Initialize with private Repo

.gitignore

@@ -0,0 +1,8 @@
+
+#To dos
+
+/To-dos.txt
+
+ansible_deployment/logs/*
+
+ansible_deployment/pass/*

README.md

@@ -0,0 +1,255 @@
+# [Einleitung]
+
+In diesem Repo befindet sich ein Ansible Playbook zum ausrollen von Standartsoftware und Einstellungen zum Initialem einrichten eines Clients. 
+
+# [Ansible]
+
+Ansible besteht aus 2 Teilen: einem Management und dem Client. Der Manager berechnet Skripte die dann über eine Shell-Session auf dem Client ausgeführt werden. Dieses Projekt ist darauf ausgelegt einzelne Tags manuell auf den Client zu pushen.
+Dabei werden die Hostgruppen und Rollen in der Site nacheinander abgearbeitet.
+Im Inventory befinden sich die Site-abhänigen Parameter des Deployments.
+
+Ansible braucht einen Linux oder Mac als Management-Server. Daher ist hier ein Docker-Compose Projekt unter ./ansible_editor hinterlegt dass einen Container mit allem startet was man braucht. Dieser stellt Visual als Weboberffläche bereit um das Playbook von Git zu klonen, an die Site anzupassen und auszuführen.
+
+## [Win11-Deployment]
+
+Am einfachsten ist unter Windows11 eine PS-Remote session einzurichten, diese muss Anfangs eingerichtet werden.
+Da das cmd-let dafür relativ viel macht hab ich ein PS-Skript hinterlegt dass das wieder rückgänig macht wenn man es nicht mehr braucht.
+
+
+
+
+# [Deploy Management]
+Prerequesites: Docker compose
+
+    cd ansible_editor
+    docker compose up -d
+
+Aufrufen:
+    http://localhost:8080/root
+
+
+
+# [Inventory Vorbereiten]
+
+1.  Hosts in Gruppe eintragen (Adresse zu Hosts-Liste zufügen)
+2.  "ansible_port" eintragen ( auf client: winrm quickconfig -transport:https)
+3.  Benutzerdaten in Vault eintragen und gegebenenfalls Variablen für Benutzer im Inventory ersetzen
+
+
+## [Verschlüsselte Zugangsdaten anlegen/ändern]
+    export EDITOR=nano
+
+Standartpasswort für vault_pass.yml : 2changeme
+(Dieses wird beim Ausführen des Playbooks abgefragt)
+
+Standart im Ansible-Vault (./ansible_deployment/group_vars/all/vault_pass.yml):
+
+    ---
+    vault_default_domain: .
+    vault_default_username: user
+    vault_default_userpass: user123
+
+-> Diese Variablen werden im Inventory aufgerufen und zugeordnet
+
+### [ids]
+
+Es gibt mehrere Vaults für mehrere Dinge. Der Hauptvault liegt unter /group_vars/all, die anderen in den Rollen die sie benötigen. Dort können z.b. WG-Peers eingepflegt werden. Die secrets für die vaults werden in ./pass in eine textdatei <ID>.pass eingetragen
+
+- Standart-Vault-ID: main (Standart: 2changeme)
+- Wireguard-Credentials: wg (Standart: 2changemesecret)
+
+
+### [Ansible-Vault Befehle]
+
+Neuen Vault anlegen:
+
+    ansible-vault create ./group_vars/all/vault_pass.yml 
+
+Vault entschlüsseln:
+
+    ansible-vault view ./group_vars/all/vault_pass.yml --ask-vault-pass 
+
+Vault bearbeiten:
+
+    ansible-vault edit ./group_vars/all/vault_pass.yml --ask-vault-pass 
+
+Passwort von File ändern:
+
+    ansible-vault rekey ./group_vars/all/vault_pass.yml --ask-vault-pass 
+
+
+
+
+# [Management Terminal]
+
+    git config --global user.name "Name"
+    git config --global user.email "email
+-> oder änderm im Dockerfile für VS-Studio
+
+
+
+    cd ansible_deployment
+    export LANG=C.UTF-8
+    ansible-playbook -v site.yml
+
+
+## Tags nutzen:
+
+    ansible-playbook --tags tools
+
+
+### Verfügbare Tags für Rollen-Packete:
+- system (Systemeinstellungen)
+- tools (Standartprogramme installieren)
+- office_tools (optional, free office-tools)
+
+
+
+
+
+
+# [Win11 Client]
+
+Als Admin die Poweshell öffnen!!!
+
+Netzwerk darf nicht Public sein!
+
+    Get-NetConnectionProfile
+
+    Set-NetConnectionProfile -InterfaceAlias "*Ethernet*" -NetworkCategory Private
+    oder Set-NetConnectionProfile -Name "*Ethernet*" -NetworkCategory Private
+
+
+## Anschalten Powershell-Remotesitzungen:
+
+    Enable-PSRemoting 
+
+
+Einstellungen anzeigen(Port rausfinden):
+    winrm quickconfig -transport:https
+
+
+
+## Ausschalten von PS-Remotesession
+
+
+Ausführen als Admin: disable_psremote_script.ps
+
+
+Prüfen: Get-Service WinRM
+winrm enumerate winrm/config/listener
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# Notizen:
+
+Disable-PSRemoting
+    Stop-Service WinRM -Force
+    Set-Service WinRM -StartupType Disabled
+
+
+
+
+Listener löschen:
+    winrm delete winrm/config/Listener?Address=*+Transport=HTTP
+    winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
+
+Prüfen: 
+    winrm enumerate winrm/config/listener
+
+
+
+
+    Disable-NetFirewallRule -DisplayGroup "Windows Remote Management"
+oder löschen:
+    Get-NetFirewallRule -DisplayGroup "Windows Remote Management" | Remove-NetFirewallRule
+
+LocalAccountTokenFilterPolicy zurücksetzen
+
+Das wird von Remoting oft auf 1 gesetzt.
+
+    Set-ItemProperty `
+    -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+    -Name LocalAccountTokenFilterPolicy `
+    -Value 0
+
+Oder komplett löschen:
+
+    Remove-ItemProperty `
+    -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+    -Name LocalAccountTokenFilterPolicy
+
+    Get-PSSessionConfiguration | Unregister-PSSessionConfiguration
+
+
+
+time:
+
+
+detect role:
+Wert	Rolle
+0	Standalone Workstation
+1	Domain Workstation
+2	Standalone Server
+3	Member Server
+4	Backup DC
+5	Primary DC
+
+
+
+To:-do:
+S-1-5-32-556
+reg add HKLM\Software\WireGuard /v LimitedOperatorUI /t REG_DWORD /d 1 /f
+
+
+
+ Enter-PSSession -ComputerName 192.168.99.64 -Credential (Get-Credential)
+
+
+/etc/krb5.conf
+
+ [libdefaults]
+ default_realm = INT.ANSI.INT
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+
+[realms]
+ INT.ANSI.INT = {
+  kdc = 192.168.99.63 
+ }
+
+[domain_realm]
+ .int.ansi.int = INT.ANSI.INT
+ int.ansi.int = INT.ANSI.INT
+
+
+kinit Administrator@INT.ANSI.INT

