From 256ae58dd5344588f5d570c903e7d35a90beb4d2 Mon Sep 17 00:00:00 2001 
From: Simon Baerlocher Date: Mon, 2 Mar 2020 11:06:41 +0100 Subject: [PATCH 1/3] inital develop --- .github/auto_assign.yml | 46 +++---- .github/workflows/publish.yml | 18 +++ CHANGELOG.md | 1 + docs/index.html | 29 +++-- galaxy.yml | 40 +----- plugins/README.md | 31 +++++ roles/defender/README.md | 25 ++++ roles/defender/defaults/main.yml | 5 + roles/defender/meta/main.yml | 16 +++ roles/defender/molecule/default/molecule.yml | 21 +++ roles/defender/molecule/default/playbook.yml | 5 + roles/defender/tasks/main.yml | 5 + roles/directories/defaults/main.yml | 15 +++ roles/directories/meta/main.yml | 16 +++ .../directories/molecule/default/molecule.yml | 21 +++ .../directories/molecule/default/playbook.yml | 5 + roles/directories/tasks/directories.yml | 17 +++ roles/directories/tasks/main.yml | 10 ++ roles/directories/tasks/subdirectories.yml | 9 ++ roles/disks/defaults/main.yml | 8 ++ roles/disks/meta/main.yml | 17 +++ roles/disks/molecule/default/molecule.yml | 21 +++ roles/disks/molecule/default/playbook.yml | 5 + roles/disks/tasks/disks.yml | 25 ++++ roles/disks/tasks/main.yml | 11 ++ roles/local_administrators/defaults/main.yml | 21 +++ roles/local_administrators/meta/main.yml | 18 +++ .../molecule/default/molecule.yml | 21 +++ .../molecule/default/playbook.yml | 5 + roles/local_administrators/tasks/main.yml | 31 +++++ roles/membership/defaults/main.yml | 20 +++ roles/membership/handlers/main.yml | 9 ++ roles/membership/meta/main.yml | 17 +++ roles/membership/tasks/main.yml | 19 +++ roles/onedrive/defaults/main.yml | 8 ++ roles/onedrive/meta/main.yml | 17 +++ roles/onedrive/molecule/default/molecule.yml | 21 +++ roles/onedrive/molecule/default/playbook.yml | 5 + roles/onedrive/tasks/main.yml | 63 +++++++++ roles/optional_features/README.md | 26 ++++ roles/optional_features/defaults/main.yml | 6 + roles/optional_features/meta/main.yml | 17 +++ .../molecule/default/molecule.yml | 21 +++ .../molecule/default/playbook.yml | 5 + roles/optional_features/tasks/main.yml 
| 10 ++ .../tasks/optional_features.yml | 8 ++ roles/power_plan/README.md | 23 ++++ roles/power_plan/defaults/main.yml | 5 + roles/power_plan/meta/main.yml | 17 +++ .../power_plan/molecule/default/molecule.yml | 21 +++ .../power_plan/molecule/default/playbook.yml | 5 + roles/power_plan/tasks/main.yml | 6 + roles/remote_desktop/defaults/main.yml | 25 ++++ roles/remote_desktop/meta/main.yml | 18 +++ .../molecule/default/molecule.yml | 21 +++ .../molecule/default/playbook.yml | 5 + ...osoft Windows 10 Enterprise Evaluation.yml | 113 ++++++++++++++++ .../distribution/Microsoft Windows 10 Pro.yml | 121 ++++++++++++++++++ ...Microsoft Windows Server 2016 Standard.yml | 10 ++ ...Microsoft Windows Server 2019 Standard.yml | 10 ++ .../tasks/distribution/defaults.yml | 6 + roles/remote_desktop/tasks/main.yml | 24 ++++ roles/wsl/README.md | 25 ---- 63 files changed, 1150 insertions(+), 95 deletions(-) create mode 100644 .github/workflows/publish.yml create mode 100644 plugins/README.md create mode 100644 roles/defender/README.md create mode 100644 roles/defender/defaults/main.yml create mode 100644 roles/defender/meta/main.yml create mode 100644 roles/defender/molecule/default/molecule.yml create mode 100644 roles/defender/molecule/default/playbook.yml create mode 100644 roles/defender/tasks/main.yml create mode 100644 roles/directories/defaults/main.yml create mode 100644 roles/directories/meta/main.yml create mode 100644 roles/directories/molecule/default/molecule.yml create mode 100644 roles/directories/molecule/default/playbook.yml create mode 100644 roles/directories/tasks/directories.yml create mode 100644 roles/directories/tasks/main.yml create mode 100644 roles/directories/tasks/subdirectories.yml create mode 100644 roles/disks/defaults/main.yml create mode 100644 roles/disks/meta/main.yml create mode 100644 roles/disks/molecule/default/molecule.yml create mode 100644 roles/disks/molecule/default/playbook.yml create mode 100644 roles/disks/tasks/disks.yml create mode 
100644 roles/disks/tasks/main.yml create mode 100644 roles/local_administrators/defaults/main.yml create mode 100644 roles/local_administrators/meta/main.yml create mode 100644 roles/local_administrators/molecule/default/molecule.yml create mode 100644 roles/local_administrators/molecule/default/playbook.yml create mode 100644 roles/local_administrators/tasks/main.yml create mode 100644 roles/membership/defaults/main.yml create mode 100644 roles/membership/handlers/main.yml create mode 100644 roles/membership/meta/main.yml create mode 100644 roles/membership/tasks/main.yml create mode 100644 roles/onedrive/defaults/main.yml create mode 100644 roles/onedrive/meta/main.yml create mode 100644 roles/onedrive/molecule/default/molecule.yml create mode 100644 roles/onedrive/molecule/default/playbook.yml create mode 100644 roles/onedrive/tasks/main.yml create mode 100644 roles/optional_features/README.md create mode 100644 roles/optional_features/defaults/main.yml create mode 100644 roles/optional_features/meta/main.yml create mode 100644 roles/optional_features/molecule/default/molecule.yml create mode 100644 roles/optional_features/molecule/default/playbook.yml create mode 100644 roles/optional_features/tasks/main.yml create mode 100644 roles/optional_features/tasks/optional_features.yml create mode 100644 roles/power_plan/README.md create mode 100644 roles/power_plan/defaults/main.yml create mode 100644 roles/power_plan/meta/main.yml create mode 100644 roles/power_plan/molecule/default/molecule.yml create mode 100644 roles/power_plan/molecule/default/playbook.yml create mode 100644 roles/power_plan/tasks/main.yml create mode 100644 roles/remote_desktop/defaults/main.yml create mode 100644 roles/remote_desktop/meta/main.yml create mode 100644 roles/remote_desktop/molecule/default/molecule.yml create mode 100644 roles/remote_desktop/molecule/default/playbook.yml create mode 100644 roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Enterprise Evaluation.yml 
create mode 100644 roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Pro.yml create mode 100644 roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2016 Standard.yml create mode 100644 roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2019 Standard.yml create mode 100644 roles/remote_desktop/tasks/distribution/defaults.yml create mode 100644 roles/remote_desktop/tasks/main.yml delete mode 100644 roles/wsl/README.md diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml index 8cfc9c1..19fb3c6 100644 --- a/.github/auto_assign.yml +++ b/.github/auto_assign.yml @@ -1,23 +1,23 @@ ---- -# Set to true to add reviewers to pull requests -addReviewers: true - -# Set to true to add assignees to pull requests -addAssignees: true - -# A list of reviewers to be added to pull requests (GitHub user name) -reviewers: - - mleutenegger - - FreeMinded - - ndum - -# A number of reviewers added to the pull request -# Set 0 to add all the reviewers (default: 0) -numberOfReviewers: 0 -# A list of assignees, overrides reviewers if set -assignees: - - sbaerlocher -# A number of assignees to add to the pull request -# Set to 0 to add all of the assignees. -# Uses numberOfReviewers if unset. -numberOfAssignees: 0 +--- +# Set to true to add reviewers to pull requests +addReviewers: true + +# Set to true to add assignees to pull requests +addAssignees: true + +# A list of reviewers to be added to pull requests (GitHub user name) +reviewers: + - mleutenegger + - FreeMinded + - ndum + +# A number of reviewers added to the pull request +# Set 0 to add all the reviewers (default: 0) +numberOfReviewers: 0 +# A list of assignees, overrides reviewers if set +assignees: + - sbaerlocher +# A number of assignees to add to the pull request +# Set to 0 to add all of the assignees. +# Uses numberOfReviewers if unset. +numberOfAssignees: 0 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..cf62e87 
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,18 @@
+---
+name: Publish Collection
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v1
+
+ - name: Publish Ansible Collection
+ uses: arillso/action.ansible.collection@1.0.0
+ with:
+ api_key: ${{ secrets.GALAXY_API_KEY }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4b44963..0a6accb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,4 +7,5 @@ and [human-readable changelog](https://keepachangelog.com/en/1.0.0/). ### Added +- Initial develop - Initial docs
diff --git a/docs/index.html b/docs/index.html
index 0fa2951..251f6d0 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -18,7 +18,8 @@ target: '#docute', title: 'Ansible Collection for Windows functions', sourcePath: - 'https://raw.githubusercontent.com/sbaerlocher/ansible.windows', + 'https://raw.githubusercontent.com/sbaerlocher/ansible.windows/master', + // router: { mode: 'history' }, nav: [ {
@@ -51,29 +52,41 @@ { title: 'Roles', children: [ + { + title: 'Defender', + link: '/roles/defender/README' + }, { title: 'Directories', - link: '/roles/directories' + link: '/roles/directories/README' }, { title: 'Disks', - link: '/roles/disks' + link: '/roles/disks/README' }, { - title: 'Local_Administrators', - link: '/roles/local_administrators' + title: 'Local Administrators', + link: '/roles/local_administrators/README' }, { title: 'Membership', - link: '/roles/membership' + link: '/roles/membership/README' }, { title: 'OneDrive', - link: '/roles/onedrive' + link: '/roles/onedrive/README' + }, + { + title: 'Optional Features', + link: '/roles/optional_features/README' + }, + { + title: 'Power Plan', + link: '/roles/power_plan/README' }, { title: 'Remote Desktop', - link: '/roles/remote_desktop' + link: '/roles/remote_desktop/README' } ] }
diff --git a/galaxy.yml b/galaxy.yml
index 09b8775..5e5ecf9 100644
--- a/galaxy.yml
+++ b/galaxy.yml
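Review bot: In `.github/workflows/publish.yml`, the step that receives `secrets.GALAXY_API_KEY` runs `arillso/action.ansible.collection@1.0.0`, a third-party action referenced by a tag its owner can move, so whatever that tag later points at would run with the Galaxy key. Pin it to a full commit SHA and keep the version as a comment, e.g. `uses: arillso/action.ansible.collection@<FULL_COMMIT_SHA>  # 1.0.0` (placeholder; take the SHA from the action's release). The same applies, with less at stake, to `actions/checkout@v1`.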
@@ -1,56 +1,18 @@ -### REQUIRED - -# The namespace of the collection. This can be a company/brand/organization or product namespace under which all -# content lives. May only contain alphanumeric characters and underscores. Additionally namespaces cannot start with -# underscores or numbers and cannot contain consecutive underscores +--- namespace: 'sbaerlocher' - -# The name of the collection. Has the same character restrictions as 'namespace' name: 'windows' - -# The version of the collection. Must be compatible with semantic versioning version: 0.0.1 - -# The path to the Markdown (.md) readme file. This path is relative to the root of the collection readme: README.md - -# A list of the collection's content authors. Can be just the name or in the format 'Full Name (url) -# @nicks:irc/im.site#channel' authors: - 'Simon Baerlocher (https://sbaerlocher.ch)' - -### OPTIONAL but strongly recommended - -# A short summary description of the collection description: 'Ansible Collection for Windows functions.' -# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only -# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file' license: - MIT - -# The path to the license file for the collection. This path is relative to the root of the collection. This key is -# mutually exclusive with 'license' license_file: 'LICENSE' - -# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character -# requirements as 'namespace' and 'name' tags: - windows - -# Collections that this collection requires to be installed for it to be usable. The key of the dict is the -# collection label 'namespace.name'. The value is a version range -# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). 
Multiple version -# range specifiers can be set and are separated by ',' dependencies: {} - -# The URL of the originating SCM repository repository: 'https://www.github.com/sbaerlocher/ansible.windows' - -# The URL to any online docs documentation: 'https://sbaerlocher.github.io/ansible.windows' - -# The URL to the homepage of the collection/project homepage: 'https://sbaerlocher.ch/projects/ansible.windows' - -# The URL to the collection issue tracker issues: 'https://www.github.com/sbaerlocher/ansible.windows/issues' diff --git a/plugins/README.md b/plugins/README.md new file mode 100644 index 0000000..0685726 --- /dev/null +++ b/plugins/README.md @@ -0,0 +1,31 @@ +# Collections Plugins Directory + +This directory can be used to ship various plugins inside an Ansible collection. Each plugin is placed in a folder that +is named after the type of plugin it is in. It can also include the `module_utils` and `modules` directory that +would contain module utils and modules respectively. + +Here is an example directory of the majority of plugins currently supported by Ansible: + +``` +└── plugins + ├── action + ├── become + ├── cache + ├── callback + ├── cliconf + ├── connection + ├── filter + ├── httpapi + ├── inventory + ├── lookup + ├── module_utils + ├── modules + ├── netconf + ├── shell + ├── strategy + ├── terminal + ├── test + └── vars +``` + +A full list of plugin types can be found at [Working With Plugins](https://docs.ansible.com/ansible/2.9/plugins/plugins.html). diff --git a/roles/defender/README.md b/roles/defender/README.md new file mode 100644 index 0000000..e4fc22d --- /dev/null +++ b/roles/defender/README.md 
@@ -0,0 +1,25 @@
+# Ansible Role: defender
+
+## Description
+
+Disables or enables Windows defender on the Windows system.
+
+## Role Variables
+
+### defender_disable
+
+Disables or enables Windows defender on the Windows system.
+
+```yml
+defender_disable: true
+```
+
+## Example Playbook
+
+```yml
+- hosts: all
+ collections:
+ - sbaerlocher.windows
+ roles:
+ - defender
+```
diff --git a/roles/defender/defaults/main.yml b/roles/defender/defaults/main.yml
new file mode 100644
index 0000000..6aa1940
--- /dev/null
+++ b/roles/defender/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# defaults file for defender
+
+# disables or enables Windows defender on the Windows system.
+defender_disable: true
diff --git a/roles/defender/meta/main.yml b/roles/defender/meta/main.yml
new file mode 100644
index 0000000..15f12c6
--- /dev/null
+++ b/roles/defender/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Simon Baerlocher (https://sbaerlocher.ch)
+ description: Disables or enables Windows defender on the Windows system.
+ license: MIT
+ min_ansible_version: 2.9
+ platforms:
+ - name: Windows
+ versions:
+ - all
+
+ galaxy_tags:
+ - windows
+ - defender
+
+dependencies: []
diff --git a/roles/defender/molecule/default/molecule.yml b/roles/defender/molecule/default/molecule.yml
new file mode 100644
index 0000000..265a5ef
--- /dev/null
+++ b/roles/defender/molecule/default/molecule.yml
@@ -0,0 +1,21 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+lint:
+ name: yamllint
+platforms:
+ - name: instance
+ image: 'geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest'
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+scenario:
+ name: default
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
diff --git a/roles/defender/molecule/default/playbook.yml b/roles/defender/molecule/default/playbook.yml
new file mode 100644
index 0000000..3707a10
--- /dev/null
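Review bot: `roles/defender/defaults/main.yml` ships `defender_disable: true`, so a playbook that merely lists the role turns Defender real-time monitoring off on every targeted host (the task in `roles/defender/tasks/main.yml` passes the value straight to `-DisableRealtimeMonitoring`). A setting that reduces protection should be opt-in: default to `defender_disable: false` and have the comment say that `true` disables real-time protection. The README example in the same role repeats `defender_disable: true` and would need the same wording.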
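Review bot: `roles/defender/molecule/default/molecule.yml` starts the test container with `privileged: true` from a floating image tag (`...-ansible:latest`), so every CI run executes an unpinned third-party image with nearly all host capabilities. Pin the image to a digest or a fixed tag and drop `privileged: true` unless the scenario really needs systemd inside the container. The default image is a CentOS one, which presumably cannot execute the role's `win_*` tasks, so the scenario may not be testing anything yet. The identical file is added for the directories, disks, local_administrators, onedrive and optional_features roles.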
+++ b/roles/defender/molecule/default/playbook.yml
@@ -0,0 +1,5 @@
+---
+- name: Converge
+ hosts: all
+ roles:
+ - role: sbaerlocher.windows.defender
diff --git a/roles/defender/tasks/main.yml b/roles/defender/tasks/main.yml
new file mode 100644
index 0000000..93dab14
--- /dev/null
+++ b/roles/defender/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+# tasks file for defender
+
+- name: 'Disable or Enable Defender'
+ win_shell: 'Set-MpPreference -DisableRealtimeMonitoring ${{ defender_disable }}'
diff --git a/roles/directories/defaults/main.yml b/roles/directories/defaults/main.yml
new file mode 100644
index 0000000..3ede573
--- /dev/null
+++ b/roles/directories/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# defaults file for directories
+
+# With directories you can specify a list of directories
+# with subdirectories to be created on the target system.
+directories:
+ - main: "{{ ansible_env.SystemDrive }}\\{{ directories_main }}"
+ subdirectories:
+ - 'facts.d'
+ - 'xml.d'
+ - 'tools.d'
+ - 'ansible'
+
+# Optional root directory to be created.
+directories_main: Support
diff --git a/roles/directories/meta/main.yml b/roles/directories/meta/main.yml
new file mode 100644
index 0000000..31ff235
--- /dev/null
+++ b/roles/directories/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Simon Baerlocher (https://sbaerlocher.ch)
+ description: Creates various directory structures on the target system.
+ license: MIT
+ min_ansible_version: 2.9
+ platforms:
+ - name: Windows
+ versions:
+ - all
+
+ galaxy_tags:
+ - windows
+ - directories
+
+dependencies: []
diff --git a/roles/directories/molecule/default/molecule.yml b/roles/directories/molecule/default/molecule.yml
new file mode 100644
index 0000000..265a5ef
--- /dev/null
+++ b/roles/directories/molecule/default/molecule.yml
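Review bot: The `win_shell` line in `roles/defender/tasks/main.yml` pastes `defender_disable` into a PowerShell command without constraining it, so any string supplied through inventory or extra vars becomes part of the command line. Coerce it to a boolean in the template, `win_shell: 'Set-MpPreference -DisableRealtimeMonitoring ${{ defender_disable | bool }}'`, which can only render `$True` or `$False`. The task also reports `changed` on every run, because `win_shell` cannot tell whether the preference already had that value; a preceding `Get-MpPreference` check combined with `changed_when` would make a real change to endpoint protection stand out in the run log.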
@@ -0,0 +1,21 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+lint:
+ name: yamllint
+platforms:
+ - name: instance
+ image: 'geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest'
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+scenario:
+ name: default
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
diff --git a/roles/directories/molecule/default/playbook.yml b/roles/directories/molecule/default/playbook.yml
new file mode 100644
index 0000000..5e37a3d
--- /dev/null
+++ b/roles/directories/molecule/default/playbook.yml
@@ -0,0 +1,5 @@
+---
+- name: Converge
+ hosts: all
+ roles:
+ - role: sbaerlocher.windows.directories
diff --git a/roles/directories/tasks/directories.yml b/roles/directories/tasks/directories.yml
new file mode 100644
index 0000000..7ee99db
--- /dev/null
+++ b/roles/directories/tasks/directories.yml
@@ -0,0 +1,17 @@
+---
+# tasks file for directories
+
+- name: 'create {{ directory.main }} directory'
+ win_file:
+ path: '{{ directory.main }}'
+ state: directory
+ tags:
+ - configuration
+
+- name: 'include directories'
+ include_tasks: subdirectories.yml
+ loop: '{{ directory.subdirectories }}'
+ loop_control:
+ loop_var: subdirectories
+ tags:
+ - configuration
diff --git a/roles/directories/tasks/main.yml b/roles/directories/tasks/main.yml
new file mode 100644
index 0000000..68b1c0c
--- /dev/null
+++ b/roles/directories/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+# tasks file for directories
+
+- name: 'include directories'
+ include_tasks: directories.yml
+ loop: '{{ directories }}'
+ loop_control:
+ loop_var: directory
+ tags:
+ - configuration
diff --git a/roles/directories/tasks/subdirectories.yml b/roles/directories/tasks/subdirectories.yml
new file mode 100644
index 0000000..a325284
--- /dev/null
+++ b/roles/directories/tasks/subdirectories.yml
@@ -0,0 +1,9 @@
+---
+# tasks file for directories
+
+- name: 'create {{ directory.main }}\{{ subdirectories }} directory'
+ win_file:
+ path: '{{ directory.main }}\\{{ subdirectories }}'
+ state: directory
+ tags:
+ - configuration
diff --git a/roles/disks/defaults/main.yml b/roles/disks/defaults/main.yml
new file mode 100644
index 0000000..0994c10
--- /dev/null
+++ b/roles/disks/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# defaults file for disks
+
+# A list of all devices to be included on the target system.
+disks:
+ - disk_number: 1
+ drive_letter: D
+ new_label: Data
diff --git a/roles/disks/meta/main.yml b/roles/disks/meta/main.yml
new file mode 100644
index 0000000..d8bd33b
--- /dev/null
+++ b/roles/disks/meta/main.yml
@@ -0,0 +1,17 @@
+---
+galaxy_info:
+ role_name: disks
+ author: Simon Baerlocher (https://sbaerlocher.ch)
+ description: Initializes, formats and mounts an additional disk on the target system.
+ license: MIT
+ min_ansible_version: 2.9
+ platforms:
+ - name: Windows
+ versions:
+ - all
+
+ galaxy_tags:
+ - windows
+ - disks
+
+dependencies: []
diff --git a/roles/disks/molecule/default/molecule.yml b/roles/disks/molecule/default/molecule.yml
new file mode 100644
index 0000000..265a5ef
--- /dev/null
+++ b/roles/disks/molecule/default/molecule.yml
@@ -0,0 +1,21 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+lint:
+ name: yamllint
+platforms:
+ - name: instance
+ image: 'geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest'
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+scenario:
+ name: default
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
diff --git a/roles/disks/molecule/default/playbook.yml b/roles/disks/molecule/default/playbook.yml
new file mode 100644
index 0000000..718f328
--- /dev/null
+++ b/roles/disks/molecule/default/playbook.yml
@@ -0,0 +1,5 @@
+---
+- name: Converge
+ hosts: all
+ roles:
+ - role: sbaerlocher.windows.disks
diff --git a/roles/disks/tasks/disks.yml b/roles/disks/tasks/disks.yml
new file mode 100644
index 0000000..79ec1a1
--- /dev/null
+++ b/roles/disks/tasks/disks.yml
@@ -0,0 +1,25 @@
+---
+# tasks file for disks
+
+- name: 'abort when the disk {{ disk.disk_number }} not exist'
+ fail:
+ msg: 'Disk does not exist. ( disk_number = {{ disk.disk_number }} )'
+ when: ansible_disks[disk.disk_number] is undefined
+
+- name: 'initialize disk {{ disk.disk_number }}'
+ win_shell: 'Initialize-Disk -Number {{ disk.disk_number }}'
+ when: ansible_disks[disk.disk_number].guid is none
+
+- name: 'create partition {{ disk.drive_letter }}'
+ win_partition:
+ drive_letter: '{{ disk.drive_letter }}'
+ partition_size: -1
+ disk_number: '{{ disk.disk_number }}'
+ when: ansible_disks[disk.disk_number].guid is none
+
+- name: 'format disk {{ disk.drive_letter }}'
+ win_format:
+ drive_letter: '{{ disk.drive_letter }}'
+ file_system: NTFS
+ new_label: '{{ disk.new_label }}'
+ when: ansible_disks[disk.disk_number].guid is none
diff --git a/roles/disks/tasks/main.yml b/roles/disks/tasks/main.yml
new file mode 100644
index 0000000..351e606
--- /dev/null
+++ b/roles/disks/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+# tasks file for kdcloud.win_disk
+
+- name: 'retrieve disk information'
+ win_disk_facts:
+
+- name: 'include disk'
+ include_tasks: disks.yml
+ loop: '{{ disks }}'
+ loop_control:
+ loop_var: disk
diff --git a/roles/local_administrators/defaults/main.yml b/roles/local_administrators/defaults/main.yml
new file mode 100644
index 0000000..c3a3488
--- /dev/null
+++ b/roles/local_administrators/defaults/main.yml
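Review bot: In `roles/disks/tasks/disks.yml` the guards read `ansible_disks[disk.disk_number]`, which is a position in the list returned by `win_disk_facts`, not a lookup by disk number; if the list order ever differs from the Windows disk numbers, the `guid is none` test is made on one disk while `Initialize-Disk`, `win_partition` and `win_format` act on another. Since the last step formats a volume, select the entry by its number instead — assuming each entry carries a `number` field, something like `ansible_disks | selectattr('number', 'equalto', disk.disk_number | int) | list` — and fail when the result is empty. Casting with `{{ disk.disk_number | int }}` in the `win_shell` line also keeps arbitrary text out of the PowerShell command.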
@@ -0,0 +1,21 @@
+---
+# defaults file for local_administrators
+
+# A list of users or groups that Local Administrators
+# should have rights to on the device.
+#
+# local_administrators_defaults:
+# - UserX
+# - GroupX
+#
+local_administrators_defaults: []
+local_administrators_groups: []
+local_administrators_hosts: []
+
+# If the state is enable, only the specified elements exist,
+# and all other unspecified existing elements are removed.
+local_administrators_pure_enable: false
+
+# Name of the local administrators group like e.g.
+# English Administrators or German Administratoren
+local_administrators_group: Administrators
diff --git a/roles/local_administrators/meta/main.yml b/roles/local_administrators/meta/main.yml
new file mode 100644
index 0000000..fcb9de1
--- /dev/null
+++ b/roles/local_administrators/meta/main.yml
@@ -0,0 +1,18 @@
+---
+galaxy_info:
+ author: Simon Baerlocher (https://sbaerlocher.ch)
+ description: Ansible role that manage Local Administraotren group.
+ license: MIT
+ min_ansible_version: 2.9
+ platforms:
+ - name: Windows
+ versions:
+ - all
+
+ galaxy_tags:
+ - winodws
+ - group
+ - administraotren
+ - user
+
+dependencies: []
diff --git a/roles/local_administrators/molecule/default/molecule.yml b/roles/local_administrators/molecule/default/molecule.yml
new file mode 100644
index 0000000..265a5ef
--- /dev/null
+++ b/roles/local_administrators/molecule/default/molecule.yml
@@ -0,0 +1,21 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+lint:
+ name: yamllint
+platforms:
+ - name: instance
+ image: 'geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest'
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+scenario:
+ name: default
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
diff --git a/roles/local_administrators/molecule/default/playbook.yml b/roles/local_administrators/molecule/default/playbook.yml
new file mode 100644
index 0000000..9e74f90
--- /dev/null
+++ b/roles/local_administrators/molecule/default/playbook.yml
@@ -0,0 +1,5 @@
+---
+- name: Converge
+ hosts: all
+ roles:
+ - role: sbaerlocher.windows.local_administrators
diff --git a/roles/local_administrators/tasks/main.yml b/roles/local_administrators/tasks/main.yml
new file mode 100644
index 0000000..2ee546a
--- /dev/null
+++ b/roles/local_administrators/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+# tasks file for local_administrators
+
+- name: add local administrators hosts
+ set_fact:
+ local_administrators_defaults: '{{ var_default | union(var_hosts) }}'
+ when: local_administrators_hosts is defined
+ vars:
+ var_default: '{{ local_administrators_defaults }}'
+ var_hosts: '{{ local_administrators_hosts }}'
+ tags:
+ - configuration
+
+- name: add local administrators group
+ set_fact:
+ local_administrators_defaults: '{{ var_default | union(var_groups) }}'
+ when: local_administrators_groups is defined
+ vars:
+ var_default: '{{ local_administrators_defaults }}'
+ var_groups: '{{ local_administrators_groups }}'
+ tags:
+ - configuration
+
+- name: 'windows : Add to local Administrators'
+ win_group_membership:
+ name: '{{ local_administrators_group }}'
+ members:
+ - '{{ local_administrators_defaults }}'
+ state: "{{ 'pure' if local_administrators_pure_enable else 'present'}}"
+ tags:
+ - configuration
diff --git a/roles/membership/defaults/main.yml b/roles/membership/defaults/main.yml
new file mode 100644
index 0000000..7eac484
--- /dev/null
+++ b/roles/membership/defaults/main.yml
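Review bot: In `roles/local_administrators/tasks/main.yml`, `state` becomes `pure` whenever `local_administrators_pure_enable` is true, and all three member lists default to `[]`, so turning the switch on without filling a list asks `win_group_membership` to strip every member from the Administrators group, possibly including the account Ansible connects with. Guard the task, for example `when: not local_administrators_pure_enable or local_administrators_defaults | length > 0`, or fail early with a clear message. `members:` also wraps the list in another list (`- '{{ local_administrators_defaults }}'`); `members: '{{ local_administrators_defaults }}'` passes the names directly.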
@@ -0,0 +1,20 @@
+---
+# defaults file for membership
+
+# the DNS name of the domain to which the targeted Windows host should be joined.
+# membership_domain_name: ''
+
+# Username of a domain admin for the target domain (required to join or leave the domain).
+membership_admin_user: ''
+
+# Password for the specified domain_admin_user.
+membership_admin_password: ''
+
+# The desired OU path for adding the computer object. default: omit
+membership_ou: '{{ omit }}'
+
+# Whether the target host should be a member of a domain or workgroup.
+membership_state: 'domain'
+#
+# When state is workgroup, the name of the workgroup that the Windows host should be in.
+# membership_workgroup_name: ''
diff --git a/roles/membership/handlers/main.yml b/roles/membership/handlers/main.yml
new file mode 100644
index 0000000..24a45e6
--- /dev/null
+++ b/roles/membership/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+# handlers file for membership
+
+- name: Reboot Windows
+ win_reboot:
+ when: membership_state.reboot_required
+
+- name: Wait for connection
+ wait_for_connection:
diff --git a/roles/membership/meta/main.yml b/roles/membership/meta/main.yml
new file mode 100644
index 0000000..0877cdb
--- /dev/null
+++ b/roles/membership/meta/main.yml
@@ -0,0 +1,17 @@
+---
+galaxy_info:
+ author: Simon Baerlocher (https://sbaerlocher.ch)
+ description: Adds the target device to a domain or to a workgroup.
+ license: MIT
+ min_ansible_version: 2.9
+
+ platforms:
+ - name: Windows
+ versions:
+ - 2012R2
+ galaxy_tags:
+ - windows
+ - domain
+ - join
+
+dependencies: []
diff --git a/roles/membership/tasks/main.yml b/roles/membership/tasks/main.yml
new file mode 100644
index 0000000..28cfbbd
--- /dev/null
+++ b/roles/membership/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+# tasks file for membership
+
+- name: 'domain membership'
+ win_domain_membership:
+ dns_domain_name: '{{ membership_domain_name | default(omit) }}'
+ domain_admin_user: '{{ membership_admin_user | default(omit) }}'
+ domain_admin_password: '{{ membership_admin_password | default(omit) }}'
+ domain_ou_path: '{{ membership_ou | default(omit) }}'
+ state: "{{ 'domain' if membership_domain_name is defined else 'workgroup' }}"
+ workgroup_name: '{{ membership_workgroup_name | default(omit) }}'
+ when: membership_domain_name is defined or membership_workgroup_name is defined
+ register: membership_state
+ notify:
+ - Reboot Windows
+ - Wait for connection
+ tags:
+ - configuration
+ - packages
diff --git a/roles/onedrive/defaults/main.yml b/roles/onedrive/defaults/main.yml
new file mode 100644
index 0000000..b9e155d
--- /dev/null
+++ b/roles/onedrive/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# defaults file for onedrive
+
+# Disables OneDrive in the registry
+onedrive_disable: true
+
+# Uninstalls OneDrive on the device.
+onedrive_remove: false
diff --git a/roles/onedrive/meta/main.yml b/roles/onedrive/meta/main.yml
new file mode 100644
index 0000000..51c84de
--- /dev/null
+++ b/roles/onedrive/meta/main.yml
@@ -0,0 +1,17 @@
+---
+galaxy_info:
+ role_name: onedrive
+ author: Simon Baerlocher (https://sbaerlocher.ch)
+ description: Disables or removes Microsoft OneDrive on a Windows 10 device.
+ license: MIT
+ min_ansible_version: 2.9
+ platforms:
+ - name: Windows
+ versions:
+ - all
+
+ galaxy_tags:
+ - windows
+ - onedrive
+
+dependencies: []
diff --git a/roles/onedrive/molecule/default/molecule.yml b/roles/onedrive/molecule/default/molecule.yml
new file mode 100644
index 0000000..265a5ef
--- /dev/null
+++ b/roles/onedrive/molecule/default/molecule.yml
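Review bot: The `win_domain_membership` task in `roles/membership/tasks/main.yml` receives `membership_admin_password` but has no `no_log: true`, so the domain-admin password can end up in verbose output, callback plugins or job logs; add `no_log: true` to the task. The defaults set the user and password to `''`, and `default(omit)` only replaces undefined values, so an empty string is passed through instead of being omitted; `default(omit, true)` covers that case. A comment in `defaults/main.yml` pointing users to Ansible Vault for the password would help. The task registers `membership_state`, the same name the defaults file uses for the `'domain'` setting, which makes the handler's `membership_state.reboot_required` harder to follow; a distinct register name such as `membership_result` avoids the overlap.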
@@ -0,0 +1,21 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+lint:
+ name: yamllint
+platforms:
+ - name: instance
+ image: 'geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest'
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+scenario:
+ name: default
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
diff --git a/roles/onedrive/molecule/default/playbook.yml b/roles/onedrive/molecule/default/playbook.yml
new file mode 100644
index 0000000..5583e73
--- /dev/null
+++ b/roles/onedrive/molecule/default/playbook.yml
@@ -0,0 +1,5 @@
+---
+- name: Converge
+ hosts: all
+ roles:
+ - role: sbaerlocher.windows.onedrive
diff --git a/roles/onedrive/tasks/main.yml b/roles/onedrive/tasks/main.yml
new file mode 100644
index 0000000..685c27c
--- /dev/null
+++ b/roles/onedrive/tasks/main.yml
@@ -0,0 +1,63 @@
+---
+# tasks file for onedrive
+
+- block:
+ - name: Set facts
+ set_fact:
+ onedrive_disable: true
+
+ - name: Check if OneDrive installed x86
+ win_stat:
+ path: C:\\Windows\\System32\\OneDriveSetup.exe
+ register: register_x86_onedrive
+
+ - name: Uninstall OneDrive x86
+ become: true
+ become_user: SYSTEM
+ become_method: runas
+ win_shell: "C:\\Windows\\System32\\OneDriveSetup.exe /uninstall"
+ when: register_x86_onedrive.stat.exists | bool
+
+ - name: Check if OneDrive installed x64
+ win_stat:
+ path: C:\\Windows\\SysWOW64\\OneDriveSetup.exe
+ register: register_x64_onedrive
+
+ - name: Uninstall OneDrive x64
+ become: true
+ become_user: SYSTEM
+ become_method: runas
+ win_shell: "C:\\Windows\\SysWOW64\\OneDriveSetup.exe /uninstall"
+ when: register_x64_onedrive.stat.exists | bool
+
+ when: onedrive_remove
+
+- block:
+ - name: OneDrive Policies
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive
+ name: DisableFileSyncNGSC
+ data: "{{ '00000001' if onedrive_disable else '00000000' }}"
+ type: dword
+
+ - name: OneDrive in Explorer
+ win_regedit:
+ path: HKCR:\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
+ name: System.IsPinnedToNameSpaceTree
+ data: "{{ '00000000' if onedrive_disable else '00000001' }}"
+ type: dword
+
+ - name: OneDrive in Explorer x64
+ win_regedit:
+ path: HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
+ name: System.IsPinnedToNameSpaceTree
+ data: "{{ '00000000' if onedrive_disable else '00000001' }}"
+ type: dword
+ when: ansible_architecture == "64-Bit"
+
+ - name: OneDrive Start Menu in Default Profile
+ win_file:
+ path: "C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\OneDrive.lnk"
+ state: absent
+
+ when: onedrive_disable | bool
diff --git a/roles/optional_features/README.md b/roles/optional_features/README.md
new file mode 100644
index 0000000..edb3bc2
--- /dev/null
+++ b/roles/optional_features/README.md
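Review bot: Both uninstall tasks in `roles/onedrive/tasks/main.yml` run as `SYSTEM` through `win_shell`, although they only start one executable with one argument; `win_command` does that without putting a PowerShell parser between the playbook and a SYSTEM-level process. The installer path is hard-coded to `C:\Windows`; building it from `ansible_env.SystemRoot`, the way `roles/directories/defaults/main.yml` uses `ansible_env.SystemDrive`, would keep the `win_stat` check and the execution pointed at the target's real Windows directory. The first block is gated by `when: onedrive_remove` while the second uses `onedrive_disable | bool`; apply `| bool` to both so a string value passed with `-e` is interpreted predictably. The x86/x64 labels also look swapped: on 64-bit Windows `System32` holds the native binaries and `SysWOW64` the 32-bit ones.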
@@ -0,0 +1,26 @@ +# Ansible Role: optional_features + +## Description + +This role enables or disables Windows optional feature.. + +## Role Variables + +### optional_features + +Here is a list of Windows optional features that can be installed or uninstalled. + +```yml +optional_features: + - 'Microsoft-Windows-Subsystem-Linux': true +``` + +## Example Playbook + +```yml +- hosts: all + collections: + - sbaerlocher.windows + roles: + - optional_features +``` diff --git a/roles/optional_features/defaults/main.yml b/roles/optional_features/defaults/main.yml new file mode 100644 index 0000000..b90f494 --- /dev/null +++ b/roles/optional_features/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# defaults file for optional_features + +# Here is a list of Windows optional features that can be installed or uninstalled. +optional_features: + - 'Microsoft-Windows-Subsystem-Linux': true diff --git a/roles/optional_features/meta/main.yml b/roles/optional_features/meta/main.yml new file mode 100644 index 0000000..959d84a --- /dev/null +++ b/roles/optional_features/meta/main.yml @@ -0,0 +1,17 @@ +--- +galaxy_info: + author: Simon Baerlocher (https://sbaerlocher.ch) + description: 'This role enables or disables Windows optional feature.' + license: MIT + min_ansible_version: 2.9 + platforms: + - name: Windows + versions: + - all + + galaxy_tags: + - windows + - optional + - features + +dependencies: [] diff --git a/roles/optional_features/molecule/default/molecule.yml b/roles/optional_features/molecule/default/molecule.yml new file mode 100644 index 0000000..265a5ef --- /dev/null +++ b/roles/optional_features/molecule/default/molecule.yml 
@@ -0,0 +1,21 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint +platforms: + - name: instance + image: 'geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest' + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +scenario: + name: default +verifier: + name: testinfra + lint: + name: flake8 diff --git a/roles/optional_features/molecule/default/playbook.yml b/roles/optional_features/molecule/default/playbook.yml new file mode 100644 index 0000000..563e028 --- /dev/null +++ b/roles/optional_features/molecule/default/playbook.yml @@ -0,0 +1,5 @@ +--- +- name: Converge + hosts: all + roles: + - role: sbaerlocher.windows.optional_features diff --git a/roles/optional_features/tasks/main.yml b/roles/optional_features/tasks/main.yml new file mode 100644 index 0000000..9c0e31e --- /dev/null +++ b/roles/optional_features/tasks/main.yml @@ -0,0 +1,10 @@ +--- +# tasks file for optional-features + +- name: 'include optional features' + include_tasks: optional_features.yml + loop: '{{ optional_features | dict2items }}' + loop_control: + loop_var: optional_feature + tags: + - configuration diff --git a/roles/optional_features/tasks/optional_features.yml b/roles/optional_features/tasks/optional_features.yml new file mode 100644 index 0000000..b521fb9 --- /dev/null +++ b/roles/optional_features/tasks/optional_features.yml @@ -0,0 +1,8 @@ +--- +# tasks file for optional-features + +- name: 'windows : {{ optional_feature.key }} {{ optional_feature.value }}' + win_dsc: + resource_name: WindowsOptionalFeature + Name: '{{ optional_feature.key }}' + Ensure: "{{ 'Enable' if optional_feature.value else 'Disable' }}" diff --git a/roles/power_plan/README.md b/roles/power_plan/README.md new file mode 100644 index 0000000..93a1d12 --- /dev/null +++ b/roles/power_plan/README.md 
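Review bot: In roles/optional_features/tasks/main.yml, `loop: '{{ optional_features | dict2items }}'` expects a mapping, but the role default and the README example define `optional_features` as a list of one-key mappings (`- 'Microsoft-Windows-Subsystem-Linux': true`), so the include appears to fail with the shipped defaults. Either change the default to a plain mapping (the same key and value without the leading `- `) or keep the list and loop over it directly. A comment above the variable stating the expected shape would keep the default and the loop from drifting apart again.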
@@ -0,0 +1,23 @@ +# Ansible Role: power_plan + +## Description + +This module will change the power plan of a Windows system to the defined string. + +## Role Variables + +### power_plan + +Here you can specify the Windows Power Plan to be activated.. + +```yml +power_plan: 'high performance' +``` + +## Example Playbook + +```yml +- hosts: all + roles: + - sbaerlocher.windows.power_plan +``` diff --git a/roles/power_plan/defaults/main.yml b/roles/power_plan/defaults/main.yml new file mode 100644 index 0000000..f177101 --- /dev/null +++ b/roles/power_plan/defaults/main.yml @@ -0,0 +1,5 @@ +--- +# defaults file for power_plan + +# Here you can specify the Windows Power Plan to be activated. +power_plan: 'high performance' diff --git a/roles/power_plan/meta/main.yml b/roles/power_plan/meta/main.yml new file mode 100644 index 0000000..3e7e7de --- /dev/null +++ b/roles/power_plan/meta/main.yml @@ -0,0 +1,17 @@ +--- +galaxy_info: + author: Simon Baerlocher (https://sbaerlocher.ch) + description: This role will change the power plan of a Windows system to the defined string. + license: MIT + min_ansible_version: 2.9 + + platforms: + - name: Windows + versions: + - 2012R2 + galaxy_tags: + - windows + - power + - plan + +dependencies: [] diff --git a/roles/power_plan/molecule/default/molecule.yml b/roles/power_plan/molecule/default/molecule.yml new file mode 100644 index 0000000..265a5ef --- /dev/null +++ b/roles/power_plan/molecule/default/molecule.yml @@ -0,0 +1,21 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint +platforms: + - name: instance + image: 'geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest' + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +scenario: + name: default +verifier: + name: testinfra + lint: + name: flake8 
diff --git a/roles/power_plan/molecule/default/playbook.yml b/roles/power_plan/molecule/default/playbook.yml new file mode 100644 index 0000000..c31158e --- /dev/null +++ b/roles/power_plan/molecule/default/playbook.yml @@ -0,0 +1,5 @@ +--- +- name: Converge + hosts: all + roles: + - role: sbaerlocher.windows.power_plan diff --git a/roles/power_plan/tasks/main.yml b/roles/power_plan/tasks/main.yml new file mode 100644 index 0000000..b990b10 --- /dev/null +++ b/roles/power_plan/tasks/main.yml @@ -0,0 +1,6 @@ +--- +# tasks file for power-plan + +- name: 'Change power plan to {{ power_plan }}' + win_power_plan: + name: '{{ power_plan }}' diff --git a/roles/remote_desktop/defaults/main.yml b/roles/remote_desktop/defaults/main.yml new file mode 100644 index 0000000..2c29f25 --- /dev/null +++ b/roles/remote_desktop/defaults/main.yml @@ -0,0 +1,25 @@ +--- +# defaults file for remote_desktop + +# Turns the Remote Desktop Service on or off. +remote_desktop_enabled: false + +# Determines the encryption level of the remote desktop connection. +# More on: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_ENCRYPTION_POLICY +remote_desktop_minencryptionLevel: '3' + +# Determines on which port the Remote Desktop Service should be started. +remote_desktop_port: 3389 + +# Disables the function that can be shut down from a remote desktop. +remote_desktop_shutdown_disable: false + +# Determines the security level of the remote desktop connection. +# More on: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SECURITY_LAYER_POLICY +remote_desktop_securitylayer: '1' + +# Group for logging on to the Remote Desktop Service. +remote_desktop_group: 'Remotedesktopbenutzer' + +# Users or groups who are allowed to log on to the Remote Desktop. +remote_desktop_members: [] diff --git a/roles/remote_desktop/meta/main.yml b/roles/remote_desktop/meta/main.yml new file mode 100644 index 0000000..01d3de2 --- /dev/null 
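Review bot: The remote_desktop defaults stop short of requiring TLS and Network Level Authentication: `remote_desktop_securitylayer: '1'` is the Negotiate setting, which still permits a fall-back to the legacy RDP security layer, and no variable or task in this patch writes `UserAuthentication`. Consider defaulting to `remote_desktop_securitylayer: '2'` and adding a default such as `remote_desktop_nla: true` that the task files write as `UserAuthentication` = 1 under the same Terminal Services policy key. `remote_desktop_group: 'Remotedesktopbenutzer'` is the German display name, so on other UI languages the membership task will presumably not find the group; the comment above the variable should say so.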
+++ b/roles/remote_desktop/meta/main.yml @@ -0,0 +1,18 @@ +--- +galaxy_info: + role_name: remote_desktop + author: Simon Baerlocher (https://sbaerlocher.ch) + description: Enables Windows Remote Desktop Services on Windows. + license: MIT + min_ansible_version: 2.9 + platforms: + - name: Windows + versions: + - all + + galaxy_tags: + - remote + - desktop + - management + +dependencies: [] diff --git a/roles/remote_desktop/molecule/default/molecule.yml b/roles/remote_desktop/molecule/default/molecule.yml new file mode 100644 index 0000000..265a5ef --- /dev/null +++ b/roles/remote_desktop/molecule/default/molecule.yml @@ -0,0 +1,21 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint +platforms: + - name: instance + image: 'geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest' + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +scenario: + name: default +verifier: + name: testinfra + lint: + name: flake8 diff --git a/roles/remote_desktop/molecule/default/playbook.yml b/roles/remote_desktop/molecule/default/playbook.yml new file mode 100644 index 0000000..e8e3e5c --- /dev/null +++ b/roles/remote_desktop/molecule/default/playbook.yml @@ -0,0 +1,5 @@ +--- +- name: Converge + hosts: all + roles: + - role: sbaerlocher.windows.remote_desktop diff --git a/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Enterprise Evaluation.yml b/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Enterprise Evaluation.yml new file mode 100644 index 0000000..d36e616 --- /dev/null +++ b/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Enterprise Evaluation.yml 
@@ -0,0 +1,113 @@ +--- +# tasks file for sbaerlocher.remote-desktop + +# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_DISABLE_CONNECTIONS +- name: Allow users to connect remotely by using Remote Desktop Services + win_regedit: + path: '{{ item }}' + name: fDenyTSConnections + data: 00000000 + type: dword + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" + register: register_remote_desktop_enabled + with_items: + - "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\" + - "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" + tags: + - configuration + +- name: Firewall Enable or Disable rule for Remote Desktop Services + win_shell: > + "{{ 'Enable-NetFirewallRule' if rd_enable else 'Disable-NetFirewallRule' }} + -DisplayGroup 'Remotedesktop'" + vars: + rd_enable: '{{ remote_desktop_enabled }}' + tags: + - configuration + +- name: Set then Remote Desktop Port + win_regedit: + path: "{{ path }}\\Control\\Terminal Server\\WinStations\\RDP-Tcp" + name: PortNumber + data: '{{ remote_desktop_port }}' + type: dword + vars: + path: "HKLM:\\SYSTEM\\CurrentControlSet" + tags: + - configuration + +- name: Firewall rule to allow RDP on TCP port 3389 + win_firewall_rule: + name: '{{ item.name }}' + description: '{{ item.description }}' + localport: '{{ remote_desktop_port }}' + action: allow + direction: in + protocol: '{{ item.protocol }}' + profiles: domain,private,public + state: present + enabled: "{{ 'true' if remote_desktop_enabled else 'false' }}" + service: termservice + program: C:\Windows\system32\svchost.exe + with_items: + - name: Remotedesktop - Benutzermodus (TCP eingehend) + description: > + Eingehende Regel für den Remotedesktopdienst, + die RDP-Datenverkehr zulässt. [TCP 3389] + protocol: tcp + - name: Remotedesktop - Benutzermodus (UDP eingehend) + description: > + Eingehende Regel für den Remotedesktopdienst, + die RDP-Datenverkehr zulässt. 
[UDP 3389] + protocol: udp + tags: + - configuration + +# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SECURITY_LAYER_POLICY +- name: Require use of specific security layer for remote (RDP) connections + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: SecurityLayer + data: '{{ remote_desktop_securitylayer }}' + type: dword + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" + tags: + - configuration + +# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_ENCRYPTION_POLICY +- name: Set client connection encryption level + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: MinEncryptionLevel + data: '{{ remote_desktop_minencryptionLevel }}' + type: dword + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" + tags: + - configuration + +# https://www.winfaq.de/faq_html/Content/tip1000/onlinefaq.php?h=tip1368.htm +- name: Disable Shutdown Butten from Windows Start + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + name: NoClose + data: '1' + type: dword + state: "{{ 'present' if rd_enable and rd_shutdown_disable else 'absent' }}" + vars: + rd_enable: '{{ remote_desktop_enabled }}' + rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}' + tags: + - configuration + +# https://www.howtogeek.com/246728/how-to-remove-the-shutdown-button-from-the-windows-login-screen/ +- name: Disable Shutdown Butten from Windows login screen + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + name: shutdownwithoutlogon + data: "{{ '0' if rd_enable and rd_shutdown_disable else '1' }}" + type: dword + vars: + rd_enable: '{{ remote_desktop_enabled }}' + rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}' + tags: + - configuration 
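Review bot: The `win_firewall_rule` task opens the RDP port with `profiles: domain,private,public`, which exposes the service on untrusted networks whenever `remote_desktop_enabled` is true; restrict it to `profiles: domain,private` or make the profile list a role variable with that default. In the same file the disable path only removes `fDenyTSConnections` (`state: absent`) instead of writing the deny value, so switching the role off relies on whatever Windows does when the value is missing; `data: "{{ 0 if remote_desktop_enabled | bool else 1 }}"` with `state: present` makes the outcome explicit. The task name still says "TCP port 3389" although `localport` follows `remote_desktop_port`. `Microsoft Windows 10 Pro.yml` repeats all of this.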
diff --git a/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Pro.yml b/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Pro.yml
new file mode 100644
index 0000000..ee894b5
--- /dev/null
+++ b/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Pro.yml
@@ -0,0 +1,121 @@ +--- +# tasks file for sbaerlocher.remote-desktop + +# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_DISABLE_CONNECTIONS +- name: Allow users to connect remotely by using Remote Desktop Services + win_regedit: + path: '{{ item }}' + name: fDenyTSConnections + data: 00000000 + type: dword + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" + register: register_remote_desktop_enabled + with_items: + - "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\" + - "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" + tags: + - configuration + +- name: Firewall Enable or Disable rule for Remote Desktop Services + win_shell: > + "{{ 'Enable-NetFirewallRule' if rd_enable else 'Disable-NetFirewallRule' }} + -DisplayGroup 'Remotedesktop'" + vars: + rd_enable: '{{ remote_desktop_enabled }}' + tags: + - configuration + +- name: Set then Remote Desktop Port + win_regedit: + path: "{{ path }}\\Control\\Terminal Server\\WinStations\\RDP-Tcp" + name: PortNumber + data: '{{ remote_desktop_port }}' + type: dword + vars: + path: "HKLM:\\SYSTEM\\CurrentControlSet" + tags: + - configuration + +- name: Firewall rule to allow RDP on TCP port 3389 + win_firewall_rule: + name: '{{ item.name }}' + description: '{{ item.description }}' + localport: '{{ remote_desktop_port }}' + action: allow + direction: in + protocol: '{{ item.protocol }}' + profiles: domain,private,public + state: present + enabled: "{{ 'true' if remote_desktop_enabled else 'false' }}" + service: termservice + program: C:\Windows\system32\svchost.exe + with_items: + - name: Remotedesktop - Benutzermodus (TCP eingehend) + description: > + Eingehende Regel für den Remotedesktopdienst, + die RDP-Datenverkehr zulässt. [TCP 3389] + protocol: tcp + - name: Remotedesktop - Benutzermodus (UDP eingehend) + description: > + Eingehende Regel für den Remotedesktopdienst, + die RDP-Datenverkehr zulässt. 
[UDP 3389] + protocol: udp + tags: + - configuration + +# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SECURITY_LAYER_POLICY +- name: Require use of specific security layer for remote (RDP) connections + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: SecurityLayer + data: '{{ remote_desktop_securitylayer }}' + type: dword + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" + tags: + - configuration + +# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_ENCRYPTION_POLICY +- name: Set client connection encryption level + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: MinEncryptionLevel + data: '{{ remote_desktop_minencryptionLevel }}' + type: dword + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" + tags: + - configuration + +- name: Add User or Group to Login group for Remote Desktop + win_group_membership: + name: '{{ remote_desktop_group }}' + members: '{{ remote_desktop_members }}' + state: present + tags: + - configuration + +# https://www.winfaq.de/faq_html/Content/tip1000/onlinefaq.php?h=tip1368.htm +- name: Disable Shutdown Butten from Windows Start + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + name: NoClose + data: '1' + type: dword + state: "{{ 'present' if rd_enable and rd_shutdown_disable else 'absent' }}" + vars: + rd_enable: '{{ remote_desktop_enabled }}' + rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}' + tags: + - configuration + +# https://www.howtogeek.com/246728/how-to-remove-the-shutdown-button-from-the-windows-login-screen/ +- name: Disable Shutdown Butten from Windows login screen + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + name: shutdownwithoutlogon + data: "{{ '0' if rd_enable and rd_shutdown_disable else '1' }}" + type: dword + vars: + 
rd_enable: '{{ remote_desktop_enabled }}' + rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}' + tags: + - configuration diff --git a/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2016 Standard.yml b/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2016 Standard.yml new file mode 100644 index 0000000..ac78322 --- /dev/null +++ b/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2016 Standard.yml @@ -0,0 +1,10 @@ +--- +# tasks file for sbaerlocher.remote-desktop + +- name: Add User or Group to Login group for Remote Desktop + win_group_membership: + name: '{{ remote_desktop_group }}' + members: '{{ remote_desktop_members }}' + state: present + tags: + - configuration diff --git a/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2019 Standard.yml b/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2019 Standard.yml new file mode 100644 index 0000000..ac78322 --- /dev/null +++ b/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2019 Standard.yml @@ -0,0 +1,10 @@ +--- +# tasks file for sbaerlocher.remote-desktop + +- name: Add User or Group to Login group for Remote Desktop + win_group_membership: + name: '{{ remote_desktop_group }}' + members: '{{ remote_desktop_members }}' + state: present + tags: + - configuration diff --git a/roles/remote_desktop/tasks/distribution/defaults.yml b/roles/remote_desktop/tasks/distribution/defaults.yml new file mode 100644 index 0000000..dab7d1d --- /dev/null +++ b/roles/remote_desktop/tasks/distribution/defaults.yml @@ -0,0 +1,6 @@ +--- +# tasks file for sbaerlocher.remote-desktop + +- name: Message + debug: + msg: 'Your {{ ansible_system }} is not supported' diff --git a/roles/remote_desktop/tasks/main.yml b/roles/remote_desktop/tasks/main.yml new file mode 100644 index 0000000..f13625c --- /dev/null +++ b/roles/remote_desktop/tasks/main.yml 
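Review bot: In `Microsoft Windows 10 Pro.yml` the `win_shell` task "Firewall Enable or Disable rule for Remote Desktop Services" wraps the whole folded scalar in double quotes, so PowerShell appears to receive a string literal and echo it rather than run `Enable-NetFirewallRule` or `Disable-NetFirewallRule`; the task would then report changed without touching the firewall. Drop the outer quotes, e.g. `win_shell: "{{ 'Enable' if rd_enable | bool else 'Disable' }}-NetFirewallRule -DisplayGroup 'Remotedesktop'"`, or remove the task and rely on the `win_firewall_rule` task that follows it. 'Remotedesktop' is a localized display group, so this presumably matches only on German systems. The Enterprise Evaluation task file carries the same task.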
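Review bot: On an unrecognised distribution `defaults.yml` only prints a `debug` message, so the play finishes green while none of the RDP registry, firewall or group settings were applied. For a role that controls remote access this should be a hard stop: replace the task with `fail:` and `msg: 'remote_desktop: {{ ansible_distribution }} is not supported'`. The two Windows Server task files in this patch also apply only the group membership and ignore `remote_desktop_enabled`, which deserves a comment at the top of each file.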
@@ -0,0 +1,24 @@ +--- +# tasks file for remote_desktop + +- name: include distribution tasks + include_tasks: '{{ loop_distribution }}' + with_first_found: + - files: + - '{{ distribution }}-{{ distribution_verion }}.yml' + - '{{ distribution }}-{{ distribution_major_version }}.yml' + - '{{ distribution }}.yml' + - '{{ ansible_os_family }}.yml' + - '{{ ansible_system }}.yml' + - 'defaults.yml' + paths: + - 'distribution' + loop_control: + loop_var: loop_distribution + vars: + distribution: '{{ ansible_distribution }}' + distribution_verion: '{{ ansible_distribution_version }}' + distribution_major_version: '{{ ansible_distribution_major_version }}' + tags: + - configuration + - packages diff --git a/roles/wsl/README.md b/roles/wsl/README.md deleted file mode 100644 index a13c8a2..0000000 --- a/roles/wsl/README.md +++ /dev/null @@ -1,25 +0,0 @@ -# Ansible Role: wsl - -## Description - -The role activates the Windows Subsystem for Linux (WSL) feature on a windows device. - -## Role Variables - -### wsl_enable - -Switches the WSL on or off. - -```yml -wsl_enbale: false -``` - -## Example Playbook - -```yml -- hosts: all - collections: - - sbaerlocher.windows - roles: - - wsl -``` From cfc69597b066b620ff158ac11e482fb3b36f28c6 Mon Sep 17 00:00:00 2001 
From: Simon Baerlocher Date: Sat, 7 Mar 2020 23:23:52 +0100 Subject: [PATCH 2/3] add startlayout --- docs/index.html | 4 + roles/startlayout/README.md | 93 +++++++++++++++++++ roles/startlayout/defaults/main.yml | 70 ++++++++++++++ roles/startlayout/meta/main.yml | 18 ++++ .../startlayout/molecule/default/molecule.yml | 21 +++++ .../startlayout/molecule/default/playbook.yml | 5 + roles/startlayout/tasks/main.yml | 12 +++ .../startlayout/templates/StartLayout.xml.j2 | 30 ++++++ 8 files changed, 253 insertions(+) create mode 100644 roles/startlayout/README.md create mode 100644 roles/startlayout/defaults/main.yml create mode 100644 roles/startlayout/meta/main.yml create mode 100644 roles/startlayout/molecule/default/molecule.yml create mode 100644 roles/startlayout/molecule/default/playbook.yml create mode 100644 roles/startlayout/tasks/main.yml create mode 100644 roles/startlayout/templates/StartLayout.xml.j2 diff --git a/docs/index.html b/docs/index.html index 251f6d0..9789dd5 100644 --- a/docs/index.html +++ b/docs/index.html @@ -87,6 +87,10 @@ { title: 'Remote Desktop', link: '/roles/remote_desktop/README' + }, + { + title: 'Startlayout', + link: '/roles/startlayout/README' } ] } diff --git a/roles/startlayout/README.md b/roles/startlayout/README.md new file mode 100644 index 0000000..e09d99b --- /dev/null +++ b/roles/startlayout/README.md 
@@ -0,0 +1,93 @@ +# Ansible Role: startlayout + +## Description + +With this role the default start menu and task bar of a new profile can be defined. + +## Role Variables + +### startlayout_start + +List and groups of application in Start menu. + +```yml +startlayout_start: + - group: Computer + icons: + - Size: '2x2' + Column: '0' + Row: '0' + DesktopApplicationLinkPath: "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\File Explorer.lnk" + - Size: '2x2' + Column: '2' + Row: '0' + DesktopApplicationLinkPath: "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\computer.lnk" + - group: Browser + icons: + - Size: '2x2' + Column: '0' + Row: '0' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Mozilla Firefox.lnk" + - group: Office + icons: + - Size: '2x2' + Column: '0' + Row: '0' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Acrobat Reader DC.lnk" + - Size: '2x2' + Column: '2' + Row: '0' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Word 2016.lnk" + - Size: '2x2' + Column: '0' + Row: '2' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook 2016.lnk" + - Size: '2x2' + Column: '2' + Row: '2' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Excel 2016.lnk" + - Size: '2x2' + Column: '2' + Row: '0' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Word.lnk" + - Size: '2x2' + Column: '0' + Row: '2' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook.lnk" + - Size: '2x2' + Column: '2' + Row: '2' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Excel.lnk" +``` + +### startlayout_task + +List of Application that are pinned to the taskbar. 
+ +```yml +startlayout_task: + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\File Explorer.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Firefox.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook 2016.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Word 2016.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Excel 2016.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Word.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Excel.lnk" +``` + +## Example Playbook + +```yml +- hosts: all + roles: + - sbaerlocher.windows.startlayout +``` diff --git a/roles/startlayout/defaults/main.yml b/roles/startlayout/defaults/main.yml new file mode 100644 index 0000000..09ffa59 --- /dev/null +++ b/roles/startlayout/defaults/main.yml 
@@ -0,0 +1,70 @@ +--- +# defaults file for startlayout + +# List and groups of application in Start menu. +startlayout_start: + - group: Computer + icons: + - Size: '2x2' + Column: '0' + Row: '0' + DesktopApplicationLinkPath: "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\File Explorer.lnk" + - Size: '2x2' + Column: '2' + Row: '0' + DesktopApplicationLinkPath: "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\computer.lnk" + - group: Browser + icons: + - Size: '2x2' + Column: '0' + Row: '0' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Mozilla Firefox.lnk" + - group: Office + icons: + - Size: '2x2' + Column: '0' + Row: '0' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Acrobat Reader DC.lnk" + - Size: '2x2' + Column: '2' + Row: '0' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Word 2016.lnk" + - Size: '2x2' + Column: '0' + Row: '2' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook 2016.lnk" + - Size: '2x2' + Column: '2' + Row: '2' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Excel 2016.lnk" + - Size: '2x2' + Column: '2' + Row: '0' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Word.lnk" + - Size: '2x2' + Column: '0' + Row: '2' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook.lnk" + - Size: '2x2' + Column: '2' + Row: '2' + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Excel.lnk" + +# List of Application that are pinned to the taskbar. 
+startlayout_task: + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\File Explorer.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Firefox.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook 2016.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Word 2016.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Excel 2016.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Word.lnk" + - taskbar: DesktopApp + DesktopApplicationLinkPath: "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Excel.lnk" diff --git a/roles/startlayout/meta/main.yml b/roles/startlayout/meta/main.yml new file mode 100644 index 0000000..0db6c02 --- /dev/null +++ b/roles/startlayout/meta/main.yml @@ -0,0 +1,18 @@ +--- +galaxy_info: + role_name: startlayout + author: Simon Baerlocher (https://sbaerlocher.ch) + description: With this role the default start menu and task bar of a new profile can be defined. + license: MIT + min_ansible_version: 2.9 + platforms: + - name: Windows + versions: + - all + + galaxy_tags: + - windows + - startlayout + - taskbarlayout + +dependencies: [] diff --git a/roles/startlayout/molecule/default/molecule.yml b/roles/startlayout/molecule/default/molecule.yml new file mode 100644 index 0000000..265a5ef --- /dev/null +++ b/roles/startlayout/molecule/default/molecule.yml 
@@ -0,0 +1,21 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint +platforms: + - name: instance + image: 'geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest' + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +scenario: + name: default +verifier: + name: testinfra + lint: + name: flake8 diff --git a/roles/startlayout/molecule/default/playbook.yml b/roles/startlayout/molecule/default/playbook.yml new file mode 100644 index 0000000..b9e085d --- /dev/null +++ b/roles/startlayout/molecule/default/playbook.yml @@ -0,0 +1,5 @@ +--- +- name: Converge + hosts: all + roles: + - sbaerlocher.windows.startlayout diff --git a/roles/startlayout/tasks/main.yml b/roles/startlayout/tasks/main.yml new file mode 100644 index 0000000..9e83a9b --- /dev/null +++ b/roles/startlayout/tasks/main.yml @@ -0,0 +1,12 @@ +--- +# tasks file for startlayout + +- name: 'Create startlayout' + win_template: + src: 'StartLayout.xml.j2' + dest: "{{ ansible_env.TEMP }}\\StartLayout.xml" + register: register_startlayout + +- name: 'Import startlayout' + win_shell: "Import-StartLayout -LayoutPath {{ ansible_env.TEMP }}\\StartLayout.xml -MountPath $env:SystemDrive\\" + when: register_startlayout.changed diff --git a/roles/startlayout/templates/StartLayout.xml.j2 b/roles/startlayout/templates/StartLayout.xml.j2 new file mode 100644 index 0000000..a32dc09 --- /dev/null +++ b/roles/startlayout/templates/StartLayout.xml.j2 @@ -0,0 +1,30 @@ + + + + + +{% for startlayout in startlayout_start %} + +{% for item in startlayout.icons %} + +{% endfor %} + +{% endfor %} + + + + + + +{% for tasklayout in startlayout_task %} + +{% endfor %} + + + + From 29b153ce9cef36245438fcaf297243785b13fe1e Mon Sep 17 00:00:00 2001 From: Simon Baerlocher Date: Sun, 8 Mar 2020 22:02:15 +0100 Subject: [PATCH 3/3] update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) 
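Review bot: In roles/startlayout/tasks/main.yml, `Import-StartLayout -LayoutPath {{ ansible_env.TEMP }}\\StartLayout.xml` interpolates the path unquoted into a PowerShell command line, so a TEMP directory containing a space or a PowerShell metacharacter splits or alters the command. Quote the path: `win_shell: "Import-StartLayout -LayoutPath '{{ ansible_env.TEMP }}\\StartLayout.xml' -MountPath $env:SystemDrive\\"`. Because the import runs only when the template task reports `changed`, a failed import is not retried on the next run while the file in TEMP is unchanged; a comment noting that, or a check on the registered import result, would help.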
diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a6accb..d898d66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,8 @@ and [human-readable changelog](https://keepachangelog.com/en/1.0.0/). ## master +## 0.0.1 + ### Added - Initial develop