure Windows ADK with DISM is removed
- name: ensure PATH contains Windows ADK
win_path:
scope: machine
state: present
elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
- pause:
seconds: 10
- name: download hotfix
win_get_url:
url: '{{ enable_tlsv12_hotfix.url }}'
dest: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
register: download_hotfix
until: download_hotfix is success
delay: 3
retries: 5
- block:
- name: install hotfix (PS >= 4)
win_hotfix:
source: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
state: present
register: hotfix_install
when: ansible_powershell_version is version('4', '>=')
rescue:
- name: install hotfix using shell
win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
register: hotfix_install
- name: install hotfix (PS == 3)
win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
register: hotfix_install
when: ansible_powershell_version is version('3', '==')
- name: ensure hotfix file is removed
win_file:
path: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
state: absent
- name: reboot if needed
win_reboot:
when: hotfix_install.reboot_required | default(False)


@@ -7,38 +7,91 @@
- name: run setup module
setup:
- include_tasks: hotfix-tlsv12.yml
- block:
# This is needed where many tasks and polls run against the windows target where it reaches the limit
# Default value is 1500
- name: increase MaxConcurrentOperationsPerUser
ansible.windows.win_shell: |
winrm set winrm/config/service @{MaxConcurrentOperationsPerUser="20000"}
args:
executable: cmd
# first we need to fix SSL connections with the hotfix
- include_role:
name: "{{ windows_hotfix_role }}"
vars:
hotfix: "{{ win2008_hotfixes[0] }}"
- include_tasks: install_dism.yml
# enable TLS 1.2 with an hotfix
- include_role:
name: "{{ windows_hotfix_role }}"
vars:
hotfix: "{{ win2008_hotfixes[1] }}"
when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
- include_tasks: enable-tlsv12.yml
- include_tasks: enable_tlsv12.yml
- include_tasks: update-agent-win2008.yml
- include_tasks: update_agent_win2008.yml
when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
- include_tasks: security-update-win2012.yml
when: "'Windows Server 2012' in ansible_distribution or 'Windows 8' in ansible_distribution"
- include_tasks: disable-auto-logon.yml
- include_role:
name: "{{ windows_update_role }}"
name: "{{ windows_hotfix_role }}"
loop: "{{ win2012_hotfixes[os_version_name | default('os_6_3')] }}"
loop_control:
loop_var: hotfix
when: "'Windows Server 2012' in ansible_distribution or 'Windows 8' in ansible_distribution"
- include_tasks: disable_auto_logon.yml
- block:
- include_role:
name: "{{ windows_configure_update_role }}"
vars:
role_action: register
wsus_server: "{{ win_update_server }}"
register_with_wsus: true
when: win_update_server | length > 0
- include_role:
name: "{{ windows_update_role }}"
vars:
win_update_server_selection: "{{ 'managed_server' if (win_update_server | length > 0) else 'default' }}"
always:
- include_role:
name: "{{ windows_configure_update_role }}"
vars:
role_action: unregister
when: win_update_server | length > 0
when: install_updates | bool
- name: ensure windows update service stopped and disabled
ansible.windows.win_service:
name: wuauserv
state: stopped
start_mode: disabled
ignore_errors: true
- include_role:
name: "{{ ovirt_guest_agent_role }}"
when: target_ovirt | bool and not target_qemu | bool
- include_role:
name: "{{ virtio_role }}"
when: target_qemu | bool or ('KubeVirt' in ansible_system_vendor | default(''))
when: target_qemu | bool or ('KubeVirt' in (ansible_system_vendor | default('', true)))
- include_role:
name: "{{ virtualbox_guest_additions_role }}"
when: "'VirtualBox' in ansible_product_name"
when: ('VirtualBox' in (ansible_product_name | default('', true)))
- include_role:
name: "{{ vmware_tools_role }}"
when: "'VMware' in ansible_product_name"
when: ('VMware' in (ansible_product_name | default('', true)))
- include_role:
name: "{{ parallels_tools_role }}"
when: ('Parallels' in (ansible_product_name | default('', true))) or (ansible_product_name == None and 'Parallels' in ansible_interfaces[0].interface_name)
- include_tasks: startup.yml
@@ -47,21 +100,21 @@
- include_tasks: power.yml
when: (ansible_os_product_type == 'workstation') | default(False)
- include_tasks: enable-rdp.yml
- include_tasks: enable_rdp.yml
- include_tasks: cloudbase-init.yml
when:
- "'VMware' not in ansible_product_name"
- "'VirtualBox' not in ansible_product_name"
- ('KubeVirt' not in ansible_system_vendor | default(False))
- ('Red Hat' not in ansible_system_vendor | default(False))
- ('VMware' not in (ansible_product_name | default('', true)))
- ('VirtualBox' not in (ansible_product_name | default('', true)))
- ('KubeVirt' not in (ansible_system_vendor | default('', true)))
- ('Red Hat' not in (ansible_system_vendor | default('', true))) or target_openstack | bool
- not target_ovirt | bool
- not target_vagrant | bool
- block:
- include_tasks: remove-apps-alt-2.yml
- include_tasks: remove_apps-alt-2.yml
- include_tasks: remove-onedrive.yml
- include_tasks: remove_onedrive.yml
when:
- remove_apps | bool
- (ansible_os_product_type == 'workstation') | default(False)
@@ -73,14 +126,21 @@
- name: run all handlers here
meta: flush_handlers
- include_tasks: clean-up-components.yml
- include_tasks: clean_up_components.yml
when: clean_up_components | bool
- include_tasks: clean-up.yml
- include_tasks: clean_up.yml
- include_tasks: sysprep.yml
- include_tasks: compact.yml
- name: ensure windows update service is enabled
ansible.windows.win_service:
name: wuauserv
state: stopped
start_mode: auto
ignore_errors: true
- include_tasks: shutdown.yml
when: shutdown_instance | bool
when: shutdown_instance | bool
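Review bot: The `increase MaxConcurrentOperationsPerUser` task raises the WinRM per-user operation quota from its default (1500, per the comment above it) to 20000, and nothing later in the visible hunks puts it back, so the raised quota appears to be baked into the template and every VM cloned from it. A restore task late in the play, with the same condition as the block that raised it, would confine the change to the build. Indentation is lost on this page, so the assumption that the 2008 / Windows 7 `when` covers the block needs confirming, and main.yml continues outside the hunks shown.

```yaml
# … unchanged: ensure windows update service is enabled …
- name: restore MaxConcurrentOperationsPerUser default
  ansible.windows.win_shell: |
    winrm set winrm/config/service @{MaxConcurrentOperationsPerUser="1500"}
  args:
    executable: cmd
  when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
# … unchanged: include_tasks shutdown.yml …
```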


@@ -9,17 +9,68 @@
type: dword
when: policy.allow_unauthenticated_guest_access|bool
# webdav support policy
- block:
- block:
- name: enable WebDAV-Redirector feature on Server (2016+)
win_feature:
name: WebDAV-Redirector
state: present
register: enable_webdav_redirector
when:
- ('Windows Server 2008' not in ansible_distribution)
- ('Windows Server 2012' not in ansible_distribution)
- name: enable Desktop-Experience feature on Server (2008-2012)
win_feature:
name: Desktop-Experience
state: present
register: enable_desktop_experience
when: ('Windows Server 2008' in ansible_distribution or 'Windows Server 2012' in ansible_distribution)
- name: reboot if needed
win_reboot:
when: (enable_webdav_redirector is changed and enable_webdav_redirector.reboot_required) or (enable_desktop_experience is changed and enable_desktop_experience.reboot_required)
when: (ansible_os_product_type | default('server')) == 'server'
- name: set webclient maximum file size
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
name: FileSizeLimitinBytes
data: "{{ webclient_maximum_file_size }}"
type: dword
- name: ensure webclient service is started in auto mode
win_service:
name: webclient
start_mode: auto
state: started
when:
- policy.install_webclient_service|bool
- ansible_os_installation_type | default('server') | lower != 'server core'
- name: set connection profile to private (Windows 10)
win_shell: Set-NetConnectionProfile -NetworkCategory Private
when:
- "'Windows 10' in ansible_distribution"
- name: set connection profile to private (Windows 7)
win_shell: '{{ set_network_to_private }}'
win_shell: "{{ set_network_to_private }}"
when: "'Windows 7' in ansible_distribution"
- name: disable end of support notification (Windows 7,8)
win_regedit:
path: HKCU:\Software\Microsoft\Windows\CurrentVersion\EOSNotify
name: DiscontinueEOS
data: 1
type: dword
when:
- "'Windows 7' in ansible_distribution"
- (policy.disable_eos_reminder | default(true))|bool
- ('Windows 7' in ansible_distribution) or ('Windows 8' in ansible_distribution)
- name: Ensure local account password doesn't expire
win_user:
name: "{{ ansible_user }}"
password_never_expires: yes
password_never_expires: true
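Review bot: The new WebDAV block leaves the `webclient` service `started` with `start_mode: auto` and sets `FileSizeLimitinBytes` from `webclient_maximum_file_size` (4 GB in defaults), and both settings persist into every image built with `policy.install_webclient_service` enabled; the only explanation in the hunk is `# webdav support policy`. Hardening baselines commonly keep WebClient off on servers, so the opt-in deserves a line saying what it leaves behind, e.g. `# opt-in: WebClient stays running in all clones; enable only when they must mount WebDAV shares`. The task list in policy.yml starts above the first line of this hunk.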


@@ -1,6 +1,16 @@
---
- name: change power plan to high performance
win_power_plan:
name: high performance
ignore_errors: yes
- block:
- name: change power plan to high performance
win_power_plan:
name: high performance
rescue:
- name: use powershell to change plan to high performance
win_shell: |
powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
#powercfg /change monitor-timeout-ac 0
powercfg /change disk-timeout-ac 0
powercfg /change standby-timeout-ac 0
powercfg /change hibernate-timeout-ac 0
ignore_errors: true
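Review bot: The `rescue` path does more than the task it stands in for: besides `powercfg -setactive`, it sets the disk, standby and hibernate timeouts to 0, which the `win_power_plan` path never touches, so the resulting template differs depending on which path ran. Either move the three `powercfg /change` lines into their own task that always runs, or drop them from the fallback. A comment naming the GUID would also help, e.g. `# 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c = built-in High performance scheme`.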


@@ -1,96 +0,0 @@
---
- name: remove default apps
win_shell: |
$ErrorActionPreference = "Stop"
$apps = @(
"Microsoft.3DBuilder",
"Microsoft.Appconnector",
"Microsoft.BingFinance",
"Microsoft.BingNews",
"Microsoft.BingSports",
"Microsoft.BingWeather",
"Microsoft.FreshPaint",
"Microsoft.Getstarted",
"Microsoft.MicrosoftOfficeHub",
"Microsoft.MicrosoftSolitaireCollection",
"Microsoft.MicrosoftStickyNotes",
"Microsoft.Office.OneNote",
"Microsoft.OneConnect",
"Microsoft.People",
"Microsoft.SkypeApp",
"Microsoft.Windows.Photos",
"Microsoft.WindowsAlarms",
"Microsoft.WindowsCalculator",
"Microsoft.WindowsCamera",
"Microsoft.WindowsMaps",
"Microsoft.WindowsPhone",
"Microsoft.WindowsSoundRecorder",
"Microsoft.XboxApp",
"Microsoft.ZuneMusic",
"Microsoft.ZuneVideo",
"Microsoft.WindowsCommunicationsApps",
"Microsoft.MinecraftUWP",
"Microsoft.MicrosoftPowerBIForWindows",
"Microsoft.NetworkSpeedTest",
"Microsoft.CommsPhone",
"Microsoft.ConnectivityStore",
"Microsoft.Messaging",
"Microsoft.Office.Sway",
"Microsoft.OneConnect",
"Microsoft.WindowsFeedbackHub",
"Microsoft.BingFoodAndDrink",
"Microsoft.BingTravel",
"Microsoft.BingHealthAndFitness",
"Microsoft.WindowsReadingList",
"Microsoft.MSPaint",
"Microsoft.Microsoft3DViewer",
"Microsoft.Print3D",
"9E2F88E3.Twitter",
"PandoraMediaInc.29680B314EFC2",
"Flipboard.Flipboard",
"ShazamEntertainmentLtd.Shazam",
"king.com.CandyCrushSaga",
"king.com.CandyCrushSodaSaga",
"king.com.*",
"ClearChannelRadioDigital.iHeartRadio",
"4DF9E0F8.Netflix",
"6Wunderkinder.Wunderlist",
"Drawboard.DrawboardPDF",
"2FE3CB00.PicsArt-PhotoStudio",
"D52A8D61.FarmVille2CountryEscape",
"TuneIn.TuneInRadio",
"GAMELOFTSA.Asphalt8Airborne",
"TheNewYorkTimes.NYTCrossword",
"DB6EA5DB.CyberLinkMediaSuiteEssentials",
"Facebook.Facebook",
"flaregamesGmbH.RoyalRevolt2",
"Playtika.CaesarsSlotsFreeCasino",
"A278AB0D.MarchofEmpires",
"KeeperSecurityInc.Keeper",
"ThumbmunkeysLtd.PhototasticCollage",
"XINGAG.XING",
"89006A2E.AutodeskSketchBook",
"D5EA27B7.Duolingo-LearnLanguagesforFree",
"46928bounde.EclipseManager",
"ActiproSoftwareLLC.562882FEEB491"
)
foreach ($app in $apps) {
Get-AppxPackage -Name $app -AllUsers | Remove-AppxPackage -AllUsers
Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -like $app } | Remove-AppxProvisionedPackage -Online
}
register: cleanup_win10_remove
until: cleanup_win10_remove is successful
retries: 5
delay: 1
ignore_errors: yes
- name: prevent suggested applications from returning
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content
name: DisableWindowsConsumerFeatures
data: 1
datatype: dword
- name: reboot to effect pending changes
win_reboot:


@@ -1,30 +0,0 @@
---
- name: remove user apps
script: RemoveUserApps.ps1
register: cleanup_win10_remove
until: cleanup_win10_remove is successful
retries: 3
delay: 1
ignore_errors: yes
#- name: disable windows store
# win_regedit:
# path: HKLM:\Software\Policies\Microsoft\WindowsStore
# name: AutoDownload
# data: 00000002
# type: dword
#
#- name: disable content delivery manager
# win_regedit:
# path: HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
# name: SilentInstalledAppsEnabled
# data: 00000000
# type: dword
#
#- name: disable windows store
# win_regedit:
# path: HKLM:\Software\Policies\Microsoft\Windows\CloudContent
# name: DisableWindowsConsumerFeatures
# data: 00000001
# type: dword


@@ -1,97 +0,0 @@
---
- name: Setup the xWebAdministration module
win_psmodule:
name: DSCR_AppxPackage
state: present
- name: remove packages
win_dsc:
resource_name: cAppxProvisionedPackageSet
Ensure: Absent
PackageName:
- Microsoft.3DBuilder
- Microsoft.Appconnector
- Microsoft.BingFinance
- Microsoft.BingNews
- Microsoft.BingSports
- Microsoft.BingWeather
- Microsoft.FreshPaint
- Microsoft.Getstarted
- Microsoft.MicrosoftOfficeHub
- Microsoft.MicrosoftSolitaireCollection
- Microsoft.MicrosoftStickyNotes
- Microsoft.Office.OneNote
- Microsoft.OneConnect
- Microsoft.People
- Microsoft.SkypeApp
- Microsoft.Windows.Photos
- Microsoft.WindowsAlarms
- Microsoft.WindowsCalculator
- Microsoft.WindowsCamera
- Microsoft.WindowsMaps
- Microsoft.WindowsPhone
- Microsoft.WindowsSoundRecorder
- Microsoft.XboxApp
- Microsoft.ZuneMusic
- Microsoft.ZuneVideo
- Microsoft.WindowsCommunicationsApps
- Microsoft.MinecraftUWP
- Microsoft.MicrosoftPowerBIForWindows
- Microsoft.NetworkSpeedTest
- Microsoft.CommsPhone
- Microsoft.ConnectivityStore
- Microsoft.Messaging
- Microsoft.Office.Sway
- Microsoft.OneConnect
- Microsoft.WindowsFeedbackHub
- Microsoft.BingFoodAndDrink
- Microsoft.BingTravel
- Microsoft.BingHealthAndFitness
- Microsoft.WindowsReadingList
- Microsoft.MSPaint
- Microsoft.Microsoft3DViewer
- Microsoft.Print3D
- 9E2F88E3.Twitter
- PandoraMediaInc.29680B314EFC2
- Flipboard.Flipboard
- ShazamEntertainmentLtd.Shazam
- king.com.CandyCrushSaga
- king.com.CandyCrushSodaSaga
- king.com.*
- ClearChannelRadioDigital.iHeartRadio
- 4DF9E0F8.Netflix
- 6Wunderkinder.Wunderlist
- Drawboard.DrawboardPDF
- 2FE3CB00.PicsArt-PhotoStudio
- D52A8D61.FarmVille2CountryEscape
- TuneIn.TuneInRadio
- GAMELOFTSA.Asphalt8Airborne
- TheNewYorkTimes.NYTCrossword
- DB6EA5DB.CyberLinkMediaSuiteEssentials
- Facebook.Facebook
- flaregamesGmbH.RoyalRevolt2
- Playtika.CaesarsSlotsFreeCasino
- A278AB0D.MarchofEmpires
- KeeperSecurityInc.Keeper
- ThumbmunkeysLtd.PhototasticCollage
- XINGAG.XING
- 89006A2E.AutodeskSketchBook
- D5EA27B7.Duolingo-LearnLanguagesforFree
- 46928bounde.EclipseManager
- ActiproSoftwareLLC.562882FEEB491-
register: cleanup_win10_remove
until: cleanup_win10_remove is successful
retries: 3
delay: 1
ignore_errors: yes
- name: prevent suggested applications from returning
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content
name: DisableWindowsConsumerFeatures
data: 1
datatype: dword
- name: reboot to effect pending changes
win_reboot:


@@ -1,33 +0,0 @@
---
- name: kill onedrive process
win_shell: Stop-Process -Name OneDrive
ignore_errors: yes
- name: uninstall onedrive
win_shell: '{{ ansible_env.SystemRoot }}\SysWOW64\OneDriveSetup.exe /uninstall'
ignore_errors: yes
- name: remove onedrivesync package
win_shell: get-appxpackage *Microsoft.OneDriveSync* | remove-appxpackage -AllUsers
ignore_errors: yes
- name: remove onedrive directories
win_file:
path: '{{ item }}'
state: absent
ignore_errors: yes
loop:
- '{{ ansible_env.USERPROFILE }}\OneDrive'
- '{{ ansible_env.LOCALAPPDATA }}\Microsoft\OneDrive'
- '{{ ansible_env.ProgramData }}\Microsoft OneDrive'
- C:\OneDriveTemp
- name: delete registry keys
win_regedit:
path: '{{ item }}'
state: absent
delete_key: yes
loop:
- HKCR:\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
- HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}


@@ -1,38 +0,0 @@
---
# this update is needed to enable .NET clients to use https (tslv12) on Windows 8.1 and Windows Server 2012 R2
# see https://www.microsoft.com/en-us/download/confirmation.aspx?id=42883
- name: download hotfix
win_get_url:
url: '{{ dot_net_security_hotfix.url }}'
dest: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }}'
register: download_hotfix
until: download_hotfix is success
delay: 3
retries: 5
- block:
- name: install hotfix (PS >= 4)
win_hotfix:
source: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }}'
state: present
register: hotfix_install
when: ansible_powershell_version is version('4', '>=')
rescue:
- name: install hotfix using shell
win_shell: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }} /quiet /norestart'
register: hotfix_install
- name: install hotfix (PS == 3)
win_shell: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }} /quiet /norestart'
register: hotfix_install
when: ansible_powershell_version is version('3', '==')
- name: ensure hotfix file is removed
win_file:
path: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }}'
state: absent
- name: reboot if needed
win_reboot:
when: hotfix_install.reboot_required | default(False)


@@ -2,4 +2,4 @@
- name: run sysprep-shutdown scheduled task
win_shell: schtasks.exe /Run /TN "sysprep-shutdown"
ignore_errors: yes
ignore_errors: true


@@ -16,8 +16,8 @@
state: directory
- name: enable winrm
win_shell: '& $([scriptblock]::Create((New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"))) -ForceNewSSLCert -EnableCredSSP'
ignore_errors: yes
win_shell: '{{ enable_winrm_command }}'
ignore_errors: true
when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
- name: copy unattend.xml
@@ -25,9 +25,9 @@
src: unattend.xml.j2
dest: C:\Windows\system32\sysprep\unattend.xml
when:
- ('VMware' not in ansible_product_name) or ('VMware' in ansible_product_name and target_vagrant | bool)
- ('VMware' not in (ansible_product_name | default('', true))) or ('VMware' in (ansible_product_name | default('', true)) and target_vagrant | bool)
- not target_ovirt | bool
- not ('KubeVirt' in ansible_system_vendor | default(''))
- not ('KubeVirt' in ansible_system_vendor | default('', true))
#- name: run sysprep
# win_shell: C:\Windows\system32\sysprep\sysprep.exe /generalize /shutdown /oobe /quiet
@@ -40,32 +40,32 @@
win_scheduled_task:
name: sysprep-shutdown
username: SYSTEM
disallow_start_if_on_batteries: no
stop_if_going_on_batteries: no
disallow_start_if_on_batteries: false
stop_if_going_on_batteries: false
actions:
- path: powershell.exe
arguments: Remove-Item -Path WSMan:\localhost\Listener\* -Recurse -Force
- path: C:\windows\system32\sysprep\sysprep.exe
arguments: /generalize /oobe /quiet /shutdown
when:
- ('VMware' not in ansible_product_name) or ('VMware' in ansible_product_name and target_vagrant | bool) or (target_ovirt | bool) or ('KubeVirt' in ansible_system_vendor | default(''))
- ('VMware' not in (ansible_product_name | default('', true))) or ('VMware' in (ansible_product_name | default('', true)) and target_vagrant | bool) or (target_ovirt | bool) or ('KubeVirt' in ansible_system_vendor | default(''))
- name: create scheduled task to delete WinRM listeners and shutdown
win_scheduled_task:
name: sysprep-shutdown
username: SYSTEM
disallow_start_if_on_batteries: no
stop_if_going_on_batteries: no
disallow_start_if_on_batteries: false
stop_if_going_on_batteries: false
actions:
- path: powershell.exe
arguments: Remove-Item -Path WSMan:\localhost\Listener\* -Recurse -Force
- path: shutdown.exe
arguments: /s /t 10 /f /d p:4:1 /c "Ansible Shutdown"
when:
- "'VMware' in ansible_product_name"
- ('VMware' in (ansible_product_name | default('', true)))
- not target_vagrant | bool
- not target_ovirt | bool
- not ('KubeVirt' in ansible_system_vendor | default(''))
- not ('KubeVirt' in (ansible_system_vendor | default('', true)))
- name: set flag to recreate pagefile after next sysprep
win_shell: |
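Review bot: The `enable winrm` task in the first hunk now executes whatever `enable_winrm_command` holds and still carries `ignore_errors: true`, so neither the origin of that code nor a failed run is checked. The variable's definition is not in this section; the line it replaces downloaded `ConfigureRemotingForAnsible.ps1` from the `devel` branch and ran it in memory, and if the variable keeps that form, the build executes unpinned remote content that ends up in every image produced from this template. I would ship a reviewed copy of the script with the role, or fetch it with `win_get_url` using `checksum: '<sha256 of the reviewed script>'` and `checksum_algorithm: sha256`, and then run the local file. I would also register the result and fail the play when WinRM setup does not succeed instead of ignoring it. The task list continues outside this hunk.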


@@ -1,13 +0,0 @@
---
# this updates windows update which is needed to install further updates
# see https://docs.microsoft.com/en-US/troubleshoot/windows-client/deployment/update-windows-update-agent
- name: ensure Windows Update Agent on 2008 is installed
win_package:
path: "{{ windows_update_agent_url }}"
arguments:
- /quiet
- /norestart
- /wuforce
creates_path: C:\Windows\System32\wuaueng.dll
creates_version: 7.6.7600.320


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="{{ win_architecture | default('amd64') }}" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UserAccounts>
{% if unattend.administrator_password is defined %}
<AdministratorPassword>
@@ -41,7 +41,7 @@
<HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
<NetworkLocation>Home</NetworkLocation>
<ProtectYourPC>1</ProtectYourPC>
{% if not '2008' in ansible_distribution or not 'Windows 7' in ansible_distribution %}
{% if not 'Windows Server 2008' in ansible_distribution and not 'Windows 7' in ansible_distribution %}
<HideLocalAccountScreen>true</HideLocalAccountScreen>
<HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
<HideOnlineAccountScreens>true</HideOnlineAccountScreens>
@@ -60,22 +60,49 @@
</AutoLogon>
{% endif %}
<FirstLogonCommands>
{% if not 'Windows Server 2008' in ansible_distribution and not 'Windows 7' in ansible_distribution %}
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c powershell -Command "& $([scriptblock]::Create((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))) -ForceNewSSLCert -EnableCredSSP"</CommandLine>
<Description>Enable winrm</Description>
<CommandLine>cmd.exe /c powershell -Command "Resize-Partition -DriveLetter C -Size (Get-PartitionSupportedSize -DriveLetter C).Sizemax -ErrorAction SilentlyContinue"</CommandLine>
<Description>Resize partition</Description>
<Order>1</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c powershell -Command "Set-NetConnectionProfile -NetworkCategory Private"</CommandLine>
<Description>Set network connection profile to private</Description>
<Order>2</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
{% else %}
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c powershell Command "{{ expand_disk }}"</CommandLine>
<Description>Resize partition</Description>
<Order>1</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c powershell Command "{{ set_network_to_private }}"</CommandLine>
<Description>Set network connection profile to private</Description>
<Order>2</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
{% endif %}
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c powershell -Command "{{ enable_winrm_command }}"</CommandLine>
<Description>Enable winrm</Description>
<Order>3</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c powershell -Command "Enable-WSManCredSSP -Role Server -Force"</CommandLine>
<Description>Enable winrm server role</Description>
<Order>2</Order>
<Order>4</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c powershell -Command "Set-Item -Path 'WSMan:\localhost\Service\Auth\CredSSP' -Value $true"</CommandLine>
<Description>Enable credssp authentication</Description>
<Order>3</Order>
<Order>5</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
</FirstLogonCommands>
@@ -83,7 +110,7 @@
</component>
</settings>
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="{{ win_architecture | default('amd64') }}" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<OEMInformation>
<HelpCustomized>false</HelpCustomized>
</OEMInformation>
@@ -92,7 +119,7 @@
<TimeZone>{{ settings.time_zone | default('Central Standard Time') }}</TimeZone>
<RegisteredOwner/>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="{{ win_architecture | default('amd64') }}" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<SkipAutoActivation>{{ settings.skip_auto_activation | default('true') }}</SkipAutoActivation>
</component>
</settings>
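Review bot: In the `{% else %}` branch of the FirstLogonCommands hunk, both new command lines read `powershell Command "..."` without the dash, while every other entry in the block uses `-Command`. PowerShell will most likely treat `Command` as the name of a command to run, so on Windows 7 / Server 2008 the disk resize and the network-category change would fail at first logon with nothing reporting it. The lines should read `cmd.exe /c powershell -Command "{{ expand_disk }}"` and `cmd.exe /c powershell -Command "{{ set_network_to_private }}"`. `expand_disk` as defined in the defaults contains `&` and escaped double quotes, so it is also worth checking that the rendered unattend.xml is still well-formed and that the inner quotes survive the `cmd.exe /c` wrapper.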


@@ -21,4 +21,15 @@ autologin_registry:
- name: DefaultUserName
data: "{{ unattend.local_accounts[0].name }}"
- name: DefaultPassword
data: "{{ unattend.local_accounts[0].password }}"
data: "{{ unattend.local_accounts[0].password }}"
win_architecture_list:
arm_64_bit_processor: arm64
arm_32_bit_processor: arm
64_bit: amd64
32_bit: x86
win_architecture: "{{ win_architecture_list[(ansible_architecture | default('64-bit'))|replace('-','_')|replace(' ','_')|lower] }}"
os_version: "{{ ansible_kernel.split('.')[0] }}.{{ ansible_kernel.split('.')[1] }}"
os_version_name: "os_{{ ansible_kernel.split('.')[0] }}_{{ ansible_kernel.split('.')[1] }}"