commit

inventories/inventory.yml

@@ -7,3 +7,80 @@ all:
       ansible_connection: winrm
       ansible_winrm_transport: ntlm
       ansible_port: 5985
+  vars:
+    devops_env: IDEV
+    ssl_ciphers:
+      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
+      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
+      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
+      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
+      - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+      - TLS_DHE_DSS_WITH_AES_256_CBC_SHA
+      - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+      - TLS_DHE_DSS_WITH_AES_128_CBC_SHA
+    desired_features:
+      - FS-FileServer
+      - Web-Server
+      - Web-Common-Http
+      - Web-Default-Doc
+      - Web-Dir-Browsing
+      - Web-Http-Errors
+      - Web-Http-Errors
+      - Web-Static-Content
+      - Web-Health
+      - Web-Http-Logging
+      - Web-Log-Libraries
+      - Web-Request-Monitor
+      - Web-Performance
+      - Web-Stat-Compression
+      - Web-Dyn-Compression
+      - Web-Security
+      - Web-Filtering
+      - Web-Basic-Auth
+      - Web-Windows-Auth
+      - Web-App-Dev
+      - Web-Net-Ext45
+      - Web-AppInit
+      - Web-ASP
+      - Web-Asp-Net45
+      - Web-CGI
+      - Web-ISAPI-Ext
+      - Web-ISAPI-Filter
+      - Web-Includes
+      - Web-WebSockets
+      - Web-Mgmt-Compat
+      - Web-Metabase
+      - Web-Lgcy-Scripting
+      - Web-WMI
+      - Web-Scripting-Tools
+      - Web-Mgmt-Service
+      - NET-Framework-45-Features
+      - NET-Framework-45-Core
+      - NET-Framework-45-ASPNET
+      - NET-WCF-HTTP-Activation45
+      - NET-WCF-TCP-PortSharing45
+      - Server-Media-Foundation
+      - RDC
+      - PowerShellRoot
+      - PowerShell
+      - PowerShell-ISE
+      - WAS
+      - WAS-Process-Model
+      - WAS-Config-APIs
+      - WoW64-Support
+      - Windows-Defender
+
+    undesired_features:
+      - XPS-Viewer

playbook.yml

@@ -1,7 +1,6 @@
 ---
 - name: Setup Windows
   hosts: all
+  tasks:
   roles:
-    - role: windows-features
+    - role: win-initial-setup
-      tags:
-        - features

roles/win-initial-setup/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# defaults file for win-initial-setup
+iis_log_retention_days: 15
+iis_log_directory: D:\IISLogs

roles/win-initial-setup/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for win-initial-setup

roles/win-initial-setup/tasks/dotnet-crypto.yml

@@ -0,0 +1,16 @@
+---
+- name: Set Dotnet SchUseStrongCrypto
+  ansible.windows.win_regedit:
+    path: HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\{{ dotnet_version | default('v4.0.30319') }}
+    type: dword
+    name: SchUseStrongCrypto
+    data: 1
+    state: present
+
+- name: Set Dotnet SchUseStrongCrypto
+  ansible.windows.win_regedit:
+    path: HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\{{ dotnet_version | default('v4.0.30319') }}
+    type: dword
+    name: SystemDefaultTlsVersions
+    data: 1
+    state: present

roles/win-initial-setup/tasks/install-dotnet-framework.yml

@@ -0,0 +1,4 @@
+- name: Install Dotnet Framework 4.8
+  chocolatey.chocolatey.win_chocolatey:
+    name: dotnetfx
+    state: latest

