From 372df1b9e9ab02ea11eb9a3ba98edc68cf0104f5 Mon Sep 17 00:00:00 2001 From: Alexandre Pires Date: Sat, 5 Jul 2025 21:36:47 +0200 Subject: [PATCH] Add Windows game optimization setup and configuration scripts --- Readme.MD | 22 +- ansible/files/scripts/launcher.bat | 5 + .../host_vars/game-01.lab.alexpires.me.yml | 11 + ansible/host_vars/gpu-01.lab.alexpires.me.yml | 2 +- ansible/playbook_windows_game.yml | 7 + ansible/sectool.env | 2 + ansible/tasks/windows_game.yml | 186 ++++++++ inventory/hosts | 8 +- requirements/ansible.txt | 3 +- scripts/ConfigureRemotingForAnsible.ps1 | 435 ++++++++++++++++++ terraform/apps/dev-01/config.tf | 7 +- 11 files changed, 683 insertions(+), 5 deletions(-) create mode 100644 ansible/files/scripts/launcher.bat create mode 100644 ansible/host_vars/game-01.lab.alexpires.me.yml create mode 100644 ansible/playbook_windows_game.yml create mode 100644 ansible/tasks/windows_game.yml create mode 100644 scripts/ConfigureRemotingForAnsible.ps1 diff --git a/Readme.MD b/Readme.MD index 12c1639..0a56657 100644 --- a/Readme.MD +++ b/Readme.MD @@ -26,4 +26,24 @@ Download latest version from [here](https://github.com/contabo/cntb/releases). Setup: ``` sectool exec cntb get instances --oauth2-clientid="$CONTABO_CLIENT_ID" --oauth2-client-secret="$CONTABO_CLIENT_SECRET" --oauth2-user="$CONTABO_API_USER" --oauth2-password="$CONTABO_API_PASSWORD" -``` \ No newline at end of file +``` + +# Windows + +## Create a Dedicated “Ansible” User (One-Time Setup) + +``` +net user provision /add +net localgroup Administrators provision /add +# Prevent password expiration +wmic UserAccount where "Name='provision'" set PasswordExpires=FALSE +''' + +## Configure windows to allow Ansible to connect via WinRM + +Copy the script located in scripts "ConfigureRemotingForAnsible.ps1" and run it on the target machine. + +''' +Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass +.\ConfigureRemotingForAnsible.ps1 +''' \ No newline at end of file diff --git a/ansible/files/scripts/launcher.bat b/ansible/files/scripts/launcher.bat new file mode 100644 index 0000000..2daf4aa --- /dev/null +++ b/ansible/files/scripts/launcher.bat @@ -0,0 +1,5 @@ +@echo off +start "" "C:\Program Files (x86)\Steam\steam.exe" +start "" "C:\Program Files\Sunshine\sunshine.exe" +start "" "C:\Path\To\MetaAirLink\metaairlink.exe" +exit diff --git a/ansible/host_vars/game-01.lab.alexpires.me.yml b/ansible/host_vars/game-01.lab.alexpires.me.yml new file mode 100644 index 0000000..936cd4f --- /dev/null +++ b/ansible/host_vars/game-01.lab.alexpires.me.yml @@ -0,0 +1,11 @@ +hostname: game-01.lab.alexpires.me +ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}" +ansible_password: "{{ lookup('env', 'WIN_PROVISION_PASSWORD') }}" +ansible_connection: winrm +ansible_winrm_transport: basic +ansible_winrm_server_cert_validation: ignore + +game_user: "GameUser" +game_password: "{{ lookup('env', 'WIN_GAME_PASSWORD') }}" +game_default_groups: + - Administradores # This is mandatory to install games diff --git a/ansible/host_vars/gpu-01.lab.alexpires.me.yml b/ansible/host_vars/gpu-01.lab.alexpires.me.yml index 3b0b6bb..c771ee0 100644 --- a/ansible/host_vars/gpu-01.lab.alexpires.me.yml +++ b/ansible/host_vars/gpu-01.lab.alexpires.me.yml @@ -1,7 +1,7 @@ hostname: gpu-01.lab.alexpires.me ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}" -network_interface: eno1 +network_interface: enp3s0 # Users login_users: diff --git a/ansible/playbook_windows_game.yml b/ansible/playbook_windows_game.yml new file mode 100644 index 0000000..0c653ec --- /dev/null +++ b/ansible/playbook_windows_game.yml @@ -0,0 +1,7 @@ +- name: Setup Windows Game Optimization + hosts: windows_game + + tasks: + - name: Setup WakeOnLan + ansible.builtin.include_tasks: + file: tasks/windows_game.yml diff --git