ansible_deployment/ansible.cfg

@@ -0,0 +1,4 @@
+[defaults]
+inventory = ./inventory.yml
+vault_identity_list = wg@./pass/wg.pass,main@./pass/main.pass
+log_path = ./logs/ansible.log

ansible_deployment/group_vars/all/vault_pass.yml

@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+66643239373234383936333931383238636131353736653131626465633863373764343035643362
+3339613237613539346335643939646136306438376136650a623033313736653933373939373733
+36353230666535663236363961313562633032363831353930396664633135613935326236663661
+3836333963313132350a653432656438323935323762623336366363616666653532383864306363
+35626561656164336361623036306266323133313339623433373661343863383335366131306239
+35623437333830316432643961393165383531316237386133303262303166396535323939373932
+32336433313939333034623437386239356332626564336165613362316561393763373663633432
+61356362373137323366306335306133303462353664393734363635666136663533613664333166
+31326563393937373838353730663435393833346231303939366630303532613833313137336532
+38353264323535653864326137393164396536623964383531306363383564643537306461656636
+66643165333639386462363131303461323463393632383432383964333563383238633536353138
+65343366353261643865383464313637373632633937373764346130396561373637623937343633
+61393232313761643730613666666238343630613438633566396130366232633535393164653339
+38323739356236376664313036616265636631326136346538396533653939306630636566633635
+31636166373262636438626565396536626165326263356463616233383962326339663536336161
+63353361656466383764

ansible_deployment/inventory.yml

@@ -0,0 +1,117 @@
+---
+
+# Generell
+
+all:
+  vars:
+
+    # Ansible-Connection and Credentials
+
+    ansible_connection: winrm
+    ansible_winrm_transport: ntlm
+    
+    ansible_user: '{{ vault_default_domain }}\{{ vault_default_username }}'
+    username: '{{ vault_default_username }}'
+    ansible_password: '{{ vault_default_userpass }}'
+
+    # Windows Geo/Language Settings
+
+    windows_language: de-DE
+    windows_keyboard: 0407:00000407
+    windows_geo_id: 94
+
+    # Windows NTP Settings
+
+    ntp_servers:
+      - "0.pool.ntp.org"
+      - "1.pool.ntp.org"
+
+    # Energiesparoptionen
+
+    powermanagement:
+      power_plan: "High performance"
+      lid_close_action: 0        # 0 = Do nothing
+      sleep_timeout_ac: 0        # 0 = Never
+      sleep_timeout_dc: 0        # 0 = Never
+      monitor_timeout_ac: 20     # Bildschirm darf ausgehen
+      monitor_timeout_dc: 10
+
+    # Windows RDP Settings
+
+    rdp:
+      rdp_port: 3389
+      enable_nla: true 
+      custommember: false
+      member:
+        - membername: "" #Group-Name or Account-Name
+
+
+    # Windows Tools Uninstall Parameters
+
+    uninstall365:
+      m365_match_patterns:
+        - "Microsoft 365"
+        - "Microsoft Office"
+        - "Office 365"
+        - "Microsoft Teams"
+        - "OneDrive"
+
+      remove_onedrive: true
+      remove_store_apps: true
+      remove_click_to_run: true
+
+      m365_log_path: "C:\\Temp\\m365_removal.log"
+
+      reboot_if_required: true
+
+
+# Testdeployment
+test_domain_vm_client:
+  hosts:
+    test-vm-002.int.ansi.int:
+        hostname: "test-vm-002.int.ansi.int"
+
+        ansible_port: 5986
+        domain_member: true
+
+        ansible_user: '{{ vault_domain_default_domain }}\{{ vault_domain_default_username }}'
+        username: '{{ vault_domain_default_username }}'
+        ansible_password: '{{ vault_domain_default_userpass }}'
+        
+        local_user: '{{ vault_default_domain }}\{{ vault_default_username }}'
+
+        
+        wg:
+          non_admin: false
+          users:
+            - username: ""
+
+          private_key: '{{ wg_private_key }}'
+          address: "10.66.66.13/32,fd42:42:42::13/128"
+          dns: "192.168.19.244,192.168.19.244"
+
+          wireguard_peers:
+            - public_key: '{{ wg_p1_public_key }}'
+              preshared_key: '{{ wg_p1_preshared_key }}'
+              allowed_ips: "172.16.4.0/24"
+              endpoint: "93.93.202.133:56483"
+
+
+# Client-Gruppen zum Deployen
+
+notebooks_client:
+  hosts:
+
+
+
+
+workstation_client:
+  hosts:
+
+
+
+
+# Server-Gruppen zum Deployen
+
+domainmember_server:
+  hosts:

