Initialize with private Repo

ansible_deployment/roles/windows_roles/system_roles/dns/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: Configure all adapters to use DHCP-assigned DNS values
+  ansible.windows.win_dns_client:
+    adapter_names: '*'
+    dns_servers: []
+
+#optional:
+
+# - name: Set multiple lookup addresses on all visible adapters (usually physical adapters that are in the Up state), with debug logging to a file
+#   ansible.windows.win_dns_client:
+#     adapter_names: '*'
+#     dns_servers:
+#       - 192.168.34.5
+#       - 192.168.34.6
+#     suffix_search_list:
+#       - "corp.contoso.com"
+#       - "na.corp.contoso.com"
+#     log_path: C:\dns_log.txt

ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/configure.yml

@@ -0,0 +1,40 @@
+---
+
+- name: Configure German regional settings for system
+  win_shell: |
+    $lang="{{ windows_language }}"
+
+    Set-WinUILanguageOverride -Language $lang
+    Set-WinSystemLocale $lang
+    Set-Culture $lang
+    Set-WinHomeLocation -GeoId {{ windows_geo_id }}
+
+    $list = New-WinUserLanguageList $lang
+    $list[0].InputMethodTips.Clear()
+    $list[0].InputMethodTips.Add("{{ windows_keyboard }}")
+
+    Set-WinUserLanguageList $list -Force
+  register: lang_config
+
+- name: Configure German language for user {{ username }}
+  win_shell: |
+    $lang="{{ windows_language }}"
+
+    $list = New-WinUserLanguageList $lang
+    $list[0].InputMethodTips.Clear()
+    $list[0].InputMethodTips.Add("{{ windows_keyboard }}")
+
+    Set-WinUserLanguageList $list -Force
+    Set-Culture $lang
+    Set-WinUILanguageOverride -Language $lang
+  become: yes
+  become_method: runas
+  become_user: "{{ username }}"
+  register: user_lang_config
+
+- name: Apply language to welcome screen and new users
+  win_shell: |
+    Copy-UserInternationalSettingsToSystem `
+      -WelcomeScreen $true `
+      -NewUser $true
+  register: welcome_config

ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/install.yml

@@ -0,0 +1,23 @@
+---
+- name: Install German language pack
+  win_shell: |
+    $features = @(
+      "Language.Basic~~~{{ windows_language }}~0.0.1.0",
+      "Language.Handwriting~~~{{ windows_language }}~0.0.1.0",
+      "Language.OCR~~~{{ windows_language }}~0.0.1.0",
+      "Language.Speech~~~{{ windows_language }}~0.0.1.0",
+      "Language.TextToSpeech~~~{{ windows_language }}~0.0.1.0"
+    )
+
+    foreach ($feature in $features) {
+      $cap = Get-WindowsCapability -Online |
+        Where-Object Name -like $feature
+
+      if ($cap.State -ne "Installed") {
+        Add-WindowsCapability -Online -Name $feature
+      }
+    }
+  register: lang_install
+  become: yes
+  become_method: runas
+  become_user: SYSTEM

ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Check if German language pack is installed
+  win_shell: |
+    $cap = Get-WindowsCapability -Online |
+      Where-Object { $_.Name -like "Language.Basic~~~{{ windows_language }}*" }
+
+    if ($cap -and $cap.State -eq "installed") {
+      exit 0
+    } else {
+      exit 1
+    }
+  register: german_installed
+  changed_when: false
+  failed_when: false
+
+- name: Install German language components
+  import_tasks: install.yml
+  when: german_installed.rc != 0
+
+- name: Configure German system settings
+  import_tasks: configure.yml
+  when: german_installed.rc != 0
+
+- name: Reboot if required
+  import_tasks: reboot.yml

ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/reboot.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Reboot system if language changes occurred
+  win_reboot:
+    reboot_timeout: 1800
+  when: >
+    lang_install.changed or
+    lang_config.changed or
+    user_lang_config.changed or
+    welcome_config.changed

ansible_deployment/roles/windows_roles/system_roles/hostname/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Set Windows hostname
+  ansible.windows.win_hostname:
+    name: "{{ hostname }}"
+  register: hostname_result
+  when: not domain_member | bool
+
+- name: Reboot if hostname changed
+  ansible.windows.win_reboot:
+  when: not domain_member | bool and hostname_result.reboot_required

ansible_deployment/roles/windows_roles/system_roles/powersaver_off/tasks/main.yml

@@ -0,0 +1,48 @@
+---
+- name: Set power plan to high performance
+  win_shell: |
+    powercfg /setactive SCHEME_MIN
+
+- name: Disable sleep (AC)
+  win_shell: |
+    powercfg /change standby-timeout-ac {{ powermanagement.sleep_timeout_ac }}
+
+- name: Disable sleep (Battery)
+  win_shell: |
+    powercfg /change standby-timeout-dc {{ powermanagement.sleep_timeout_dc }}
+
+- name: Set monitor timeout (AC)
+  win_shell: |
+    powercfg /change monitor-timeout-ac {{ powermanagement.monitor_timeout_ac }}
+
+- name: Set monitor timeout (Battery)
+  win_shell: |
+    powercfg /change monitor-timeout-dc {{ powermanagement.monitor_timeout_dc }}
+
+- name: Set lid close action to do nothing (AC)
+  win_shell: |
+    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION {{ powermanagement.lid_close_action }}
+
+- name: Set lid close action to do nothing (Battery)
+  win_shell: |
+    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION {{ powermanagement.lid_close_action }}
+
+- name: Apply power settings
+  win_shell: |
+    powercfg /setactive SCHEME_CURRENT
+
+
+
+
+
+
+
+- name: Disable NIC power saving features
+  win_shell: |
+    Get-NetAdapterAdvancedProperty | Where-Object {
+      $_.DisplayName -match "Energy|EEE"
+    } | Set-NetAdapterAdvancedProperty -DisplayValue "Disabled" -NoRestart
+  args:
+    executable: powershell
+
+

ansible_deployment/roles/windows_roles/system_roles/rdp/tasks/main.yml

@@ -0,0 +1,58 @@
+- name: Enable Remote Desktop in registry
+  ansible.windows.win_regedit:
+    path: HKLM:\System\CurrentControlSet\Control\Terminal Server
+    name: fDenyTSConnections
+    data: 0
+    type: dword
+
+- name: Configure Network Level Authentication
+  ansible.windows.win_regedit:
+    path: HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
+    name: UserAuthentication
+    data: "{{ (rdp.enable_nla | default(true)) | ternary(1, 0) }}"
+    type: dword
+
+- name: Enable Remote Desktop firewall rule
+  win_firewall_rule:
+    name: RemoteDesktop-UserMode-In-TCP
+    localport: "{{ rdp.rdp_port | default(3389) }}"
+    action: allow
+    direction: in
+    protocol: tcp
+    state: present
+    enabled: yes
+
+- name: Ensure RDP service is running
+  ansible.windows.win_service:
+    name: TermService
+    start_mode: auto
+    state: started
+
+
+- name: Get all local groups
+  ansible.windows.win_shell: Get-LocalGroup | Select-Object -ExpandProperty Name
+  register: local_groups
+  changed_when: false
+
+- name: Find Remote Desktop Users group (eng/de)
+  set_fact:
+    rdp_group_name: "{{ local_groups.stdout_lines | select('match','(?i)Remote.*Desktop.*Users|Remotedesktopbenutzer') | first }}"
+  changed_when: false
+
+- name: Add my user to RDP access
+  ansible.windows.win_group_membership:
+    name: "{{ rdp_group_name }}"
+    members:
+      - "{{ local_user }}"           # hier die Gruppe, die RDP-Zugang bekommen soll
+    state: present
+
+- name: Add my custom group to RDP access
+  ansible.windows.win_group_membership:
+    name: "{{ rdp_group_name }}"
+    members:
+      - "{{ item.membername }}"           # hier die Gruppe, die RDP-Zugang bekommen soll
+    state: present
+  when: rdp.custommember == true
+  loop: "{{ rdp.member }}"
+  loop_control:
+    loop_var: item

ansible_deployment/roles/windows_roles/system_roles/time/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+
+ntp_type: "NTP"

ansible_deployment/roles/windows_roles/system_roles/time/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+
+- name: restart time service
+  win_service:
+    name: w32time
+    state: restarted
+
+- name: restart time service
+  win_service:
+    name: w32time
+    state: restarted
+
+- name: force resync
+  win_shell: w32tm /resync

ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_domain_controller.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Build NTP server string
+  set_fact:
+    ntp_server_string: "{{ ntp_servers | join(',') }}"
+
+- name: Configure DC NTP servers
+  win_shell: |
+    w32tm /config /manualpeerlist:"{{ ntp_server_string }}" /syncfromflags:manual /reliable:yes /update
+  notify: restart time service

ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_domain_member.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Set timezone
+  win_timezone:
+    timezone: "W. Europe Standard Time"
+
+- name: Configure time sync from domain hierarchy
+  win_shell: |
+    w32tm /config /syncfromflags:domhier /update
+  notify: restart time service

ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_standalone.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Set timezone
+  win_timezone:
+    timezone: "W. Europe Standard Time"
+
+
+
+- name: Build NTP server string
+  set_fact:
+    ntp_server_string: "{{ ntp_servers | join(',') }}"
+
+- name: Configure NTP servers
+  win_regedit:
+    path: HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
+    name: NtpServer
+    data: "{{ ntp_server_string }}"
+    type: string
+  notify: restart time service
+
+- name: Set sync type
+  win_regedit:
+    path: HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
+    name: Type
+    data: NTP
+    type: string
+  notify: restart time service
+

ansible_deployment/roles/windows_roles/system_roles/time/tasks/detect_role.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Detect Windows domain role
+  win_shell: |
+    (Get-CimInstance Win32_ComputerSystem).DomainRole
+  register: domain_role
+  changed_when: false
+
+- name: Set role fact
+  set_fact:
+    windows_domain_role: "{{ domain_role.stdout | int }}"
+  changed_when: false
+

ansible_deployment/roles/windows_roles/system_roles/time/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Detect Windows domain role
+  include_tasks: detect_role.yml
+
+- name: Configure NTP for domain controller
+  include_tasks: configure_domain_controller.yml
+  when: windows_domain_role | int in [4,5]
+
+- name: Configure NTP for domain member
+  include_tasks: configure_domain_member.yml
+  when: windows_domain_role | int in [1,3]
+
+- name: Configure NTP for standalone host
+  include_tasks: configure_standalone.yml
+  when: windows_domain_role | trim == "0"

ansible_deployment/roles/windows_roles/system_roles/updates/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Install Windows updates until system is fully patched
+  ansible.windows.win_updates:
+    category_names:
+      - SecurityUpdates
+      - CriticalUpdates
+      - UpdateRollups
+      - Updates
+      - DefinitionUpdates
+      - ServicePacks
+      - Drivers
+      - FeaturePacks
+      - Tools
+      - Connectors
+      - Application
+      - Guidance
+    state: installed
+    reboot: true
+    reboot_timeout: 900

ansible_deployment/roles/windows_roles/tools_roles/7zip/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+- name: Check if 7-Zip is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*7-Zip*" }
+
+    if ($app) { Write-Output "installed" }
+  register: sevenzip_installed
+  changed_when: false
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: sevenzip_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: sevenzip_installed.stdout | trim != "installed"
+
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: 7z2600-x64.msi
+    dest: C:\temp\setup\7z.msi
+    force: yes
+  when: sevenzip_installed.stdout | trim != "installed"
+
+
+- name: Ensure 7-Zip is installed through win_package
+  win_package:
+    path: C:\temp\setup\7z.msi
+    state: present
+  when: sevenzip_installed.stdout | trim != "installed"
+
+# - name: Ensure 7-Zip is not installed through win_package
+#   win_package:
+#     path: C:\temp\7z.msi
+#     state: absent
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/browser/tasks/main.yml

