Price Hiller 2022-09-18 19:43:28 -05:00
parent fd75bd8dda
commit 51b88e8b92
19 changed files with 188 additions and 65 deletions


@ -7,3 +7,80 @@ all:
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_port: 5985
vars:
devops_env: IDEV
ssl_ciphers:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
desired_features:
- FS-FileServer
- Web-Server
- Web-Common-Http
- Web-Default-Doc
- Web-Dir-Browsing
- Web-Http-Errors
- Web-Http-Errors
- Web-Static-Content
- Web-Health
- Web-Http-Logging
- Web-Log-Libraries
- Web-Request-Monitor
- Web-Performance
- Web-Stat-Compression
- Web-Dyn-Compression
- Web-Security
- Web-Filtering
- Web-Basic-Auth
- Web-Windows-Auth
- Web-App-Dev
- Web-Net-Ext45
- Web-AppInit
- Web-ASP
- Web-Asp-Net45
- Web-CGI
- Web-ISAPI-Ext
- Web-ISAPI-Filter
- Web-Includes
- Web-WebSockets
- Web-Mgmt-Compat
- Web-Metabase
- Web-Lgcy-Scripting
- Web-WMI
- Web-Scripting-Tools
- Web-Mgmt-Service
- NET-Framework-45-Features
- NET-Framework-45-Core
- NET-Framework-45-ASPNET
- NET-WCF-HTTP-Activation45
- NET-WCF-TCP-PortSharing45
- Server-Media-Foundation
- RDC
- PowerShellRoot
- PowerShell
- PowerShell-ISE
- WAS
- WAS-Process-Model
- WAS-Config-APIs
- WoW64-Support
- Windows-Defender
undesired_features:
- XPS-Viewer
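Review bot: `Web-Http-Errors` appears twice as consecutive entries in `desired_features`; the duplicate is a copy error and should be dropped. The `ssl_ciphers` list also needs a comment on ordering and composition: the role writes it verbatim into the SChannel `Functions` registry value, so position is negotiation priority and every suite listed — including the CBC/SHA-1 and `TLS_DHE_DSS_*` entries at the tail — remains negotiable. Add `# Priority-ordered; written verbatim to SChannel Functions by win-initial-setup` above the list and record which clients still require the legacy CBC suites, or remove them. The identical list is repeated as a `set_fact` fallback in the role's set-cipher-suite task file in this same commit; keeping a single copy as a role default avoids drift between the two.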


@ -1,7 +1,6 @@
---
- name: Setup Windows
hosts: all
tasks:
roles:
- role: windows-features
tags:
- features
- role: win-initial-setup


@ -0,0 +1,4 @@
---
# defaults file for win-initial-setup
iis_log_retention_days: 15
iis_log_directory: D:\IISLogs
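Review bot: Neither default is documented, although both are interpolated into a recursive `forfiles ... /C "cmd /c del @PATH"` action in the role's main task list, so a wrong value here deletes the wrong files. Add `# Log files under iis_log_directory older than this many days are deleted daily by the scheduled task` above `iis_log_retention_days`, and quote the path as `iis_log_directory: 'D:\IISLogs'` so the backslashes are unambiguously literal if the value is ever moved into double quotes or a template.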


@ -0,0 +1,2 @@
---
# handlers file for win-initial-setup


@ -0,0 +1,16 @@
---
- name: Set Dotnet SchUseStrongCrypto
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\{{ dotnet_version | default('v4.0.30319') }}
type: dword
name: SchUseStrongCrypto
data: 1
state: present
- name: Set Dotnet SchUseStrongCrypto
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\{{ dotnet_version | default('v4.0.30319') }}
type: dword
name: SystemDefaultTlsVersions
data: 1
state: present
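Review bot: Both tasks carry the name `Set Dotnet SchUseStrongCrypto`, but the second one writes `SystemDefaultTlsVersions`; rename it `- name: Set Dotnet SystemDefaultTlsVersions` so play output and `--start-at-task` can distinguish them. Both tasks touch only the `WOW6432Node` (32-bit) `.NETFramework` key; 64-bit .NET processes read the same values under `HKLM:\SOFTWARE\Microsoft\.NETFramework\<version>`, so a loop over both paths is needed for the hardening to apply to 64-bit applications. Nothing in the visible `main.yml` of this commit imports this task file, so as committed these values are never set; add a comment at the top stating which task list is expected to include it.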


@ -0,0 +1,4 @@
- name: Install Dotnet Framework 4.8
chocolatey.chocolatey.win_chocolatey:
name: dotnetfx
state: latest
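Review bot: The task is named `Install Dotnet Framework 4.8` but `state: latest` installs whatever the `dotnetfx` package currently resolves to and will upgrade the runtime on every later run, which is not idempotent and may schedule a reboot on production hosts. Pin the intended release with `version:` and `state: present`, or rename the task to match the unpinned behaviour and say so in a comment. The file also lacks the `---` document start that the other task files in this commit use.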


@ -0,0 +1,41 @@
---
- name: Set Cipher Suite
ansible.builtin.import_tasks: set-cipher-suite.yml
- name: Set Features
ansible.builtin.import_tasks: set-windows-features.yml
- name: Set DevOps Environment Variables
ansible.windows.win_environment:
level: machine
variables:
ASPNETCORE_ENVIRONMENT: "{{ devops_env }}"
DOTNET_ENVIRONMENT: "{{ devops_env }}"
- name: Install Framework 4.8
ansible.builtin.import_tasks: install-dotnet-framework.yml
- name: Install Latest Microsoft Edge
chocolatey.chocolatey.win_chocolatey:
name: microsoft-edge
state: latest
- name: Create IIS Log Retention Task
community.windows.win_scheduled_task:
state: present
enabled: true
name: IIS Log Retention
description: "{{ iis_log_retention_days }}-day retention"
allow_demand_start: true
allow_hard_terminate: true
execution_time_limit: PT1H
# group: NT AUTHORITY
username: SYSTEM
compatibility: 4
actions:
- path: C:\Windows\System32\forfiles.exe
arguments: /P "{{ iis_log_directory }}" /S /M *.log /D -{{ iis_log_retention_days }} /C "cmd /c del @PATH"
triggers:
- type: daily
enabled: true
start_boundary: "2000-10-10T03:00:00"
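Review bot: The `Create IIS Log Retention Task` action builds a recursive delete (`forfiles /P ... /S /M *.log ... /C "cmd /c del @PATH"`) that runs as `SYSTEM` from two variables, and nothing validates them first: an empty or mistyped `iis_log_directory` or a non-numeric retention value produces a task that deletes from an unintended tree every day at 03:00. Add an `ansible.builtin.assert` immediately before the scheduled-task task, as below, so the play fails instead of scheduling the action. The commented-out `# group: NT AUTHORITY` line should be removed or explained, and `Install Latest Microsoft Edge` with `state: latest` has the same unpinned-upgrade behaviour as the Dotnet install task file.
```yaml
- name: Validate IIS log retention inputs
  ansible.builtin.assert:
    that:
      - iis_log_directory | default('') | length > 0
      - iis_log_retention_days | int > 0
    fail_msg: "iis_log_directory must be set and iis_log_retention_days must be a positive integer"
# … unchanged: Create IIS Log Retention Task …
```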


@ -0,0 +1,32 @@
- name: Set Default Ciphers If None Given
ansible.builtin.set_fact:
ssl_ciphers:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
when: ssl_ciphers is not defined
- name: Set SSL Cipher Suite
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
name: Functions
state: present
type: multistring
data: "{{ ssl_ciphers }}"
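Review bot: Writing `Functions` under `SSL\00010002` with `state: present` replaces the host's enabled cipher-suite set rather than adding to it, so any suite absent from `ssl_ciphers` stops being negotiable; the list contains no TLS 1.3 suites, which matters if any target runs Windows Server 2022. The `set_fact` fallback duplicates the list already present in this commit's inventory; a role default in the new `defaults/main.yml` gives the same precedence (inventory still overrides it) with one copy to maintain and no `when: ssl_ciphers is not defined` guard. Add a comment above the registry task, e.g. `# Priority-ordered; this value supersedes the OS default list — suites not listed are disabled`, and record why the trailing CBC/SHA-1 and `TLS_DHE_DSS_*` suites are retained.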


@ -2,4 +2,4 @@
- hosts: localhost
remote_user: root
roles:
- windows-features
- win-initial-setup


@ -0,0 +1,2 @@
---
# vars file for win-initial-setup


@ -1,56 +0,0 @@
---
# defaults file for windows-features
desired_features:
- FS-FileServer
- Web-Server
- Web-Common-Http
- Web-Default-Doc
- Web-Dir-Browsing
- Web-Http-Errors
- Web-Http-Errors
- Web-Static-Content
- Web-Health
- Web-Http-Logging
- Web-Log-Libraries
- Web-Request-Monitor
- Web-Performance
- Web-Stat-Compression
- Web-Dyn-Compression
- Web-Security
- Web-Filtering
- Web-Basic-Auth
- Web-Windows-Auth
- Web-App-Dev
- Web-Net-Ext45
- Web-AppInit
- Web-ASP
- Web-Asp-Net45
- Web-CGI
- Web-ISAPI-Ext
- Web-ISAPI-Filter
- Web-Includes
- Web-WebSockets
- Web-Mgmt-Compat
- Web-Metabase
- Web-Lgcy-Scripting
- Web-WMI
- Web-Scripting-Tools
- Web-Mgmt-Service
- NET-Framework-45-Features
- NET-Framework-45-Core
- NET-Framework-45-ASPNET
- NET-WCF-HTTP-Activation45
- NET-WCF-TCP-PortSharing45
- Server-Media-Foundation
- RDC
- PowerShellRoot
- PowerShell
- PowerShell-ISE
- WAS
- WAS-Process-Model
- WAS-Config-APIs
- WoW64-Support
- Windows-Defender
undesired_features:
- XPS-Viewer


@ -1,2 +0,0 @@
---
# handlers file for windows-features


@ -1,2 +0,0 @@
---
# vars file for windows-features


@ -0,0 +1,7 @@
---
- name: Install chocolatey
win_chocolatey:
name:
- chocolatey
- chocolatey-core.extension
state: present
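Review bot: `win_chocolatey:` is used by its short name here while the other new task files in this commit use the fully qualified `chocolatey.chocolatey.win_chocolatey`; make it consistent so the collection dependency is explicit. By default this bootstrap fetches the Chocolatey installer and packages from the public community feed; if an internal package source exists, pass it via `source:` so the supply chain for every host is limited to a controlled feed, and document that decision in a comment above the task.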


@ -1,5 +1,4 @@
---
# tasks file for windows-features
- name: Install Desired Windows Features
ansible.windows.win_feature:
name: "{{ desired_features }}"