ansible_deployment/roles/windows_roles/system_roles/dns/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: Configure all adapters to use DHCP-assigned DNS values
+  ansible.windows.win_dns_client:
+    adapter_names: '*'
+    dns_servers: []
+
+#optional:
+
+# - name: Set multiple lookup addresses on all visible adapters (usually physical adapters that are in the Up state), with debug logging to a file
+#   ansible.windows.win_dns_client:
+#     adapter_names: '*'
+#     dns_servers:
+#       - 192.168.34.5
+#       - 192.168.34.6
+#     suffix_search_list:
+#       - "corp.contoso.com"
+#       - "na.corp.contoso.com"
+#     log_path: C:\dns_log.txt

ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/configure.yml

@@ -0,0 +1,40 @@
+---
+
+- name: Configure German regional settings for system
+  win_shell: |
+    $lang="{{ windows_language }}"
+
+    Set-WinUILanguageOverride -Language $lang
+    Set-WinSystemLocale $lang
+    Set-Culture $lang
+    Set-WinHomeLocation -GeoId {{ windows_geo_id }}
+
+    $list = New-WinUserLanguageList $lang
+    $list[0].InputMethodTips.Clear()
+    $list[0].InputMethodTips.Add("{{ windows_keyboard }}")
+
+    Set-WinUserLanguageList $list -Force
+  register: lang_config
+
+- name: Configure German language for user {{ username }}
+  win_shell: |
+    $lang="{{ windows_language }}"
+
+    $list = New-WinUserLanguageList $lang
+    $list[0].InputMethodTips.Clear()
+    $list[0].InputMethodTips.Add("{{ windows_keyboard }}")
+
+    Set-WinUserLanguageList $list -Force
+    Set-Culture $lang
+    Set-WinUILanguageOverride -Language $lang
+  become: yes
+  become_method: runas
+  become_user: "{{ username }}"
+  register: user_lang_config
+
+- name: Apply language to welcome screen and new users
+  win_shell: |
+    Copy-UserInternationalSettingsToSystem `
+      -WelcomeScreen $true `
+      -NewUser $true
+  register: welcome_config

ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/install.yml

@@ -0,0 +1,23 @@
+---
+- name: Install German language pack
+  win_shell: |
+    $features = @(
+      "Language.Basic~~~{{ windows_language }}~0.0.1.0",
+      "Language.Handwriting~~~{{ windows_language }}~0.0.1.0",
+      "Language.OCR~~~{{ windows_language }}~0.0.1.0",
+      "Language.Speech~~~{{ windows_language }}~0.0.1.0",
+      "Language.TextToSpeech~~~{{ windows_language }}~0.0.1.0"
+    )
+
+    foreach ($feature in $features) {
+      $cap = Get-WindowsCapability -Online |
+        Where-Object Name -like $feature
+
+      if ($cap.State -ne "Installed") {
+        Add-WindowsCapability -Online -Name $feature
+      }
+    }
+  register: lang_install
+  become: yes
+  become_method: runas
+  become_user: SYSTEM

ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Check if German language pack is installed
+  win_shell: |
+    $cap = Get-WindowsCapability -Online |
+      Where-Object { $_.Name -like "Language.Basic~~~{{ windows_language }}*" }
+
+    if ($cap -and $cap.State -eq "installed") {
+      exit 0
+    } else {
+      exit 1
+    }
+  register: german_installed
+  changed_when: false
+  failed_when: false
+
+- name: Install German language components
+  import_tasks: install.yml
+  when: german_installed.rc != 0
+
+- name: Configure German system settings
+  import_tasks: configure.yml
+  when: german_installed.rc != 0
+
+- name: Reboot if required
+  import_tasks: reboot.yml

ansible_deployment/roles/windows_roles/system_roles/german_language/tasks/reboot.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Reboot system if language changes occurred
+  win_reboot:
+    reboot_timeout: 1800
+  when: >
+    lang_install.changed or
+    lang_config.changed or
+    user_lang_config.changed or
+    welcome_config.changed

ansible_deployment/roles/windows_roles/system_roles/hostname/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Set Windows hostname
+  ansible.windows.win_hostname:
+    name: "{{ hostname }}"
+  register: hostname_result
+  when: not domain_member | bool
+
+- name: Reboot if hostname changed
+  ansible.windows.win_reboot:
+  when: not domain_member | bool and hostname_result.reboot_required

ansible_deployment/roles/windows_roles/system_roles/powersaver_off/tasks/main.yml