@@ -0,0 +1,59 @@
+---
+- name: Check if Firefox is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*Firefox*" }
+
+    if ($app) { Write-Output "installed" }
+  register: browser_installed
+  changed_when: false
+
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: browser_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: browser_installed.stdout | trim != "installed"
+
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: "{{ item }}"
+    dest: C:\temp\setup\{{ item }}
+    force: yes
+  with_items:
+    - Firefox_Setup_148.0.msi
+    - googlechromestandaloneenterprise64.msi
+  when: browser_installed.stdout | trim != "installed"
+
+
+- name: Ensure Browser is installed through win_package
+  win_package:
+    path: C:\temp\setup\{{ item }}
+    state: present
+  with_items:
+    - Firefox_Setup_148.0.msi
+    - googlechromestandaloneenterprise64.msi
+  when: browser_installed.stdout | trim != "installed"
+
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/keypass/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+- name: Check if keypass is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*keypass*" }
+
+    if ($app) { Write-Output "installed" }
+  register: keypass_installed
+  changed_when: false
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: keypass_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: keypass_installed.stdout | trim != "installed"
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: KeePassXC-2.7.12-Win64.msi
+    dest: C:\temp\setup\keypass.msi
+    force: yes
+  when: keypass_installed.stdout | trim != "installed"
+
+
+- name: Ensure keypass is installed through win_package
+  win_package:
+    path: C:\temp\setup\keypass.msi
+    state: present
+  when: keypass_installed.stdout | trim != "installed"
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/libre/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+- name: Check if LibreOffice is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*LibreOffice*" }
+
+    if ($app) { Write-Output "installed" }
+  register: libre_installed
+  changed_when: false
+
+
+
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: libre_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: libre_installed.stdout | trim != "installed"
+
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: LibreOffice_26.2.1_Win_x86-64.msi
+    dest: C:\temp\setup\libre.msi
+    force: yes
+  when: libre_installed.stdout | trim != "installed"
+
+
+- name: Ensure Libre Office is installed through win_package
+  win_package:
+    path: C:\temp\setup\libre.msi
+    state: present
+  when: libre_installed.stdout | trim != "installed"
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/pdf24/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+- name: Check if pdf24 is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*pdf24*" }
+
+    if ($app) { Write-Output "installed" }
+  register: pdf24_installed
+  changed_when: false
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: pdf24_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: pdf24_installed.stdout | trim != "installed"
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: pdf24-creator-11.29.1-x64.msi
+    dest: C:\temp\setup\pdf24.msi
+    force: yes
+  when: pdf24_installed.stdout | trim != "installed"
+
+
+- name: Ensure PDF24 is installed through win_package
+  win_package:
+    path: C:\temp\setup\pdf24.msi
+    state: present
+  when: pdf24_installed.stdout | trim != "installed"
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/rustdesk/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+# Handler zum Neustarten des RustDesk-Dienstes
+- name: Restart RustDesk service
+  win_service:
+    name: RustDesk      # Name des Windows-Dienstes
+    state: restarted
+

