---
# Package set comes from inventory (common_windows_packages). Chocolatey
# downloads fail transiently now and then, so the task loops until the
# module reports success; retries/delay are not given, so Ansible's
# defaults apply.
- name: Install applications
  win_chocolatey:
    name: '{{ common_windows_packages }}'
  register: result
  until: result is succeeded

# Chocolatey openssh package with the sshd feature and key-based auth
# feature switched on through package params.
- name: Install openssh
  win_chocolatey:
    name: openssh
    params: /SSHServerFeature /KeyBasedAuthenticationFeature

# Comments out the shared administrators_authorized_keys entry in
# sshd_config. The regexp is intentionally unanchored: it also matches the
# already-commented form, so a second run rewrites the same line instead of
# appending another one (keeps the task idempotent).
- name: Disable common authorized key file for administrators group in sshd_config
  win_lineinfile:
    path: '%ProgramData%\ssh\sshd_config'
    regexp: 'AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys'
    line: '# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys'
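# Inbound allow for the sshd installed above. localport is a string option
# of win_firewall_rule, so it is quoted to keep YAML from typing it as an
# integer. No profile or remoteip restriction is given, so the module's
# defaults apply (rule is not scoped to a source network).
- name: Firewall rule to allow SSH on TCP port 22
  win_firewall_rule:
    name: OpenSSH
    localport: '22'
    action: allow
    direction: in
    protocol: tcp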
# Cosmetic: solid desktop colour for the current user. No type is given,
# so win_regedit writes the RGB triple as a string value.
- name: Set Desktop Solid Color
  win_regedit:
    path: 'HKCU:\Control Panel\Colors'
    name: Background
    data: '74 84 89'

# Machine-wide policy: skip the logon background image.
- name: Disable Logon Background Image
  win_regedit:
    path: 'HKLM:\Software\Policies\Microsoft\Windows\System'
    name: DisableLogonBackgroundImage
    data: 1
    type: dword
# The Windows Time service has to be running (and start at boot) before
# w32tm can reconfigure it.
- name: Start NTP service (w32time)
  win_service:
    name: w32time
    state: started
    start_mode: auto

# Only the first ntp_servers entry is used as peer. The value is
# interpolated straight into the command line, so ntp_servers must come
# from trusted inventory. /reliable:yes marks this host as a reliable time
# source for clients that query it. w32tm gives no idempotency signal,
# hence changed_when: false.
- name: Configure NTP
  win_command: w32tm /config /manualpeerlist:"{{ ntp_servers[0] }}" /reliable:yes /update
  changed_when: false
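# Remove every pagefile and turn off automatic pagefile management.
# Booleans are written as true/false: the original yes/no spellings are
# YAML 1.1-only and read as strings by 1.2 parsers.
- name: Remove all current pagefiles
  win_pagefile:
    remove_all: true
    automatic: false
    state: absent

# Always runs and reports itself unchanged; hibernate state is not
# queried first. Limited to Windows 10 by the when clause.
- name: Disable Hibernate Mode
  win_command: powercfg -h off
  changed_when: false
  when: ansible_distribution is search("Microsoft Windows 10")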
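# DisableCAD=1 removes the Ctrl+Alt+Del secure attention sequence at logon.
# This is a convenience trade-off against a hardening default.
- name: Disable Secure Logon using Registry (Ctrl+Alt+Del sequence for logging)
  win_regedit:
    path: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    name: DisableCAD
    data: 1
    type: dword

# Re-enables the built-in Administrator account on Windows 10, where it
# ships disabled. No password is set by this task, so whatever password the
# account already has stays in effect. account_disabled is a boolean:
# written as false rather than the YAML 1.1-only "no".
- name: Enable Administrator account
  win_user:
    name: Administrator
    account_disabled: false
  when: ansible_distribution is search("Microsoft Windows 10")

# fDenyTSConnections=0 switches Remote Desktop on.
- name: Enable Remote Desktop
  win_regedit:
    path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    name: fDenyTSConnections
    data: 0
    type: dword

# UserAuthentication=0 turns Network Level Authentication off, so the RDP
# logon screen is reachable before any credential is presented. Only
# clients without NLA support need this; leave it at 1 (the hardened
# value) when such clients are not in play.
- name: Allow connections from computers running any version of Remote Desktop (less secure)
  win_regedit:
    path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    name: UserAuthentication
    data: 0
    type: dword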
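# Can't use ansible module because of: https://github.com/ansible/ansible/issues/32478
# Enables the built-in inbound rule groups for RDP and WinRM. The loop
# items are fixed literals, so interpolating them into the shell command
# does not take any external input.
- name: Enable Firewall Inbound Rules Group
  win_shell: Enable-NetFirewallRule -DisplayGroup "{{ item }}"
  changed_when: false
  loop:
    - Remote Desktop
    - Windows Remote Management

# Only AllowUnencrypted is changed here; the Basic-auth switch named in the
# task title lives under winrm/config/service/auth and is not touched by
# this command. With AllowUnencrypted=true, WinRM payloads (and, with Basic
# auth, credentials) travel in clear text over HTTP, so this setting is
# only appropriate on isolated provisioning networks. changed_when: false
# is added to match the other always-run shell tasks in this file.
- name: Use the plaintext WinRM transport and force it to use basic authentication
  win_shell: winrm set winrm/config/service '@{AllowUnencrypted="true"}'
  changed_when: false

# Can't use ansible module because of: https://github.com/ansible/ansible/issues/32478
# Folded scalar keeps the line short; it reads back as one command line.
- name: Allow ICMP
  win_shell: >-
    Set-NetFirewallRule
    -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)"
    -enabled True
  changed_when: false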
# Explorer settings for the current user: show extensions and hidden files.
- name: Show file extensions in Explorer
  win_regedit:
    path: 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    name: HideFileExt
    data: 0
    type: dword

- name: Show hidden files
  win_regedit:
    path: 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    name: '{{ item }}'
    data: 1
    type: dword
  loop:
    - Hidden
    - SuperHidden

# Console QuickEdit, limited to Server 2012 by the when clause.
- name: Enable QuickEdit mode
  win_regedit:
    path: 'HKCU:\Console'
    name: QuickEdit
    data: 1
    type: dword
  when: ansible_distribution is search("Microsoft Windows Server 2012")
# telnet-client via win_feature, which targets Server editions; skipped on
# Windows 10 by the when clause.
- name: Enable telnet
  win_feature:
    name: telnet-client
  when: ansible_distribution is not search("Microsoft Windows 10")

# PuTTY "Default Settings" session values, all written as DWORDs.
# AgentFwd=1 forwards the local SSH agent to every host by default, which
# lets a compromised remote host use the agent's keys for as long as the
# session is open; enabling it per saved session instead limits that
# exposure.
- name: Configure PuTTY
  win_regedit:
    path: 'HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions\Default%20Settings'
    name: '{{ item.name }}'
    data: '{{ item.data }}'
    type: dword
  loop:
    - name: TCPKeepalives
      data: 1
    - name: PingIntervalSecs
      data: 30
    - name: Compression
      data: 1
    - name: AgentFwd
      data: 1
    - name: LinuxFunctionKeys
      data: 1
    - name: MouseIsXterm
      data: 1
    - name: ConnectionSharing
      data: 1
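# Controller-side files under win/ are pushed to the host. Fixes the
# "Dolublecmd" typo in the last task name.
- name: Configure WinSCP
  win_copy:
    src: win/WinSCP.ini
    dest: '%PROGRAMFILES(x86)%\WinSCP\WinSCP.ini'

# Lets choco operate non-interactively for the upgrade task later in
# this file.
- name: Enable allowGlobalConfirmation for Chocolatey
  win_chocolatey_feature:
    name: allowGlobalConfirmation

# remote_src: both paths are on the managed host. %APPDATA% resolves to the
# profile of the account Ansible connects as.
- name: Put Doublecmd link to desktop
  win_copy:
    src: '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Double Commander\Double Commander.lnk'
    dest: '%PUBLIC%\Desktop\'
    remote_src: true

- name: Create config directory for Doublecmd
  win_file:
    path: '%APPDATA%\doublecmd'
    state: directory

- name: Upload Doublecmd configuration file
  win_copy:
    src: win/doublecmd.xml
    dest: '%APPDATA%\doublecmd\doublecmd.xml'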
# Daily unattended "choco upgrade all -y" running as SYSTEM at highest run
# level. Every installed package is upgraded from the configured Chocolatey
# source without review, so the trust placed in that source (and any
# package pins) is what bounds the impact of this task. start_boundary is
# quoted so YAML does not turn it into a timestamp.
- name: Add choco upgrade scheduled task
  win_scheduled_task:
    name: choco upgrade
    description: Chocolatey update task - updates all apps installed by Chocolatey
    actions:
      - path: choco.exe
        arguments: upgrade all -y
    triggers:
      - type: daily
        start_boundary: '2017-10-09T01:00:00'
    run_level: highest
    username: SYSTEM
# bginfo template from the controller, then an HKLM Run entry that launches
# bginfo with it at every logon. No type is given, so the Run value is
# written as a string; the binary path is the Chocolatey shim location.
- name: Upload bginfo config file
  win_copy:
    src: win/bginfo.bgi
    dest: '%PROGRAMDATA%\bginfo.bgi'

- name: Start bginfo after login
  win_regedit:
    path: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    name: bginfo
    data: 'C:\ProgramData\chocolatey\bin\bginfo.exe C:\ProgramData\bginfo.bgi /silent /timer:0 /nolicprompt'
# Installs every listed update category. win_updates does not reboot by
# itself here; the result is registered so the reboot decision can be made
# by the next task.
- name: Install windows updates
  win_updates:
    category_names:
      - Application
      - Connectors
      - CriticalUpdates
      - DefinitionUpdates
      - DeveloperKits
      - FeaturePacks
      - Guidance
      - SecurityUpdates
      - ServicePacks
      - Tools
      - UpdateRollups
      - Updates
  register: windows_updates

# Reboots only when the update run asked for it AND the inventory opts in
# via allow_windows_reboot_during_win_updates (must be defined; an
# undefined variable fails the task). reboot_timeout is in seconds.
- name: Windows reboot
  win_reboot:
    reboot_timeout: 10000
  when: windows_updates.reboot_required and allow_windows_reboot_during_win_updates