@@ -0,0 +1,48 @@
+---
+- name: Set power plan to high performance
+  win_shell: |
+    powercfg /setactive SCHEME_MIN
+
+- name: Disable sleep (AC)
+  win_shell: |
+    powercfg /change standby-timeout-ac {{ powermanagement.sleep_timeout_ac }}
+
+- name: Disable sleep (Battery)
+  win_shell: |
+    powercfg /change standby-timeout-dc {{ powermanagement.sleep_timeout_dc }}
+
+- name: Set monitor timeout (AC)
+  win_shell: |
+    powercfg /change monitor-timeout-ac {{ powermanagement.monitor_timeout_ac }}
+
+- name: Set monitor timeout (Battery)
+  win_shell: |
+    powercfg /change monitor-timeout-dc {{ powermanagement.monitor_timeout_dc }}
+
+- name: Set lid close action to do nothing (AC)
+  win_shell: |
+    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION {{ powermanagement.lid_close_action }}
+
+- name: Set lid close action to do nothing (Battery)
+  win_shell: |
+    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION {{ powermanagement.lid_close_action }}
+
+- name: Apply power settings
+  win_shell: |
+    powercfg /setactive SCHEME_CURRENT
+
+
+
+
+
+
+
+- name: Disable NIC power saving features
+  win_shell: |
+    Get-NetAdapterAdvancedProperty | Where-Object {
+      $_.DisplayName -match "Energy|EEE"
+    } | Set-NetAdapterAdvancedProperty -DisplayValue "Disabled" -NoRestart
+  args:
+    executable: powershell
+
+

ansible_deployment/roles/windows_roles/system_roles/rdp/tasks/main.yml

@@ -0,0 +1,58 @@
+- name: Enable Remote Desktop in registry
+  ansible.windows.win_regedit:
+    path: HKLM:\System\CurrentControlSet\Control\Terminal Server
+    name: fDenyTSConnections
+    data: 0
+    type: dword
+
+- name: Configure Network Level Authentication
+  ansible.windows.win_regedit:
+    path: HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
+    name: UserAuthentication
+    data: "{{ (rdp.enable_nla | default(true)) | ternary(1, 0) }}"
+    type: dword
+
+- name: Enable Remote Desktop firewall rule
+  win_firewall_rule:
+    name: RemoteDesktop-UserMode-In-TCP
+    localport: "{{ rdp.rdp_port | default(3389) }}"
+    action: allow
+    direction: in
+    protocol: tcp
+    state: present
+    enabled: yes
+
+- name: Ensure RDP service is running
+  ansible.windows.win_service:
+    name: TermService
+    start_mode: auto
+    state: started
+
+
+- name: Get all local groups
+  ansible.windows.win_shell: Get-LocalGroup | Select-Object -ExpandProperty Name
+  register: local_groups
+  changed_when: false
+
+- name: Find Remote Desktop Users group (eng/de)
+  set_fact:
+    rdp_group_name: "{{ local_groups.stdout_lines | select('match','(?i)Remote.*Desktop.*Users|Remotedesktopbenutzer') | first }}"
+  changed_when: false
+
+- name: Add my user to RDP access
+  ansible.windows.win_group_membership:
+    name: "{{ rdp_group_name }}"
+    members:
+      - "{{ local_user }}"           # hier die Gruppe, die RDP-Zugang bekommen soll
+    state: present
+
+- name: Add my custom group to RDP access
+  ansible.windows.win_group_membership:
+    name: "{{ rdp_group_name }}"
+    members:
+      - "{{ item.membername }}"           # hier die Gruppe, die RDP-Zugang bekommen soll
+    state: present
+  when: rdp.custommember == true
+  loop: "{{ rdp.member }}"
+  loop_control:
+    loop_var: item

ansible_deployment/roles/windows_roles/system_roles/time/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+
+ntp_type: "NTP"

ansible_deployment/roles/windows_roles/system_roles/time/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+
+- name: restart time service
+  win_service:
+    name: w32time
+    state: restarted
+
+- name: restart time service
+  win_service:
+    name: w32time
+    state: restarted
+
+- name: force resync
+  win_shell: w32tm /resync

ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_domain_controller.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Build NTP server string
+  set_fact:
+    ntp_server_string: "{{ ntp_servers | join(',') }}"
+
+- name: Configure DC NTP servers
+  win_shell: |
+    w32tm /config /manualpeerlist:"{{ ntp_server_string }}" /syncfromflags:manual /reliable:yes /update
+  notify: restart time service

ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_domain_member.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Set timezone
+  win_timezone:
+    timezone: "W. Europe Standard Time"
+
+- name: Configure time sync from domain hierarchy
+  win_shell: |
+    w32tm /config /syncfromflags:domhier /update
+  notify: restart time service

ansible_deployment/roles/windows_roles/system_roles/time/tasks/configure_standalone.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Set timezone
+  win_timezone:
+    timezone: "W. Europe Standard Time"
+
+
+
+- name: Build NTP server string
+  set_fact:
+    ntp_server_string: "{{ ntp_servers | join(',') }}"
+
+- name: Configure NTP servers
+  win_regedit:
+    path: HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
+    name: NtpServer
+    data: "{{ ntp_server_string }}"
+    type: string
+  notify: restart time service
+
+- name: Set sync type
+  win_regedit:
+    path: HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
+    name: Type
+    data: NTP
+    type: string
+  notify: restart time service
+

ansible_deployment/roles/windows_roles/system_roles/time/tasks/detect_role.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Detect Windows domain role
+  win_shell: |
+    (Get-CimInstance Win32_ComputerSystem).DomainRole
+  register: domain_role
+  changed_when: false
+
+- name: Set role fact
+  set_fact:
+    windows_domain_role: "{{ domain_role.stdout | int }}"
+  changed_when: false
+

ansible_deployment/roles/windows_roles/system_roles/time/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Detect Windows domain role
+  include_tasks: detect_role.yml
+
+- name: Configure NTP for domain controller
+  include_tasks: configure_domain_controller.yml
+  when: windows_domain_role | int in [4,5]
+
+- name: Configure NTP for domain member
+  include_tasks: configure_domain_member.yml
+  when: windows_domain_role | int in [1,3]
+
+- name: Configure NTP for standalone host
+  include_tasks: configure_standalone.yml
+  when: windows_domain_role | trim == "0"

