diff --git a/inventories/inventory.yml b/inventories/inventory.yml index 805cdb7..ceb2b61 100644 --- a/inventories/inventory.yml +++ b/inventories/inventory.yml @@ -7,3 +7,80 @@ all: ansible_connection: winrm ansible_winrm_transport: ntlm ansible_port: 5985 + vars: + devops_env: IDEV + ssl_ciphers: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 + - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 + - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 + - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 + - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 + - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 + - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 + - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 + - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 + - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 + - TLS_DHE_DSS_WITH_AES_256_CBC_SHA + - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 + - TLS_DHE_DSS_WITH_AES_128_CBC_SHA + desired_features: + - FS-FileServer + - Web-Server + - Web-Common-Http + - Web-Default-Doc + - Web-Dir-Browsing + - Web-Http-Errors + - Web-Http-Errors + - Web-Static-Content + - Web-Health + - Web-Http-Logging + - Web-Log-Libraries + - Web-Request-Monitor + - Web-Performance + - Web-Stat-Compression + - Web-Dyn-Compression + - Web-Security + - Web-Filtering + - Web-Basic-Auth + - Web-Windows-Auth + - Web-App-Dev + - Web-Net-Ext45 + - Web-AppInit + - Web-ASP + - Web-Asp-Net45 + - Web-CGI + - Web-ISAPI-Ext + - Web-ISAPI-Filter + - Web-Includes + - Web-WebSockets + - Web-Mgmt-Compat + - Web-Metabase + - Web-Lgcy-Scripting + - Web-WMI + - Web-Scripting-Tools + - Web-Mgmt-Service + - NET-Framework-45-Features + - NET-Framework-45-Core + - NET-Framework-45-ASPNET + - NET-WCF-HTTP-Activation45 + - NET-WCF-TCP-PortSharing45 + - Server-Media-Foundation + - RDC + - PowerShellRoot + - PowerShell + - PowerShell-ISE + - WAS + - WAS-Process-Model + - WAS-Config-APIs + - WoW64-Support + - Windows-Defender + + undesired_features: + - XPS-Viewer diff --git a/playbook.yml b/playbook.yml index 5b5de20..fba6e92 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,7 +1,6 @@ --- - name: Setup Windows hosts: all + tasks: roles: - - role: windows-features - tags: - - features + - role: win-initial-setup diff --git a/roles/windows-features/.travis.yml b/roles/win-initial-setup/.travis.yml similarity index 100% rename from roles/windows-features/.travis.yml rename to roles/win-initial-setup/.travis.yml diff --git a/roles/windows-features/README.md b/roles/win-initial-setup/README.md similarity index 100% rename from roles/windows-features/README.md rename to roles/win-initial-setup/README.md diff --git a/roles/win-initial-setup/defaults/main.yml b/roles/win-initial-setup/defaults/main.yml new file mode 100644 index 0000000..3167d75 --- /dev/null +++ b/roles/win-initial-setup/defaults/main.yml @@ -0,0 +1,4 @@ +--- +# defaults file for win-initial-setup +iis_log_retention_days: 15 +iis_log_directory: D:\IISLogs diff --git a/roles/win-initial-setup/handlers/main.yml b/roles/win-initial-setup/handlers/main.yml new file mode 100644 index 0000000..bbdd5ff --- /dev/null +++ b/roles/win-initial-setup/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for win-initial-setup diff --git a/roles/windows-features/meta/main.yml b/roles/win-initial-setup/meta/main.yml similarity index 100% rename from roles/windows-features/meta/main.yml rename to roles/win-initial-setup/meta/main.yml diff --git a/roles/win-initial-setup/tasks/dotnet-crypto.yml b/roles/win-initial-setup/tasks/dotnet-crypto.yml new file mode 100644 index 0000000..68b030d --- /dev/null +++ b/roles/win-initial-setup/tasks/dotnet-crypto.yml @@ -0,0 +1,16 @@ +--- +- name: Set Dotnet SchUseStrongCrypto + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\{{ dotnet_version | default('v4.0.30319') }} + type: dword + name: SchUseStrongCrypto + data: 1 + state: present + +- name: Set Dotnet SchUseStrongCrypto + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\{{ dotnet_version | default('v4.0.30319') }} + type: dword + name: SystemDefaultTlsVersions + data: 1 + state: present diff --git a/roles/win-initial-setup/tasks/install-dotnet-framework.yml b/roles/win-initial-setup/tasks/install-dotnet-framework.yml new file mode 100644 index 0000000..6eab2c9 --- /dev/null +++ b/roles/win-initial-setup/tasks/install-dotnet-framework.yml @@ -0,0 +1,4 @@ +- name: Install Dotnet Framework 4.8 + chocolatey.chocolatey.win_chocolatey: + name: dotnetfx + state: latest diff --git a/roles/win-initial-setup/tasks/main.yml b/roles/win-initial-setup/tasks/main.yml new file mode 100644 index 0000000..900ed60 --- /dev/null +++ b/roles/win-initial-setup/tasks/main.yml @@ -0,0 +1,41 @@ +--- +- name: Set Cipher Suite + ansible.builtin.import_tasks: set-cipher-suite.yml + +- name: Set Features + ansible.builtin.import_tasks: set-windows-features.yml + +- name: Set DevOps Environment Variables + ansible.windows.win_environment: + level: machine + variables: + ASPNETCORE_ENVIRONMENT: "{{ devops_env }}" + DOTNET_ENVIRONMENT: "{{ devops_env }}" + +- name: Install Framework 4.8 + ansible.builtin.import_tasks: install-dotnet-framework.yml + +- name: Install Latest Microsoft Edge + chocolatey.chocolatey.win_chocolatey: + name: microsoft-edge + state: latest + +- name: Create IIS Log Retention Task + community.windows.win_scheduled_task: + state: present + enabled: true + name: IIS Log Retention + description: "{{ iis_log_retention_days }}-day retention" + allow_demand_start: true + allow_hard_terminate: true + execution_time_limit: PT1H + # group: NT AUTHORITY + username: SYSTEM + compatibility: 4 + actions: + - path: C:\Windows\System32\forfiles.exe + arguments: /P "{{ iis_log_directory }}" /S /M *.log /D -{{ iis_log_retention_days }} /C "cmd /c del @PATH" + triggers: + - type: daily + enabled: true + start_boundary: "2000-10-10T03:00:00" diff --git a/roles/win-initial-setup/tasks/set-cipher-suite.yml b/roles/win-initial-setup/tasks/set-cipher-suite.yml new file mode 100644 index 0000000..1f7a0b9 --- /dev/null +++ b/roles/win-initial-setup/tasks/set-cipher-suite.yml @@ -0,0 +1,32 @@ +- name: Set Default Ciphers If None Given + ansible.builtin.set_fact: + ssl_ciphers: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 + - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 + - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 + - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 + - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 + - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 + - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 + - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 + - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 + - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 + - TLS_DHE_DSS_WITH_AES_256_CBC_SHA + - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 + - TLS_DHE_DSS_WITH_AES_128_CBC_SHA + when: ssl_ciphers is not defined + +- name: Set SSL Cipher Suite + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 + name: Functions + state: present + type: multistring + data: "{{ ssl_ciphers }}" diff --git a/roles/windows-features/tests/inventory b/roles/win-initial-setup/tests/inventory similarity index 100% rename from roles/windows-features/tests/inventory rename to roles/win-initial-setup/tests/inventory diff --git a/roles/windows-features/tests/test.yml b/roles/win-initial-setup/tests/test.yml similarity index 68% rename from roles/windows-features/tests/test.yml rename to roles/win-initial-setup/tests/test.yml index 3454a87..f5e29e8 100644 --- a/roles/windows-features/tests/test.yml +++ b/roles/win-initial-setup/tests/test.yml @@ -2,4 +2,4 @@ - hosts: localhost remote_user: root roles: - - windows-features + - win-initial-setup diff --git a/roles/win-initial-setup/vars/main.yml b/roles/win-initial-setup/vars/main.yml new file mode 100644 index 0000000..c84a310 --- /dev/null +++ b/roles/win-initial-setup/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for win-initial-setup diff --git a/roles/windows-features/defaults/main.yml b/roles/windows-features/defaults/main.yml deleted file mode 100644 index 053827f..0000000 --- a/roles/windows-features/defaults/main.yml +++ /dev/null @@ -1,56 +0,0 @@ ---- -# defaults file for windows-features -desired_features: - - FS-FileServer - - Web-Server - - Web-Common-Http - - Web-Default-Doc - - Web-Dir-Browsing - - Web-Http-Errors - - Web-Http-Errors - - Web-Static-Content - - Web-Health - - Web-Http-Logging - - Web-Log-Libraries - - Web-Request-Monitor - - Web-Performance - - Web-Stat-Compression - - Web-Dyn-Compression - - Web-Security - - Web-Filtering - - Web-Basic-Auth - - Web-Windows-Auth - - Web-App-Dev - - Web-Net-Ext45 - - Web-AppInit - - Web-ASP - - Web-Asp-Net45 - - Web-CGI - - Web-ISAPI-Ext - - Web-ISAPI-Filter - - Web-Includes - - Web-WebSockets - - Web-Mgmt-Compat - - Web-Metabase - - Web-Lgcy-Scripting - - Web-WMI - - Web-Scripting-Tools - - Web-Mgmt-Service - - NET-Framework-45-Features - - NET-Framework-45-Core - - NET-Framework-45-ASPNET - - NET-WCF-HTTP-Activation45 - - NET-WCF-TCP-PortSharing45 - - Server-Media-Foundation - - RDC - - PowerShellRoot - - PowerShell - - PowerShell-ISE - - WAS - - WAS-Process-Model - - WAS-Config-APIs - - WoW64-Support - - Windows-Defender - -undesired_features: - - XPS-Viewer diff --git a/roles/windows-features/handlers/main.yml b/roles/windows-features/handlers/main.yml deleted file mode 100644 index 48decbd..0000000 --- a/roles/windows-features/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# handlers file for windows-features diff --git a/roles/windows-features/vars/main.yml b/roles/windows-features/vars/main.yml deleted file mode 100644 index db563cc..0000000 --- a/roles/windows-features/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for windows-features diff --git a/tasks/install-chocolatey.yml b/tasks/install-chocolatey.yml new file mode 100644 index 0000000..6b91232 --- /dev/null +++ b/tasks/install-chocolatey.yml @@ -0,0 +1,7 @@ +--- +- name: Install chocolatey + win_chocolatey: + name: + - chocolatey + - chocolatey-core.extension + state: present diff --git a/roles/windows-features/tasks/main.yml b/tasks/set-windows-features.yml similarity index 94% rename from roles/windows-features/tasks/main.yml rename to tasks/set-windows-features.yml index e582dfb..5f2683c 100644 --- a/roles/windows-features/tasks/main.yml +++ b/tasks/set-windows-features.yml @@ -1,5 +1,4 @@ --- -# tasks file for windows-features - name: Install Desired Windows Features ansible.windows.win_feature: name: "{{ desired_features }}"