#ansible #playbook #playbooks #ssh #winrm #PowerShellRemoting #schedule #scheduledtask #taskscheduler #windows #ubuntu #linux #AIX

**USE CASE ANSIBLE:**

### **Prerequisites:**

The **SSH Server** must be installed locally.

PowerShell:

```powershell
# Check if OpenSSH Server is already installed
$sshServerInstalled = Get-WindowsCapability -Online | Where-Object { $_.Name -eq 'OpenSSH.Server~~~~0.0.1.0' -and $_.State -eq 'Installed' }

if (-not $sshServerInstalled) {
    # Install OpenSSH Server
    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

    # Configure SSH Server to start automatically
    Set-Service -Name sshd -StartupType 'Automatic'

    # Start SSH Server
    Start-Service -Name sshd

    # Optionally configure SSH Agent to start automatically
    Set-Service -Name ssh-agent -StartupType 'Automatic'
    Start-Service -Name ssh-agent

    # Configure Firewall
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "OpenSSH Server is already installed."
}

# Verify SSH Server is running
Get-Service -Name sshd
```

The **domain administrator account** must be added to the local Administrators group.

`net localgroup Administrators "EXCHANGE\jan" /add`

---

### **2024-07-24 15:50**

The above command was executed as a user in **#meshcentral** and seems to work.

### **2024-07-24 15:54**

Added to the **login script**. The goal is to roll out the **SSH installation script** and include it in the **login script**.

### **2024-07-26 11:25**

The **login script** works. However, I still check each PC manually. I noticed that **ESET** is interfering. The **Windows Firewall** is correctly configured via a **PowerShell script**, but **ESET's firewall** does not follow the **Windows Firewall rules** by default. Using **registry keys** and **config imports** did not enable the **"EvaluateOsFirewallRules"** option. However, it can be set via the **ESET GUI**.
#### **Registry key**

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Config\Settings\Firewall]
"EvaluateOsFirewallRules"=dword:00000001
```

#### **ESET settings:**

`<NODE NAME="EvaluateOsFirewallRules" TYPE="number" VALUE="1" />`

---

### **2024-07-27 15:27**

Just watched a video about **#Ansible #Semaphore #AnsibleSemaphore**:

📌 **[Watch here](https://www.youtube.com/watch?v=NyOSoLn5T5U)**

- **Ansible in Windows Environments**: [Watch here](https://www.youtube.com/watch?v=xvhOgSrXk00)
- **Ansible Playlist**: [Watch here](https://www.youtube.com/watch?v=3RiVKs8GHYQ&list=PLT98CRl2KxKEUHie1m24-wkyHpEsa4Y70)
- **#WinRM** (See also: [[WinRM, PSRemoting]])

---

## **Login Script Update**

Updated the **login script** to force-enable **WinRM**, allowing **remote PC management via WinRM and SSH**.

### **Next Step: Start with Ansible Installation**

---

## **Ansible for Linux Servers**

### **SSH Setup**

- Log in to **all servers via SSH**
- Generate an **SSH key**: `ssh-keygen -t ed25519 -C "Comment Here..."`
  - A location for the **key file** will be requested.
  - You'll be asked for a **passphrase** (optional).
  - After completion, the **~/.ssh/** directory will contain:
    - `id_ed25519` → **Private Key**
    - `id_ed25519.pub` → **Public Key**
- The **public key** must be copied to the **remote servers** for passwordless SSH: `ssh-copy-id -i ~/.ssh/id_ed25519.pub <server-ip-or-hostname>`
- Verify: `ssh <server-ip-or-hostname>`
- On the **remote host**, the key will be stored in `~/.ssh/authorized_keys`.

#### **SSH Key for Ansible**

- Generate a separate key for **Ansible**: `ssh-keygen -t ed25519 -C "Ansible"`
- Save it with a **clear name** and **no passphrase**.
- Copy the key to **all managed servers**: `ssh-copy-id -i ~/.ssh/ansible.pub <server-ip-or-hostname>`
- Check which hosts have an **authorized key**: `cat ~/.ssh/authorized_keys`

---

## **GIT (Skipping for now)**

```bash
sudo apt update
sudo apt install git
```

### **Create a GitHub Repository**

1. Go to **Settings → SSH and GPG keys**.
2. Add the **public SSH key** (`id_ed25519.pub`).
3. Clone the repository to your local machine: `git clone <github-ssh-link>`
4. Configure Git:

```bash
git config --global user.name "boerict"
git config --global user.email "[email protected]"
```

---

## **Ansible Installation**

```bash
sudo apt update
sudo apt install ansible sshpass
cd /git
vi inventory
```

- **Add hosts to the inventory** (preferably **FQDNs**).
- Add the inventory file to **Git version control**:

```bash
git add inventory
git commit -m "First commit of inventory file"
git push origin master
```

---

## **Ansible Commands**

```bash
ansible all --key-file ~/.ssh/Ansible -i /scripts/inventory -m ping
ansible all -m ping
```

### **Config File (ansible.cfg)**

```ini
[defaults]
inventory = <inventory filename>
private_key_file = ~/.ssh/Ansible
```

- Save this file in the same directory as your **inventory file**.
- This overrides the default **/etc/ansible/ansible.cfg**.
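With the `ansible.cfg` and inventory above in place, the per-host `ssh-copy-id` step from **SSH Key for Ansible** can be done in one idempotent run. This playbook is an added example, not part of the original note; it assumes the key pair `~/.ssh/Ansible` / `~/.ssh/Ansible.pub` on the control node and the `ansible.posix` collection installed there.

```yaml
# Added example (not from the original note): authorize the Ansible key on every
# host in the inventory instead of running ssh-copy-id host by host.
# Assumptions: ~/.ssh/Ansible.pub exists on the control node and the
# ansible.posix collection is installed (ansible-galaxy collection install ansible.posix).
#
# Bootstrap run, while no host trusts the key yet (sshpass was installed above
# precisely so that --ask-pass works):
#   ansible-playbook deploy-ansible-key.yml --ask-pass
# Every later run, and every later `ansible all -m ping`, needs no password.
- name: Authorize the Ansible SSH key on all Linux servers
  hosts: all
  vars:
    ansible_pubkey_file: ~/.ssh/Ansible.pub   # path on the control node
  tasks:
    - name: Add the Ansible public key to the login user's authorized_keys
      ansible.posix.authorized_key:
        user: "{{ ansible_user_id }}"           # the user Ansible logged in as (from facts)
        key: "{{ lookup('file', ansible_pubkey_file) }}"
        state: present
        exclusive: false                        # keep any keys that are already there
      # The module also creates ~/.ssh (0700) and authorized_keys (0600) if missing.

    - name: Read back authorized_keys, the same check as `cat ~/.ssh/authorized_keys`
      ansible.builtin.slurp:
        src: "{{ ansible_user_dir }}/.ssh/authorized_keys"
      register: authorized

    - name: Show which keys this host now trusts
      ansible.builtin.debug:
        msg: "{{ (authorized.content | b64decode).splitlines() }}"
```

Re-running the play reports `ok` instead of `changed` for hosts that already trust the key, which doubles as the "which hosts have an authorized key" check.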
**Simplified Ansible command:** `ansible all -m ping`

### **List Hosts in Ansible**

`ansible all --list-hosts`

### **Adding a New Host**

`ssh-copy-id -i ~/.ssh/Ansible.pub <new-hostname>`

---

## **Ansible Configuration for Windows**

### **Tested with the following files in `/ansible` on a Linux host:**

#### **ansible.cfg**

```ini
[defaults]
inventory = inventory

[winrm]
transport = credssp
port = 5985
```

#### **inventory**

```ini
[windows]
ict-2a.<domainname> ansible_host=192.168.3.11

[windows:vars]
type=Windows
ansible_user=exchange\jan
ansible_password=<password>
ansible_port=5985
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=ignore
```

Two things to keep in mind with this inventory: `ansible_winrm_server_cert_validation=ignore` only matters for the HTTPS listener (5986); on `ansible_port=5985` there is no TLS at all. And `ansible_password` is stored in plain text, so this file should not be committed as-is (put the password in an `ansible-vault` encrypted variable instead).

#### **Test connection:**

`ansible windows -i inventory -m win_ping`

---

## **Ansible Playbook Examples**

### **Install IIS**

```yaml
- name: Install IIS on Windows Server
  hosts: windows
  tasks:
    - name: Install IIS
      win_feature:
        name: Web-Server
        state: present
```

### **Restart Spooler Service**

```yaml
- name: Restart Spooler service
  hosts: windows
  tasks:
    - name: Restart Spooler
      win_service:
        name: Spooler
        state: restarted
```

**Run Playbook:** `ansible-playbook -i inventory site.yml`

---
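Once WinRM works, the **Prerequisites** at the top of this note (OpenSSH Server, firewall rule, domain admin in local Administrators) no longer need the login script and can be enforced over WinRM against the `windows` group above. This playbook is an added example, not part of the original note; it assumes the `ansible.windows` and `community.windows` collections are installed on the control node.

```yaml
# Added example (not from the original note): the prerequisite PowerShell script
# from the top of this note, expressed as an idempotent playbook run over WinRM.
# Assumptions: ansible.windows and community.windows collections are installed
# (ansible-galaxy collection install ansible.windows community.windows).
- name: Ensure OpenSSH Server prerequisites on all Windows clients
  hosts: windows
  gather_facts: false
  vars:
    domain_admin_account: 'EXCHANGE\jan'   # same account as the net localgroup command
  tasks:
    - name: Install the OpenSSH Server capability if it is missing
      ansible.windows.win_powershell:
        script: |
          $cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
          if ($cap.State -ne 'Installed') {
              Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0' | Out-Null
              $Ansible.Changed = $true     # report "changed" only when we installed it
          } else {
              $Ansible.Changed = $false
          }

    - name: Ensure sshd and ssh-agent start automatically and are running
      ansible.windows.win_service:
        name: "{{ item }}"
        start_mode: auto
        state: started
      loop:
        - sshd
        - ssh-agent

    - name: Allow inbound TCP 22 in the Windows Firewall (same rule as the script)
      community.windows.win_firewall_rule:
        name: OpenSSH Server (sshd)
        direction: in
        action: allow
        protocol: tcp
        localport: 22
        enabled: true
        state: present

    - name: Add the domain administrator to the local Administrators group
      ansible.windows.win_group_membership:
        name: Administrators
        members:
          - "{{ domain_admin_account }}"
        state: present

    - name: Verify sshd is listening on port 22
      ansible.windows.win_wait_for:
        port: 22
        timeout: 30
```

The ESET `EvaluateOsFirewallRules` setting is deliberately left out, since the note above records that setting it via the registry did not take effect.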