ansible_deployment/roles/windows_roles/tools_roles/rustdesk/tasks/main.yml

@@ -0,0 +1,162 @@
+---
+- name: Check if Rustdesk is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*rustdesk*" }
+
+    if ($app) { Write-Output "installed" }
+  register: rustdesk_installed
+  changed_when: false
+
+
+
+
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: rustdesk_installed.stdout | trim != "installed"
+
+- name: Ensure setup directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: rustdesk_installed.stdout | trim != "installed"
+
+
+
+
+
+
+- name: Copy rustdesk MSI installer to Windows host
+  win_copy:
+    src: rustdesk-1.4.6-x86_64.msi
+    dest: C:\temp\setup\rustdesk.msi
+    force: yes
+  when: rustdesk_installed.stdout | trim != "installed"
+
+
+- name: Ensure rustdesk is installed through win_package
+  win_package:
+    path: C:\temp\setup\rustdesk.msi
+    state: present
+  when: rustdesk_installed.stdout | trim != "installed"
+
+
+
+
+
+
+- name: Ensure RustDesk service is enabled
+  win_service:
+    name: RustDesk
+    state: started
+    start_mode: auto
+  changed_when: false
+
+
+
+
+
+- name: Start RustDesk application
+  win_shell: |
+    Start-Process "C:\Program Files\RustDesk\rustdesk.exe"
+  args:
+    executable: powershell
+  become: yes
+  become_method: runas
+  become_user: "{{ username }}"
+  changed_when: false
+
+- name: Wait until RustDesk process is running
+  win_wait_for_process:
+    process_name_pattern: rustdesk
+    state: present
+    timeout: 30
+  become: yes
+  become_method: runas
+  become_user: "{{ username }}"
+  changed_when: false
+
+
+
+
+
+# - name: Start RustDesk interactively in user context
+#   win_shell: |
+#     schtasks /create /tn "StartRustDesk" /tr '"C:\Program Files\RustDesk\RustDesk.exe"' /sc once /st 00:00 /rl highest /f /ru "{{ rustdesk.rustdesk_user }}" /rp "{{ rustdesk.rustdesk_user_password }}"
+#     schtasks /run /tn "StartRustDesk"
+#     schtasks /delete /tn "StartRustDesk" /f
+#   args:
+#     executable: powershell.exe
+#   when: rustdesk_installed.stdout | trim != "installed"
+
+- name: Wait until RustDesk processes are there
+  win_wait_for_process:
+    process_name_pattern: rustdesk
+    state: present
+    timeout: 30
+  changed_when: false
+  
+- name: Copy/Check RustDesk config template
+  win_template:
+    src: RustDesk2.toml
+    dest: C:\Users\{{ username }}\AppData\Roaming\RustDesk\config\RustDesk2.toml
+  register: rustdesk_template_check
+  when: not domain_member | bool
+
+- name: Stop RustDesk service
+  win_service:
+    name: RustDesk
+    state: stopped
+    start_mode: disabled
+  when: rustdesk_template_check.changed
+
+- name: Stop RustDesk process if running
+  win_shell: |
+    if (Get-Process rustdesk -ErrorAction SilentlyContinue) {
+        Stop-Process -Name rustdesk -Force
+    }
+  when: rustdesk_template_check.changed
+
+
+- name: Wait until RustDesk processes are gone
+  win_wait_for_process:
+    process_name_pattern: rustdesk
+    state: absent
+    timeout: 30
+  when: rustdesk_template_check.changed
+
+
+- name: Copy RustDesk config template
+  win_template:
+    src: RustDesk2.toml
+    dest: C:\Users\{{ username }}\AppData\Roaming\RustDesk\config\RustDesk2.toml
+  notify: Restart RustDesk service 
+  when: rustdesk_template_check.changed
+
+
+- name: Ensure RustDesk service is enabled
+  win_service:
+    name: RustDesk
+    state: started
+    start_mode: auto
+  when: rustdesk_template_check.changed 
+
+
+
+
+
+
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent

ansible_deployment/roles/windows_roles/tools_roles/rustdesk/templates/RustDesk2.toml

@@ -0,0 +1,12 @@
+rendezvous_server = '93.93.202.41:21116'
+serial = ''
+unlock_pin = ''
+trusted_devices = ''
+
+[options]
+custom-rendezvous-server = '93.93.202.41'
+key = 'NEthYaFbhCVTWMj4ZV2elX8Ux2GdYZLb0yTzcTm015E='
+stop-service = 'Y'
+relay-server = '93.93.202.41'
+av1-test = 'Y'
+local-ip-addr = ''

ansible_deployment/roles/windows_roles/tools_roles/thunderbird/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+- name: Check if Thunderbird is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*Thunderbird*" }
+
+    if ($app) { Write-Output "installed" }
+  register: thunderbird_installed
+  changed_when: false
+
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: thunderbird_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: thunderbird_installed.stdout | trim != "installed"
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: Thunderbird_Setup_148.0.1.msi
+    dest: C:\temp\setup\thunderbird.msi
+    force: yes
+  when: thunderbird_installed.stdout | trim != "installed"
+
+
+- name: Ensure thunderbird is installed through win_package
+  win_package:
+    path: C:\temp\setup\thunderbird.msi
+    state: present
+  when: thunderbird_installed.stdout | trim != "installed"
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/cleanup.yml