a/ansible/sectool.env b/ansible/sectool.env index 75b7c83..53048f0 100644 --- a/ansible/sectool.env +++ b/ansible/sectool.env @@ -13,3 +13,5 @@ KMS_KEY_ARN=$KMS_KEY_ARN GITEA_APP_TOKEN=$GITEA_APP_TOKEN CLOUDNS_AUTH_ID=$CLOUDNS_AUTH_ID CLOUDNS_PASSWORD=$CLOUDNS_PASSWORD +WIN_PROVISION_PASSWORD=$WIN_PROVISION_PASSWORD +WIN_GAME_PASSWORD=$WIN_GAME_PASSWORD diff --git a/ansible/tasks/windows_game.yml b/ansible/tasks/windows_game.yml new file mode 100644 index 0000000..d61c592 --- /dev/null +++ b/ansible/tasks/windows_game.yml @@ -0,0 +1,186 @@ +- name: Create limited GameUser + ansible.windows.win_user: + name: "{{ game_user }}" + password: "{{ game_password }}" + groups: "{{ game_default_groups }}" + account_disabled: false + password_never_expires: true + user_cannot_change_password: true + state: present + +- name: Configure auto-login for GameUser + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon + name: "{{ item.name }}" + data: "{{ item.data }}" + type: string + loop: + - { name: "AutoAdminLogon", data: "1" } + - { name: "DefaultUserName", data: "{{ game_user }}" } + - { name: "DefaultPassword", data: "{{ game_password }}" } + - { name: "DefaultDomainName", data: "{{ ansible_hostname }}" } + +- name: Create launcher script directory + ansible.windows.win_file: + path: C:\GameShell + state: directory + +- name: Deploy launcher.bat + ansible.windows.win_copy: + dest: C:\GameShell\launcher.bat + content: "{{ lookup('file', 'scripts/launcher.bat') }}" + +- name: Set High Performance Power Plan + ansible.windows.win_command: powercfg -setactive SCHEME_MIN + +- name: Disable auto suspend (sleep) for plugged in + ansible.windows.win_command: powercfg -change -standby-timeout-ac 0 + +- name: Disable auto suspend (sleep) for battery + ansible.windows.win_command: powercfg -change -standby-timeout-dc 0 + +- name: Disable Windows Defender Real-Time Protection + ansible.windows.win_shell: Set-MpPreference -DisableRealtimeMonitoring $true + +- name: Remove unnecessary startup items (HKLM) + ansible.windows.win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Run + name: SecurityHealth + state: absent + +- name: Remove startup folder shortcuts (user) + ansible.windows.win_file: + path: "{{ item }}" + state: absent + with_fileglob: + - "{{ ansible_env.APPDATA }}\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.lnk" + +- name: Remove startup folder shortcuts (all users) + ansible.windows.win_file: + path: "{{ item }}" + state: absent + with_fileglob: + - "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.lnk" + +- name: Disable Xbox Game Bar and DVR + ansible.windows.win_regedit: + path: HKCU:\Software\Microsoft\Windows\CurrentVersion\GameDVR + name: AppCaptureEnabled + data: 0 + type: dword + state: present + +- name: Disable GameDVR_Enabled + ansible.windows.win_regedit: + path: HKCU:\System\GameConfigStore + name: GameDVR_Enabled + data: 0 + type: dword + state: present + +- name: Disable GameDVR_FSEBehaviorMode + ansible.windows.win_regedit: + path: HKCU:\System\GameConfigStore + name: GameDVR_FSEBehaviorMode + data: 2 + type: dword + state: present + +- name: Disable GameDVR_HonorUserFSEBehaviorMode + ansible.windows.win_regedit: + path: HKCU:\System\GameConfigStore + name: GameDVR_HonorUserFSEBehaviorMode + data: 1 + type: dword + state: present + +- name: Disable Windows notifications + ansible.windows.win_regedit: + path: HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications + name: ToastEnabled + data: 0 + type: dword + state: present + +- name: Disable background services + vars: + services_to_disable: + - WSearch + - SysMain + - DiagTrack + - XblAuthManager + - XblGameSave + - XboxGipSvc + - Fax + - MapsBroker + - RetailDemo + - RemoteRegistry + - WMPNetworkSvc + - edgeupdate + - WpnService + - BITS + - WerSvc + - Spooler + - SCardSvr + ansible.windows.win_service: + name: "{{ item }}" + start_mode: disabled + state: stopped + loop: "{{ services_to_disable }}" + +- name: Get all services + ansible.windows.win_service_info: + register: win_services + +- name: Disable scheduled telemetry tasks + vars: + scheduled_tasks_to_disable: + - "\\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater" + - "\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator" + - "\\Microsoft\\Windows\\Customer Experience Improvement Program\\KernelCeipTask" + - "\\Microsoft\\Windows\\Feedback\\Siuf\\DmClient" + - "\\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting" + ansible.windows.win_shell: | + schtasks /Change /TN "{{ item }}" /Disable + loop: "{{ scheduled_tasks_to_disable }}" + register: telemetry_task_result + failed_when: "{{ telemetry_task_result.rc != 0 and ('ERROR: The system cannot find the file specified.' not in telemetry_task_result.stderr) }}" + +- name: Disable Windows Search feature + ansible.windows.win_shell: DISM /Online /Disable-Feature /FeatureName:SearchEngine-Client-Package /NoRestart + register: disable_search_result + failed_when: > + disable_search_result.rc != 0 and + ('The specified package is not valid Windows package' not in disable_search_result.stderr) and + ('is already disabled' not in disable_search_result.stdout) + +- name: Disable Windows Media Player feature + ansible.windows.win_shell: DISM /Online /Disable-Feature /FeatureName:WindowsMediaPlayer /NoRestart + register: disable_wmp_result + failed_when: > + disable_wmp_result.rc != 0 and + ('The specified package is not valid Windows package' not in disable_wmp_result.stderr) and + ('is already disabled' not in disable_wmp_result.stdout) + +- name: Disable Print to PDF + ansible.windows.win_shell: DISM /Online /Disable-Feature /FeatureName:Printing-PrintToPDFServices-Features /NoRestart + register: disable_print_pdf_result + failed_when: > + disable_print_pdf_result.rc != 0 and + ('The specified package is not valid Windows package' not in disable_print_pdf_result.stderr) and + ('is already disabled' not in disable_print_pdf_result.stdout) + +- name: Reminder - NVIDIA Control Panel Tweaks (manual) + ansible.builtin.debug: + msg: | + Please manually set the following in NVIDIA Control Panel: + - Power Management: Prefer Maximum Performance + - Low Latency Mode: Ultra + - Vertical Sync: Off or Fast Sync (depending on monitor) + +# - name: Set custom shell to launcher.bat +# ansible.windows.win_regedit: +# path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon +# name: Shell +# data: C:\GameShell\launcher.bat +# type: string diff --git a/inventory/hosts b/inventory/hosts index 79383a6..00568a9 100644 --- a/inventory/hosts +++ b/inventory/hosts @@ -94,4 +94,10 @@ gpu-01.lab.alexpires.me gpu-01.lab.alexpires.me [auto_suspend] -gpu-01.lab.alexpires.me \ No newline at end of file +gpu-01.lab.alexpires.me + +[windows] +game-01.lab.alexpires.me + +[windows_game] +game-01.lab.alexpires.me diff --git a/requirements/ansible.txt b/requirements/ansible.txt index 711f325..63eb894 100644 --- a/requirements/ansible.txt +++ b/requirements/ansible.txt @@ -2,4 +2,5 @@ ansible ansible-lint ansible-playbook-grapher passlib -fabric \ No newline at end of file +fabric +pywinrm \ No newline at end of file diff --git a/scripts/ConfigureRemotingForAnsible.ps1 b/scripts/ConfigureRemotingForAnsible.ps1 new file mode 100644 index 0000000..e096144 --- /dev/null +++ b/scripts/ConfigureRemotingForAnsible.ps1 @@ -0,0 +1,435 @@ +#Requires -Version 3.0 + +# Configure a Windows host for remote management with Ansible +# ----------------------------------------------------------- +# +# This script checks the current WinRM (PS Remoting) configuration and makes +# the necessary changes to