ansible_deployment/roles/windows_roles/system_roles/updates/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Install Windows updates until system is fully patched
+  ansible.windows.win_updates:
+    category_names:
+      - SecurityUpdates
+      - CriticalUpdates
+      - UpdateRollups
+      - Updates
+      - DefinitionUpdates
+      - ServicePacks
+      - Drivers
+      - FeaturePacks
+      - Tools
+      - Connectors
+      - Application
+      - Guidance
+    state: installed
+    reboot: true
+    reboot_timeout: 900

ansible_deployment/roles/windows_roles/tools_roles/7zip/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+- name: Check if 7-Zip is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*7-Zip*" }
+
+    if ($app) { Write-Output "installed" }
+  register: sevenzip_installed
+  changed_when: false
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: sevenzip_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: sevenzip_installed.stdout | trim != "installed"
+
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: 7z2600-x64.msi
+    dest: C:\temp\setup\7z.msi
+    force: yes
+  when: sevenzip_installed.stdout | trim != "installed"
+
+
+- name: Ensure 7-Zip is installed through win_package
+  win_package:
+    path: C:\temp\setup\7z.msi
+    state: present
+  when: sevenzip_installed.stdout | trim != "installed"
+
+# - name: Ensure 7-Zip is not installed through win_package
+#   win_package:
+#     path: C:\temp\7z.msi
+#     state: absent
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/browser/tasks/main.yml

@@ -0,0 +1,59 @@
+---
+- name: Check if Firefox is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*Firefox*" }
+
+    if ($app) { Write-Output "installed" }
+  register: browser_installed
+  changed_when: false
+
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: browser_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: browser_installed.stdout | trim != "installed"
+
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: "{{ item }}"
+    dest: C:\temp\setup\{{ item }}
+    force: yes
+  with_items:
+    - Firefox_Setup_148.0.msi
+    - googlechromestandaloneenterprise64.msi
+  when: browser_installed.stdout | trim != "installed"
+
+
+- name: Ensure Browser is installed through win_package
+  win_package:
+    path: C:\temp\setup\{{ item }}
+    state: present
+  with_items:
+    - Firefox_Setup_148.0.msi
+    - googlechromestandaloneenterprise64.msi
+  when: browser_installed.stdout | trim != "installed"
+
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/keypass/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+- name: Check if keypass is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*keypass*" }
+
+    if ($app) { Write-Output "installed" }
+  register: keypass_installed
+  changed_when: false
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: keypass_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: keypass_installed.stdout | trim != "installed"
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: KeePassXC-2.7.12-Win64.msi
+    dest: C:\temp\setup\keypass.msi
+    force: yes
+  when: keypass_installed.stdout | trim != "installed"
+
+
+- name: Ensure keypass is installed through win_package
+  win_package:
+    path: C:\temp\setup\keypass.msi
+    state: present
+  when: keypass_installed.stdout | trim != "installed"
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/libre/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+- name: Check if LibreOffice is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*LibreOffice*" }
+
+    if ($app) { Write-Output "installed" }
+  register: libre_installed
+  changed_when: false
+
+
+
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: libre_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: libre_installed.stdout | trim != "installed"
+
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: LibreOffice_26.2.1_Win_x86-64.msi
+    dest: C:\temp\setup\libre.msi
+    force: yes
+  when: libre_installed.stdout | trim != "installed"
+
+
+- name: Ensure Libre Office is installed through win_package
+  win_package:
+    path: C:\temp\setup\libre.msi
+    state: present
+  when: libre_installed.stdout | trim != "installed"
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/pdf24/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+- name: Check if pdf24 is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*pdf24*" }
+
+    if ($app) { Write-Output "installed" }
+  register: pdf24_installed
+  changed_when: false
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: pdf24_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: pdf24_installed.stdout | trim != "installed"
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: pdf24-creator-11.29.1-x64.msi
+    dest: C:\temp\setup\pdf24.msi
+    force: yes
+  when: pdf24_installed.stdout | trim != "installed"
+
+
+- name: Ensure PDF24 is installed through win_package
+  win_package:
+    path: C:\temp\setup\pdf24.msi
+    state: present
+  when: pdf24_installed.stdout | trim != "installed"
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/rustdesk/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+# Handler zum Neustarten des RustDesk-Dienstes
+- name: Restart RustDesk service
+  win_service:
+    name: RustDesk      # Name des Windows-Dienstes
+    state: restarted
+

