commit
This commit is contained in:
parent
fd75bd8dda
commit
51b88e8b92
@ -7,3 +7,80 @@ all:
|
||||
ansible_connection: winrm
|
||||
ansible_winrm_transport: ntlm
|
||||
ansible_port: 5985
|
||||
vars:
|
||||
devops_env: IDEV
|
||||
ssl_ciphers:
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
|
||||
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
|
||||
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
|
||||
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
|
||||
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
|
||||
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
|
||||
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
|
||||
desired_features:
|
||||
- FS-FileServer
|
||||
- Web-Server
|
||||
- Web-Common-Http
|
||||
- Web-Default-Doc
|
||||
- Web-Dir-Browsing
|
||||
- Web-Http-Errors
|
||||
- Web-Http-Errors
|
||||
- Web-Static-Content
|
||||
- Web-Health
|
||||
- Web-Http-Logging
|
||||
- Web-Log-Libraries
|
||||
- Web-Request-Monitor
|
||||
- Web-Performance
|
||||
- Web-Stat-Compression
|
||||
- Web-Dyn-Compression
|
||||
- Web-Security
|
||||
- Web-Filtering
|
||||
- Web-Basic-Auth
|
||||
- Web-Windows-Auth
|
||||
- Web-App-Dev
|
||||
- Web-Net-Ext45
|
||||
- Web-AppInit
|
||||
- Web-ASP
|
||||
- Web-Asp-Net45
|
||||
- Web-CGI
|
||||
- Web-ISAPI-Ext
|
||||
- Web-ISAPI-Filter
|
||||
- Web-Includes
|
||||
- Web-WebSockets
|
||||
- Web-Mgmt-Compat
|
||||
- Web-Metabase
|
||||
- Web-Lgcy-Scripting
|
||||
- Web-WMI
|
||||
- Web-Scripting-Tools
|
||||
- Web-Mgmt-Service
|
||||
- NET-Framework-45-Features
|
||||
- NET-Framework-45-Core
|
||||
- NET-Framework-45-ASPNET
|
||||
- NET-WCF-HTTP-Activation45
|
||||
- NET-WCF-TCP-PortSharing45
|
||||
- Server-Media-Foundation
|
||||
- RDC
|
||||
- PowerShellRoot
|
||||
- PowerShell
|
||||
- PowerShell-ISE
|
||||
- WAS
|
||||
- WAS-Process-Model
|
||||
- WAS-Config-APIs
|
||||
- WoW64-Support
|
||||
- Windows-Defender
|
||||
|
||||
undesired_features:
|
||||
- XPS-Viewer
|
||||
|
@ -1,7 +1,6 @@
|
||||
---
|
||||
- name: Setup Windows
|
||||
hosts: all
|
||||
tasks:
|
||||
roles:
|
||||
- role: windows-features
|
||||
tags:
|
||||
- features
|
||||
- role: win-initial-setup
|
||||
|
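--- /dev/null
+++ b/roles/win-initial-setup/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults file for win-initial-setup
+iis_log_retention_days: 15
+iis_log_directory: D:\IISLogs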
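Review bot: `iis_log_directory: D:\IISLogs` parses as a plain scalar today, but a Windows path is safer single-quoted (`iis_log_directory: 'D:\IISLogs'`) so a later edit that introduces a space, `#` or `: ` cannot silently change how it parses. The value is spliced into a SYSTEM-run `forfiles … /S … del` command in the role's task list, so a one-line comment above it such as `# must be a dedicated log tree: the retention task deletes *.log recursively under it` would warn the next person who overrides it.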
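--- /dev/null
+++ b/roles/win-initial-setup/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for win-initial-setup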
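--- /dev/null
+++ b/roles/win-initial-setup/tasks/dotnet-crypto.yml
@@ -0,0 +1,16 @@
+---
+- name: Set Dotnet SchUseStrongCrypto
+  ansible.windows.win_regedit:
+    path: HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\{{ dotnet_version | default('v4.0.30319') }}
+    type: dword
+    name: SchUseStrongCrypto
+    data: 1
+    state: present
+
+- name: Set Dotnet SchUseStrongCrypto
+  ansible.windows.win_regedit:
+    path: HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\{{ dotnet_version | default('v4.0.30319') }}
+    type: dword
+    name: SystemDefaultTlsVersions
+    data: 1
+    state: present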
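Review bot: Both tasks write only the `WOW6432Node` key, which governs 32-bit .NET processes; 64-bit processes (the default for IIS application pools) read `HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319`, so `SchUseStrongCrypto` and `SystemDefaultTlsVersions` are never applied to them and those apps keep the framework's own TLS defaults. Microsoft's guidance for these two values is to set both the native and the WOW6432Node key. The second task is also mis-named `Set Dotnet SchUseStrongCrypto` although it sets `SystemDefaultTlsVersions`, which makes play output misleading. A single looped task covers all four writes:
```yaml
- name: Enable strong crypto and OS-default TLS versions for .NET Framework (64-bit and WOW64 hives)
  ansible.windows.win_regedit:
    path: '{{ item.hive }}\{{ dotnet_version | default("v4.0.30319") }}'
    name: "{{ item.value_name }}"
    type: dword
    data: 1
    state: present
  loop:
    - { hive: 'HKLM:\SOFTWARE\Microsoft\.NETFramework', value_name: SchUseStrongCrypto }
    - { hive: 'HKLM:\SOFTWARE\Microsoft\.NETFramework', value_name: SystemDefaultTlsVersions }
    - { hive: 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework', value_name: SchUseStrongCrypto }
    - { hive: 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework', value_name: SystemDefaultTlsVersions }
```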
@ -0,0 +1,4 @@
|
||||
- name: Install Dotnet Framework 4.8
|
||||
chocolatey.chocolatey.win_chocolatey:
|
||||
name: dotnetfx
|
||||
state: latest
|
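--- /dev/null
+++ b/roles/win-initial-setup/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: Set Cipher Suite
+  ansible.builtin.import_tasks: set-cipher-suite.yml
+
+- name: Set Features
+  ansible.builtin.import_tasks: set-windows-features.yml
+
+- name: Set DevOps Environment Variables
+  ansible.windows.win_environment:
+    level: machine
+    variables:
+      ASPNETCORE_ENVIRONMENT: "{{ devops_env }}"
+      DOTNET_ENVIRONMENT: "{{ devops_env }}"
+
+- name: Install Framework 4.8
+  ansible.builtin.import_tasks: install-dotnet-framework.yml
+
+- name: Install Latest Microsoft Edge
+  chocolatey.chocolatey.win_chocolatey:
+    name: microsoft-edge
+    state: latest
+
+- name: Create IIS Log Retention Task
+  community.windows.win_scheduled_task:
+    state: present
+    enabled: true
+    name: IIS Log Retention
+    description: "{{ iis_log_retention_days }}-day retention"
+    allow_demand_start: true
+    allow_hard_terminate: true
+    execution_time_limit: PT1H
+    # group: NT AUTHORITY
+    username: SYSTEM
+    compatibility: 4
+    actions:
+      - path: C:\Windows\System32\forfiles.exe
+        arguments: /P "{{ iis_log_directory }}" /S /M *.log /D -{{ iis_log_retention_days }} /C "cmd /c del @PATH"
+    triggers:
+      - type: daily
+        enabled: true
+        start_boundary: "2000-10-10T03:00:00"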
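Review bot: This task list never imports `dotnet-crypto.yml`, so the `SchUseStrongCrypto`/`SystemDefaultTlsVersions` hardening this commit adds in that file is dead code; add `- name: Set .NET Crypto Defaults` / `  ansible.builtin.import_tasks: dotnet-crypto.yml` beside the cipher-suite import (and, since that import and `set-windows-features.yml` are not visible on this page, confirm the latter exists). `Install Latest Microsoft Edge` uses `state: latest` with no `version:` or `source:`, so every run installs whatever the host's default Chocolatey source (the public community feed unless pre-configured) currently serves — an unpinned supply-chain decision on a production web host; the imported `install-dotnet-framework.yml` does the same for `dotnetfx`, and both should be pinned and pointed at an internal feed. The retention task runs `forfiles … /S … "cmd /c del @PATH"` as SYSTEM, so whatever `iis_log_directory` resolves to is pruned recursively; a comment above `actions:` such as `# /S recurses: iis_log_directory must be a dedicated log tree, never a share root` documents that assumption. Note also that the SCHANNEL `Functions` change imported first only takes effect after a reboot, which nothing here schedules or notifies.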
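--- /dev/null
+++ b/roles/win-initial-setup/tasks/set-cipher-suite.yml
@@ -0,0 +1,32 @@
+- name: Set Default Ciphers If None Given
+  ansible.builtin.set_fact:
+    ssl_ciphers:
+      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
+      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
+      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
+      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
+      - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+      - TLS_DHE_DSS_WITH_AES_256_CBC_SHA
+      - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+      - TLS_DHE_DSS_WITH_AES_128_CBC_SHA
+  when: ssl_ciphers is not defined
+
+- name: Set SSL Cipher Suite
+  ansible.windows.win_regedit:
+    path: HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
+    name: Functions
+    state: present
+    type: multistring
+    data: "{{ ssl_ciphers }}"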
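Review bot: The default `ssl_ciphers` list keeps SHA-1 CBC suites (`TLS_ECDHE_*_CBC_SHA_P256/P384`) and the whole `TLS_DHE_DSS_*` family enabled, while an RSA certificate — the common case for IIS — gets exactly one AEAD suite, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`; `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` is missing and no TLS 1.3 suites are listed, so on a release that supports TLS 1.3 this `Functions` value would switch it off. The `_P256`/`_P384`-suffixed names are the Server 2012 R2-era form; the documented names for Server 2016 and later carry no curve suffix (curves are ordered separately), so verify with `Get-TlsCipherSuite` which of these 20 entries the target actually honours — the first entry already uses the unsuffixed form, which suggests a 2016+ target. The identical list is also copied into the inventory on this page, so the `set_fact` default is dead for every host there and the two copies will drift; a role default in `defaults/main.yml` would replace both and still allow per-host overrides. A reboot is required before the new `Functions` value is used, and a list this strict should be checked against any legacy clients (keep only `*_CBC_SHA256`/`SHA384` variants if CBC is unavoidable). Suggested AEAD-only default, strongest first:
```yaml
- name: Set Default Ciphers If None Given
  ansible.builtin.set_fact:
    ssl_ciphers:
      # TLS 1.3 (only honoured on releases that support it — verify on target)
      - TLS_AES_256_GCM_SHA384
      - TLS_AES_128_GCM_SHA256
      # TLS 1.2: ECDHE + AEAD only, no CBC/SHA-1, no DHE_DSS
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  when: ssl_ciphers is not defined
# … unchanged: Set SSL Cipher Suite task …
```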
@ -2,4 +2,4 @@
|
||||
- hosts: localhost
|
||||
remote_user: root
|
||||
roles:
|
||||
- windows-features
|
||||
- win-initial-setup
|
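--- /dev/null
+++ b/roles/win-initial-setup/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for win-initial-setup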
@ -1,56 +0,0 @@
|
||||
---
|
||||
# defaults file for windows-features
|
||||
desired_features:
|
||||
- FS-FileServer
|
||||
- Web-Server
|
||||
- Web-Common-Http
|
||||
- Web-Default-Doc
|
||||
- Web-Dir-Browsing
|
||||
- Web-Http-Errors
|
||||
- Web-Http-Errors
|
||||
- Web-Static-Content
|
||||
- Web-Health
|
||||
- Web-Http-Logging
|
||||
- Web-Log-Libraries
|
||||
- Web-Request-Monitor
|
||||
- Web-Performance
|
||||
- Web-Stat-Compression
|
||||
- Web-Dyn-Compression
|
||||
- Web-Security
|
||||
- Web-Filtering
|
||||
- Web-Basic-Auth
|
||||
- Web-Windows-Auth
|
||||
- Web-App-Dev
|
||||
- Web-Net-Ext45
|
||||
- Web-AppInit
|
||||
- Web-ASP
|
||||
- Web-Asp-Net45
|
||||
- Web-CGI
|
||||
- Web-ISAPI-Ext
|
||||
- Web-ISAPI-Filter
|
||||
- Web-Includes
|
||||
- Web-WebSockets
|
||||
- Web-Mgmt-Compat
|
||||
- Web-Metabase
|
||||
- Web-Lgcy-Scripting
|
||||
- Web-WMI
|
||||
- Web-Scripting-Tools
|
||||
- Web-Mgmt-Service
|
||||
- NET-Framework-45-Features
|
||||
- NET-Framework-45-Core
|
||||
- NET-Framework-45-ASPNET
|
||||
- NET-WCF-HTTP-Activation45
|
||||
- NET-WCF-TCP-PortSharing45
|
||||
- Server-Media-Foundation
|
||||
- RDC
|
||||
- PowerShellRoot
|
||||
- PowerShell
|
||||
- PowerShell-ISE
|
||||
- WAS
|
||||
- WAS-Process-Model
|
||||
- WAS-Config-APIs
|
||||
- WoW64-Support
|
||||
- Windows-Defender
|
||||
|
||||
undesired_features:
|
||||
- XPS-Viewer
|
@ -1,2 +0,0 @@
|
||||
---
|
||||
# handlers file for windows-features
|
@ -1,2 +0,0 @@
|
||||
---
|
||||
# vars file for windows-features
|
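--- /dev/null
+++ b/tasks/install-chocolatey.yml
@@ -0,0 +1,7 @@
+---
+- name: Install chocolatey
+  win_chocolatey:
+    name:
+      - chocolatey
+      - chocolatey-core.extension
+    state: present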
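Review bot: This bootstrap installs `chocolatey` and `chocolatey-core.extension` with no `source:` and no `version:`, so the first step of provisioning trusts whatever the host's default Chocolatey source (the public community feed unless pre-configured) serves at that moment; pin `version:` and set `source:` to an internal mirror, since every later `win_chocolatey` task inherits that trust. The task also uses the short module name `win_chocolatey` while every other task in this commit uses the FQCN `chocolatey.chocolatey.win_chocolatey`; align it. Nothing visible on this page includes `tasks/install-chocolatey.yml` and the role calls `win_chocolatey` directly, so presumably the module's own Chocolatey bootstrap is what actually runs — confirm which path is intended.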
@ -1,5 +1,4 @@
|
||||
---
|
||||
# tasks file for windows-features
|
||||
- name: Install Desired Windows Features
|
||||
ansible.windows.win_feature:
|
||||
name: "{{ desired_features }}"
|