commit 70452823787877b408f4e3eb282f2f6d0cdfda16
Author: Debian
Date: Thu Apr 2 15:34:53 2026 +0200
Initialize with private Repo
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c8d1a2d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+
+#To dos
+
+/To-dos.txt
+
+ansible_deployment/logs/*
+
+ansible_deployment/pass/*
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ae353d9
--- /dev/null
+++ b/README.md
@@ -0,0 +1,255 @@ +# [Einleitung] + +In diesem Repo befindet sich ein Ansible Playbook zum ausrollen von Standartsoftware und Einstellungen zum Initialem einrichten eines Clients. + +# [Ansible] + +Ansible besteht aus 2 Teilen: einem Management und dem Client. Der Manager berechnet Skripte die dann über eine Shell-Session auf dem Client ausgeführt werden. Dieses Projekt ist darauf ausgelegt einzelne Tags manuell auf den Client zu pushen. +Dabei werden die Hostgruppen und Rollen in der Site nacheinander abgearbeitet. +Im Inventory befinden sich die Site-abhänigen Parameter des Deployments. + +Ansible braucht einen Linux oder Mac als Management-Server. Daher ist hier ein Docker-Compose Projekt unter ./ansible_editor hinterlegt dass einen Container mit allem startet was man braucht. Dieser stellt Visual als Weboberffläche bereit um das Playbook von Git zu klonen, an die Site anzupassen und auszuführen. + +## [Win11-Deployment] + +Am einfachsten ist unter Windows11 eine PS-Remote session einzurichten, diese muss Anfangs eingerichtet werden. +Da das cmd-let dafür relativ viel macht hab ich ein PS-Skript hinterlegt dass das wieder rückgänig macht wenn man es nicht mehr braucht. + + + + +# [Deploy Management] +Prerequesites: Docker compose + + cd ansible_editor + docker compose up -d + +Aufrufen: + http://localhost:8080/root + + + +# [Inventory Vorbereiten] + +1. Hosts in Gruppe eintragen (Adresse zu Hosts-Liste zufügen) +2. "ansible_port" eintragen ( auf client: winrm quickconfig -transport:https) +3. Benutzerdaten in Vault eintragen und gegebenenfalls Variablen für Benutzer im Inventory ersetzen + + +## [Verschlüsselte Zugangsdaten anlegen/ändern] + export EDITOR=nano + +Standartpasswort für vault_pass.yml : 2changeme +(Dieses wird beim Ausführen des Playbooks abgefragt) + +Standart im Ansible-Vault (./ansible_deployment/group_vars/all/vault_pass.yml): + + --- + vault_default_domain: . 
+ vault_default_username: user + vault_default_userpass: user123 + +-> Diese Variablen werden im Inventory aufgerufen und zugeordnet + +### [ids] + +Es gibt mehrere Vaults für mehrere Dinge. Der Hauptvault liegt unter /group_vars/all, die anderen in den Rollen die sie benötigen. Dort können z.b. WG-Peers eingepflegt werden. Die secrets für die vaults werden in ./pass in eine textdatei .pass eingetragen + +- Standart-Vault-ID: main (Standart: 2changeme) +- Wireguard-Credentials: wg (Standart: 2changemesecret) + + +### [Ansible-Vault Befehle] + +Neuen Vault anlegen: + + ansible-vault create ./group_vars/all/vault_pass.yml + +Vault entschlüsseln: + + ansible-vault view ./group_vars/all/vault_pass.yml --ask-vault-pass + +Vault bearbeiten: + + ansible-vault edit ./group_vars/all/vault_pass.yml --ask-vault-pass + +Passwort von File ändern: + + ansible-vault rekey ./group_vars/all/vault_pass.yml --ask-vault-pass + + + + +# [Management Terminal] + + git config --global user.name "Name" + git config --global user.email "email +-> oder änderm im Dockerfile für VS-Studio + + + + cd ansible_deployment + export LANG=C.UTF-8 + ansible-playbook -v site.yml + + +## Tags nutzen: + + ansible-playbook --tags tools + + +### Verfügbare Tags für Rollen-Packete: +- system (Systemeinstellungen) +- tools (Standartprogramme installieren) +- office_tools (optional, free office-tools) + + + + + + +# [Win11 Client] + +Als Admin die Poweshell öffnen!!! + +Netzwerk darf nicht Public sein! 
+ + Get-NetConnectionProfile + + Set-NetConnectionProfile -InterfaceAlias "*Ethernet*" -NetworkCategory Private + oder Set-NetConnectionProfile -Name "*Ethernet*" -NetworkCategory Private + + +## Anschalten Powershell-Remotesitzungen: + + Enable-PSRemoting + + +Einstellungen anzeigen(Port rausfinden): + winrm quickconfig -transport:https + + + +## Ausschalten von PS-Remotesession + + +Ausführen als Admin: disable_psremote_script.ps + + +Prüfen: Get-Service WinRM +winrm enumerate winrm/config/listener + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +# Notizen: + +Disable-PSRemoting + Stop-Service WinRM -Force + Set-Service WinRM -StartupType Disabled + + + + +Listener löschen: + winrm delete winrm/config/Listener?Address=*+Transport=HTTP + winrm delete winrm/config/Listener?Address=*+Transport=HTTPS + +Prüfen: + winrm enumerate winrm/config/listener + + + + + Disable-NetFirewallRule -DisplayGroup "Windows Remote Management" +oder löschen: + Get-NetFirewallRule -DisplayGroup "Windows Remote Management" | Remove-NetFirewallRule + +LocalAccountTokenFilterPolicy zurücksetzen + +Das wird von Remoting oft auf 1 gesetzt. 
+ + Set-ItemProperty ` + -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name LocalAccountTokenFilterPolicy ` + -Value 0 + +Oder komplett löschen: + + Remove-ItemProperty ` + -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name LocalAccountTokenFilterPolicy + + Get-PSSessionConfiguration | Unregister-PSSessionConfiguration + + + +time: + + +detect role: +Wert Rolle +0 Standalone Workstation +1 Domain Workstation +2 Standalone Server +3 Member Server +4 Backup DC +5 Primary DC + + + +To:-do: +S-1-5-32-556 +reg add HKLM\Software\WireGuard /v LimitedOperatorUI /t REG_DWORD /d 1 /f + + + + Enter-PSSession -ComputerName 192.168.99.64 -Credential (Get-Credential) + + +/etc/krb5.conf + + [libdefaults] + default_realm = INT.ANSI.INT + dns_lookup_realm = false + dns_lookup_kdc = false + +[realms] + INT.ANSI.INT = { + kdc = 192.168.99.63 + } + +[domain_realm] + .int.ansi.int = INT.ANSI.INT + int.ansi.int = INT.ANSI.INT + + +kinit Administrator@INT.ANSI.INT \ No newline at end of file diff --git a/ansible_deployment/ansible.cfg b/ansible_deployment/ansible.cfg new file mode 100644 index 0000000..4010250 --- /dev/null +++ b/ansible_deployment/ansible.cfg @@ -0,0 +1,4 @@ +[defaults] +inventory = ./inventory.yml +vault_identity_list = wg@./pass/wg.pass,main@./pass/main.pass +log_path = ./logs/ansible.log \ No newline at end of file diff --git a/ansible_deployment/group_vars/all/vault_pass.yml b/ansible_deployment/group_vars/all/vault_pass.yml new file mode 100644 index 0000000..9107545 --- /dev/null +++ b/ansible_deployment/group_vars/all/vault_pass.yml 
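Review bot: `log_path = ./logs/ansible.log` persists every run to disk, and the README in this same commit tells operators to run `ansible-playbook -v site.yml`, so the `cmd` of every `win_shell` task typically lands in a plaintext log that `.gitignore` keeps out of git but not off the management container. No task in this commit templates a vault value into a command, but the WireGuard role referenced from the inventory (`wg_private_key`, not part of this commit) is the obvious place where that will happen; such tasks need `no_log: true`, or the log should be disabled. The `./pass/*.pass` files named in `vault_identity_list` hold the vault passwords in clear; the README should require them to be mode 0600 and they must never be added to the repo.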
@@ -0,0 +1,17 @@ +$ANSIBLE_VAULT;1.1;AES256 +66643239373234383936333931383238636131353736653131626465633863373764343035643362 +3339613237613539346335643939646136306438376136650a623033313736653933373939373733 +36353230666535663236363961313562633032363831353930396664633135613935326236663661 +3836333963313132350a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diff --git a/ansible_deployment/inventory.yml b/ansible_deployment/inventory.yml new file mode 100644 index 0000000..30749aa --- /dev/null +++ b/ansible_deployment/inventory.yml 
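Review bot: This encrypted vault is committed while the README in the same commit documents its password as `2changeme` and its contents as `user`/`user123`, so the ciphertext gives no confidentiality, and once it is rekeyed the old blob stays recoverable from git history. Treat the committed file as a template only: rekey with `ansible-vault rekey` before any real credential is entered, and keep the site's real `vault_pass.yml` out of the repo (ignore it the way `pass/*` already is), or accept that any leaked clone exposes every pre-rekey secret. A comment in the README stating that the shipped vault is a placeholder would make this explicit.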
@@ -0,0 +1,117 @@ +--- + +# Generell + +all: + vars: + + # Ansible-Connection and Credentials + + ansible_connection: winrm + ansible_winrm_transport: ntlm + + ansible_user: '{{ vault_default_domain }}\{{ vault_default_username }}' + username: '{{ vault_default_username }}' + ansible_password: '{{ vault_default_userpass }}' + + # Windows Geo/Language Settings + + windows_language: de-DE + windows_keyboard: 0407:00000407 + windows_geo_id: 94 + + # Windows NTP Settings + + ntp_servers: + - "0.pool.ntp.org" + - "1.pool.ntp.org" + + # Energiesparoptionen + + powermanagement: + power_plan: "High performance" + lid_close_action: 0 # 0 = Do nothing + sleep_timeout_ac: 0 # 0 = Never + sleep_timeout_dc: 0 # 0 = Never + monitor_timeout_ac: 20 # Bildschirm darf ausgehen + monitor_timeout_dc: 10 + + # Windows RDP Settings + + rdp: + rdp_port: 3389 + enable_nla: true + custommember: false + member: + - membername: "" #Group-Name or Account-Name + + + # Windows Tools Uninstall Parameters + + uninstall365: + m365_match_patterns: + - "Microsoft 365" + - "Microsoft Office" + - "Office 365" + - "Microsoft Teams" + - "OneDrive" + + remove_onedrive: true + remove_store_apps: true + remove_click_to_run: true + + m365_log_path: "C:\\Temp\\m365_removal.log" + + reboot_if_required: true + + +# Testdeployment +test_domain_vm_client: + hosts: + test-vm-002.int.ansi.int: + hostname: "test-vm-002.int.ansi.int" + + ansible_port: 5986 + domain_member: true + + ansible_user: '{{ vault_domain_default_domain }}\{{ vault_domain_default_username }}' + username: '{{ vault_domain_default_username }}' + ansible_password: '{{ vault_domain_default_userpass }}' + + local_user: '{{ vault_default_domain }}\{{ vault_default_username }}' + + + wg: + non_admin: false + users: + - username: "" + + private_key: '{{ wg_private_key }}' + address: "10.66.66.13/32,fd42:42:42::13/128" + dns: "192.168.19.244,192.168.19.244" + + wireguard_peers: + - public_key: '{{ wg_p1_public_key }}' + preshared_key: '{{ 
wg_p1_preshared_key }}' + allowed_ips: "172.16.4.0/24" + endpoint: "93.93.202.133:56483" + + +# Client-Gruppen zum Deployen + +notebooks_client: + hosts: + + + + +workstation_client: + hosts: + + + + +# Server-Gruppen zum Deployen + +domainmember_server: + hosts: \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/dns/tasks/main.yml b/ansible_deployment/roles/windows_roles/system_roles/dns/tasks/main.yml new file mode 100644 index 0000000..98f3196 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/dns/tasks/main.yml @@ -0,0 +1,17 @@ +- name: Configure all adapters to use DHCP-assigned DNS values + ansible.windows.win_dns_client: + adapter_names: '*' + dns_servers: [] + +#optional: + +# - name: Set multiple lookup addresses on all visible adapters (usually physical adapters that are in the Up state), with debug logging to a file +# ansible.windows.win_dns_client: +# adapter_names: '*' +# dns_servers: +# - 192.168.34.5 +# - 192.168.34.6 +# suffix_search_list: +# - "corp.contoso.com" +# - "na.corp.contoso.com" +# log_path: C:\dns_log.txt \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/configure.yml b/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/configure.yml new file mode 100644 index 0000000..e64a306 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/configure.yml 
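Review bot: `ansible_winrm_transport: ntlm` on port 5986 only protects the credential if the HTTPS listener's certificate is actually validated, and nothing here sets `ansible_winrm_server_cert_validation`; with the self-signed listener that `winrm quickconfig -transport:https` typically produces, the connection either fails under the default `validate` or, once someone adds `ignore`, lets an on-path attacker relay the NTLM exchange. Pin the listener certificate via `ansible_winrm_ca_trust_path`, or switch to `kerberos`, for which the README already sketches a `krb5.conf`. Separately, the `wg` block publishes a live WireGuard `endpoint` (public IP and port), internal DNS and `allowed_ips` in a file the README describes as the part to be edited in a shared editor container; those belong next to `wg_private_key` in the vault. The `test_domain_vm_client` host also references `vault_domain_default_*` variables that the README's documented vault layout does not contain, so it fails with an undefined variable unless the vault was extended.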
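Review bot: `adapter_names: '*'` with `dns_servers: []` resets DNS on every adapter, which presumably includes the WireGuard tunnel adapter that the inventory's `wg` block configures with its own `dns:` entry, so the next run of the `system` tag would replace the tunnel's resolver with the DHCP-supplied one and name lookups would leave the VPN. Restrict the task to the physical adapter (`adapter_names: 'Ethernet*'`) or exclude the tunnel interface, and gate it with `when: not (domain_member | default(false) | bool)`, since a domain member must keep the DC as its resolver.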
@@ -0,0 +1,40 @@ +--- + +- name: Configure German regional settings for system + win_shell: | + $lang="{{ windows_language }}" + + Set-WinUILanguageOverride -Language $lang + Set-WinSystemLocale $lang + Set-Culture $lang + Set-WinHomeLocation -GeoId {{ windows_geo_id }} + + $list = New-WinUserLanguageList $lang + $list[0].InputMethodTips.Clear() + $list[0].InputMethodTips.Add("{{ windows_keyboard }}") + + Set-WinUserLanguageList $list -Force + register: lang_config + +- name: Configure German language for user {{ username }} + win_shell: | + $lang="{{ windows_language }}" + + $list = New-WinUserLanguageList $lang + $list[0].InputMethodTips.Clear() + $list[0].InputMethodTips.Add("{{ windows_keyboard }}") + + Set-WinUserLanguageList $list -Force + Set-Culture $lang + Set-WinUILanguageOverride -Language $lang + become: yes + become_method: runas + become_user: "{{ username }}" + register: user_lang_config + +- name: Apply language to welcome screen and new users + win_shell: | + Copy-UserInternationalSettingsToSystem ` + -WelcomeScreen $true ` + -NewUser $true + register: welcome_config \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/install.yml b/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/install.yml new file mode 100644 index 0000000..cc2b002 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/install.yml 
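Review bot: The inventory values are pasted straight into the PowerShell source — `$lang="{{ windows_language }}"` and `Set-WinHomeLocation -GeoId {{ windows_geo_id }}` — so a malformed or hostile value in group_vars becomes code run as the administrator and, in the second task, as `{{ username }}` via `runas`. Pass them through the task's `environment:` and read `$env:WINDOWS_LANGUAGE` inside the script, or at least validate them in a preceding `assert` task (`windows_language is match('^[a-z]{2}-[A-Z]{2}$')`). Note also that the `runas` become sets no `ansible_become_password`; as far as I recall Ansible then attempts a passwordless S4U logon that only works under specific privilege conditions, so confirm this actually succeeds for the domain-account case rather than silently running as the connecting admin.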
@@ -0,0 +1,23 @@ +--- +- name: Install German language pack + win_shell: | + $features = @( + "Language.Basic~~~{{ windows_language }}~0.0.1.0", + "Language.Handwriting~~~{{ windows_language }}~0.0.1.0", + "Language.OCR~~~{{ windows_language }}~0.0.1.0", + "Language.Speech~~~{{ windows_language }}~0.0.1.0", + "Language.TextToSpeech~~~{{ windows_language }}~0.0.1.0" + ) + + foreach ($feature in $features) { + $cap = Get-WindowsCapability -Online | + Where-Object Name -like $feature + + if ($cap.State -ne "Installed") { + Add-WindowsCapability -Online -Name $feature + } + } + register: lang_install + become: yes + become_method: runas + become_user: SYSTEM \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/main.yml b/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/main.yml new file mode 100644 index 0000000..0512867 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/main.yml @@ -0,0 +1,25 @@ +--- +- name: Check if German language pack is installed + win_shell: | + $cap = Get-WindowsCapability -Online | + Where-Object { $_.Name -like "Language.Basic~~~{{ windows_language }}*" } + + if ($cap -and $cap.State -eq "installed") { + exit 0 + } else { + exit 1 + } + register: german_installed + changed_when: false + failed_when: false + +- name: Install German language components + import_tasks: install.yml + when: german_installed.rc != 0 + +- name: Configure German system settings + import_tasks: configure.yml + when: german_installed.rc != 0 + +- name: Reboot if required + import_tasks: reboot.yml \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/reboot.yml b/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/reboot.yml new file mode 100644 index 0000000..e9d893e --- /dev/null 
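Review bot: `failed_when: false` on the detection task turns every PowerShell failure (DISM busy, `Get-WindowsCapability` access denied, a WinRM timeout) into `rc != 0`, which the role reads as "not installed" and answers with a language-pack install and a reboot. Check the actual result instead — print `installed`/`missing` and test `german_installed.stdout | trim == 'missing'` — and let genuine errors fail the play. Also worth a comment: `import_tasks` applies the `when` to every imported task, so `lang_install` and friends are registered as skipped results, which is what keeps `reboot.yml` from hitting an undefined variable; the next maintainer who "fixes" this with `include_tasks` will break the reboot condition.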
+++ b/ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/reboot.yml @@ -0,0 +1,10 @@ +--- + +- name: Reboot system if language changes occurred + win_reboot: + reboot_timeout: 1800 + when: > + lang_install.changed or + lang_config.changed or + user_lang_config.changed or + welcome_config.changed \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/hostname/tasks/main.yml b/ansible_deployment/roles/windows_roles/system_roles/hostname/tasks/main.yml new file mode 100644 index 0000000..6c86316 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/hostname/tasks/main.yml @@ -0,0 +1,11 @@ +--- + +- name: Set Windows hostname + ansible.windows.win_hostname: + name: "{{ hostname }}" + register: hostname_result + when: not domain_member | bool + +- name: Reboot if hostname changed + ansible.windows.win_reboot: + when: not domain_member | bool and hostname_result.reboot_required \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/powersaver_off/tasks/main.yml b/ansible_deployment/roles/windows_roles/system_roles/powersaver_off/tasks/main.yml new file mode 100644 index 0000000..b03c5f6 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/powersaver_off/tasks/main.yml 
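Review bot: `domain_member` is defined only for `test-vm-002` in the inventory, so on any host in `notebooks_client`/`workstation_client` the `when: not domain_member | bool` expression errors out with an undefined variable before `win_hostname` runs, and `hostname` is likewise unset there. Default both: `when: not (domain_member | default(false) | bool)` and `name: "{{ hostname | default(inventory_hostname) }}"`. The reboot condition should also tolerate a skipped first task: `hostname_result.reboot_required | default(false)`.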
@@ -0,0 +1,48 @@ +--- +- name: Set power plan to high performance + win_shell: | + powercfg /setactive SCHEME_MIN + +- name: Disable sleep (AC) + win_shell: | + powercfg /change standby-timeout-ac {{ powermanagement.sleep_timeout_ac }} + +- name: Disable sleep (Battery) + win_shell: | + powercfg /change standby-timeout-dc {{ powermanagement.sleep_timeout_dc }} + +- name: Set monitor timeout (AC) + win_shell: | + powercfg /change monitor-timeout-ac {{ powermanagement.monitor_timeout_ac }} + +- name: Set monitor timeout (Battery) + win_shell: | + powercfg /change monitor-timeout-dc {{ powermanagement.monitor_timeout_dc }} + +- name: Set lid close action to do nothing (AC) + win_shell: | + powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION {{ powermanagement.lid_close_action }} + +- name: Set lid close action to do nothing (Battery) + win_shell: | + powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION {{ powermanagement.lid_close_action }} + +- name: Apply power settings + win_shell: | + powercfg /setactive SCHEME_CURRENT + + + + + + + +- name: Disable NIC power saving features + win_shell: | + Get-NetAdapterAdvancedProperty | Where-Object { + $_.DisplayName -match "Energy|EEE" + } | Set-NetAdapterAdvancedProperty -DisplayValue "Disabled" -NoRestart + args: + executable: powershell + + diff --git a/ansible_deployment/roles/windows_roles/system_roles/rdp/tasks/main.yml b/ansible_deployment/roles/windows_roles/system_roles/rdp/tasks/main.yml new file mode 100644 index 0000000..5eb5c09 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/rdp/tasks/main.yml 
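Review bot: Every task here is a `win_shell` without `changed_when`, so the role reports changes on each run and `powercfg /setactive SCHEME_MIN` plus `SCHEME_CURRENT` is executed unconditionally; add `changed_when: false` (or compare against `powercfg /query` first) so the `system` tag stays idempotent. The last task selects advanced properties by `-match "Energy|EEE"` and forces `-DisplayValue "Disabled"`; on adapters where such a property takes other values (`Off`, a numeric level) `Set-NetAdapterAdvancedProperty` throws and fails the host, so filter with `$_.ValidDisplayValues -contains "Disabled"` before setting.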
@@ -0,0 +1,58 @@ +- name: Enable Remote Desktop in registry + ansible.windows.win_regedit: + path: HKLM:\System\CurrentControlSet\Control\Terminal Server + name: fDenyTSConnections + data: 0 + type: dword + +- name: Configure Network Level Authentication + ansible.windows.win_regedit: + path: HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp + name: UserAuthentication + data: "{{ (rdp.enable_nla | default(true)) | ternary(1, 0) }}" + type: dword + +- name: Enable Remote Desktop firewall rule + win_firewall_rule: + name: RemoteDesktop-UserMode-In-TCP + localport: "{{ rdp.rdp_port | default(3389) }}" + action: allow + direction: in + protocol: tcp + state: present + enabled: yes + +- name: Ensure RDP service is running + ansible.windows.win_service: + name: TermService + start_mode: auto + state: started + + +- name: Get all local groups + ansible.windows.win_shell: Get-LocalGroup | Select-Object -ExpandProperty Name + register: local_groups + changed_when: false + +- name: Find Remote Desktop Users group (eng/de) + set_fact: + rdp_group_name: "{{ local_groups.stdout_lines | select('match','(?i)Remote.*Desktop.*Users|Remotedesktopbenutzer') | first }}" + changed_when: false + +- name: Add my user to RDP access + ansible.windows.win_group_membership: + name: "{{ rdp_group_name }}" + members: + - "{{ local_user }}" # hier die Gruppe, die RDP-Zugang bekommen soll + state: present + +- name: Add my custom group to RDP access + ansible.windows.win_group_membership: + name: "{{ rdp_group_name }}" + members: + - "{{ item.membername }}" # hier die Gruppe, die RDP-Zugang bekommen soll + state: present + when: rdp.custommember == true + loop: "{{ rdp.member }}" + loop_control: + loop_var: item diff --git a/ansible_deployment/roles/windows_roles/system_roles/time/defaults/main.yml b/ansible_deployment/roles/windows_roles/system_roles/time/defaults/main.yml new file mode 100644 index 0000000..a9f0d9a --- /dev/null 
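Review bot: The firewall rule is opened on `rdp.rdp_port`, but the listener itself is never moved off 3389 — the `PortNumber` value under `…\WinStations\RDP-Tcp` is not written — so a non-default `rdp_port` opens an unused port and leaves RDP unreachable; either set `PortNumber` next to `UserAuthentication` or drop the variable. The rule also carries no `remoteip`/`profiles` scope, which exposes RDP on every interface and network profile; constrain it to the management subnet or the WireGuard range from the inventory. Consider writing `SecurityLayer = 2` (TLS only) alongside the NLA value, and note that `local_user` is defined only on the test host, so the `Add my user to RDP access` task fails elsewhere with an undefined variable.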
+++ b/ansible_deployment/roles/windows_roles/system_roles/time/defaults/main.yml @@ -0,0 +1,4 @@ +--- + + +ntp_type: "NTP" \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/time/handlers/main.yml b/ansible_deployment/roles/windows_roles/system_roles/time/handlers/main.yml new file mode 100644 index 0000000..dd59943 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/time/handlers/main.yml @@ -0,0 +1,14 @@ +--- + +- name: restart time service + win_service: + name: w32time + state: restarted + +- name: restart time service + win_service: + name: w32time + state: restarted + +- name: force resync + win_shell: w32tm /resync \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_domain_controller.yml b/ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_domain_controller.yml new file mode 100644 index 0000000..6aa7389 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_domain_controller.yml @@ -0,0 +1,10 @@ +--- + +- name: Build NTP server string + set_fact: + ntp_server_string: "{{ ntp_servers | join(',') }}" + +- name: Configure DC NTP servers + win_shell: | + w32tm /config /manualpeerlist:"{{ ntp_server_string }}" /syncfromflags:manual /reliable:yes /update + notify: restart time service \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_domain_member.yml b/ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_domain_member.yml new file mode 100644 index 0000000..1569c12 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_domain_member.yml 
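Review bot: `restart time service` is declared twice; Ansible keeps only the last definition, which is harmless here but hides the duplicate, and `force resync` is never notified by any task in this commit, so a configuration change restarts w32time without forcing a resync. Remove the duplicate and have the configure tasks notify both handlers, or give both a shared `listen: time changed` and notify that.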
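Review bot: `/manualpeerlist … /syncfromflags:manual /reliable:yes` is applied to every host whose role is 4 or 5 (see `time/tasks/main.yml`), i.e. to backup DCs as well, which takes them out of the domain time hierarchy and lets DCs drift from each other — and Kerberos, which this commit relies on elsewhere, tolerates only a few minutes of skew. Only the PDC emulator should sync against external peers; other DCs should use `/syncfromflags:domhier /reliable:no`. Detect the PDCe (`(Get-ADDomain).PDCEmulator -eq $env:COMPUTERNAME`) before choosing this branch, and add `changed_when: false` or a query-before-write so the task is idempotent.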
@@ -0,0 +1,10 @@ +--- + +- name: Set timezone + win_timezone: + timezone: "W. Europe Standard Time" + +- name: Configure time sync from domain hierarchy + win_shell: | + w32tm /config /syncfromflags:domhier /update + notify: restart time service \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_standalone.yml b/ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_standalone.yml new file mode 100644 index 0000000..3c3ad5b --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_standalone.yml @@ -0,0 +1,28 @@ +--- + +- name: Set timezone + win_timezone: + timezone: "W. Europe Standard Time" + + + +- name: Build NTP server string + set_fact: + ntp_server_string: "{{ ntp_servers | join(',') }}" + +- name: Configure NTP servers + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters + name: NtpServer + data: "{{ ntp_server_string }}" + type: string + notify: restart time service + +- name: Set sync type + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters + name: Type + data: NTP + type: string + notify: restart time service + diff --git a/ansible_deployment/roles/windows_roles/system_roles/time/tasks/detect_role.yml b/ansible_deployment/roles/windows_roles/system_roles/time/tasks/detect_role.yml new file mode 100644 index 0000000..7572f06 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/time/tasks/detect_role.yml @@ -0,0 +1,13 @@ +--- + +- name: Detect Windows domain role + win_shell: | + (Get-CimInstance Win32_ComputerSystem).DomainRole + register: domain_role + changed_when: false + +- name: Set role fact + set_fact: + windows_domain_role: "{{ domain_role.stdout | int }}" + changed_when: false + 
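Review bot: `NtpServer` is written as a bare comma-separated list (`0.pool.ntp.org,1.pool.ntp.org`), without the per-peer flags Windows expects (e.g. `0.pool.ntp.org,0x9`); without the `0x8` client-mode flag w32time uses symmetric-active mode, which public pool servers may ignore, so the host can end up never syncing. Build the string as `{{ ntp_servers | map('regex_replace', '$', ',0x9') | join(' ') }}` — note W32Time separates peers with spaces, not commas — or use `w32tm /config /manualpeerlist:"…" /syncfromflags:manual /update` as the DC task does, which keeps the two code paths consistent.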
diff --git a/ansible_deployment/roles/windows_roles/system_roles/time/tasks/main.yml b/ansible_deployment/roles/windows_roles/system_roles/time/tasks/main.yml new file mode 100644 index 0000000..04bbb4f --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/time/tasks/main.yml @@ -0,0 +1,16 @@ +--- + +- name: Detect Windows domain role + include_tasks: detect_role.yml + +- name: Configure NTP for domain controller + include_tasks: configure_domain_controller.yml + when: windows_domain_role | int in [4,5] + +- name: Configure NTP for domain member + include_tasks: configure_domain_member.yml + when: windows_domain_role | int in [1,3] + +- name: Configure NTP for standalone host + include_tasks: configure_standalone.yml + when: windows_domain_role | trim == "0" diff --git a/ansible_deployment/roles/windows_roles/system_roles/updates/tasks/main.yml b/ansible_deployment/roles/windows_roles/system_roles/updates/tasks/main.yml new file mode 100644 index 0000000..9ab4209 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/system_roles/updates/tasks/main.yml @@ -0,0 +1,19 @@ +--- +- name: Install Windows updates until system is fully patched + ansible.windows.win_updates: + category_names: + - SecurityUpdates + - CriticalUpdates + - UpdateRollups + - Updates + - DefinitionUpdates + - ServicePacks + - Drivers + - FeaturePacks + - Tools + - Connectors + - Application + - Guidance + state: installed + reboot: true + reboot_timeout: 900 diff --git a/ansible_deployment/roles/windows_roles/tools_roles/7zip/files/7z2600-x64.msi b/ansible_deployment/roles/windows_roles/tools_roles/7zip/files/7z2600-x64.msi new file mode 100644 index 0000000..952703b Binary files /dev/null and b/ansible_deployment/roles/windows_roles/tools_roles/7zip/files/7z2600-x64.msi differ diff --git a/ansible_deployment/roles/windows_roles/tools_roles/7zip/tasks/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/7zip/tasks/main.yml new file mode 100644 index 0000000..876d622 
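Review bot: The three conditions compare `windows_domain_role` inconsistently — `| int in [4,5]`, `| int in [1,3]`, then `| trim == "0"` — and whether `set_fact` in `detect_role.yml` stores the value as an int or a string depends on the Jinja native-type setting, so the last comparison works by accident; use `| int == 0` for all three. `changed_when: false` on a `set_fact` is ignored and can be dropped.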
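Review bot: Including `Drivers` and `FeaturePacks` in `category_names` with `reboot: true` lets the initial rollout pull vendor drivers and feature upgrades and reboot as often as needed with only a 900-second budget per reboot, which a feature update on a notebook can easily exceed and then fails the play mid-upgrade. Trim the list to `SecurityUpdates`, `CriticalUpdates`, `UpdateRollups` and `DefinitionUpdates` for the initial deployment and raise `reboot_timeout`, or at least keep `Drivers` behind a `reject_list`.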
--- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/7zip/tasks/main.yml @@ -0,0 +1,56 @@ +--- +- name: Check if 7-Zip is installed + win_shell: | + $paths = @( + "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", + "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" + ) + + $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue | + Where-Object { $_.DisplayName -like "*7-Zip*" } + + if ($app) { Write-Output "installed" } + register: sevenzip_installed + changed_when: false + + +- name: Ensure temp directory exists + win_file: + path: C:\temp + state: directory + when: sevenzip_installed.stdout | trim != "installed" + + +- name: Ensure temp directory exists + win_file: + path: C:\temp\setup + state: directory + when: sevenzip_installed.stdout | trim != "installed" + + + +- name: Copy MSI installer to Windows host + win_copy: + src: 7z2600-x64.msi + dest: C:\temp\setup\7z.msi + force: yes + when: sevenzip_installed.stdout | trim != "installed" + + +- name: Ensure 7-Zip is installed through win_package + win_package: + path: C:\temp\setup\7z.msi + state: present + when: sevenzip_installed.stdout | trim != "installed" + +# - name: Ensure 7-Zip is not installed through win_package +# win_package: +# path: C:\temp\7z.msi +# state: absent + +- name: Ensure setup directory is deleted + win_file: + path: C:\temp\setup + state: absent + + diff --git a/ansible_deployment/roles/windows_roles/tools_roles/browser/files/Firefox_Setup_148.0.msi b/ansible_deployment/roles/windows_roles/tools_roles/browser/files/Firefox_Setup_148.0.msi new file mode 100644 index 0000000..5af409c Binary files /dev/null and b/ansible_deployment/roles/windows_roles/tools_roles/browser/files/Firefox_Setup_148.0.msi differ 
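Review bot: The installer is staged under `C:\temp\setup` and then run by `win_package` without any integrity check, so whatever sits at `C:\temp\setup\7z.msi` at install time is executed by the Windows Installer service as SYSTEM. By default Authenticated Users may create folders under `C:\`, so if `C:\temp` already exists and is owned by an unprivileged local user (the `win_file` tasks are no-ops on an existing directory), that user can replace the MSI between the copy and the install, turning this role into a local privilege escalation. Stage into `win_tempfile` or an admin-only directory instead, and verify the copied file against a pinned SHA-256 (stored in the role's `defaults/main.yml`) or its Authenticode signature before `win_package`; the same pattern applies to every other `tools_roles` role in this commit.
```yaml
- name: Verify staged installer before it is executed as SYSTEM
  win_stat:
    path: C:\temp\setup\7z.msi
    get_checksum: yes
    checksum_algorithm: sha256
  register: sevenzip_msi
  when: sevenzip_installed.stdout | trim != "installed"

- name: Abort if the staged MSI does not match the pinned hash
  assert:
    that: sevenzip_msi.stat.checksum == sevenzip_msi_sha256
    fail_msg: "7z.msi checksum mismatch - refusing to install"
  when: sevenzip_installed.stdout | trim != "installed"

# … unchanged: Ensure 7-Zip is installed through win_package …
```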
diff --git a/ansible_deployment/roles/windows_roles/tools_roles/browser/files/googlechromestandaloneenterprise64.msi b/ansible_deployment/roles/windows_roles/tools_roles/browser/files/googlechromestandaloneenterprise64.msi new file mode 100644 index 0000000..873eac4 Binary files /dev/null and b/ansible_deployment/roles/windows_roles/tools_roles/browser/files/googlechromestandaloneenterprise64.msi differ diff --git a/ansible_deployment/roles/windows_roles/tools_roles/browser/tasks/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/browser/tasks/main.yml new file mode 100644 index 0000000..276316e --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/browser/tasks/main.yml 
@@ -0,0 +1,59 @@ +--- +- name: Check if Firefox is installed + win_shell: | + $paths = @( + "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", + "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" + ) + + $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue | + Where-Object { $_.DisplayName -like "*Firefox*" } + + if ($app) { Write-Output "installed" } + register: browser_installed + changed_when: false + + + +- name: Ensure temp directory exists + win_file: + path: C:\temp + state: directory + when: browser_installed.stdout | trim != "installed" + + +- name: Ensure temp directory exists + win_file: + path: C:\temp\setup + state: directory + when: browser_installed.stdout | trim != "installed" + + + +- name: Copy MSI installer to Windows host + win_copy: + src: "{{ item }}" + dest: C:\temp\setup\{{ item }} + force: yes + with_items: + - Firefox_Setup_148.0.msi + - googlechromestandaloneenterprise64.msi + when: browser_installed.stdout | trim != "installed" + + +- name: Ensure Browser is installed through win_package + win_package: + path: C:\temp\setup\{{ item }} + state: present + with_items: + - Firefox_Setup_148.0.msi + - googlechromestandaloneenterprise64.msi + when: browser_installed.stdout | trim != "installed" + + +- name: Ensure setup directory is deleted + win_file: + path: C:\temp\setup + state: absent + + diff --git a/ansible_deployment/roles/windows_roles/tools_roles/keypass/files/KeePassXC-2.7.12-Win64.msi b/ansible_deployment/roles/windows_roles/tools_roles/keypass/files/KeePassXC-2.7.12-Win64.msi new file mode 100644 index 0000000..cd0192d Binary files /dev/null and b/ansible_deployment/roles/windows_roles/tools_roles/keypass/files/KeePassXC-2.7.12-Win64.msi differ diff --git a/ansible_deployment/roles/windows_roles/tools_roles/keypass/tasks/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/keypass/tasks/main.yml new file mode 100644 index 0000000..a827205 --- /dev/null 
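Review bot: The detection task only looks for `*Firefox*`, yet the same condition gates copying and installing both `Firefox_Setup_148.0.msi` and `googlechromestandaloneenterprise64.msi`, so a host that already has Firefox never receives Chrome and a host with Chrome but no Firefox re-runs the Chrome MSI on every play. Detect each product separately (one registered fact per MSI, or a loop over `{name, pattern}` pairs) and condition each install on its own result. As in the 7-Zip role, the MSIs staged under `C:\temp\setup` are executed as SYSTEM without a checksum or signature check.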
+++ b/ansible_deployment/roles/windows_roles/tools_roles/keypass/tasks/main.yml @@ -0,0 +1,50 @@ +--- +- name: Check if keypass is installed + win_shell: | + $paths = @( + "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", + "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" + ) + + $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue | + Where-Object { $_.DisplayName -like "*keypass*" } + + if ($app) { Write-Output "installed" } + register: keypass_installed + changed_when: false + + +- name: Ensure temp directory exists + win_file: + path: C:\temp + state: directory + when: keypass_installed.stdout | trim != "installed" + + +- name: Ensure temp directory exists + win_file: + path: C:\temp\setup + state: directory + when: keypass_installed.stdout | trim != "installed" + + +- name: Copy MSI installer to Windows host + win_copy: + src: KeePassXC-2.7.12-Win64.msi + dest: C:\temp\setup\keypass.msi + force: yes + when: keypass_installed.stdout | trim != "installed" + + +- name: Ensure keypass is installed through win_package + win_package: + path: C:\temp\setup\keypass.msi + state: present + when: keypass_installed.stdout | trim != "installed" + +- name: Ensure setup directory is deleted + win_file: + path: C:\temp\setup + state: absent + + diff --git a/ansible_deployment/roles/windows_roles/tools_roles/libre/files/LibreOffice_26.2.1_Win_x86-64.msi b/ansible_deployment/roles/windows_roles/tools_roles/libre/files/LibreOffice_26.2.1_Win_x86-64.msi new file mode 100644 index 0000000..4c79fd2 Binary files /dev/null and b/ansible_deployment/roles/windows_roles/tools_roles/libre/files/LibreOffice_26.2.1_Win_x86-64.msi differ diff --git a/ansible_deployment/roles/windows_roles/tools_roles/libre/tasks/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/libre/tasks/main.yml new file mode 100644 index 0000000..034653a --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/libre/tasks/main.yml 
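Review bot: The detection pattern `*keypass*` cannot match the product being installed — the MSI is KeePassXC, and neither "KeePassXC" nor "KeePass" contains the substring `keypass` even case-insensitively — so `keypass_installed.stdout` is always empty and the installer is copied and re-run on every play. Change the filter to `Where-Object { $_.DisplayName -like "*KeePassXC*" }` and ideally rename the role to match. As in the other tools roles, the staged MSI is installed as SYSTEM without an integrity check.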
@@ -0,0 +1,54 @@ +--- +- name: Check if LibreOffice is installed + win_shell: | + $paths = @( + "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", + "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" + ) + + $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue | + Where-Object { $_.DisplayName -like "*LibreOffice*" } + + if ($app) { Write-Output "installed" } + register: libre_installed + changed_when: false + + + + + +- name: Ensure temp directory exists + win_file: + path: C:\temp + state: directory + when: libre_installed.stdout | trim != "installed" + + +- name: Ensure temp directory exists + win_file: + path: C:\temp\setup + state: directory + when: libre_installed.stdout | trim != "installed" + + + +- name: Copy MSI installer to Windows host + win_copy: + src: LibreOffice_26.2.1_Win_x86-64.msi + dest: C:\temp\setup\libre.msi + force: yes + when: libre_installed.stdout | trim != "installed" + + +- name: Ensure Libre Office is installed through win_package + win_package: + path: C:\temp\setup\libre.msi + state: present + when: libre_installed.stdout | trim != "installed" + +- name: Ensure setup directory is deleted + win_file: + path: C:\temp\setup + state: absent + + diff --git a/ansible_deployment/roles/windows_roles/tools_roles/pdf24/files/pdf24-creator-11.29.1-x64.msi b/ansible_deployment/roles/windows_roles/tools_roles/pdf24/files/pdf24-creator-11.29.1-x64.msi new file mode 100644 index 0000000..f366279 Binary files /dev/null and b/ansible_deployment/roles/windows_roles/tools_roles/pdf24/files/pdf24-creator-11.29.1-x64.msi differ diff --git a/ansible_deployment/roles/windows_roles/tools_roles/pdf24/tasks/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/pdf24/tasks/main.yml new file mode 100644 index 0000000..464d867 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/pdf24/tasks/main.yml 
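Review bot: The check matches any `*LibreOffice*` entry, so a host with an older LibreOffice is skipped and keeps that version while `LibreOffice_26.2.1_Win_x86-64.msi` is what the repo ships; if the intent is a patched baseline, compare `DisplayVersion` against the bundled version (or let `win_package` with `product_id` perform the upgrade). Vendoring the installer as a git binary also means it is never re-verified against the upstream checksum; a `win_get_url` with `checksum:` from an internal mirror would keep the pin explicit and the repo small.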
@@ -0,0 +1,50 @@ +--- +- name: Check if pdf24 is installed + win_shell: | + $paths = @( + "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", + "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" + ) + + $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue | + Where-Object { $_.DisplayName -like "*pdf24*" } + + if ($app) { Write-Output "installed" } + register: pdf24_installed + changed_when: false + + +- name: Ensure temp directory exists + win_file: + path: C:\temp + state: directory + when: pdf24_installed.stdout | trim != "installed" + + +- name: Ensure temp directory exists + win_file: + path: C:\temp\setup + state: directory + when: pdf24_installed.stdout | trim != "installed" + + +- name: Copy MSI installer to Windows host + win_copy: + src: pdf24-creator-11.29.1-x64.msi + dest: C:\temp\setup\pdf24.msi + force: yes + when: pdf24_installed.stdout | trim != "installed" + + +- name: Ensure PDF24 is installed through win_package + win_package: + path: C:\temp\setup\pdf24.msi + state: present + when: pdf24_installed.stdout | trim != "installed" + +- name: Ensure setup directory is deleted + win_file: + path: C:\temp\setup + state: absent + + diff --git a/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/files/rustdesk-1.4.6-x86_64.msi b/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/files/rustdesk-1.4.6-x86_64.msi new file mode 100644 index 0000000..a59e812 Binary files /dev/null and b/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/files/rustdesk-1.4.6-x86_64.msi differ diff --git a/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/handlers/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/handlers/main.yml new file mode 100644 index 0000000..734ae62 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/handlers/main.yml 
@@ -0,0 +1,8 @@ +--- + +# Handler zum Neustarten des RustDesk-Dienstes +- name: Restart RustDesk service + win_service: + name: RustDesk # Name des Windows-Dienstes + state: restarted + diff --git a/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/tasks/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/tasks/main.yml new file mode 100644 index 0000000..79d2ead --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/tasks/main.yml 
@@ -0,0 +1,162 @@ +--- +- name: Check if Rustdesk is installed + win_shell: | + $paths = @( + "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", + "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" + ) + + $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue | + Where-Object { $_.DisplayName -like "*rustdesk*" } + + if ($app) { Write-Output "installed" } + register: rustdesk_installed + changed_when: false + + + + + + +- name: Ensure temp directory exists + win_file: + path: C:\temp + state: directory + when: rustdesk_installed.stdout | trim != "installed" + +- name: Ensure setup directory exists + win_file: + path: C:\temp\setup + state: directory + when: rustdesk_installed.stdout | trim != "installed" + + + + + + +- name: Copy rustdesk MSI installer to Windows host + win_copy: + src: rustdesk-1.4.6-x86_64.msi + dest: C:\temp\setup\rustdesk.msi + force: yes + when: rustdesk_installed.stdout | trim != "installed" + + +- name: Ensure rustdesk is installed through win_package + win_package: + path: C:\temp\setup\rustdesk.msi + state: present + when: rustdesk_installed.stdout | trim != "installed" + + + + + + +- name: Ensure RustDesk service is enabled + win_service: + name: RustDesk + state: started + start_mode: auto + changed_when: false + + + + + +- name: Start RustDesk application + win_shell: | + Start-Process "C:\Program Files\RustDesk\rustdesk.exe" + args: + executable: powershell + become: yes + become_method: runas + become_user: "{{ username }}" + changed_when: false + +- name: Wait until RustDesk process is running + win_wait_for_process: + process_name_pattern: rustdesk + state: present + timeout: 30 + become: yes + become_method: runas + become_user: "{{ username }}" + changed_when: false + + + + + +# - name: Start RustDesk interactively in user context +# win_shell: | +# schtasks /create /tn "StartRustDesk" /tr '"C:\Program Files\RustDesk\RustDesk.exe"' /sc once /st 00:00 /rl highest /f /ru "{{ 
rustdesk.rustdesk_user }}" /rp "{{ rustdesk.rustdesk_user_password }}" +# schtasks /run /tn "StartRustDesk" +# schtasks /delete /tn "StartRustDesk" /f +# args: +# executable: powershell.exe +# when: rustdesk_installed.stdout | trim != "installed" + +- name: Wait until RustDesk processes are there + win_wait_for_process: + process_name_pattern: rustdesk + state: present + timeout: 30 + changed_when: false + +- name: Copy/Check RustDesk config template + win_template: + src: RustDesk2.toml + dest: C:\Users\{{ username }}\AppData\Roaming\RustDesk\config\RustDesk2.toml + register: rustdesk_template_check + when: not domain_member | bool + +- name: Stop RustDesk service + win_service: + name: RustDesk + state: stopped + start_mode: disabled + when: rustdesk_template_check.changed + +- name: Stop RustDesk process if running + win_shell: | + if (Get-Process rustdesk -ErrorAction SilentlyContinue) { + Stop-Process -Name rustdesk -Force + } + when: rustdesk_template_check.changed + + +- name: Wait until RustDesk processes are gone + win_wait_for_process: + process_name_pattern: rustdesk + state: absent + timeout: 30 + when: rustdesk_template_check.changed + + +- name: Copy RustDesk config template + win_template: + src: RustDesk2.toml + dest: C:\Users\{{ username }}\AppData\Roaming\RustDesk\config\RustDesk2.toml + notify: Restart RustDesk service + when: rustdesk_template_check.changed + + +- name: Ensure RustDesk service is enabled + win_service: + name: RustDesk + state: started + start_mode: auto + when: rustdesk_template_check.changed + + + + + + + +- name: Ensure setup directory is deleted + win_file: + path: C:\temp\setup + state: absent \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/templates/RustDesk2.toml b/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/templates/RustDesk2.toml new file mode 100644 index 0000000..31ab731 --- /dev/null 
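Review bot: The first "Copy/Check RustDesk config template" task already writes RustDesk2.toml while the service and the user process are running, so the second win_template guarded by `when: rustdesk_template_check.changed` finds nothing to change and its `notify: Restart RustDesk service` never fires; the detection step should run with `check_mode: true` so that only the second copy writes the file after the service has been stopped. The commented-out schtasks block passes `{{ rustdesk.rustdesk_user_password }}` via `/rp` on a command line, where it would show up in process listings and in Ansible's logged command; it is dead code and should be removed rather than kept for later. `changed_when: false` on the first "Ensure RustDesk service is enabled" task also hides a real state change (start mode set to auto) from the play summary. The config path is built on `C:\Users\{{ username }}` and presumably assumes that profile already exists — worth confirming for freshly provisioned hosts.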
+++ b/ansible_deployment/roles/windows_roles/tools_roles/rustdesk/templates/RustDesk2.toml @@ -0,0 +1,12 @@ +rendezvous_server = '93.93.202.41:21116' +serial = '' +unlock_pin = '' +trusted_devices = '' + +[options] +custom-rendezvous-server = '93.93.202.41' +key = 'NEthYaFbhCVTWMj4ZV2elX8Ux2GdYZLb0yTzcTm015E=' +stop-service = 'Y' +relay-server = '93.93.202.41' +av1-test = 'Y' +local-ip-addr = '' diff --git a/ansible_deployment/roles/windows_roles/tools_roles/thunderbird/files/Thunderbird_Setup_148.0.1.msi b/ansible_deployment/roles/windows_roles/tools_roles/thunderbird/files/Thunderbird_Setup_148.0.1.msi new file mode 100644 index 0000000..d877bd2 Binary files /dev/null and b/ansible_deployment/roles/windows_roles/tools_roles/thunderbird/files/Thunderbird_Setup_148.0.1.msi differ diff --git a/ansible_deployment/roles/windows_roles/tools_roles/thunderbird/tasks/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/thunderbird/tasks/main.yml new file mode 100644 index 0000000..be27aaf --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/thunderbird/tasks/main.yml 
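Review bot: The rendezvous/relay address `93.93.202.41` and the server `key` are hard-coded in the template although the README keeps site-dependent parameters in the inventory; turning them into variables (for example a constructed `rustdesk.server` inventory value used as `rendezvous_server = '{{ rustdesk.server }}:21116'`) keeps the role reusable and lets a site rotate its server key without editing the role. As written, every host silently points at one fixed relay that cannot be changed per group. `stop-service = 'Y'` looks like it asks RustDesk to stop its own service, which the tasks in the same role set to started/auto — worth confirming that this combination is intended.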
@@ -0,0 +1,51 @@ +--- +- name: Check if Thunderbird is installed + win_shell: | + $paths = @( + "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", + "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" + ) + + $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue | + Where-Object { $_.DisplayName -like "*Thunderbird*" } + + if ($app) { Write-Output "installed" } + register: thunderbird_installed + changed_when: false + + + +- name: Ensure temp directory exists + win_file: + path: C:\temp + state: directory + when: thunderbird_installed.stdout | trim != "installed" + + +- name: Ensure temp directory exists + win_file: + path: C:\temp\setup + state: directory + when: thunderbird_installed.stdout | trim != "installed" + + +- name: Copy MSI installer to Windows host + win_copy: + src: Thunderbird_Setup_148.0.1.msi + dest: C:\temp\setup\thunderbird.msi + force: yes + when: thunderbird_installed.stdout | trim != "installed" + + +- name: Ensure thunderbird is installed through win_package + win_package: + path: C:\temp\setup\thunderbird.msi + state: present + when: thunderbird_installed.stdout | trim != "installed" + +- name: Ensure setup directory is deleted + win_file: + path: C:\temp\setup + state: absent + + diff --git a/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/cleanup.yml b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/cleanup.yml new file mode 100644 index 0000000..02caf4b --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/cleanup.yml 
@@ -0,0 +1,30 @@ +--- +- name: Remove Store apps (Teams, Office) + win_shell: | + Get-AppxPackage -AllUsers | + Where-Object { + $_.Name -like "*Office*" -or $_.Name -like "*Teams*" + } | Remove-AppxPackage -AllUsers + when: uninstall365.remove_store_apps + args: + executable: powershell + failed_when: false + +- name: Remove OneDrive + win_shell: | + taskkill /f /im OneDrive.exe + %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall + when: uninstall365.remove_onedrive + args: + executable: cmd + failed_when: false + +- name: Remove leftover directories + win_file: + path: "{{ item }}" + state: absent + loop: + - "C:\\Program Files\\Microsoft Office" + - "C:\\Program Files (x86)\\Microsoft Office" + - "C:\\ProgramData\\Microsoft\\Office" + ignore_errors: true \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/detect.yml b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/detect.yml new file mode 100644 index 0000000..5990d1e --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/detect.yml @@ -0,0 +1,34 @@ +--- +- name: Scan registry for installed software + win_shell: | + $patterns = @({{ uninstall365.m365_match_patterns | map('to_json') | join(',') }}) + $results = @() + + foreach ($path in @({{ registry_paths | map('to_json') | join(',') }})) { + if (Test-Path $path) { + Get-ChildItem $path | ForEach-Object { + $disp = $_.GetValue("DisplayName") + $uninstall = $_.GetValue("UninstallString") + + if ($disp) { + foreach ($p in $patterns) { + if ($disp -like "*$p*") { + $results += [PSCustomObject]@{ + Name = $disp + UninstallString = $uninstall + } + } + } + } + } + } + } + + $results | ConvertTo-Json -Compress + args: + executable: powershell + register: m365_detect_raw + +- name: Parse detected apps + set_fact: + m365_installed: "{{ m365_detect_raw.stdout | default('[]') | from_json }}" \ No newline at end of file 
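Review bot: `failed_when: false` on both win_shell tasks and `ignore_errors: true` on the win_file loop discard every failure, so a step that did nothing (for example OneDriveSetup.exe not being at the SysWOW64 path, which is not where every Windows build keeps it) still reports success; register the results and let the uninstall command's exit code surface, e.g. `register: onedrive_remove` with `changed_when: onedrive_remove.rc == 0`. The cmd script runs taskkill and the setup as two lines, so only the last command's rc is visible anyway. Removing "C:\Program Files\Microsoft Office" under `ignore_errors` also hides an access-denied that would otherwise tell you the uninstall left a running process behind.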
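Review bot: The shape of `$results | ConvertTo-Json -Compress` is not stable: with exactly one match PowerShell emits a single object instead of an array, and with no match it emits nothing, so "Parse detected apps" hands `from_json` either a dict or an empty string — and `default('[]')` does not replace an empty string (that needs `default('[]', true)`). `ConvertTo-Json -InputObject @($results) -Compress` keeps the output an array in all three cases. Interpolating `to_json` strings into PowerShell double-quoted literals is also fragile: JSON escapes (`\\`, `\"`) are not PowerShell escapes and a `$` inside a pattern would be expanded by PowerShell; passing the patterns and paths through the task's `environment:` and reading them from `$env:` in the script avoids both problems.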
diff --git a/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/main.yml new file mode 100644 index 0000000..92f9f0c --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/main.yml @@ -0,0 +1,22 @@ +--- +- name: Ensure log directory exists + win_file: + path: C:\Temp + state: directory + +- name: Detect installed M365 products + include_tasks: detect.yml + +- name: Uninstall via registry + include_tasks: uninstall_registry.yml + when: m365_installed | length > 0 + +- name: Remove Click-to-Run installations + include_tasks: uninstall_c2r.yml + when: uninstall365.remove_click_to_run + +- name: Cleanup leftovers + include_tasks: cleanup.yml + +- name: Reboot if required + include_tasks: reboot.yml \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/reboot.yml b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/reboot.yml new file mode 100644 index 0000000..4cd7f24 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/reboot.yml @@ -0,0 +1,17 @@ +--- +- name: Check if reboot is required + win_shell: | + if (Test-Path "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\RebootRequired") { + exit 1 + } else { + exit 0 + } + register: reboot_check + failed_when: reboot_check.rc == 1 + changed_when: reboot_check.rc == 1 + +- name: Reboot system if needed + win_reboot: + msg: "Reboot after M365 removal" + pre_reboot_delay: 10 + when: uninstall365.reboot_if_required and reboot_check.rc == 1 \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/uninstall_c2r.yml b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/uninstall_c2r.yml new file mode 100644 index 0000000..85f202a --- /dev/null 
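Review bot: In reboot.yml, `failed_when: reboot_check.rc == 1` fails the task in exactly the case the script signals with `exit 1` (reboot pending), so the following win_reboot task is never reached; it should read `failed_when: reboot_check.rc not in [0, 1]`. Signalling through the exit code also makes a pending reboot indistinguishable from a genuine script error — printing a marker and testing `stdout` would be clearer. The `\\` in the block scalar reach PowerShell doubled, because YAML literal blocks do not process escapes; confirm the registry provider accepts the doubled separators, or use single backslashes as the other roles do.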
+++ b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/uninstall_c2r.yml @@ -0,0 +1,19 @@ +--- +- name: Check if Click-to-Run exists + win_stat: + path: "{{ click_to_run_exe }}" + register: c2r_stat + +- name: Remove Click-to-Run Office + win_shell: | + "{{ click_to_run_exe }}" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=AllProducts displaylevel=false + when: c2r_stat.stat.exists + args: + executable: cmd + register: c2r_remove + failed_when: false + +- name: Log C2R removal + win_lineinfile: + path: "{{ uninstall365.m365_log_path }}" + line: "Click-to-Run removal executed" \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/uninstall_registry.yml b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/uninstall_registry.yml new file mode 100644 index 0000000..206b2d6 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/uninstall_registry.yml @@ -0,0 +1,25 @@ +--- +- name: Uninstall detected applications + win_shell: | + $apps = {{ m365_installed | to_json }} + + foreach ($app in $apps) { + if ($app.UninstallString) { + $cmd = $app.UninstallString + + if ($cmd -notmatch "/quiet") { + $cmd += " /quiet /norestart" + } + + Start-Process -FilePath "cmd.exe" -ArgumentList "/c $cmd" -Wait + } + } + args: + executable: powershell + register: uninstall_result + failed_when: false + +- name: Log uninstall results + win_lineinfile: + path: "{{ uninstall365.m365_log_path }}" + line: "Registry uninstall executed at {{ ansible_date_time.iso8601 }}" \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/vars/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/vars/main.yml new file mode 100644 index 0000000..193a05e --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/vars/main.yml 
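Review bot: "Log C2R removal" writes "Click-to-Run removal executed" unconditionally — also when the win_stat check skipped the removal and when the command failed (its failure is masked by `failed_when: false`) — so the log file becomes an unreliable audit trail; gate it with `when: c2r_remove is not skipped` and include `rc={{ c2r_remove.rc }}` in the line. The registered `c2r_remove` result is otherwise never looked at, so a failed removal is invisible to the operator.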
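Review bot: In uninstall_registry.yml, `$apps = {{ m365_installed | to_json }}` inserts a JSON document (`[{"Name":...}]`) where PowerShell expects PowerShell syntax; that does not parse as an array of objects, and because the task has `failed_when: false` the parse error is swallowed while the log line still reports "Registry uninstall executed". Feed the JSON through ConvertFrom-Json from a single-quoted here-string instead: `$apps = @'`, `{{ m365_installed | to_json }}`, `'@ | ConvertFrom-Json`. Appending ` /quiet /norestart` presumably only works for msiexec-style uninstall strings; since each UninstallString comes from the registry and is run through `cmd /c` with the connection user's rights, the log should record the exact commands that were executed rather than just "executed".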
@@ -0,0 +1,6 @@ +--- +registry_paths: + - HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall + - HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall + +click_to_run_exe: "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/tools_roles/wireguard/files/wireguard-amd64-0.5.3.msi b/ansible_deployment/roles/windows_roles/tools_roles/wireguard/files/wireguard-amd64-0.5.3.msi new file mode 100644 index 0000000..f97ea54 Binary files /dev/null and b/ansible_deployment/roles/windows_roles/tools_roles/wireguard/files/wireguard-amd64-0.5.3.msi differ diff --git a/ansible_deployment/roles/windows_roles/tools_roles/wireguard/tasks/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/wireguard/tasks/main.yml new file mode 100644 index 0000000..85d3c6b --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/wireguard/tasks/main.yml 
@@ -0,0 +1,67 @@ +--- +- name: Check if wireguard is installed + win_shell: | + $paths = @( + "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", + "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" + ) + + $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue | + Where-Object { $_.DisplayName -like "*wireguard*" } + + if ($app) { Write-Output "installed" } + register: wireguard_installed + changed_when: false + + + +- name: Ensure temp directory exists + win_file: + path: C:\temp + state: directory + when: wireguard_installed.stdout | trim != "installed" + + +- name: Ensure temp directory exists + win_file: + path: C:\temp\setup + state: directory + when: wireguard_installed.stdout | trim != "installed" + + +- name: Copy MSI installer to Windows host + win_copy: + src: wireguard-amd64-0.5.3.msi + dest: C:\temp\setup\wg.msi + force: yes + when: wireguard_installed.stdout | trim != "installed" + + +- name: Ensure wireguard is installed through win_package + win_package: + path: C:\temp\setup\wg.msi + state: present + when: wireguard_installed.stdout | trim != "installed" + +- name: Copy/Check wireguard config template + win_template: + src: wg.conf + dest: C:\Users\{{ username }}\Documents + +- name: Add User to Netzwerkkonfigurationsoperatoren + ansible.windows.win_group_membership: + name: "S-1-5-32-556" + members: + - "{{ item.username }}" + state: present + when: wg.non_admin == true + loop: "{{ wg.users }}" + loop_control: + loop_var: item + +- name: Ensure setup directory is deleted + win_file: + path: C:\temp\setup + state: absent + + diff --git a/ansible_deployment/roles/windows_roles/tools_roles/wireguard/templates/wg.conf b/ansible_deployment/roles/windows_roles/tools_roles/wireguard/templates/wg.conf new file mode 100644 index 0000000..1d2ee58 --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/wireguard/templates/wg.conf 
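Review bot: "Copy/Check wireguard config template" renders wg.conf into `C:\Users\{{ username }}\Documents`, which leaves the WireGuard private key (`PrivateKey = {{ wg.private_key }}` in the template) in plaintext in a user-readable folder for the life of the machine; nothing in the role imports the tunnel or removes the file afterwards, so the key stays exposed to every process running as that user. Either import the tunnel and delete the rendered file in the same play, or render it into a directory with administrator-only ACLs. `dest` is also a directory rather than a file path — confirm win_template appends the source name instead of failing. If `wg` is the role-level vaulted variable from vars/main.yml, every host in the play receives the same private key, which defeats per-peer identity on the server side — presumably it is meant to be overridden per host.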
@@ -0,0 +1,13 @@ +[Interface] +PrivateKey = {{ wg.private_key }} +Address = {{ wg.address }} +DNS = {{ wg.dns }} + +{% for peer in wg.wireguard_peers %} +[Peer] +PublicKey = {{ peer.public_key }} +PreSharedKey = {{ peer.preshared_key }} +AllowedIPs = {{ peer.allowed_ips }} +Endpoint = {{ peer.endpoint }} +PersistentKeepalive = 25 +{% endfor %} \ No newline at end of file diff --git a/ansible_deployment/roles/windows_roles/tools_roles/wireguard/vars/main.yml b/ansible_deployment/roles/windows_roles/tools_roles/wireguard/vars/main.yml new file mode 100644 index 0000000..624922a --- /dev/null +++ b/ansible_deployment/roles/windows_roles/tools_roles/wireguard/vars/main.yml @@ -0,0 +1,15 @@ +$ANSIBLE_VAULT;1.2;AES256;wg +63663332616565356139353765316636313435623339333663373363333964316335323966636538 +3061653236383236383530333131306130613435623032390a616533613632326465653330373861 +33303566363461383763393638663465373162323461336136386339303838336433383436313739 +3736373166353030660a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diff --git a/ansible_deployment/site.yml b/ansible_deployment/site.yml new file mode 100644 index 0000000..9302146 --- /dev/null +++ b/ansible_deployment/site.yml 
@@ -0,0 +1,157 @@ +- name: Generic setups + hosts: all + gather_facts: false + vars_files: + - ./group_vars/all/vault_pass.yml + + + + +# Completely Tested Setup!!! + +- name: specific setups for test-vm + hosts: test_domain_vm_client + gather_facts: false + roles: + - role: windows_roles/system_roles/german_language + tags: + - system + - language + - role: windows_roles/system_roles/hostname + tags: + - system + - hostname + - role: windows_roles/system_roles/dns + tags: + - system + - dns + - role: windows_roles/system_roles/time + tags: + - system + - time + - role: windows_roles/system_roles/powersaver_off + tags: + - system + - powersaver_off + - role: windows_roles/system_roles/rdp + tags: + - system + - rdp + - role: windows_roles/system_roles/updates + tags: + - system + - updates + - role: windows_roles/tools_roles/7zip + tags: + - 7zip + - tools + - role: windows_roles/tools_roles/rustdesk + tags: + - rustdesk + - tools + - role: windows_roles/tools_roles/browser + tags: + - browser + - tools + + + - role: windows_roles/tools_roles/pdf24 + tags: + - pdf + - office_tools + - role: windows_roles/tools_roles/libre + tags: + - office + - office_tools + - role: windows_roles/tools_roles/thunderbird + tags: + - mail + - office_tools + - role: windows_roles/tools_roles/wireguard + tags: + - wg + - tools + - role: windows_roles/tools_roles/keypass + tags: + - passvault + - tools + + + + + + + + + + +# windows notebooks +- name: specific setups for nbk + hosts: notebooks_client + gather_facts: false + roles: + - role: windows_roles/system_roles/german_language + tags: + - system + - language + - role: windows_roles/system_roles/hostname + tags: + - system + - hostname + - role: windows_roles/system_roles/dns + tags: + - system + - dns + - role: windows_roles/system_roles/time + tags: + - system + - time + - role: windows_roles/system_roles/powersaver_off + tags: + - system + - powersaver_off + - role: windows_roles/system_roles/rdp + tags: + - system + - rdp + - 
role: windows_roles/system_roles/updates + tags: + - system + - updates + - role: windows_roles/tools_roles/7zip + tags: + - 7zip + - tools + - role: windows_roles/tools_roles/rustdesk + tags: + - rustdesk + - tools + - role: windows_roles/tools_roles/browser + tags: + - browser + - tools + - role: windows_roles/tools_roles/wireguard + tags: + - wg + - tools + + - role: windows_roles/tools_roles/pdf24 + tags: + - pdf + - office_tools + - role: windows_roles/tools_roles/keypass + tags: + - passvault + - tools + + +# windows workstations +- name: specific setups for wks + hosts: workstation_client + gather_facts: false + + +# windows Domainmember-server +- name: specific setups for Member-Server + hosts: domainmember_server + gather_facts: false \ No newline at end of file diff --git a/disable_psremote_script.ps1 b/disable_psremote_script.ps1 new file mode 100644 index 0000000..7f318ea --- /dev/null +++ b/disable_psremote_script.ps1 
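Review bot: The first play "Generic setups" has no roles or tasks, so it only loads `./group_vars/all/vault_pass.yml` — and `vars_files` is play-scoped, so it does not carry those variables into the later plays; they get them anyway because Ansible loads group_vars/all automatically. The entry is therefore redundant and the empty play can be dropped, or it can host the roles all host groups share (the system_roles list is duplicated verbatim between the test-vm and notebooks plays). The "specific setups for wks" and "Member-Server" plays are likewise empty and do nothing for those hosts, which the "Completely Tested Setup!!!" comment above them may lead a reader to overlook.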
@@ -0,0 +1,32 @@ + +Write-Host "Deaktiviere PowerShell Remoting..." -ForegroundColor Yellow + +# Autostart deaktivieren +Write-Host "Deaktiviere WinRM Autostart..." +Set-Service WinRM -StartupType Disabled + +# WinRM Dienst stoppen +if (Get-Service WinRM -ErrorAction SilentlyContinue) { + Write-Host "Stoppe WinRM Dienst..." + Stop-Service WinRM -Force +} + +# Listener entfernen +Write-Host "Entferne WinRM Listener..." +winrm delete winrm/config/Listener?Address=*+Transport=HTTP 2>$null +winrm delete winrm/config/Listener?Address=*+Transport=HTTPS 2>$null + +# Firewallregeln deaktivieren +Write-Host "Deaktiviere Firewall Regeln..." +Disable-NetFirewallRule -DisplayGroup "Windows Remote Management" + +# LocalAccountTokenFilterPolicy zurücksetzen +Write-Host "Setze LocalAccountTokenFilterPolicy zurück..." +$path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" + +if (Test-Path $path) { + Set-ItemProperty -Path $path -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord +} + +Write-Host "PowerShell Remoting wurde deaktiviert." -ForegroundColor Green +
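Review bot: Every step in this script needs elevation (Set-Service, Stop-Service, winrm delete, Disable-NetFirewallRule, writing under HKLM), but nothing enforces it and no error is stopped on or checked, so an unprivileged run prints the green "wurde deaktiviert" message after each step silently failed; add `#Requires -RunAsAdministrator` at the top and `$ErrorActionPreference = 'Stop'` before the first action so the final message is only reached when remoting was really disabled. The `2>$null` on the two winrm delete calls also hides a listener that could not be removed — check `$LASTEXITCODE` after each. `Set-Service WinRM -StartupType Disabled` runs before the existence check that guards the stop; both belong inside the same `if`.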