ansible_deployment/roles/windows_roles/tools_roles/rustdesk/tasks/main.yml

@@ -0,0 +1,162 @@
+---
+- name: Check if Rustdesk is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*rustdesk*" }
+
+    if ($app) { Write-Output "installed" }
+  register: rustdesk_installed
+  changed_when: false
+
+
+
+
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: rustdesk_installed.stdout | trim != "installed"
+
+- name: Ensure setup directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: rustdesk_installed.stdout | trim != "installed"
+
+
+
+
+
+
+- name: Copy rustdesk MSI installer to Windows host
+  win_copy:
+    src: rustdesk-1.4.6-x86_64.msi
+    dest: C:\temp\setup\rustdesk.msi
+    force: yes
+  when: rustdesk_installed.stdout | trim != "installed"
+
+
+- name: Ensure rustdesk is installed through win_package
+  win_package:
+    path: C:\temp\setup\rustdesk.msi
+    state: present
+  when: rustdesk_installed.stdout | trim != "installed"
+
+
+
+
+
+
+- name: Ensure RustDesk service is enabled
+  win_service:
+    name: RustDesk
+    state: started
+    start_mode: auto
+  changed_when: false
+
+
+
+
+
+- name: Start RustDesk application
+  win_shell: |
+    Start-Process "C:\Program Files\RustDesk\rustdesk.exe"
+  args:
+    executable: powershell
+  become: yes
+  become_method: runas
+  become_user: "{{ username }}"
+  changed_when: false
+
+- name: Wait until RustDesk process is running
+  win_wait_for_process:
+    process_name_pattern: rustdesk
+    state: present
+    timeout: 30
+  become: yes
+  become_method: runas
+  become_user: "{{ username }}"
+  changed_when: false
+
+
+
+
+
+# - name: Start RustDesk interactively in user context
+#   win_shell: |
+#     schtasks /create /tn "StartRustDesk" /tr '"C:\Program Files\RustDesk\RustDesk.exe"' /sc once /st 00:00 /rl highest /f /ru "{{ rustdesk.rustdesk_user }}" /rp "{{ rustdesk.rustdesk_user_password }}"
+#     schtasks /run /tn "StartRustDesk"
+#     schtasks /delete /tn "StartRustDesk" /f
+#   args:
+#     executable: powershell.exe
+#   when: rustdesk_installed.stdout | trim != "installed"
+
+- name: Wait until RustDesk processes are there
+  win_wait_for_process:
+    process_name_pattern: rustdesk
+    state: present
+    timeout: 30
+  changed_when: false
+  
+- name: Copy/Check RustDesk config template
+  win_template:
+    src: RustDesk2.toml
+    dest: C:\Users\{{ username }}\AppData\Roaming\RustDesk\config\RustDesk2.toml
+  register: rustdesk_template_check
+  when: not domain_member | bool
+
+- name: Stop RustDesk service
+  win_service:
+    name: RustDesk
+    state: stopped
+    start_mode: disabled
+  when: rustdesk_template_check.changed
+
+- name: Stop RustDesk process if running
+  win_shell: |
+    if (Get-Process rustdesk -ErrorAction SilentlyContinue) {
+        Stop-Process -Name rustdesk -Force
+    }
+  when: rustdesk_template_check.changed
+
+
+- name: Wait until RustDesk processes are gone
+  win_wait_for_process:
+    process_name_pattern: rustdesk
+    state: absent
+    timeout: 30
+  when: rustdesk_template_check.changed
+
+
+- name: Copy RustDesk config template
+  win_template:
+    src: RustDesk2.toml
+    dest: C:\Users\{{ username }}\AppData\Roaming\RustDesk\config\RustDesk2.toml
+  notify: Restart RustDesk service 
+  when: rustdesk_template_check.changed
+
+
+- name: Ensure RustDesk service is enabled
+  win_service:
+    name: RustDesk
+    state: started
+    start_mode: auto
+  when: rustdesk_template_check.changed 
+
+
+
+
+
+
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent

ansible_deployment/roles/windows_roles/tools_roles/rustdesk/templates/RustDesk2.toml

@@ -0,0 +1,12 @@
+rendezvous_server = '93.93.202.41:21116'
+serial = ''
+unlock_pin = ''
+trusted_devices = ''
+
+[options]
+custom-rendezvous-server = '93.93.202.41'
+key = 'NEthYaFbhCVTWMj4ZV2elX8Ux2GdYZLb0yTzcTm015E='
+stop-service = 'Y'
+relay-server = '93.93.202.41'
+av1-test = 'Y'
+local-ip-addr = ''

ansible_deployment/roles/windows_roles/tools_roles/thunderbird/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+- name: Check if Thunderbird is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*Thunderbird*" }
+
+    if ($app) { Write-Output "installed" }
+  register: thunderbird_installed
+  changed_when: false
+
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: thunderbird_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: thunderbird_installed.stdout | trim != "installed"
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: Thunderbird_Setup_148.0.1.msi
+    dest: C:\temp\setup\thunderbird.msi
+    force: yes
+  when: thunderbird_installed.stdout | trim != "installed"
+
+
+- name: Ensure thunderbird is installed through win_package
+  win_package:
+    path: C:\temp\setup\thunderbird.msi
+    state: present
+  when: thunderbird_installed.stdout | trim != "installed"
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/cleanup.yml

@@ -0,0 +1,30 @@
+---
+- name: Remove Store apps (Teams, Office)
+  win_shell: |
+    Get-AppxPackage -AllUsers |
+    Where-Object {
+      $_.Name -like "*Office*" -or $_.Name -like "*Teams*"
+    } | Remove-AppxPackage -AllUsers
+  when: uninstall365.remove_store_apps
+  args:
+    executable: powershell
+  failed_when: false
+
+- name: Remove OneDrive
+  win_shell: |
+    taskkill /f /im OneDrive.exe
+    %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
+  when: uninstall365.remove_onedrive
+  args:
+    executable: cmd
+  failed_when: false
+
+- name: Remove leftover directories
+  win_file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "C:\\Program Files\\Microsoft Office"
+    - "C:\\Program Files (x86)\\Microsoft Office"
+    - "C:\\ProgramData\\Microsoft\\Office"
+  ignore_errors: true

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/detect.yml

@@ -0,0 +1,34 @@
+---
+- name: Scan registry for installed software
+  win_shell: |
+    $patterns = @({{ uninstall365.m365_match_patterns | map('to_json') | join(',') }})
+    $results = @()
+
+    foreach ($path in @({{ registry_paths | map('to_json') | join(',') }})) {
+      if (Test-Path $path) {
+        Get-ChildItem $path | ForEach-Object {
+          $disp = $_.GetValue("DisplayName")
+          $uninstall = $_.GetValue("UninstallString")
+
+          if ($disp) {
+            foreach ($p in $patterns) {
+              if ($disp -like "*$p*") {
+                $results += [PSCustomObject]@{
+                  Name = $disp
+                  UninstallString = $uninstall
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+
+    $results | ConvertTo-Json -Compress
+  args:
+    executable: powershell
+  register: m365_detect_raw
+
+- name: Parse detected apps
+  set_fact:
+    m365_installed: "{{ m365_detect_raw.stdout | default('[]') | from_json }}"