@@ -0,0 +1,30 @@
+---
+- name: Remove Store apps (Teams, Office)
+  win_shell: |
+    Get-AppxPackage -AllUsers |
+    Where-Object {
+      $_.Name -like "*Office*" -or $_.Name -like "*Teams*"
+    } | Remove-AppxPackage -AllUsers
+  when: uninstall365.remove_store_apps
+  args:
+    executable: powershell
+  failed_when: false
+
+- name: Remove OneDrive
+  win_shell: |
+    taskkill /f /im OneDrive.exe
+    %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
+  when: uninstall365.remove_onedrive
+  args:
+    executable: cmd
+  failed_when: false
+
+- name: Remove leftover directories
+  win_file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "C:\\Program Files\\Microsoft Office"
+    - "C:\\Program Files (x86)\\Microsoft Office"
+    - "C:\\ProgramData\\Microsoft\\Office"
+  ignore_errors: true

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/detect.yml

@@ -0,0 +1,34 @@
+---
+- name: Scan registry for installed software
+  win_shell: |
+    $patterns = @({{ uninstall365.m365_match_patterns | map('to_json') | join(',') }})
+    $results = @()
+
+    foreach ($path in @({{ registry_paths | map('to_json') | join(',') }})) {
+      if (Test-Path $path) {
+        Get-ChildItem $path | ForEach-Object {
+          $disp = $_.GetValue("DisplayName")
+          $uninstall = $_.GetValue("UninstallString")
+
+          if ($disp) {
+            foreach ($p in $patterns) {
+              if ($disp -like "*$p*") {
+                $results += [PSCustomObject]@{
+                  Name = $disp
+                  UninstallString = $uninstall
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+
+    $results | ConvertTo-Json -Compress
+  args:
+    executable: powershell
+  register: m365_detect_raw
+
+- name: Parse detected apps
+  set_fact:
+    m365_installed: "{{ m365_detect_raw.stdout | default('[]') | from_json }}"

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Ensure log directory exists
+  win_file:
+    path: C:\Temp
+    state: directory
+
+- name: Detect installed M365 products
+  include_tasks: detect.yml
+
+- name: Uninstall via registry
+  include_tasks: uninstall_registry.yml
+  when: m365_installed | length > 0
+
+- name: Remove Click-to-Run installations
+  include_tasks: uninstall_c2r.yml
+  when: uninstall365.remove_click_to_run
+
+- name: Cleanup leftovers
+  include_tasks: cleanup.yml
+
+- name: Reboot if required
+  include_tasks: reboot.yml

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/reboot.yml

@@ -0,0 +1,17 @@
+---
+- name: Check if reboot is required
+  win_shell: |
+    if (Test-Path "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\RebootRequired") {
+      exit 1
+    } else {
+      exit 0
+    }
+  register: reboot_check
+  failed_when: reboot_check.rc == 1
+  changed_when: reboot_check.rc == 1
+
+- name: Reboot system if needed
+  win_reboot:
+    msg: "Reboot after M365 removal"
+    pre_reboot_delay: 10
+  when: uninstall365.reboot_if_required and reboot_check.rc == 1

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/uninstall_c2r.yml

@@ -0,0 +1,19 @@
+---
+- name: Check if Click-to-Run exists
+  win_stat:
+    path: "{{ click_to_run_exe }}"
+  register: c2r_stat
+
+- name: Remove Click-to-Run Office
+  win_shell: |
+    "{{ click_to_run_exe }}" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=AllProducts displaylevel=false
+  when: c2r_stat.stat.exists
+  args:
+    executable: cmd
+  register: c2r_remove
+  failed_when: false
+
+- name: Log C2R removal
+  win_lineinfile:
+    path: "{{ uninstall365.m365_log_path }}"
+    line: "Click-to-Run removal executed"