allow Ansible to connect, authenticate and +# execute PowerShell commands. +# +# IMPORTANT: This script uses self-signed certificates and authentication mechanisms +# that are intended for development environments and evaluation purposes only. +# Production environments and deployments that are exposed on the network should +# use CA-signed certificates and secure authentication mechanisms such as Kerberos. +# +# To run this script in Powershell: +# +# [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +# $url = "https://raw.githubusercontent.com/ansible/ansible-documentation/devel/examples/scripts/ConfigureRemotingForAnsible.ps1" +# $file = "$env:temp\ConfigureRemotingForAnsible.ps1" +# +# (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file) +# +# powershell.exe -ExecutionPolicy ByPass -File $file +# +# All events are logged to the Windows EventLog, useful for unattended runs. +# +# Use option -Verbose in order to see the verbose output messages. +# +# Use option -CertValidityDays to specify how long this certificate is valid +# starting from today. So you would specify -CertValidityDays 3650 to get +# a 10-year valid certificate. +# +# Use option -ForceNewSSLCert if the system has been SysPreped and a new +# SSL Certificate must be forced on the WinRM Listener when re-running this +# script. This is necessary when a new SID and CN name is created. +# +# Use option -EnableCredSSP to enable CredSSP as an authentication option. +# +# Use option -DisableBasicAuth to disable basic authentication. +# +# Use option -SkipNetworkProfileCheck to skip the network profile check. +# Without specifying this the script will only run if the device's interfaces +# are in DOMAIN or PRIVATE zones. Provide this switch if you want to enable +# WinRM on a device with an interface in PUBLIC zone. +# +# Use option -SubjectName to specify the CN name of the certificate. This +# defaults to the system's hostname and generally should not be specified. + +# Written by Trond Hindenes +# Updated by Chris Church +# Updated by Michael Crilly +# Updated by Anton Ouzounov +# Updated by Nicolas Simond +# Updated by Dag Wieërs +# Updated by Jordan Borean +# Updated by Erwan Quélin +# Updated by David Norman +# +# Version 1.0 - 2014-07-06 +# Version 1.1 - 2014-11-11 +# Version 1.2 - 2015-05-15 +# Version 1.3 - 2016-04-04 +# Version 1.4 - 2017-01-05 +# Version 1.5 - 2017-02-09 +# Version 1.6 - 2017-04-18 +# Version 1.7 - 2017-11-23 +# Version 1.8 - 2018-02-23 +# Version 1.9 - 2018-09-21 + +# Support -Verbose option +[CmdletBinding()] + +Param ( + [string]$SubjectName = $env:COMPUTERNAME, + [int]$CertValidityDays = 1095, + [switch]$SkipNetworkProfileCheck, + $CreateSelfSignedCert = $true, + [switch]$ForceNewSSLCert, + [switch]$GlobalHttpFirewallAccess, + [switch]$DisableBasicAuth = $false, + [switch]$EnableCredSSP +) + +Function Write-ProgressLog { + $Message = $args[0] + Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1 -Message $Message +} + +Function Write-VerboseLog { + $Message = $args[0] + Write-Verbose $Message + Write-ProgressLog $Message +} + +Function Write-HostLog { + $Message = $args[0] + Write-Output $Message + Write-ProgressLog $Message +} + +Function New-LegacySelfSignedCert { + Param ( + [string]$SubjectName, + [int]$ValidDays = 1095 + ) + + $hostnonFQDN = $env:computerName + $hostFQDN = [System.Net.Dns]::GetHostByName(($env:computerName)).Hostname + $SignatureAlgorithm = "SHA256" + + $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1" + $name.Encode("CN=$SubjectName", 0) + + $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1" + $key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider" + $key.KeySpec = 1 + $key.Length = 4096 + $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" + $key.MachineContext = 1 + $key.Create() + + $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1" + $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") + $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1" + $ekuoids.Add($serverauthoid) + $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" + $ekuext.InitializeEncode($ekuoids) + + $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1" + $cert.InitializeFromPrivateKey(2, $key, "") + $cert.Subject = $name + $cert.Issuer = $cert.Subject + $cert.NotBefore = (Get-Date).AddDays(-1) + $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays) + + $SigOID = New-Object -ComObject X509Enrollment.CObjectId + $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value) + + [string[]] $AlternativeName += $hostnonFQDN + $AlternativeName += $hostFQDN + $IAlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames + + foreach ($AN in $AlternativeName) { + $AltName = New-Object -ComObject X509Enrollment.CAlternativeName + $AltName.InitializeFromString(0x3, $AN) + $IAlternativeNames.Add($AltName) + } + + $SubjectAlternativeName = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames + $SubjectAlternativeName.InitializeEncode($IAlternativeNames) + + [String[]]$KeyUsage = ("DigitalSignature", "KeyEncipherment") + $KeyUsageObj = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage + $KeyUsageObj.InitializeEncode([int][Security.Cryptography.X509Certificates.X509KeyUsageFlags]($KeyUsage)) + $KeyUsageObj.Critical = $true + + $cert.X509Extensions.Add($KeyUsageObj) + $cert.X509Extensions.Add($ekuext) + $cert.SignatureInformation.HashAlgorithm = $SigOID + $CERT.X509Extensions.Add($SubjectAlternativeName) + $cert.Encode() + + $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1" + $enrollment.InitializeFromRequest($cert) + $certdata = $enrollment.CreateRequest(0) + $enrollment.InstallResponse(2, $certdata, 0, "") + + # extract/return the thumbprint from the generated cert + $parsed_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 + $parsed_cert.Import([System.Text.Encoding]::UTF8.GetBytes($certdata)) + + return $parsed_cert.Thumbprint +} + +Function Enable-GlobalHttpFirewallAccess { + Write-Verbose "Forcing global HTTP firewall access" + # this is a fairly naive implementation; could be more sophisticated about rule matching/collapsing + $fw = New-Object -ComObject HNetCfg.FWPolicy2 + + # try to find/enable the default rule first + $add_rule = $false + $matching_rules = $fw.Rules | Where-Object { $_.Name -eq "Windows Remote Management (HTTP-In)" } + $rule = $null + If ($matching_rules) { + If ($matching_rules -isnot [Array]) { + Write-Verbose "Editing existing single HTTP firewall rule" + $rule = $matching_rules + } + Else { + # try to find one with the All or Public profile first + Write-Verbose "Found multiple existing HTTP firewall rules..." + $rule = $matching_rules | ForEach-Object { $_.Profiles -band 4 }[0] + + If (-not $rule -or $rule -is [Array]) { + Write-Verbose "Editing an arbitrary single HTTP firewall rule (multiple existed)" + # oh well, just pick the first one + $rule = $matching_rules[0] + } + } + } + + If (-not $rule) { + Write-Verbose "Creating a new HTTP firewall rule" + $rule = New-Object -ComObject HNetCfg.FWRule + $rule.Name = "Windows Remote Management (HTTP-In)" + $rule.Description = "Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]" + $add_rule = $true + } + + $rule.Profiles = 0x7FFFFFFF + $rule.Protocol = 6 + $rule.LocalPorts = 5985 + $rule.RemotePorts = "*" + $rule.LocalAddresses = "*" + $rule.RemoteAddresses = "*" + $rule.Enabled = $true + $rule.Direction = 1 + $rule.Action = 1 + $rule.Grouping = "Windows Remote Management" + + If ($add_rule) { + $fw.Rules.Add($rule) + } + + Write-Verbose "HTTP firewall rule $($rule.Name) updated" +} + +# Setup error handling. +Trap { + $_ + Exit 1 +} +$ErrorActionPreference = "Stop" + +# Get the ID and security principal of the current user account +$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent() +$myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID) + +# Get the security principal for the Administrator role +$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator + +# Check to see if we are currently running "as Administrator" +if (-Not $myWindowsPrincipal.IsInRole($adminRole)) { + Write-Output "ERROR: You need elevated Administrator privileges in order to run this script." + Write-Output " Start Windows PowerShell by using the Run as Administrator option." + Exit 2 +} + +$EventSource = $MyInvocation.MyCommand.Name +If (-Not $EventSource) { + $EventSource = "Powershell CLI" +} + +If ([System.Diagnostics.EventLog]::Exists('Application') -eq $False -or [System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) { + New-EventLog -LogName Application -Source $EventSource +} + +# Detect PowerShell version. +If ($PSVersionTable.PSVersion.Major -lt 3) { + Write-ProgressLog "PowerShell version 3 or higher is required." + Throw "PowerShell version 3 or higher is required." +} + +# Find and start the WinRM service. +Write-Verbose "Verifying WinRM service." +If (!(Get-Service "WinRM")) { + Write-ProgressLog "Unable to find the WinRM service." + Throw "Unable to find the WinRM service." +} +ElseIf ((Get-Service "WinRM").Status -ne "Running") { + Write-Verbose "Setting WinRM service to start automatically on boot." + Set-Service -Name "WinRM" -StartupType Automatic + Write-ProgressLog "Set WinRM service to start automatically on boot." + Write-Verbose "Starting WinRM service." + Start-Service -Name "WinRM" -ErrorAction Stop + Write-ProgressLog "Started WinRM service." + +} + +# WinRM should be running; check that we have a PS session config. +If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener))) { + If ($SkipNetworkProfileCheck) { + Write-Verbose "Enabling PS Remoting without checking Network profile." + Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop + Write-ProgressLog "Enabled PS Remoting without checking Network profile." + } + Else { + Write-Verbose "Enabling PS Remoting." + Enable-PSRemoting -Force -ErrorAction Stop + Write-ProgressLog "Enabled PS Remoting." + } +} +Else { + Write-Verbose "PS Remoting is already enabled." +} + +# Ensure LocalAccountTokenFilterPolicy is set to 1 +# https://github.com/ansible/ansible/issues/42978 +$token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" +$token_prop_name = "LocalAccountTokenFilterPolicy" +$token_key = Get-Item -Path $token_path +$token_value = $token_key.GetValue($token_prop_name, $null) +if ($token_value -ne 1) { + Write-Verbose "Setting LocalAccountTOkenFilterPolicy to 1" + if ($null -ne $token_value) { + Remove-ItemProperty -Path $token_path -Name $token_prop_name + } + New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 -PropertyType DWORD > $null +} + +# Make sure there is a SSL listener. +$listeners = Get-ChildItem WSMan:\localhost\Listener +If (!($listeners | Where-Object { $_.Keys -like "TRANSPORT=HTTPS" })) { + # We cannot use New-SelfSignedCertificate on 2012R2 and earlier + $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays + Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint" + + # Create the hashtables of settings to be used. + $valueset = @{ + Hostname = $SubjectName + CertificateThumbprint = $thumbprint + } + + $selectorset = @{ + Transport = "HTTPS" + Address = "*" + } + + Write-Verbose "Enabling SSL listener." + New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset + Write-ProgressLog "Enabled SSL listener." +} +Else { + Write-Verbose "SSL listener is already active." + + # Force a new SSL cert on Listener if the $ForceNewSSLCert + If ($ForceNewSSLCert) { + + # We