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Ensure log directory exists
+  win_file:
+    path: C:\Temp
+    state: directory
+
+- name: Detect installed M365 products
+  include_tasks: detect.yml
+
+- name: Uninstall via registry
+  include_tasks: uninstall_registry.yml
+  when: m365_installed | length > 0
+
+- name: Remove Click-to-Run installations
+  include_tasks: uninstall_c2r.yml
+  when: uninstall365.remove_click_to_run
+
+- name: Cleanup leftovers
+  include_tasks: cleanup.yml
+
+- name: Reboot if required
+  include_tasks: reboot.yml

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/reboot.yml

@@ -0,0 +1,17 @@
+---
+- name: Check if reboot is required
+  win_shell: |
+    if (Test-Path "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\RebootRequired") {
+      exit 1
+    } else {
+      exit 0
+    }
+  register: reboot_check
+  failed_when: reboot_check.rc == 1
+  changed_when: reboot_check.rc == 1
+
+- name: Reboot system if needed
+  win_reboot:
+    msg: "Reboot after M365 removal"
+    pre_reboot_delay: 10
+  when: uninstall365.reboot_if_required and reboot_check.rc == 1

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/uninstall_c2r.yml

@@ -0,0 +1,19 @@
+---
+- name: Check if Click-to-Run exists
+  win_stat:
+    path: "{{ click_to_run_exe }}"
+  register: c2r_stat
+
+- name: Remove Click-to-Run Office
+  win_shell: |
+    "{{ click_to_run_exe }}" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=AllProducts displaylevel=false
+  when: c2r_stat.stat.exists
+  args:
+    executable: cmd
+  register: c2r_remove
+  failed_when: false
+
+- name: Log C2R removal
+  win_lineinfile:
+    path: "{{ uninstall365.m365_log_path }}"
+    line: "Click-to-Run removal executed"

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/tasks/uninstall_registry.yml

@@ -0,0 +1,25 @@
+---
+- name: Uninstall detected applications
+  win_shell: |
+    $apps = {{ m365_installed | to_json }}
+
+    foreach ($app in $apps) {
+      if ($app.UninstallString) {
+        $cmd = $app.UninstallString
+
+        if ($cmd -notmatch "/quiet") {
+          $cmd += " /quiet /norestart"
+        }
+
+        Start-Process -FilePath "cmd.exe" -ArgumentList "/c $cmd" -Wait
+      }
+    }
+  args:
+    executable: powershell
+  register: uninstall_result
+  failed_when: false
+
+- name: Log uninstall results
+  win_lineinfile:
+    path: "{{ uninstall365.m365_log_path }}"
+    line: "Registry uninstall executed at {{ ansible_date_time.iso8601 }}"

ansible_deployment/roles/windows_roles/tools_roles/uninstall_ms365/vars/main.yml

@@ -0,0 +1,6 @@
+---
+registry_paths:
+  - HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall
+  - HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
+
+click_to_run_exe: "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe"

ansible_deployment/roles/windows_roles/tools_roles/wireguard/tasks/main.yml

@@ -0,0 +1,67 @@
+---
+- name: Check if wireguard is installed
+  win_shell: |
+    $paths = @(
+      "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
+      "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+    )
+
+    $app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -like "*wireguard*" }
+
+    if ($app) { Write-Output "installed" }
+  register: wireguard_installed
+  changed_when: false
+
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp
+    state: directory
+  when: wireguard_installed.stdout | trim != "installed"
+
+
+- name: Ensure temp directory exists
+  win_file:
+    path: C:\temp\setup
+    state: directory
+  when: wireguard_installed.stdout | trim != "installed"
+
+
+- name: Copy MSI installer to Windows host
+  win_copy:
+    src: wireguard-amd64-0.5.3.msi
+    dest: C:\temp\setup\wg.msi
+    force: yes
+  when: wireguard_installed.stdout | trim != "installed"
+
+
+- name: Ensure wireguard is installed through win_package
+  win_package:
+    path: C:\temp\setup\wg.msi
+    state: present
+  when: wireguard_installed.stdout | trim != "installed"
+
+- name: Copy/Check wireguard config template
+  win_template:
+    src: wg.conf
+    dest: C:\Users\{{ username }}\Documents
+
+- name: Add User to Netzwerkkonfigurationsoperatoren
+  ansible.windows.win_group_membership:
+    name: "S-1-5-32-556"
+    members:
+      - "{{ item.username }}"
+    state: present
+  when: wg.non_admin == true
+  loop: "{{ wg.users }}"
+  loop_control:
+    loop_var: item
+
+- name: Ensure setup directory is deleted
+  win_file:
+    path: C:\temp\setup
+    state: absent
+
+

ansible_deployment/roles/windows_roles/tools_roles/wireguard/templates/wg.conf

@@ -0,0 +1,13 @@
+[Interface]
+PrivateKey = {{ wg.private_key }}
+Address = {{ wg.address }}
+DNS = {{ wg.dns }}
+
+{% for peer in wg.wireguard_peers %}
+[Peer]
+PublicKey = {{ peer.public_key }}
+PreSharedKey = {{ peer.preshared_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+Endpoint = {{ peer.endpoint }}
+PersistentKeepalive = 25
+{% endfor %}