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/uninstall_registry.yml

@@ -0,0 +1,25 @@
+---
+- name: Uninstall detected applications
+  win_shell: |
+    $apps = {{ m365_installed | to_json }}
+
+    foreach ($app in $apps) {
+      if ($app.UninstallString) {
+        $cmd = $app.UninstallString
+
+        if ($cmd -notmatch "/quiet") {
+          $cmd += " /quiet /norestart"
+        }
+
+        Start-Process -FilePath "cmd.exe" -ArgumentList "/c $cmd" -Wait
+      }
+    }
+  args:
+    executable: powershell
+  register: uninstall_result
+  failed_when: false
+
+- name: Log uninstall results
+  win_lineinfile:
+    path: "{{ uninstall365.m365_log_path }}"
+    line: "Registry uninstall executed at {{ ansible_date_time.iso8601 }}"

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/vars/main.yml

@@ -0,0 +1,6 @@
+---
+registry_paths:
+  - HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall
+  - HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
+
+click_to_run_exe: "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe"

ansible_deployment/roles/windows_roles/tools_roles/wireguard/tasks/main.yml

@@ -0,0 +1,67 @@
+---
+- name: Check if wireguard is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*wireguard*" }
+
+    if ($app) { Write-Output "installed" }
+  register: wireguard_installed
+  changed_when: false
+
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: wireguard_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: wireguard_installed.stdout | trim != "installed"
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: wireguard-amd64-0.5.3.msi
+    dest: C:\temp\setup\wg.msi
+    force: yes
+  when: wireguard_installed.stdout | trim != "installed"
+
+
+- name: Ensure wireguard is installed through win_package
+  win_package:
+    path: C:\temp\setup\wg.msi
+    state: present
+  when: wireguard_installed.stdout | trim != "installed"
+
+- name: Copy/Check wireguard config template
+  win_template:
+    src: wg.conf
+    dest: C:\Users\{{ username }}\Documents
+
+- name: Add User to Netzwerkkonfigurationsoperatoren
+  ansible.windows.win_group_membership:
+    name: "S-1-5-32-556"
+    members:
+      - "{{ item.username }}"
+    state: present
+  when: wg.non_admin == true
+  loop: "{{ wg.users }}"
+  loop_control:
+    loop_var: item
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/wireguard/templates/wg.conf

@@ -0,0 +1,13 @@
+[Interface]
+PrivateKey = {{ wg.private_key }}
+Address = {{ wg.address }}
+DNS = {{ wg.dns }}
+
+{% for peer in wg.wireguard_peers %}
+[Peer]
+PublicKey = {{ peer.public_key }}
+PreSharedKey = {{ peer.preshared_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+Endpoint = {{ peer.endpoint }}
+PersistentKeepalive = 25
+{% endfor %}

ansible_deployment/roles/windows_roles/tools_roles/wireguard/vars/main.yml

@@ -0,0 +1,15 @@
+$ANSIBLE_VAULT;1.2;AES256;wg
+63663332616565356139353765316636313435623339333663373363333964316335323966636538
+3061653236383236383530333131306130613435623032390a616533613632326465653330373861
+33303566363461383763393638663465373162323461336136386339303838336433383436313739
+3736373166353030660a363730613363666166356332303931303134336463306637376266353864
+36373461303363643239333864613865633934616364353635643539666163663330373261646166
+64333363623661346232386461656137643239376562666461353762646436326434386537326237
+61366131376138643932366639363530396565363838363061333036663931333463396534303633
+61346530653531343863313739353939363834383166313530303933313430336534663136313963
+66383539643735313638373736613839393961303266363034343332373738626462366461623539
+64313038306534306339663766323964346262663131366134666634633132356234616363623433
+63353637626661393533666665363236653334613266666533656630343130356431633037373330
+36313833313964383836393233316461323332623538663431653632626230333533643665613330
+34363438363939356432323164303761326464333961666334356230626335323263663133663034
+6165653064343433376233313236343961393434333465346365