roles/win-initial-setup/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Set Cipher Suite
+  ansible.builtin.import_tasks: set-cipher-suite.yml
+
+- name: Set Features
+  ansible.builtin.import_tasks: set-windows-features.yml
+
+- name: Set DevOps Environment Variables
+  ansible.windows.win_environment:
+    level: machine
+    variables:
+      ASPNETCORE_ENVIRONMENT: "{{ devops_env }}"
+      DOTNET_ENVIRONMENT: "{{ devops_env }}"
+
+- name: Install Framework 4.8
+  ansible.builtin.import_tasks: install-dotnet-framework.yml
+
+- name: Install Latest Microsoft Edge
+  chocolatey.chocolatey.win_chocolatey:
+    name: microsoft-edge
+    state: latest
+
+- name: Create IIS Log Retention Task
+  community.windows.win_scheduled_task:
+    state: present
+    enabled: true
+    name: IIS Log Retention
+    description: "{{ iis_log_retention_days }}-day retention"
+    allow_demand_start: true
+    allow_hard_terminate: true
+    execution_time_limit: PT1H
+    # group: NT AUTHORITY
+    username: SYSTEM
+    compatibility: 4
+    actions:
+      - path: C:\Windows\System32\forfiles.exe
+        arguments: /P "{{ iis_log_directory }}" /S /M *.log /D -{{ iis_log_retention_days }} /C "cmd /c del @PATH"
+    triggers:
+      - type: daily
+        enabled: true
+        start_boundary: "2000-10-10T03:00:00"

roles/win-initial-setup/tasks/set-cipher-suite.yml

@@ -0,0 +1,32 @@
+- name: Set Default Ciphers If None Given
+  ansible.builtin.set_fact:
+    ssl_ciphers:
+      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
+      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
+      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
+      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
+      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
+      - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+      - TLS_DHE_DSS_WITH_AES_256_CBC_SHA
+      - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+      - TLS_DHE_DSS_WITH_AES_128_CBC_SHA
+  when: ssl_ciphers is not defined
+
+- name: Set SSL Cipher Suite
+  ansible.windows.win_regedit:
+    path: HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
+    name: Functions
+    state: present
+    type: multistring
+    data: "{{ ssl_ciphers }}"

roles/win-initial-setup/tests/test.yml

@@ -2,4 +2,4 @@
 - hosts: localhost
   remote_user: root
   roles:
-    - windows-features
+    - win-initial-setup

roles/win-initial-setup/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for win-initial-setup

roles/windows-features/defaults/main.yml

@@ -1,56 +0,0 @@
----
-# defaults file for windows-features
-desired_features:
-  - FS-FileServer
-  - Web-Server
-  - Web-Common-Http
-  - Web-Default-Doc
-  - Web-Dir-Browsing
-  - Web-Http-Errors
-  - Web-Http-Errors
-  - Web-Static-Content
-  - Web-Health
-  - Web-Http-Logging
-  - Web-Log-Libraries
-  - Web-Request-Monitor
-  - Web-Performance
-  - Web-Stat-Compression
-  - Web-Dyn-Compression
-  - Web-Security
-  - Web-Filtering
-  - Web-Basic-Auth
-  - Web-Windows-Auth
-  - Web-App-Dev
-  - Web-Net-Ext45
-  - Web-AppInit
-  - Web-ASP
-  - Web-Asp-Net45
-  - Web-CGI
-  - Web-ISAPI-Ext
-  - Web-ISAPI-Filter
-  - Web-Includes
-  - Web-WebSockets
-  - Web-Mgmt-Compat
-  - Web-Metabase
-  - Web-Lgcy-Scripting
-  - Web-WMI
-  - Web-Scripting-Tools
-  - Web-Mgmt-Service
-  - NET-Framework-45-Features
-  - NET-Framework-45-Core
-  - NET-Framework-45-ASPNET
-  - NET-WCF-HTTP-Activation45
-  - NET-WCF-TCP-PortSharing45
-  - Server-Media-Foundation
-  - RDC
-  - PowerShellRoot
-  - PowerShell
-  - PowerShell-ISE
-  - WAS
-  - WAS-Process-Model
-  - WAS-Config-APIs
-  - WoW64-Support
-  - Windows-Defender
-
-undesired_features:
-  - XPS-Viewer

roles/windows-features/handlers/main.yml

@@ -1,2 +0,0 @@
----
-# handlers file for windows-features

roles/windows-features/vars/main.yml

@@ -1,2 +0,0 @@
----
-# vars file for windows-features

tasks/install-chocolatey.yml

@@ -0,0 +1,7 @@
+---
+- name: Install chocolatey
+  win_chocolatey:
+    name:
+      - chocolatey
+      - chocolatey-core.extension
+    state: present

tasks/set-windows-features.yml

@@ -1,5 +1,4 @@
 ---
-# tasks file for windows-features
 - name: Install Desired Windows Features
   ansible.windows.win_feature:
     name: "{{ desired_features }}"