ansible_deployment/roles/windows_roles/tools_roles/wireguard/vars/main.yml

@@ -0,0 +1,15 @@
+$ANSIBLE_VAULT;1.2;AES256;wg
+63663332616565356139353765316636313435623339333663373363333964316335323966636538
+3061653236383236383530333131306130613435623032390a616533613632326465653330373861
+33303566363461383763393638663465373162323461336136386339303838336433383436313739
+3736373166353030660a363730613363666166356332303931303134336463306637376266353864
+36373461303363643239333864613865633934616364353635643539666163663330373261646166
+64333363623661346232386461656137643239376562666461353762646436326434386537326237
+61366131376138643932366639363530396565363838363061333036663931333463396534303633
+61346530653531343863313739353939363834383166313530303933313430336534663136313963
+66383539643735313638373736613839393961303266363034343332373738626462366461623539
+64313038306534306339663766323964346262663131366134666634633132356234616363623433
+63353637626661393533666665363236653334613266666533656630343130356431633037373330
+36313833313964383836393233316461323332623538663431653632626230333533643665613330
+34363438363939356432323164303761326464333961666334356230626335323263663133663034
+6165653064343433376233313236343961393434333465346365

ansible_deployment/site.yml

@@ -0,0 +1,157 @@
+- name: Generic setups
+  hosts: all
+  gather_facts: false
+  vars_files:
+    - ./group_vars/all/vault_pass.yml
+
+
+
+
+# Completely Tested Setup!!!
+
+- name: specific setups for test-vm
+  hosts: test_domain_vm_client
+  gather_facts: false
+  roles: 
+    - role: windows_roles/system_roles/german_language
+      tags:
+        - system
+        - language
+    - role: windows_roles/system_roles/hostname
+      tags:
+        - system
+        - hostname
+    - role: windows_roles/system_roles/dns
+      tags:
+        - system
+        - dns
+    - role: windows_roles/system_roles/time
+      tags:
+        - system
+        - time    
+    - role: windows_roles/system_roles/powersaver_off
+      tags:
+        - system
+        - powersaver_off  
+    - role: windows_roles/system_roles/rdp
+      tags:
+        - system
+        - rdp
+    - role: windows_roles/system_roles/updates
+      tags:
+        - system
+        - updates
+    - role: windows_roles/tools_roles/7zip
+      tags:
+        - 7zip
+        - tools
+    - role: windows_roles/tools_roles/rustdesk
+      tags:
+        - rustdesk
+        - tools
+    - role: windows_roles/tools_roles/browser
+      tags:
+        - browser
+        - tools
+
+
+    - role: windows_roles/tools_roles/pdf24
+      tags:
+        - pdf
+        - office_tools
+    - role: windows_roles/tools_roles/libre
+      tags:
+        - office
+        - office_tools
+    - role: windows_roles/tools_roles/thunderbird
+      tags:
+        - mail
+        - office_tools
+    - role: windows_roles/tools_roles/wireguard
+      tags:
+        - wg
+        - tools
+    - role: windows_roles/tools_roles/keypass
+      tags:
+        - passvault
+        - tools
+
+
+
+
+
+
+
+
+
+
+# windows notebooks
+- name: specific setups for nbk
+  hosts: notebooks_client
+  gather_facts: false
+  roles:
+    - role: windows_roles/system_roles/german_language
+      tags:
+        - system
+        - language
+    - role: windows_roles/system_roles/hostname
+      tags:
+        - system
+        - hostname
+    - role: windows_roles/system_roles/dns
+      tags:
+        - system
+        - dns
+    - role: windows_roles/system_roles/time
+      tags:
+        - system
+        - time    
+    - role: windows_roles/system_roles/powersaver_off
+      tags:
+        - system
+        - powersaver_off  
+    - role: windows_roles/system_roles/rdp
+      tags:
+        - system
+        - rdp
+    - role: windows_roles/system_roles/updates
+      tags:
+        - system
+        - updates
+    - role: windows_roles/tools_roles/7zip
+      tags:
+        - 7zip
+        - tools
+    - role: windows_roles/tools_roles/rustdesk
+      tags:
+        - rustdesk
+        - tools
+    - role: windows_roles/tools_roles/browser
+      tags:
+        - browser
+        - tools
+    - role: windows_roles/tools_roles/wireguard
+      tags:
+        - wg
+        - tools
+
+    - role: windows_roles/tools_roles/pdf24
+      tags:
+        - pdf
+        - office_tools
+    - role: windows_roles/tools_roles/keypass
+      tags:
+        - passvault
+        - tools
+
+
+# windows workstations
+- name: specific setups for wks
+  hosts: workstation_client
+  gather_facts: false
+
+
+# windows Domainmember-server
+- name: specific setups for Member-Server
+  hosts: domainmember_server
+  gather_facts: false

disable_psremote_script.ps1

@@ -0,0 +1,32 @@
+
+Write-Host "Deaktiviere PowerShell Remoting..." -ForegroundColor Yellow
+
+# Autostart deaktivieren
+Write-Host "Deaktiviere WinRM Autostart..."
+Set-Service WinRM -StartupType Disabled
+
+# WinRM Dienst stoppen
+if (Get-Service WinRM -ErrorAction SilentlyContinue) {
+    Write-Host "Stoppe WinRM Dienst..."
+    Stop-Service WinRM -Force 
+}
+
+# Listener entfernen
+Write-Host "Entferne WinRM Listener..."
+winrm delete winrm/config/Listener?Address=*+Transport=HTTP 2>$null
+winrm delete winrm/config/Listener?Address=*+Transport=HTTPS 2>$null
+
+# Firewallregeln deaktivieren
+Write-Host "Deaktiviere Firewall Regeln..."
+Disable-NetFirewallRule -DisplayGroup "Windows Remote Management"
+
+# LocalAccountTokenFilterPolicy zurücksetzen
+Write-Host "Setze LocalAccountTokenFilterPolicy zurück..."
+$path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+
+if (Test-Path $path) {
+    Set-ItemProperty -Path $path -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord
+}
+
+Write-Host "PowerShell Remoting wurde deaktiviert." -ForegroundColor Green
+