diff --git a/roles/geerlingguy.java/.ansible-lint b/roles/geerlingguy.java/.ansible-lint new file mode 100644 index 0000000..acc8255 --- /dev/null +++ b/roles/geerlingguy.java/.ansible-lint @@ -0,0 +1,3 @@ +skip_list: + - 'yaml' + - 'role-name' diff --git a/roles/geerlingguy.java/.github/workflows/ci.yml b/roles/geerlingguy.java/.github/workflows/ci.yml new file mode 100644 index 0000000..4740eb6 --- /dev/null +++ b/roles/geerlingguy.java/.github/workflows/ci.yml @@ -0,0 +1,71 @@ +--- +name: CI +'on': + pull_request: + push: + branches: + - master + schedule: + - cron: "0 7 * * 2" + +defaults: + run: + working-directory: 'geerlingguy.java' + +jobs: + + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v4 + with: + path: 'geerlingguy.java' + + - name: Set up Python 3. + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install yamllint + + - name: Lint code. + run: | + yamllint . + + molecule: + name: Molecule + runs-on: ubuntu-latest + strategy: + matrix: + distro: + - rockylinux9 + - rockylinux8 + - ubuntu2204 + - ubuntu2004 + - debian12 + - debian11 + - amazonlinux2023 + + steps: + - name: Check out the codebase. + uses: actions/checkout@v4 + with: + path: 'geerlingguy.java' + + - name: Set up Python 3. + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install ansible molecule molecule-plugins[docker] docker + + - name: Run Molecule tests. + run: molecule test + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + MOLECULE_DISTRO: ${{ matrix.distro }} diff --git a/roles/geerlingguy.java/.github/workflows/release.yml b/roles/geerlingguy.java/.github/workflows/release.yml new file mode 100644 index 0000000..441b2f0 --- /dev/null +++ b/roles/geerlingguy.java/.github/workflows/release.yml 
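Review bot: ci.yml declares no `permissions:` block, so the lint and Molecule jobs run with the repository's default `GITHUB_TOKEN` scope even though neither needs to write anything; adding `permissions:` / `  contents: read` at the top level pins the workflow to least privilege. The step `run: pip3 install ansible molecule molecule-plugins[docker] docker` installs whatever the index serves on every pull request and scheduled run, and the actions are referenced by mutable tags (`actions/checkout@v4`, `actions/setup-python@v5`) rather than commit SHAs, so the test supply chain is neither pinned nor reproducible. Consider a requirements file with pinned versions (ideally hashes) and SHA-pinned action references, with a comment next to the `cron` schedule noting how the pins are refreshed.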
@@ -0,0 +1,40 @@ +--- +# This workflow requires a GALAXY_API_KEY secret present in the GitHub +# repository or organization. +# +# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy +# See: https://github.com/ansible/galaxy/issues/46 + +name: Release +'on': + push: + tags: + - '*' + +defaults: + run: + working-directory: 'geerlingguy.java' + +jobs: + + release: + name: Release + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v4 + with: + path: 'geerlingguy.java' + + - name: Set up Python 3. + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Install Ansible. + run: pip3 install ansible-core + + - name: Trigger a new import on Galaxy. + run: >- + ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} + $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/roles/geerlingguy.java/tasks/setup-Amazon.yml b/roles/geerlingguy.java/tasks/setup-Amazon.yml new file mode 100644 index 0000000..1306945 --- /dev/null +++ b/roles/geerlingguy.java/tasks/setup-Amazon.yml @@ -0,0 +1,5 @@ +--- +- name: Ensure Java is installed. + package: + name: "{{ java_packages }}" + state: present diff --git a/roles/geerlingguy.java/vars/Amazon-2.yml b/roles/geerlingguy.java/vars/Amazon-2.yml new file mode 100644 index 0000000..203660b --- /dev/null +++ b/roles/geerlingguy.java/vars/Amazon-2.yml @@ -0,0 +1,8 @@ +--- +# JDK version options include: +# - java-1.7.0-openjdk +# - java-1.8.0-openjdk +# - java-11-amazon-corretto +# - java-17-amazon-corretto +__java_packages: + - java-17-amazon-corretto diff --git a/roles/geerlingguy.java/vars/Amazon-2023.yml b/roles/geerlingguy.java/vars/Amazon-2023.yml new file mode 100644 index 0000000..86c3d5c --- /dev/null +++ b/roles/geerlingguy.java/vars/Amazon-2023.yml 
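Review bot: The `ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} ...` step expands the secret directly into the shell command line, where it is visible in the runner's process table and in any shell trace, instead of passing it through the step environment. Move it to `env:` / `  GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}` and reference `"$GALAXY_API_KEY"` in the command; doing the same for `${{ github.repository }}` is not strictly needed (its character set is restricted) but keeps expression-to-shell interpolation out of `run:` as a habit. Note also that the `tags: '*'` trigger publishes on any pushed tag, so anyone with tag-push rights can release; a `v*` pattern plus tag protection rules would narrow that.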
@@ -0,0 +1,8 @@ +--- +# JDK version options include: +# - java-1.8.0-openjdk +# - java-11-amazon-corretto +# - java-17-amazon-corretto +# - java-21-amazon-corretto +__java_packages: + - java-11-amazon-corretto diff --git a/roles/geerlingguy.java/vars/Debian-11.yml b/roles/geerlingguy.java/vars/Debian-11.yml new file mode 100644 index 0000000..bd058c2 --- /dev/null +++ b/roles/geerlingguy.java/vars/Debian-11.yml @@ -0,0 +1,6 @@ +--- +# JDK version options include: +# - java +# - openjdk-11-jdk +__java_packages: + - openjdk-11-jdk diff --git a/roles/geerlingguy.java/vars/Debian-12.yml b/roles/geerlingguy.java/vars/Debian-12.yml new file mode 100644 index 0000000..f47ebb4 --- /dev/null +++ b/roles/geerlingguy.java/vars/Debian-12.yml @@ -0,0 +1,6 @@ +--- +# JDK version options include: +# - java +# - openjdk-17-jdk +__java_packages: + - openjdk-17-jdk diff --git a/roles/geerlingguy.java/vars/RedHat-9.yml b/roles/geerlingguy.java/vars/RedHat-9.yml new file mode 100644 index 0000000..546ce8a --- /dev/null +++ b/roles/geerlingguy.java/vars/RedHat-9.yml @@ -0,0 +1,7 @@ +--- +# JDK version options include: +# - java-1.8.0-openjdk +# - java-11-openjdk +# - java-17-openjdk +__java_packages: + - java-17-openjdk diff --git a/roles/geerlingguy.java/vars/Ubuntu-22.yml b/roles/geerlingguy.java/vars/Ubuntu-22.yml new file mode 100644 index 0000000..be1737e --- /dev/null +++ b/roles/geerlingguy.java/vars/Ubuntu-22.yml @@ -0,0 +1,6 @@ +--- +# JDK version options include: +# - java +# - openjdk-18-jdk +__java_packages: + - openjdk-17-jdk diff --git a/roles/ikke_t.podman_container_systemd/tasks/deploy_pod_yaml.yml b/roles/ikke_t.podman_container_systemd/tasks/deploy_pod_yaml.yml new file mode 100644 index 0000000..c5618c5 --- /dev/null +++ b/roles/ikke_t.podman_container_systemd/tasks/deploy_pod_yaml.yml 
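Review bot: `__java_packages` for Amazon Linux 2023 defaults to `java-11-amazon-corretto`, while the sibling files added in this commit (Amazon-2, RedHat-9, Debian-12, Ubuntu-22) all default to a 17 JDK and this file's own header comment lists 17 and 21 as available. If the older default is deliberate (for example an application not yet validated on 17), a one-line comment such as `# 11 kept as default for <reason>; 17/21 are available above` would stop the next maintainer from "fixing" it; otherwise `- java-17-amazon-corretto` matches the rest of the role.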
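Review bot: In Ubuntu-22.yml the header comment lists `openjdk-18-jdk` as the distro option while `__java_packages` installs `openjdk-17-jdk`, which the comment does not mention. Update the list to include `# - openjdk-17-jdk` (keeping 18 only if it is meant as an alternative) so the documented choices match the default, as they do in the other vars files of this commit.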
@@ -0,0 +1,58 @@ +--- +- name: Deploy container-pod-yaml with validation + block: + - name: Make sure unzip is installed + become: true + ansible.builtin.package: + name: unzip + state: present + + - name: Set correct kubeval version for 64bit + ansible.builtin.set_fact: + kubeval_arch: amd64 + when: ansible_architecture == "x86_64" + + - name: Set correct kubeval version for 64bit + ansible.builtin.set_fact: + kubeval_arch: 386 + when: ansible_architecture == "i386" + + - name: Continue without validation as we can't get kubeval for this arch + ansible.builtin.set_fact: + container_pod_yaml_template_validation: false + when: kubeval_arch is undefined + + - name: Get latest kubeval version + become: true + ansible.builtin.unarchive: + src: "{{ kubeval_url }}/download/kubeval-linux-{{ kubeval_arch }}.tar.gz" + dest: "/usr/local/bin" + owner: "root" + group: "root" + mode: "0755" + exclude: + - README.md + - LICENSE + remote_src: true + keep_newer: true + + - name: Deploy container configuration + ansible.builtin.template: + src: "{{ container_pod_yaml_template }}" + dest: "{{ container_pod_yaml }}" + owner: "{{ container_run_as_user }}" + group: "{{ container_run_as_group }}" + mode: '0640' + validate: /usr/local/bin/kubeval %s + notify: restart service + when: container_pod_yaml_template_validation + +- name: container-pod-yaml without validation + ansible.builtin.template: + src: "{{ container_pod_yaml_template }}" + dest: "{{ container_pod_yaml }}" + owner: "{{ container_run_as_user }}" + group: "{{ container_run_as_group }}" + mode: '0640' + notify: restart service + when: not container_pod_yaml_template_validation diff --git a/roles/ikke_t.podman_container_systemd/templates/container-pod-yaml.j2 b/roles/ikke_t.podman_container_systemd/templates/container-pod-yaml.j2 new file mode 100644 index 0000000..79cc5f8 --- /dev/null +++ b/roles/ikke_t.podman_container_systemd/templates/container-pod-yaml.j2 
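Review bot: The `Get latest kubeval version` task fetches `{{ kubeval_url }}/download/kubeval-linux-{{ kubeval_arch }}.tar.gz` and unpacks it straight into `/usr/local/bin` as root with no checksum or signature check, and the template task then executes that binary through `validate: /usr/local/bin/kubeval %s`; whoever controls the download endpoint, or the network path to it, controls a root-executed binary on every managed host. `ansible.builtin.unarchive` has no checksum option, so fetch with `ansible.builtin.get_url` and a pinned `checksum:` first (a per-arch digest map in defaults) and unarchive the verified file, pinning a release rather than "latest". There is also a logic gap: on an architecture other than x86_64/i386 the block sets `container_pod_yaml_template_validation: false`, but the unarchive task has no `when: kubeval_arch is defined`, so it fails on the undefined variable before the fallback template task can run. The two `set_fact` tasks additionally share the name `Set correct kubeval version for 64bit`; the second should say i386.
```yaml
    - name: Download pinned kubeval release
      become: true
      ansible.builtin.get_url:
        url: "{{ kubeval_url }}/download/kubeval-linux-{{ kubeval_arch }}.tar.gz"
        dest: "/root/kubeval-linux-{{ kubeval_arch }}.tar.gz"
        checksum: "sha256:{{ kubeval_sha256[kubeval_arch] }}"
        mode: "0600"
      when: kubeval_arch is defined

    - name: Install verified kubeval
      become: true
      ansible.builtin.unarchive:
        src: "/root/kubeval-linux-{{ kubeval_arch }}.tar.gz"
        dest: "/usr/local/bin"
        # … unchanged: owner/group/mode/exclude/remote_src/keep_newer …
      when: kubeval_arch is defined
```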
@@ -0,0 +1,98 @@ +apiVersion: {{ container_pod_apiversion | default('v1') }} +kind: Pod +metadata: +{% if container_pod_labels is defined %} + labels: +{% for key, value in container_pod_labels.items() %} + {{ key }}: {{ value }} +{% endfor %} +{% endif %} + name: {{ container_name }} +spec: +{% if container_pod_volumes is defined %} + # + # define exported volumes for permanent data + # + volumes: +{% for volume in container_pod_volumes %} + - name: {{ volume.name }} +{% for key, value in volume.items() %} +{% if key != 'name' %} +{% if value is mapping %} + {{ key }}: +{% for key, value in value.items() %} + {{ key }}: {{ value }} +{% endfor %} +{% else %} + {{ key }}: {{ value }} +{% endif %} +{% endif %} +{% endfor %} + +{% endfor %} +{% endif %} +{% if container_pod_containers is defined %} + # + # container definition + # + containers: +{% for container in container_pod_containers %} + - name: {{ container.name }} +{% if container.command is defined %} + commmand: {{ container.command }} +{% endif %} +{% if container.args is defined %} + args: {{ container.args }} +{% endif %} +{% if container.workingDir is defined %} + workingDir: {{ container.workingDir }} +{% endif %} + image: {{ container.image }} +{% if container.env is defined %} + env: +{% for key, value in container.env.items() %} + - name: {{ key }} + value: {{ value }} +{% endfor %} +{% endif %} +{% if container.volumeMounts is defined %} + volumeMounts: +{% for volume in container.volumeMounts %} + - name: {{ volume.name }} + mountPath: {{ volume.mountPath }} +{% endfor %} +{% endif %} +{% if container.ports is defined %} + ports: +{% for port in container.ports %} + - containerPort: {{ port.containerPort }} +{% if port.hostIP is defined %} + hostIP: {{ port.hostIP }} +{% endif %} +{% if port.hostPort is defined %} + hostPort: {{ port.hostPort }} +{% endif %} +{% if port.name is defined %} + name: {{ port.name }} +{% endif %} +{% if port.protocol is defined %} + protocol: {{ port.protocol }} +{% 
endif %} +{% endfor %} +{% endif %} +{% if container.securityContext is defined %} + securityContext: +{% for key, value in container.securityContext.items() %} +{% if value is mapping %} + {{ key }}: +{% for key, value in value.items() %} + {{ key }}: {{ value }} +{% endfor %} +{% else %} + {{ key }}: {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% endfor %} +{% endif %} diff --git a/roles/oatakan.rhel_ovirt_template/tasks/provision.yml b/roles/oatakan.rhel_ovirt_template/tasks/provision.yml new file mode 100644 index 0000000..9fbfd47 --- /dev/null +++ b/roles/oatakan.rhel_ovirt_template/tasks/provision.yml 
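Review bot: `commmand: {{ container.command }}` is misspelled (three m's), so a caller-supplied `command` is emitted under an unknown key and the container runs its image's default entrypoint instead; whether the consumer rejects or silently ignores the unknown field depends on it, and kubeval does not flag unknown fields unless run with `--strict`, so the validation step in deploy_pod_yaml.yml would not catch this. Fix is `command: {{ container.command }}`. Separately, `value: {{ value }}` in the env loop and the passthrough `{{ key }}: {{ value }}` lines render scalars unquoted, so a value such as `true`, `no`, `0644` or `1.10` is re-typed by the YAML parser even though the Pod schema requires env values to be strings; render `value: {{ value | to_json }}` (or otherwise quote) to keep them literal.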
@@ -0,0 +1,116 @@ +--- + +- block: + - include_tasks: make_iso.yml + + - include_tasks: provision_vm.yml + + - name: refresh inventory + meta: refresh_inventory + + - name: clear gathered facts + meta: clear_facts + + - name: clear any host errors + meta: clear_host_errors + + - name: add host + add_host: + hostname: template_vm + ansible_host: '{{ template_vm_ip_address }}' + host_key_checking: false + ansible_user: "{{ local_account_username }}" + ansible_password: "{{ local_account_password }}" + ansible_port: "{{ vm_ansible_port | default('22') }}" + ansible_ssh_common_args: '-o UserKnownHostsFile=/dev/null' + ansible_python_interpreter: auto + + - name: run setup module + setup: + delegate_to: template_vm + connection: ssh + + - block: + - include_role: + name: oatakan.rhn + apply: + delegate_to: template_vm + connection: ssh + become: yes + + - include_role: + name: oatakan.rhel_upgrade + apply: + delegate_to: template_vm + connection: ssh + become: yes + when: install_updates|bool + + - include_role: + name: oatakan.rhel_template_build + apply: + delegate_to: template_vm + connection: ssh + become: yes + vars: + target_ovirt: yes + + always: + - include_role: + name: oatakan.rhn + apply: + delegate_to: template_vm + connection: ssh + become: yes + vars: + role_action: unregister + + - name: force handlers to run before stoppping the vm + meta: flush_handlers + + - name: refresh SSO credentials + ovirt.ovirt.ovirt_auth: + url: "{{ lookup('env', 'OVIRT_URL')|default(ovirt.url, true) }}" + username: "{{ lookup('env', 'OVIRT_USERNAME')|default(ovirt.username, true) }}" + password: "{{ lookup('env', 'OVIRT_PASSWORD')|default(ovirt.password, true) }}" + insecure: yes + + - include_tasks: stop_vm.yml + + - include_tasks: convert_to_template.yml + + - include_tasks: export_ovf.yml + when: export_ovf|bool + + rescue: + - name: refresh SSO credentials + ovirt.ovirt.ovirt_auth: + url: "{{ lookup('env', 'OVIRT_URL')|default(ovirt.url, true) }}" + username: "{{ 
lookup('env', 'OVIRT_USERNAME')|default(ovirt.username, true) }}" + password: "{{ lookup('env', 'OVIRT_PASSWORD')|default(ovirt.password, true) }}" + insecure: yes + + - include_tasks: remove_template.yml + when: remove_vm_on_error|bool + + always: + - name: refresh SSO credentials + ovirt.ovirt.ovirt_auth: + url: "{{ lookup('env', 'OVIRT_URL')|default(ovirt.url, true) }}" + username: "{{ lookup('env', 'OVIRT_USERNAME')|default(ovirt.username, true) }}" + password: "{{ lookup('env', 'OVIRT_PASSWORD')|default(ovirt.password, true) }}" + insecure: yes + + - include_tasks: remove_vm.yml + + - include_tasks: datastore_iso_remove.yml + + - name: remove temporary directory + file: + path: "{{ temp_directory }}" + state: absent + + - name: logout from oVirt + ovirt.ovirt.ovirt_auth: + state: absent + ovirt_auth: "{{ ovirt_auth }}" \ No newline at end of file diff --git a/roles/oatakan.rhel_ovirt_template/templates/rhel9/ks.cfg.j2 b/roles/oatakan.rhel_ovirt_template/templates/rhel9/ks.cfg.j2 new file mode 100644 index 0000000..42dd53b --- /dev/null +++ b/roles/oatakan.rhel_ovirt_template/templates/rhel9/ks.cfg.j2 
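Review bot: Every `ovirt.ovirt.ovirt_auth` call sets `insecure: yes`, disabling TLS certificate verification for the connection that carries the engine credentials from `OVIRT_USERNAME`/`OVIRT_PASSWORD`, so an on-path attacker between the controller and the engine can capture them; prefer `ca_file: "{{ ovirt.ca_file }}"` or make it `insecure: "{{ ovirt_insecure | default(false) }}"` so unverified mode is an explicit opt-in, and factor the thrice-repeated task into one include. The `add_host` entry likewise disables SSH host-key checking (`host_key_checking: false`, `-o UserKnownHostsFile=/dev/null`) while authenticating with a plaintext `ansible_password`; that is understandable for a freshly kickstarted VM whose key cannot be known in advance, but it deserves a comment saying so, and an injected SSH key would remove the password path where the ISO build allows it. The `become: yes` occurrences would also be `become: true` under the truthy rule the sibling `.ansible-lint` files rely on.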
@@ -0,0 +1,115 @@ +firewall --disabled + +cdrom +lang en_US.UTF-8 +keyboard us +timezone UTC + +{% if template.networks is defined and template.networks[0].ip is defined and template.networks[0].gateway is defined and template.networks[0].netmask is defined %} +network --bootproto=static --ip={{ template.networks[0].ip }} --netmask={{ template.networks[0].netmask }} --gateway={{ template.networks[0].gateway }}{% if template.networks[0].dns_servers is defined %} --nameserver={{ template.networks[0].dns_servers|join(',') }}{% endif %} +{% else %} +network --bootproto=dhcp +{% endif %} + +network --hostname=localhost.localdomain +rootpw {{ local_administrator_password }} +authselect --enableshadow --passalgo=sha512 + +{% if template_selinux_enabled is undefined or not template_selinux_enabled %} +selinux --disabled +{% endif %} +text +skipx + +eula --agreed + +bootloader --append="no_timer_check" +clearpart --all --initlabel +part /boot/efi --fstype="efi" --size=200 --fsoptions="umask=0077,shortname=winnt" --asprimary +part /boot --fstype="xfs" --size=1024 --asprimary +part pv.00 --fstype="lvmpv" --size=1 --grow --asprimary +volgroup vg00 --pesize=4096 pv.00 +logvol swap --fstype="swap" --size=4096 --name=swap --vgname=vg00 +logvol / --fstype="xfs" --size=1 --grow --name=root --vgname=vg00 + +authselect --useshadow --enablemd5 +firstboot --disabled +services --enabled=NetworkManager,sshd +reboot +# this doesn't seem to work in RHEL 8.0 +#user --name={{ local_account_username }} --plaintext --password {{ local_account_password }} --groups={{ local_account_username }},wheel + +%packages --ignoremissing --excludedocs +@Base +@Core +openssh-clients +sudo +openssl-devel +readline-devel +zlib-devel +kernel-headers +kernel-devel +gcc +make +perl +curl +wget +ntp +nfs-utils +net-tools +vim +curl +unbound-libs +bzip2 +sshpass +openssl + +# unnecessary firmware +-aic94xx-firmware +-atmel-firmware +-b43-openfwwf +-bfa-firmware +-ipw2100-firmware +-ipw2200-firmware 
+-ivtv-firmware +-iwl100-firmware +-iwl1000-firmware +-iwl3945-firmware +-iwl4965-firmware +-iwl5000-firmware +-iwl5150-firmware +-iwl6000-firmware +-iwl6000g2a-firmware +-iwl6050-firmware +-libertas-usb8388-firmware +-ql2100-firmware +-ql2200-firmware +-ql23xx-firmware +-ql2400-firmware +-ql2500-firmware +-rt61pci-firmware +-rt73usb-firmware +-xorg-x11-drv-ati-firmware +-zd1211-firmware +%end + +%post +# update root certs +# wget -O/etc/pki/tls/certs/ca-bundle.crt https://curl.haxx.se/ca/cacert.pem --no-check-certificate +# yum reinstall ca-certificates + +{% if permit_root_login_with_password %} +sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config +{% endif %} + +# sudo +groupadd {{ local_account_username }} +useradd -g {{ local_account_username }} -G {{ local_account_username }},wheel -d /home/{{ local_account_username }} -m -p $(openssl passwd -1 {{ local_account_password }}) {{ local_account_username }} +yum install -y sudo +echo "{{ local_account_username }} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/{{ local_account_username }} +sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers +{% if template_selinux_enabled is undefined or not template_selinux_enabled %} +sed -i s'/SELINUX=enforcing/SELINUX=disabled'/g /etc/selinux/config +{% endif %} +yum clean all +%end \ No newline at end of file diff --git a/roles/oatakan.rhel_template_build/.ansible-lint b/roles/oatakan.rhel_template_build/.ansible-lint new file mode 100644 index 0000000..c99c792 --- /dev/null +++ b/roles/oatakan.rhel_template_build/.ansible-lint @@ -0,0 +1,3 @@ +skip_list: + - 'name[casing]' + - 'key-order[task]' diff --git a/roles/oatakan.rhel_template_build/vars/main.yml b/roles/oatakan.rhel_template_build/vars/main.yml new file mode 100644 index 0000000..af82ecc --- /dev/null +++ b/roles/oatakan.rhel_template_build/vars/main.yml @@ -0,0 +1,3 @@ +--- + +parallels_tools_iso_file: "/home/{{ local_account_username }}/prl-tools-lin.iso" 
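Review bot: `rootpw {{ local_administrator_password }}` embeds the root password in clear text, and the `%post` line `useradd ... -p $(openssl passwd -1 {{ local_account_password }})` puts the second password on a command line and hashes it with MD5-crypt; Anaconda normally leaves a copy of the kickstart at `/root/anaconda-ks.cfg` on the installed system, so unless that file is scrubbed both secrets ride into the template image. Render pre-hashed values instead — `rootpw --iscrypted {{ local_administrator_password | password_hash('sha512') }}` and `-p '{{ local_account_password | password_hash('sha512') }}'` — and remove the staged kickstart copies at the end of `%post`. The file also carries two `authselect` lines with authconfig-era flags (`--enableshadow --passalgo=sha512`, then `--useshadow --enablemd5`); the second would re-enable MD5 if honoured, so drop it and confirm what the RHEL 9 `authselect` kickstart command actually does with these options. `firewall --disabled` together with the default `selinux --disabled` (unless `template_selinux_enabled` is set) means the template boots with both host protections off; a comment stating that this is intentional for the build and re-enabled later — or flipping the default — would make the posture explicit.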
diff --git a/roles/oatakan.windows_template_build/tasks/clean_up.yml b/roles/oatakan.windows_template_build/tasks/clean_up.yml new file mode 100644 index 0000000..e5bc0e5 --- /dev/null +++ b/roles/oatakan.windows_template_build/tasks/clean_up.yml @@ -0,0 +1,41 @@ +--- + +- name: remove page file + win_regedit: + path: HKLM:\System\CurrentControlSet\Control\Session Manager\Memory Management + name: PagingFiles + data: "" + state: present + register: cleanup_pagefile_removal + +- name: reboot server after clearing page file + win_reboot: + when: cleanup_pagefile_removal is changed + +- name: cleanup the temp folders + win_file: + path: '{{ item }}' + state: absent + ignore_errors: true + loop: + - C:\Temp + - C:\Windows\Panther + - C:\Windows\Temp + +- name: cleanup the C:\Recovery folder + win_shell: Remove-Item -Path C:\Recovery -Force -Recurse + ignore_errors: true + +- name: check to see if WinSXS ManifestCache folder exist + win_stat: + path: '{{ ansible_env.windir }}\winsxs\ManifestCache' + register: winsxs_dir + +- name: clear out the WinSXS ManifestCache folder + win_shell: | + &cmd.exe /c Takeown /f %windir%\winsxs\ManifestCache\* + &cmd.exe /c Icacls %windir%\winsxs\ManifestCache\* /GRANT administrators:F + &cmd.exe /c Del /q %windir%\winsxs\ManifestCache\* + when: + - winsxs_dir.stat is defined + - winsxs_dir.stat.exists \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/tasks/clean_up_components.yml b/roles/oatakan.windows_template_build/tasks/clean_up_components.yml new file mode 100644 index 0000000..35a8a5d --- /dev/null +++ b/roles/oatakan.windows_template_build/tasks/clean_up_components.yml 
@@ -0,0 +1,14 @@ +--- + +- name: clean up components and update files + win_shell: Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase + when: "'Windows Server 2008' not in ansible_distribution" + ignore_errors: true + +- include_tasks: clean_up_with_cleanmgr.yml + when: "'Windows Server 2008' in ansible_distribution" + +- name: clean up components and update files + win_shell: Dism.exe /online /Cleanup-Image /SpSuperseded + when: "'Windows Server 2008' in ansible_distribution" + ignore_errors: true \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/tasks/clean_up_with_cleanmgr.yml b/roles/oatakan.windows_template_build/tasks/clean_up_with_cleanmgr.yml new file mode 100644 index 0000000..14358f1 --- /dev/null +++ b/roles/oatakan.windows_template_build/tasks/clean_up_with_cleanmgr.yml 
@@ -0,0 +1,64 @@ +--- + +- block: + + - name: check for cleanmgr executable + win_stat: + path: '{{ ansible_env.windir }}\System32\cleanmgr.exe' + register: check_cleanmgr_file + + - include_tasks: copy_cleanmgr.yml + vars: + os_short_name: 2008r2 + when: + - not check_cleanmgr_file.stat.exists + - ('Windows Server 2008 R2' in ansible_distribution) + + - include_tasks: copy_cleanmgr.yml + vars: + os_short_name: 2012 + when: + - not check_cleanmgr_file.stat.exists + - ('Windows Server 2012' in ansible_distribution) + - (not 'Windows Server 2012 R2' in ansible_distribution) + + - name: get free space + win_shell: Get-PSDrive C | Select-Object Free | ConvertTo-Json + register: free_space_before_cleanup + + - name: ensure cleanup registry paths exist + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\{{ item }} + loop: "{{ cleanup_registry_keys }}" + + - name: set cleanup registry keys + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\{{ item }} + name: StateFlags0012 + data: 2 + type: dword + loop: "{{ cleanup_registry_keys }}" + + - name: run cleanmgr + win_shell: cleanmgr /sagerun:12 + + - name: wait for cleanmgr to finish + win_shell: (get-wmiobject win32_process | where-object {$_.processname -eq 'cleanmgr.exe'} | measure).count + register: check_cleanmgr_process + until: check_cleanmgr_process.stdout is defined and check_cleanmgr_process.stdout|int == 0 + delay: 5 + retries: 300 + + - name: get free space + win_shell: Get-PSDrive C | Select-Object Free | ConvertTo-Json + register: free_space_after_cleanup + + - debug: + msg: + - "Free space before cleanup: {{ ((free_space_before_cleanup.stdout | from_json)['Free']|int / (1024*1024*1024)) | round(2, 'floor') }} GB" + - "Free space after cleanup: {{ ((free_space_after_cleanup.stdout | from_json)['Free']|int / (1024*1024*1024)) | round(2, 'floor') }} GB" + + rescue: + - name: ignore any errors + debug: + msg: "ignoring any error 
with clean up with cleanmgr" \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/tasks/disable_auto_logon.yml b/roles/oatakan.windows_template_build/tasks/disable_auto_logon.yml new file mode 100644 index 0000000..952846e --- /dev/null +++ b/roles/oatakan.windows_template_build/tasks/disable_auto_logon.yml @@ -0,0 +1,8 @@ +--- + +- name: disable auto login + win_regedit: + path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + name: "{{ item.name }}" + state: absent + loop: "{{ autologin_registry }}" \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/tasks/enable_rdp.yml b/roles/oatakan.windows_template_build/tasks/enable_rdp.yml new file mode 100644 index 0000000..1a27ff1 --- /dev/null +++ b/roles/oatakan.windows_template_build/tasks/enable_rdp.yml @@ -0,0 +1,18 @@ +--- + +- name: enable RDP port + win_firewall_rule: + name: Remote Desktop + localport: 3389 + action: allow + direction: in + protocol: tcp + state: present + enabled: true + +- name: enable RDP + win_regedit: + path: HKLM:\System\CurrentControlSet\Control\Terminal Server + name: fDenyTSConnections + data: 0 + type: dword diff --git a/roles/oatakan.windows_template_build/tasks/enable_tlsv12.yml b/roles/oatakan.windows_template_build/tasks/enable_tlsv12.yml new file mode 100644 index 0000000..bab6ac1 --- /dev/null +++ b/roles/oatakan.windows_template_build/tasks/enable_tlsv12.yml 
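Review bot: `enable RDP` sets `fDenyTSConnections` to 0 and opens TCP 3389 inbound, but nothing requires Network Level Authentication, so the template accepts pre-authentication RDP sessions from anyone who can reach the port; add a `win_regedit` task setting `UserAuthentication` to 1 under the `RDP-Tcp` WinStation alongside it. The `win_firewall_rule` also leaves `profiles` at the module default, which (as far as the defaults go) includes the Public profile; if the template is only managed from a known network, pin `profiles: domain,private` or a `remoteip` scope. A one-line comment on why RDP is enabled in a template image would help the next reviewer.
```yaml
- name: require Network Level Authentication for RDP
  win_regedit:
    path: HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    name: UserAuthentication
    data: 1
    type: dword
```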
@@ -0,0 +1,43 @@ +--- + +- block: + - name: test SSL connection + win_shell: "[System.Net.WebRequest]::Create('https://github.com').GetResponse()" + + rescue: + - name: enable TLSv1.2 support + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\{{ item.type }} + name: '{{ item.property }}' + data: '{{ item.value }}' + type: dword + state: present + register: enable_tls12 + loop: + - type: Server + property: Enabled + value: 1 + - type: Server + property: DisabledByDefault + value: 0 + - type: Client + property: Enabled + value: 1 + - type: Client + property: DisabledByDefault + value: 0 + + - name: enable strong crypto + win_regedit: + path: HKLM:\{{ item }} + name: SchUseStrongCrypto + data: 1 + type: dword + state: present + loop: + - 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319' + - 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' + + - name: reboot if TLS config was applied + win_reboot: + when: enable_tls12 is changed \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/tasks/install_dism.yml b/roles/oatakan.windows_template_build/tasks/install_dism.yml new file mode 100644 index 0000000..fe14548 --- /dev/null +++ b/roles/oatakan.windows_template_build/tasks/install_dism.yml 
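Review bot: `reboot if TLS config was applied` tests only `enable_tls12 is changed`, so when the SCHANNEL values already exist and only the `SchUseStrongCrypto` task changes something, no reboot follows and the running WinRM/PowerShell host keeps its old .NET behaviour; register the second task as well and use `when: enable_tls12 is changed or enable_strong_crypto is changed`. The probe `[System.Net.WebRequest]::Create('https://github.com').GetResponse()` makes the decision depend on outbound Internet access — on an isolated build network the block always falls into `rescue` and rewrites the registry unconditionally, which is harmless but not what the task name implies; checking the registry values directly would be deterministic. Microsoft's guidance for .NET 4.6+ also pairs `SchUseStrongCrypto` with `SystemDefaultTlsVersions = 1`; whether that matters here depends on the .NET version in the image, so confirm before adding it.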
@@ -0,0 +1,66 @@ +--- +- block: + - name: ensure Windows ADK with DISM is installed + win_package: + path: https://go.microsoft.com/fwlink/?linkid=873065 # version 10.0.17134.0 + product_id: '{{ _product_id }}' + expected_return_code: + - 0 + - 3010 + arguments: "{{ _arguments | join(' ') }}" + notify: + - get Windows ADK uninstall command + - uninstall Windows ADK + rescue: + - block: + - name: download DISM + win_get_url: + url: https://go.microsoft.com/fwlink/?linkid=873065 + dest: '{{ temp_directory }}\adksetup.exe' + register: download_dism + retries: 5 + delay: 5 + until: download_dism is success + + - name: ensure Windows ADK with DISM is installed (retry) + win_package: + path: '{{ temp_directory }}\adksetup.exe' # version 10.0.17134.0 + product_id: '{{ _product_id }}' + expected_return_code: + - 0 + - 3010 + arguments: "{{ _arguments | join(' ') }}" + register: install_dism + ignore_errors: true + notify: + - get Windows ADK uninstall command + - uninstall Windows ADK + rescue: + - name: ensure Windows ADK with DISM is installed (chocolatey) + win_chocolatey: + name: windows-adk-deploy + state: present + version: 10.0.17134.0 + register: install_windows_adk_deploy + ignore_errors: true + notify: ensure Windows ADK with DISM is removed + vars: + _product_id: '{d794748d-72e9-45d7-9ab7-83d6c4c80f7f}' + _arguments: + - /quiet + - /norestart + - /features {{ _features | join(' ') }} + _features: + - OptionId.DeploymentTools + - OptionId.WindowsPreinstallationEnvironment + - OptionId.ImagingAndConfigurationDesigner + - OptionId.UserStateMigrationTool + +- name: ensure PATH contains Windows ADK + win_path: + scope: machine + state: present + elements: 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM' + +- pause: + seconds: 10 \ No newline at end of file 
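Review bot: The `(retry)` install task carries `ignore_errors: true`, so its failure never triggers the inner `rescue`; the chocolatey fallback is reachable only when `win_get_url` itself exhausts its retries, which is probably not the intended order — drop `ignore_errors` there (the rescue already provides the fallback) or gate the chocolatey task on `when: install_dism is failed`. On the supply-chain side, `adksetup.exe` is fetched from the `https://go.microsoft.com/fwlink/?linkid=873065` redirect and executed in an administrator context with no integrity check; `win_get_url` supports `checksum`/`checksum_algorithm`, so pin the expected SHA-256 of the 10.0.17134.0 installer there, and have the first attempt install from the downloaded file rather than handing `win_package` a URL. `win_chocolatey` likewise pulls from the community repository unless `source` points at a curated feed. The trailing `- pause: seconds: 10` wants a comment saying what it waits for.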
diff --git a/roles/oatakan.windows_template_build/tasks/remove_apps-alt-2.yml b/roles/oatakan.windows_template_build/tasks/remove_apps-alt-2.yml new file mode 100644 index 0000000..f7cf45d --- /dev/null +++ b/roles/oatakan.windows_template_build/tasks/remove_apps-alt-2.yml 
@@ -0,0 +1,96 @@ +--- + +- name: remove default apps + win_shell: | + $ErrorActionPreference = "Stop" + $apps = @( + "Microsoft.3DBuilder", + "Microsoft.Appconnector", + "Microsoft.BingFinance", + "Microsoft.BingNews", + "Microsoft.BingSports", + "Microsoft.BingWeather", + "Microsoft.FreshPaint", + "Microsoft.Getstarted", + "Microsoft.MicrosoftOfficeHub", + "Microsoft.MicrosoftSolitaireCollection", + "Microsoft.MicrosoftStickyNotes", + "Microsoft.Office.OneNote", + "Microsoft.OneConnect", + "Microsoft.People", + "Microsoft.SkypeApp", + "Microsoft.Windows.Photos", + "Microsoft.WindowsAlarms", + "Microsoft.WindowsCalculator", + "Microsoft.WindowsCamera", + "Microsoft.WindowsMaps", + "Microsoft.WindowsPhone", + "Microsoft.WindowsSoundRecorder", + "Microsoft.XboxApp", + "Microsoft.ZuneMusic", + "Microsoft.ZuneVideo", + "Microsoft.WindowsCommunicationsApps", + "Microsoft.MinecraftUWP", + "Microsoft.MicrosoftPowerBIForWindows", + "Microsoft.NetworkSpeedTest", + "Microsoft.CommsPhone", + "Microsoft.ConnectivityStore", + "Microsoft.Messaging", + "Microsoft.Office.Sway", + "Microsoft.OneConnect", + "Microsoft.WindowsFeedbackHub", + "Microsoft.BingFoodAndDrink", + "Microsoft.BingTravel", + "Microsoft.BingHealthAndFitness", + "Microsoft.WindowsReadingList", + "Microsoft.MSPaint", + "Microsoft.Microsoft3DViewer", + "Microsoft.Print3D", + "9E2F88E3.Twitter", + "PandoraMediaInc.29680B314EFC2", + "Flipboard.Flipboard", + "ShazamEntertainmentLtd.Shazam", + "king.com.CandyCrushSaga", + "king.com.CandyCrushSodaSaga", + "king.com.*", + "ClearChannelRadioDigital.iHeartRadio", + "4DF9E0F8.Netflix", + "6Wunderkinder.Wunderlist", + "Drawboard.DrawboardPDF", + "2FE3CB00.PicsArt-PhotoStudio", + "D52A8D61.FarmVille2CountryEscape", + "TuneIn.TuneInRadio", + "GAMELOFTSA.Asphalt8Airborne", + "TheNewYorkTimes.NYTCrossword", + "DB6EA5DB.CyberLinkMediaSuiteEssentials", + "Facebook.Facebook", + "flaregamesGmbH.RoyalRevolt2", + "Playtika.CaesarsSlotsFreeCasino", + "A278AB0D.MarchofEmpires", + 
"KeeperSecurityInc.Keeper", + "ThumbmunkeysLtd.PhototasticCollage", + "XINGAG.XING", + "89006A2E.AutodeskSketchBook", + "D5EA27B7.Duolingo-LearnLanguagesforFree", + "46928bounde.EclipseManager", + "ActiproSoftwareLLC.562882FEEB491" + ) + foreach ($app in $apps) { + Get-AppxPackage -Name $app -AllUsers | Remove-AppxPackage -AllUsers + Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -like $app } | Remove-AppxProvisionedPackage -Online + } + register: cleanup_win10_remove + until: cleanup_win10_remove is successful + retries: 5 + delay: 1 + ignore_errors: true + +- name: prevent suggested applications from returning + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content + name: DisableWindowsConsumerFeatures + data: 1 + datatype: dword + +- name: reboot to effect pending changes + win_reboot: \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/tasks/remove_apps-alt.yml b/roles/oatakan.windows_template_build/tasks/remove_apps-alt.yml new file mode 100644 index 0000000..a1f236f --- /dev/null +++ b/roles/oatakan.windows_template_build/tasks/remove_apps-alt.yml @@ -0,0 +1,30 @@ +--- + +- name: remove user apps + script: RemoveUserApps.ps1 + register: cleanup_win10_remove + until: cleanup_win10_remove is successful + retries: 3 + delay: 1 + ignore_errors: true + +#- name: disable windows store +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\WindowsStore +# name: AutoDownload +# data: 00000002 +# type: dword +# +#- name: disable content delivery manager +# win_regedit: +# path: HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager +# name: SilentInstalledAppsEnabled +# data: 00000000 +# type: dword +# +#- name: disable windows store +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\CloudContent +# name: DisableWindowsConsumerFeatures +# data: 00000001 +# type: dword \ No newline at end of file 
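Review bot: `prevent suggested applications from returning` writes to `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content`; the documented policy key has no space (`...\Windows\CloudContent`, which is also what the commented-out task in remove_apps-alt.yml uses), so `DisableWindowsConsumerFeatures` lands in an unused key and consumer apps can reappear on cloned VMs. Change the path to `HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent`. In the PowerShell body `Microsoft.OneConnect` is listed twice, and a short comment noting that `king.com.*` relies on both `Get-AppxPackage -Name` and `-like` accepting wildcards would make the intent clear.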
diff --git a/roles/oatakan.windows_template_build/tasks/remove_apps.yml b/roles/oatakan.windows_template_build/tasks/remove_apps.yml new file mode 100644 index 0000000..d0125d6 --- /dev/null +++ b/roles/oatakan.windows_template_build/tasks/remove_apps.yml 
@@ -0,0 +1,97 @@
+---
+
+- name: Setup the xWebAdministration module
+ win_psmodule:
+ name: DSCR_AppxPackage
+ state: present
+
+- name: remove packages
+ win_dsc:
+ resource_name: cAppxProvisionedPackageSet
+ Ensure: Absent
+ PackageName:
+ - Microsoft.3DBuilder
+ - Microsoft.Appconnector
+ - Microsoft.BingFinance
+ - Microsoft.BingNews
+ - Microsoft.BingSports
+ - Microsoft.BingWeather
+ - Microsoft.FreshPaint
+ - Microsoft.Getstarted
+ - Microsoft.MicrosoftOfficeHub
+ - Microsoft.MicrosoftSolitaireCollection
+ - Microsoft.MicrosoftStickyNotes
+ - Microsoft.Office.OneNote
+ - Microsoft.OneConnect
+ - Microsoft.People
+ - Microsoft.SkypeApp
+ - Microsoft.Windows.Photos
+ - Microsoft.WindowsAlarms
+ - Microsoft.WindowsCalculator
+ - Microsoft.WindowsCamera
+ - Microsoft.WindowsMaps
+ - Microsoft.WindowsPhone
+ - Microsoft.WindowsSoundRecorder
+ - Microsoft.XboxApp
+ - Microsoft.ZuneMusic
+ - Microsoft.ZuneVideo
+ - Microsoft.WindowsCommunicationsApps
+ - Microsoft.MinecraftUWP
+ - Microsoft.MicrosoftPowerBIForWindows
+ - Microsoft.NetworkSpeedTest
+ - Microsoft.CommsPhone
+ - Microsoft.ConnectivityStore
+ - Microsoft.Messaging
+ - Microsoft.Office.Sway
+ - Microsoft.OneConnect
+ - Microsoft.WindowsFeedbackHub
+ - Microsoft.BingFoodAndDrink
+ - Microsoft.BingTravel
+ - Microsoft.BingHealthAndFitness
+ - Microsoft.WindowsReadingList
+ - Microsoft.MSPaint
+ - Microsoft.Microsoft3DViewer
+ - Microsoft.Print3D
+ - 9E2F88E3.Twitter
+ - PandoraMediaInc.29680B314EFC2
+ - Flipboard.Flipboard
+ - ShazamEntertainmentLtd.Shazam
+ - king.com.CandyCrushSaga
+ - king.com.CandyCrushSodaSaga
+ - king.com.*
+ - ClearChannelRadioDigital.iHeartRadio
+ - 4DF9E0F8.Netflix
+ - 6Wunderkinder.Wunderlist
+ - Drawboard.DrawboardPDF
+ - 2FE3CB00.PicsArt-PhotoStudio
+ - D52A8D61.FarmVille2CountryEscape
+ - TuneIn.TuneInRadio
+ - GAMELOFTSA.Asphalt8Airborne
+ - TheNewYorkTimes.NYTCrossword
+ - DB6EA5DB.CyberLinkMediaSuiteEssentials
+ - Facebook.Facebook
+ - flaregamesGmbH.RoyalRevolt2
+ - Playtika.CaesarsSlotsFreeCasino
+ - A278AB0D.MarchofEmpires
+ - KeeperSecurityInc.Keeper
+ - ThumbmunkeysLtd.PhototasticCollage
+ - XINGAG.XING
+ - 89006A2E.AutodeskSketchBook
+ - D5EA27B7.Duolingo-LearnLanguagesforFree
+ - 46928bounde.EclipseManager
+ - ActiproSoftwareLLC.562882FEEB491-
+ register: cleanup_win10_remove
+ until: cleanup_win10_remove is successful
+ retries: 3
+ delay: 1
+ ignore_errors: true
+
+- name: prevent suggested applications from returning
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content
+ name: DisableWindowsConsumerFeatures
+ data: 1
+ datatype: dword
+
+- name: reboot to effect pending changes
+ win_reboot:
\ No newline at end of file
diff --git a/roles/oatakan.windows_template_build/tasks/remove_onedrive.yml b/roles/oatakan.windows_template_build/tasks/remove_onedrive.yml
new file mode 100644
index 0000000..4e50499
--- /dev/null
+++ b/roles/oatakan.windows_template_build/tasks/remove_onedrive.yml
@@ -0,0 +1,33 @@
+---
+
+- name: kill onedrive process
+ win_shell: Stop-Process -Name OneDrive
+ ignore_errors: true
+
+- name: uninstall onedrive
+ win_shell: '{{ ansible_env.SystemRoot }}\SysWOW64\OneDriveSetup.exe /uninstall'
+ ignore_errors: true
+
+- name: remove onedrivesync package
+ win_shell: get-appxpackage *Microsoft.OneDriveSync* | remove-appxpackage -AllUsers
+ ignore_errors: true
+
+- name: remove onedrive directories
+ win_file:
+ path: '{{ item }}'
+ state: absent
+ ignore_errors: true
+ loop:
+ - '{{ ansible_env.USERPROFILE }}\OneDrive'
+ - '{{ ansible_env.LOCALAPPDATA }}\Microsoft\OneDrive'
+ - '{{ ansible_env.ProgramData }}\Microsoft OneDrive'
+ - C:\OneDriveTemp
+
+- name: delete registry keys
+ win_regedit:
+ path: '{{ item }}'
+ state: absent
+ delete_key: true
+ loop:
+ - HKCR:\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
+ - HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
\ No newline at end of file
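Review bot: The registry path `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content` in the prevent-suggested-applications task contains a space, while the commented-out task in remove_apps-alt.yml in this same commit writes the same value under `...\Windows\CloudContent`; the policy key Windows reads is the one without the space, so as written `win_regedit` presumably creates an unrelated key and DisableWindowsConsumerFeatures never takes effect. The preceding PowerShell-based hunk (its start is cut off above) uses the same path and needs the same fix. In the `PackageName` list, `Microsoft.OneConnect` appears twice and the last entry `ActiproSoftwareLLC.562882FEEB491-` ends in a stray `-` (possibly an extraction artifact, verify against the file). The first task is named `Setup the xWebAdministration module` but installs `DSCR_AppxPackage`; rename it to match. `win_psmodule` pulls that module from the gallery unpinned, so adding `required_version: "<PINNED-VERSION-PLACEHOLDER>"` keeps the build reproducible and limits what a changed upstream module can do on the template.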
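Review bot: Every task in remove_onedrive.yml carries `ignore_errors: true`, so a failing `OneDriveSetup.exe /uninstall` or `remove-appxpackage` is reported as a green run and the template ships with OneDrive still present. Drop `ignore_errors` from the uninstall and appx-removal tasks so a real failure fails the build, and keep only the kill task tolerant of a non-running process, e.g. `win_shell: Stop-Process -Name OneDrive -ErrorAction SilentlyContinue` with `changed_when: false`. The `win_file` loop deletes `{{ ansible_env.USERPROFILE }}\OneDrive`, which is the connection user's data; a one-line comment stating this is intended only for a fresh template image would help the next reader.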
diff --git a/roles/oatakan.windows_template_build/tasks/update_agent_win2008.yml b/roles/oatakan.windows_template_build/tasks/update_agent_win2008.yml
new file mode 100644
index 0000000..5b47060
--- /dev/null
+++ b/roles/oatakan.windows_template_build/tasks/update_agent_win2008.yml
@@ -0,0 +1,13 @@
+---
+# this updates windows update which is needed to install further updates
+# see https://docs.microsoft.com/en-US/troubleshoot/windows-client/deployment/update-windows-update-agent
+
+- name: ensure Windows Update Agent on 2008 is installed
+ win_package:
+ path: "{{ windows_update_agent_url }}"
+ arguments:
+ - /quiet
+ - /norestart
+ - /wuforce
+ creates_path: C:\Windows\System32\wuaueng.dll
+ creates_version: 7.6.7600.320
\ No newline at end of file
diff --git a/roles/oatakan.windows_update/tasks/force_user_registry.yml b/roles/oatakan.windows_update/tasks/force_user_registry.yml
new file mode 100644
index 0000000..1022fcb
--- /dev/null
+++ b/roles/oatakan.windows_update/tasks/force_user_registry.yml
@@ -0,0 +1,10 @@
+---
+
+- name: disable force unload registry - {{ task_state | default('present') }}
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DisableForceUnload
+ data: 1
+ type: dword
+ state: "{{ task_state | default('present') }}"
+ register: disable_force_unload_registry
\ No newline at end of file
diff --git a/roles/oatakan.windows_update/tasks/install_dism.yml b/roles/oatakan.windows_update/tasks/install_dism.yml
new file mode 100644
index 0000000..fe14548
--- /dev/null
+++ b/roles/oatakan.windows_update/tasks/install_dism.yml
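Review bot: The installer at `windows_update_agent_url` is fetched and executed by `win_package` with no integrity check in this hunk (no checksum anywhere), so whatever that URL serves at build time runs with the connection user's privileges on the template; the `https://go.microsoft.com/fwlink/?linkid=873065` downloads in the install_dism.yml hunk have the same gap. A safer shape is a `win_get_url` step with `checksum: "<SHA256-PLACEHOLDER>"` and `checksum_algorithm: sha256` into a temp path, followed by `win_package` on that local file; install_dism.yml's rescue already downloads with `win_get_url`, so only the checksum lines are missing there. `creates_version: 7.6.7600.320` guards idempotence only, not authenticity, and the header comment should say which agent version the URL is expected to carry.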
@@ -0,0 +1,66 @@
+---
+- block:
+ - name: ensure Windows ADK with DISM is installed
+ win_package:
+ path: https://go.microsoft.com/fwlink/?linkid=873065 # version 10.0.17134.0
+ product_id: '{{ _product_id }}'
+ expected_return_code:
+ - 0
+ - 3010
+ arguments: "{{ _arguments | join(' ') }}"
+ notify:
+ - get Windows ADK uninstall command
+ - uninstall Windows ADK
+ rescue:
+ - block:
+ - name: download DISM
+ win_get_url:
+ url: https://go.microsoft.com/fwlink/?linkid=873065
+ dest: '{{ temp_directory }}\adksetup.exe'
+ register: download_dism
+ retries: 5
+ delay: 5
+ until: download_dism is success
+
+ - name: ensure Windows ADK with DISM is installed (retry)
+ win_package:
+ path: '{{ temp_directory }}\adksetup.exe' # version 10.0.17134.0
+ product_id: '{{ _product_id }}'
+ expected_return_code:
+ - 0
+ - 3010
+ arguments: "{{ _arguments | join(' ') }}"
+ register: install_dism
+ ignore_errors: true
+ notify:
+ - get Windows ADK uninstall command
+ - uninstall Windows ADK
+ rescue:
+ - name: ensure Windows ADK with DISM is installed (chocolatey)
+ win_chocolatey:
+ name: windows-adk-deploy
+ state: present
+ version: 10.0.17134.0
+ register: install_windows_adk_deploy
+ ignore_errors: true
+ notify: ensure Windows ADK with DISM is removed
+ vars:
+ _product_id: '{d794748d-72e9-45d7-9ab7-83d6c4c80f7f}'
+ _arguments:
+ - /quiet
+ - /norestart
+ - /features {{ _features | join(' ') }}
+ _features:
+ - OptionId.DeploymentTools
+ - OptionId.WindowsPreinstallationEnvironment
+ - OptionId.ImagingAndConfigurationDesigner
+ - OptionId.UserStateMigrationTool
+
+- name: ensure PATH contains Windows ADK
+ win_path:
+ scope: machine
+ state: present
+ elements: 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM'
+
+- pause:
+ seconds: 10
\ No newline at end of file
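Review bot: `ignore_errors: true` on the "(retry)" `win_package` task stops that task from counting as failed, so its inner `rescue` is never entered when the installer itself fails; the chocolatey fallback can only run when `download DISM` fails, which is presumably not the intent. Removing `ignore_errors: true` from the retry task (keeping `register: install_dism`) lets a failed install reach the fallback. The chocolatey task is also `ignore_errors: true`, so after all three paths fail the play still continues into `win_path` and adds a DISM directory that may not exist; either drop that `ignore_errors` so the last fallback is fatal, or gate `win_path` on a `win_stat` of the `elements` path. The trailing `pause` has no `name:` and no comment saying what it waits for, e.g. `- name: allow the ADK installer to release its files` with a comment above it.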