cannot use New-SelfSignedCertificate on 2012R2 and earlier + $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays + Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint" + + $valueset = @{ + CertificateThumbprint = $thumbprint + Hostname = $SubjectName + } + + # Delete the listener for SSL + $selectorset = @{ + Address = "*" + Transport = "HTTPS" + } + Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset + + # Add new Listener with new SSL cert + New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset + } +} + +# Check for basic authentication. +$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object { $_.Name -eq "Basic" } + +If ($DisableBasicAuth) { + If (($basicAuthSetting.Value) -eq $true) { + Write-Verbose "Disabling basic auth support." + Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $false + Write-ProgressLog "Disabled basic auth support." + } + Else { + Write-Verbose "Basic auth is already disabled." + } +} +Else { + If (($basicAuthSetting.Value) -eq $false) { + Write-Verbose "Enabling basic auth support." + Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true + Write-ProgressLog "Enabled basic auth support." + } + Else { + Write-Verbose "Basic auth is already enabled." + } +} + +# If EnableCredSSP if set to true +If ($EnableCredSSP) { + # Check for CredSSP authentication + $credsspAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object { $_.Name -eq "CredSSP" } + If (($credsspAuthSetting.Value) -eq $false) { + Write-Verbose "Enabling CredSSP auth support." + Enable-WSManCredSSP -role server -Force + Write-ProgressLog "Enabled CredSSP auth support." + } +} + +If ($GlobalHttpFirewallAccess) { + Enable-GlobalHttpFirewallAccess +} + +# Configure firewall to allow WinRM HTTPS connections. +$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" +$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any +If ($fwtest1.count -lt 5) { + Write-Verbose "Adding firewall rule to allow WinRM HTTPS." + netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow + Write-ProgressLog "Added firewall rule to allow WinRM HTTPS." +} +ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5)) { + Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile." + netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any + Write-ProgressLog "Updated firewall rule to allow WinRM HTTPS for any profile." +} +Else { + Write-Verbose "Firewall rule already exists to allow WinRM HTTPS." +} + +# Test a remoting connection to localhost, which should work. +$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock { $using:env:COMPUTERNAME } -ErrorVariable httpError -ErrorAction SilentlyContinue +$httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck + +$httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue + +If ($httpResult -and $httpsResult) { + Write-Verbose "HTTP: Enabled | HTTPS: Enabled" +} +ElseIf ($httpsResult -and !$httpResult) { + Write-Verbose "HTTP: Disabled | HTTPS: Enabled" +} +ElseIf ($httpResult -and !$httpsResult) { + Write-Verbose "HTTP: Enabled | HTTPS: Disabled" +} +Else { + Write-ProgressLog "Unable to establish an HTTP or HTTPS remoting session." + Throw "Unable to establish an HTTP or HTTPS remoting session." +} +Write-VerboseLog "PS Remoting has been successfully configured for Ansible." diff --git a/terraform/apps/dev-01/config.tf b/terraform/apps/dev-01/config.tf index 3aea57b..cc34e68 100644 --- a/terraform/apps/dev-01/config.tf +++ b/terraform/apps/dev-01/config.tf @@ -72,6 +72,11 @@ locals { type = "CNAME" content = "dev-01.${local.lab_domain}." }, + { + name = "game-01" + type = "A" + content = "10.19.4.245" + }, ] } ] @@ -105,7 +110,7 @@ locals { ollama_proxy = { enabled = true - mac = "a0:8c:fd:e2:3c:fa" + mac = "04:7c:16:d6:63:66" ip = "10.19.4.106" port = "11434" scheme = "http"