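---

# Windows host provisioning tasks, run in order: OpenSSH, RDP, power
# settings, PowerShell 7, domain membership, Python, SSH authorized keys,
# firewall rules, and a final reboot when the domain join asks for one.

- name: Install OpenSSH
  ansible.windows.win_feature:
    name: OpenSSH
    state: present
  # This depends on Get-WindowsFeature, provided by RSAT. Not currently
  # available on arm.
  # NOTE(review): the sshd service tasks below carry no such guard, so on an
  # ARM host they assume OpenSSH is already present — confirm.
  when: ansible_architecture != 'ARM 64-bit Processor'

- name: Run OpenSSH automatically
  ansible.windows.win_service:
    name: sshd
    start_mode: auto
    state: started

# Enables Remote Desktop by clearing fDenyTSConnections. Only this value is
# set here; NLA (UserAuthentication) and other RDP hardening are not touched
# by this file.
- name: Allow Terminal Server connections
  ansible.windows.win_regedit:
    path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    name: fDenyTSConnections
    data: '0'
    type: dword

- name: Run RDP automatically
  ansible.windows.win_service:
    name: TermService
    start_mode: auto
    state: started

# The three powercfg tasks use win_command without creates/removes, so they
# report "changed" on every run (not idempotent).
- name: Turn off standby
  ansible.windows.win_command: 'C:\Windows\system32\powercfg.exe /change standby-timeout-ac 0'

- name: Turn off hibernation
  ansible.windows.win_command: 'C:\Windows\system32\powercfg.exe /hibernate off'

- name: Turn off disk timeouts
  ansible.windows.win_command: 'C:\Windows\system32\powercfg.exe /change disk-timeout-ac 0'

# The MSI is fetched straight from the release URL; win_package performs no
# checksum verification of the download, so integrity rests on TLS alone.
# NOTE(review): this is the x64 MSI while the Python installer below is the
# arm64 build — confirm the intended target architecture.
- name: Install powershell
  ansible.windows.win_package:
    path: 'https://github.com/PowerShell/PowerShell/releases/download/v7.3.4/PowerShell-7.3.4-win-x64.msi'
    state: present
    # Product GUID used for idempotence; obtained with:
    # get-wmiobject Win32_Product
    product_id: '{11479679-5C7F-477F-869F-3ED956CE684D}'

# 8.3 short-name path avoids the space in "Program Files".
- name: Set powershell 7 as the default shell for OpenSSH
  ansible.windows.win_regedit:
    path: 'HKLM:\SOFTWARE\OpenSSH'
    name: DefaultShell
    data: 'c:/progra~1/powershell/7/pwsh.exe'

# Domain credentials are resolved at runtime from Bitwarden; no_log keeps the
# rendered arguments (including the password) out of play output and logs.
- name: Join domain
  ansible.windows.win_domain_membership:
    dns_domain_name: 'internal.efficios.com'
    hostname: "{{ ansible_hostname }}"
    domain_ou_path: 'DC=internal,DC=efficios,DC=com'
    state: domain
    domain_admin_user: "{{ lookup('community.general.bitwarden', '2443aefa-0b85-497d-aa0e-aef6011295c4', search='id', field='username')[0] }}"
    domain_admin_password: "{{ lookup('community.general.bitwarden', '2443aefa-0b85-497d-aa0e-aef6011295c4', search='id', field='password')[0] }}"
  no_log: true
  register: domain_state

- name: Install python
  ansible.windows.win_package:
    path: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-arm64.exe'
    state: present
    arguments:
      - '/InstallAllUsers=1'
      - '/SimpleInstall'
      - '/quiet'
    # Skip the install once the launcher exists.
    creates_path: 'C:\Windows\py.exe'

# NOTE(review): win_template does not set the file ACL; sshd only honours
# administrators_authorized_keys when it is writable by Administrators and
# SYSTEM alone — confirm the ACL is handled elsewhere.
- name: Set administrator authorized keys
  ansible.windows.win_template:
    src: 'authorized_keys.j2'
    dest: 'c:\ProgramData\ssh\administrators_authorized_keys'

# c.f. https://galaxy.ansible.com/ui/repo/published/community/windows/content/module/win_firewall_rule/
# NOTE(review): the rule name says "echo request" but icmp_type_code '*'
# admits every ICMPv4 type/code — confirm which is intended.
- name: Firewall rule to allow ICMP v4 on all type codes
  community.windows.win_firewall_rule:
    name: ICMP Allow incoming V4 echo request
    enabled: true
    state: present
    profiles:
      - domain
      - private
      - public
    action: allow
    direction: in
    protocol: icmpv4
    icmp_type_code: '*'

# RDP is only opened on the domain and private profiles, not public.
- name: Firewall rule to allow RDP on TCP port 3389
  community.windows.win_firewall_rule:
    name: Remote Desktop
    localport: '3389'
    action: allow
    direction: in
    protocol: tcp
    profiles:
      - domain
      - private
    state: present
    enabled: true

# reboot_required comes from the registered result of the domain join above.
- name: Reboot if domain changed
  when: domain_state.reboot_required
  ansible.windows.win_reboot: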