38 files changed, 295 insertions, 165 deletions
diff --git a/ansible/.env.proxmox.example b/ansible/.env.proxmox.example index b1e272b..aa6c8b6 100644 --- a/ansible/.env.proxmox.example +++ b/ansible/.env.proxmox.example 
@@ -11,39 +11,41 @@ export linux_password="root" export windows_username="packer" export windows_password="packer" export windows_svc_password="Svc1234!" - -# qcow2 images -export windows_server_qcow_image="images/qemu-winserver2019.qcow2" -export linux_qcow_image="images/qemu-ubuntu-24.04-server.qcow2" +export windows_safemode_password="P4ssw0rd1234!" # proxmox vm and template details export windows_server_template_id="200" export windows_server_template_name="winserver2019-tmpl" - export linux_server_template_id="201" export linux_server_template_name="ubuntu2404-tmpl" # domain details export main_domain_name="contoso.com" +export tree_domain_name="labtree.com" +export child_domain_name="child" export main_dc01_vmid="5000" export main_dc01_hostname="dc01" -export main_dc01_ip_address="192.168.1.100" +export main_dc01_ip_address="192.168.1.105" + +export tree_dc02_vmid="5001" +export tree_dc02_hostname="dc02" +export tree_dc02_ip_address="192.168.1.106" -export main_linux_srv01_vmid="5001" +export child_dc03_vmid="5002" +export child_dc03_hostname="dc03" +export child_dc03_ip_address="192.168.1.107" + +export main_linux_srv01_vmid="5003" export main_linux_srv01_hostname="srv01" -export main_linux_srv01_ip_address="192.168.1.101" +export main_linux_srv01_ip_address="192.168.1.108" -export main_adcs01_vmid="5002" +export main_adcs01_vmid="5004" export main_adcs01_hostname="adcs01" -export main_adcs01_ip_address="192.168.1.102" +export main_adcs01_ip_address="192.168.1.109" -export main_websql01_vmid="5003" +export main_websql01_vmid="5005" export main_websql01_hostname="websql01" -export main_websql01_ip_address="192.168.1.103" - -export main_mssql02_vmid="5004" -export main_mssql02_hostname="mssql02" -export main_mssql02_ip_address="192.168.1.104" +export main_websql01_ip_address="192.168.1.110" export network_gateway="192.168.1.1" diff --git a/ansible/group_vars/all/main.yaml b/ansible/group_vars/all/main.yaml index 1969a09..9878346 100644 
--- a/ansible/group_vars/all/main.yaml +++ b/ansible/group_vars/all/main.yaml @@ -1,9 +1,11 @@ +# proxmox connection details, ssh must be enabled proxmox_hostname : "{{ lookup('ansible.builtin.env', 'proxmox_hostname') }}" proxmox_username : "{{ lookup('ansible.builtin.env', 'proxmox_username') }}" proxmox_api_token_id : "{{ lookup('ansible.builtin.env', 'proxmox_api_token_id') }}" proxmox_api_token_secret : "{{ lookup('ansible.builtin.env', 'proxmox_api_token_secret') }}" proxmox_node : "{{ lookup('ansible.builtin.env', 'proxmox_node') }}" +# default local credentials for linux and windows default_win_username : "{{ lookup('ansible.builtin.env', 'windows_username') }}" default_win_password : "{{ lookup('ansible.builtin.env', 'windows_password') }}" default_win_safemode_password : "{{ lookup('ansible.builtin.env', 'windows_safemode_password') }}" 
@@ -13,48 +15,39 @@ default_win_svc_password : "{{ lookup('ansible.builtin.env', 'windows_svc default_linux_username : "{{ lookup('ansible.builtin.env', 'linux_username') }}" default_linux_password : "{{ lookup('ansible.builtin.env', 'linux_password') }}" -windows_server_qcow_image : "{{ lookup('ansible.builtin.env', 'windows_server_qcow_image') }}" -linux_server_qcow_image : "{{ lookup('ansible.builtin.env', 'linux_server_qcow_image') }}" - +# proxmox vm and template details windows_server_template_id : "{{ lookup('ansible.builtin.env', 'windows_server_template_id') }}" windows_server_template_name : "{{ lookup('ansible.builtin.env', 'windows_server_template_name') }}" -windows_desktop_template_id : "{{ lookup('ansible.builtin.env', 'windows_desktop_template_id') }}" -windows_desktop_template_name : "{{ lookup('ansible.builtin.env', 'windows_desktop_template_name') }}" linux_server_template_id : "{{ lookup('ansible.builtin.env', 'linux_server_template_id') }}" linux_server_template_name : "{{ lookup('ansible.builtin.env', 'linux_server_template_name') }}" -kali_template_id : "{{ lookup('ansible.builtin.env', 'kali_template_id') }}" -kali_template_name : "{{ lookup('ansible.builtin.env', 'kali_template_name') }}" +# domain details main_domain_name : "{{ lookup('ansible.builtin.env', 'main_domain_name') }}" tree_domain_name : "{{ lookup('ansible.builtin.env', 'tree_domain_name') }}" child_domain_name : "{{ lookup('ansible.builtin.env', 'child_domain_name') }}" -main_dc01_hostname : "{{ lookup('ansible.builtin.env', 'main_dc01_hostname') }}" + main_dc01_vmid : "{{ lookup('ansible.builtin.env', 'main_dc01_vmid') }}" -tree_dc02_hostname : "{{ lookup('ansible.builtin.env', 'tree_dc02_hostname') }}" +main_dc01_hostname : "{{ lookup('ansible.builtin.env', 'main_dc01_hostname') }}" +main_dc01_ip_address : "{{ lookup('ansible.builtin.env', 'main_dc01_ip_address') }}" + tree_dc02_vmid : "{{ lookup('ansible.builtin.env', 'tree_dc02_vmid') }}" -child_dc03_hostname : "{{ 
lookup('ansible.builtin.env', 'child_dc03_hostname') }}" +tree_dc02_hostname : "{{ lookup('ansible.builtin.env', 'tree_dc02_hostname') }}" +tree_dc02_ip_address : "{{ lookup('ansible.builtin.env', 'tree_dc02_ip_address') }}" + child_dc03_vmid : "{{ lookup('ansible.builtin.env', 'child_dc03_vmid') }}" -main_websql01_hostname : "{{ lookup('ansible.builtin.env', 'main_websql01_hostname') }}" -main_websql01_vmid : "{{ lookup('ansible.builtin.env', 'main_websql01_vmid') }}" -main_mssql02_hostname : "{{ lookup('ansible.builtin.env', 'main_mssql02_hostname') }}" -main_mssql02_vmid : "{{ lookup('ansible.builtin.env', 'main_mssql02_vmid') }}" -main_web01_hostname : "{{ lookup('ansible.builtin.env', 'main_web01_hostname') }}" -main_web01_vmid : "{{ lookup('ansible.builtin.env', 'main_web01_vmid') }}" -main_adcs01_hostname : "{{ lookup('ansible.builtin.env', 'main_adcs01_hostname') }}" -main_adcs01_vmid : "{{ lookup('ansible.builtin.env', 'main_adcs01_vmid') }}" -main_linux_srv01_hostname : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_hostname') }}" +child_dc03_hostname : "{{ lookup('ansible.builtin.env', 'child_dc03_hostname') }}" +child_dc03_ip_address : "{{ lookup('ansible.builtin.env', 'child_dc03_ip_address') }}" + main_linux_srv01_vmid : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_vmid') }}" -kali_attackbox_hostname : "{{ lookup('ansible.builtin.env', 'kali_attackbox_hostname') }}" -kali_attackbox_vmid : "{{ lookup('ansible.builtin.env', 'kali_attackbox_vmid') }}" +main_linux_srv01_hostname : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_hostname') }}" +main_linux_srv01_ip_address : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_ip_address') }}" -main_dc01_ip_address : "{{ lookup('ansible.builtin.env', 'main_dc01_ip_address') }}" -tree_dc02_ip_address : "{{ lookup('ansible.builtin.env', 'tree_dc02_ip_address') }}" -child_dc03_ip_address : "{{ lookup('ansible.builtin.env', 'child_dc03_ip_address') }}" -main_websql01_ip_address : "{{ 
lookup('ansible.builtin.env', 'main_websql01_ip_address') }}" -main_mssql02_ip_address : "{{ lookup('ansible.builtin.env', 'main_mssql02_ip_address') }}" -main_web01_ip_address : "{{ lookup('ansible.builtin.env', 'main_web01_ip_address') }}" +main_adcs01_vmid : "{{ lookup('ansible.builtin.env', 'main_adcs01_vmid') }}" +main_adcs01_hostname : "{{ lookup('ansible.builtin.env', 'main_adcs01_hostname') }}" main_adcs01_ip_address : "{{ lookup('ansible.builtin.env', 'main_adcs01_ip_address') }}" -main_workstation01_ip_address : "{{ lookup('ansible.builtin.env', 'main_workstation01_ip_address') }}" -main_linux_srv01_ip_address : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_ip_address') }}" -kali_attackbox_ip_address : "{{ lookup('ansible.builtin.env', 'kali_attackbox_ip_address') }}" + +main_websql01_vmid : "{{ lookup('ansible.builtin.env', 'main_websql01_vmid') }}" +main_websql01_hostname : "{{ lookup('ansible.builtin.env', 'main_websql01_hostname') }}" +main_websql01_ip_address : "{{ lookup('ansible.builtin.env', 'main_websql01_ip_address') }}" + network_gateway : "{{ lookup('ansible.builtin.env', 'network_gateway') }}" diff --git a/ansible/main.yaml b/ansible/main.yaml index bfba12d..efbaf7f 100644 --- a/ansible/main.yaml +++ b/ansible/main.yaml 
@@ -31,6 +31,64 @@ ansible_winrm_server_cert_validation: ignore changed_when: false + - name: "deploy {{ tree_dc02_hostname }}.{{ tree_domain_name }} vm on {{ proxmox_hostname }}" + include_role: + name: proxmox_vm + vars: + os_type : "windows" + template : "{{ windows_server_template_name }}" + id : "{{ windows_server_template_id }}" + vm : "{{ tree_dc02_hostname }}.{{ tree_domain_name }}" + newid : "{{ tree_dc02_vmid }}" + vmid : "{{ tree_dc02_vmid }}" + ip : "{{ tree_dc02_ip_address }}" + gateway : "{{ network_gateway }}" + dns : "{{ main_dc01_ip_address }}" + hostname : "{{ tree_dc02_hostname }}" + domain : "{{ tree_domain_name }}" + fqdn : "{{ tree_dc02_hostname }}.{{ tree_domain_name }}" + + - name: "add {{ tree_dc02_hostname }}.{{ tree_domain_name }} to in-memory inventory" + add_host: + name : "{{ tree_dc02_hostname }}.{{ tree_domain_name }}" + ansible_host : "{{ tree_dc02_ip_address }}" + ansible_connection : "{{ win_connector }}" + ansible_user : "{{ default_win_username }}" + ansible_password : "{{ default_win_password }}" + ansible_port : "{{ win_port }}" + ansible_winrm_transport : basic + ansible_winrm_server_cert_validation: ignore + changed_when: false + + - name: "deploy {{ child_dc03_hostname }}.{{ child_domain_name }} vm on {{ proxmox_hostname }}" + include_role: + name: proxmox_vm + vars: + os_type : "windows" + template : "{{ windows_server_template_name }}" + id : "{{ windows_server_template_id }}" + vm : "{{ child_dc03_hostname }}.{{ child_domain_name }}" + newid : "{{ child_dc03_vmid }}" + vmid : "{{ child_dc03_vmid }}" + ip : "{{ child_dc03_ip_address }}" + gateway : "{{ network_gateway }}" + dns : "{{ main_dc01_ip_address }}" + hostname : "{{ child_dc03_hostname }}" + domain : "{{ child_domain_name }}" + fqdn : "{{ child_dc03_hostname }}.{{ child_domain_name }}" + + - name: "add {{ child_dc03_hostname }}.{{ child_domain_name }} to in-memory inventory" + add_host: + name : "{{ child_dc03_hostname }}.{{ child_domain_name }}" + ansible_host : 
"{{ child_dc03_ip_address }}" + ansible_connection : "{{ win_connector }}" + ansible_user : "{{ default_win_username }}" + ansible_password : "{{ default_win_password }}" + ansible_port : "{{ win_port }}" + ansible_winrm_transport : basic + ansible_winrm_server_cert_validation: ignore + changed_when: false + - name: "deploy {{ main_linux_srv01_hostname }}.{{ main_domain_name }} vm on {{ proxmox_hostname }}" include_role: name: proxmox_vm @@ -88,35 +146,6 @@ ansible_winrm_server_cert_validation: ignore changed_when: false - - name: "deploy {{ main_mssql02_hostname }}.{{ main_domain_name }} vm on {{ proxmox_hostname }}" - include_role: - name: proxmox_vm - vars: - os_type : "windows" - template : "{{ windows_server_template_name }}" - id : "{{ windows_server_template_id }}" - vm : "{{ main_mssql02_hostname }}.{{ main_domain_name }}" - newid : "{{ main_mssql02_vmid }}" - vmid : "{{ main_mssql02_vmid }}" - ip : "{{ main_mssql02_ip_address }}" - gateway : "{{ network_gateway }}" - dns : "{{ main_dc01_ip_address }}" - hostname : "{{ main_mssql02_hostname }}" - domain : "{{ main_domain_name }}" - fqdn : "{{ main_mssql02_hostname }}.{{ main_domain_name }}" - - - name: "add {{ main_mssql02_hostname }}.{{ main_domain_name }} to in-memory inventory" - add_host: - name : "{{ main_mssql02_hostname }}.{{ main_domain_name }}" - ansible_host : "{{ main_mssql02_ip_address }}" - ansible_connection : "{{ win_connector }}" - ansible_user : "{{ default_win_username }}" - ansible_password : "{{ default_win_password }}" - ansible_port : "{{ win_port }}" - ansible_winrm_transport : basic - ansible_winrm_server_cert_validation: ignore - changed_when: false - - name: "deploy {{ main_websql01_hostname }}.{{ main_domain_name }} vm on {{ proxmox_hostname }}" include_role: name: proxmox_vm 
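Review bot: The dc03 VM is registered as `{{ child_dc03_hostname }}.{{ child_domain_name }}`, and with the value this commit puts in the example env (`child_domain_name="child"`) that yields `dc03.child` for the inventory name and for the `domain` and `fqdn` handed to proxmox_vm, whereas the tree DC on the same hunk gets a full DNS name (`dc02.labtree.com`). If the child domain's DNS name is `child.contoso.com`, the guest's DNS suffix and every later `inventory_hostname == child_dc03_hostname + '.' + child_domain_name` comparison carry the truncated form. Either define `child_domain_name` as the full DNS name or build the FQDN as `{{ child_dc03_hostname }}.{{ child_domain_name }}.{{ main_domain_name }}` in one place and reuse it; which form setup-child-domain.ps1 expects is not visible here, so confirm before changing the variable.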
@@ -155,6 +184,16 @@ name: dc01 when: inventory_hostname == main_dc01_hostname + '.' + main_domain_name + - name: "configure {{ tree_dc02_hostname }}.{{ tree_domain_name }}" + include_role: + name: dc02 + when: inventory_hostname == tree_dc02_hostname + '.' + tree_domain_name + + - name: "configure {{ child_dc03_hostname }}.{{ child_domain_name }}" + include_role: + name: dc03 + when: inventory_hostname == child_dc03_hostname + '.' + child_domain_name + - name: "configure {{ main_linux_srv01_hostname }}.{{ main_domain_name }}" include_role: name: srv01 @@ -164,12 +203,7 @@ include_role: name: adcs01 when: inventory_hostname == main_adcs01_hostname + '.' + main_domain_name - - - name: "configure {{ main_mssql02_hostname }}.{{ main_domain_name }}" - include_role: - name: mssql02 - when: inventory_hostname == main_mssql02_hostname + '.' + main_domain_name - + - name: "configure {{ main_websql01_hostname }}.{{ main_domain_name }}" include_role: name: websql01 diff --git a/ansible/roles/adcs01/tasks/init.yaml b/ansible/roles/adcs01/tasks/init.yaml index 418bb5d..e329b0c 100644 --- a/ansible/roles/adcs01/tasks/init.yaml +++ b/ansible/roles/adcs01/tasks/init.yaml @@ -10,9 +10,14 @@ - name: upload ADCSTemplate module ansible.builtin.copy: src: ../../../files/adcs/ADCSTemplate - dest: C:\Program Files\WindowsPowerShell\Modules\ADCSTemplate + dest: C:\Program Files\WindowsPowerShell\Modules - name: upload adcs templates ansible.builtin.copy: src: ../../../files/adcs/templates dest: C:\setup + +- name: copy mssql installer + ansible.builtin.copy: + src: files/SQL2019-SSEI-Expr.exe + dest: C:\setup\SQL2019-SSEI-Expr.exe diff --git a/ansible/roles/adcs01/tasks/main.yaml b/ansible/roles/adcs01/tasks/main.yaml index e3f8923..4e44dc9 100644 --- a/ansible/roles/adcs01/tasks/main.yaml +++ b/ansible/roles/adcs01/tasks/main.yaml 
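Review bot: The new `copy mssql installer` task uses `src: files/SQL2019-SSEI-Expr.exe` while the two tasks above it in the same file use `src: ../../../files/adcs/...`; a relative `src` in a role is searched under the role's own `files/` directory first, so this is looked up as `roles/adcs01/files/files/...` before Ansible falls back to the playbook directory. The task was carried over from the deleted mssql02 role, where it presumably resolved through that fallback, but mixing the two conventions in one file leaves the lookup order as the reader's problem. Use the same form as its siblings, e.g. `src: ../../../files/SQL2019-SSEI-Expr.exe`, after confirming where the installer actually lives.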
@@ -33,6 +33,16 @@ - name: reboot after adcs esc setup import_tasks: reboot.yaml +- name: execute setup-mssql.ps1 + import_tasks: setup_mssql.yaml + +- name: reboot after mssql setup + import_tasks: reboot.yaml + +- name: pause 5 minutes for mssql setup to complete + pause: + minutes: 5 + - name: execute install-software.ps1 import_tasks: install_software.yaml diff --git a/ansible/roles/adcs01/tasks/setup_adcs.yaml b/ansible/roles/adcs01/tasks/setup_adcs.yaml index 9c6140e..b5fee4d 100644 --- a/ansible/roles/adcs01/tasks/setup_adcs.yaml +++ b/ansible/roles/adcs01/tasks/setup_adcs.yaml @@ -1,7 +1,7 @@ - name: setup adcs - ansible.windows.win_powershell: - script: C:\scripts\setup-adcs.ps1 - parameters: - DomainName: "{{ main_domain_name }}" - Username: "Administrator" - Password: "{{ default_win_password }}" + ansible.windows.win_shell: > + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-adcs.ps1 + -DomainName "{{ main_domain_name }}" + -Username Administrator + -Password "{{ default_win_password }}" diff --git a/ansible/roles/adcs01/tasks/setup_mssql.yaml b/ansible/roles/adcs01/tasks/setup_mssql.yaml new file mode 100644 index 0000000..325d946 --- /dev/null +++ b/ansible/roles/adcs01/tasks/setup_mssql.yaml @@ -0,0 +1,8 @@ +- name: execute setup-mssql.ps1 + ansible.windows.win_shell: > + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-mssql.ps1 + -DomainName "{{ main_domain_name }}" + -IISSvcUsername svc_iis01 + -SQLSvcUsername svc_mssql02 + -SvcPassword "{{ default_win_svc_password }}" diff --git a/ansible/roles/dc01/tasks/populate_ad.yaml b/ansible/roles/dc01/tasks/populate_ad.yaml index e65ab64..79cc715 100644 --- a/ansible/roles/dc01/tasks/populate_ad.yaml +++ b/ansible/roles/dc01/tasks/populate_ad.yaml 
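Review bot: Replacing `win_powershell` with `parameters:` by a `win_shell` command line puts `-Password "{{ default_win_password }}"` (and the service password in the new setup_mssql.yaml) into the argument vector of powershell.exe, where it is captured by process-creation auditing with command-line logging, Sysmon process events and any transcript on the host, whereas module parameters were passed to the script without appearing on a command line; the same applies to populate_ad.yaml, setup_domain.yaml, setup_tree_domain.yaml, setup_child_domain.yaml and setup_websql.yaml in this commit. Because win_shell itself runs the line through PowerShell, the outer shell also expands `$`, backtick and `"` inside those double-quoted values before the script sees them, so a password containing such characters would be mangled (the example values happen not to). If `win_powershell` was dropped only to get `-ExecutionPolicy Bypass`, consider passing secrets via the task's `environment:` and reading `$env:` in the scripts, and add `no_log: true` to every task that carries a password.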
@@ -1,7 +1,7 @@ - name: execute populate-ad.ps1 - ansible.windows.win_powershell: - script: C:\scripts\populate-ad.ps1 - parameters: - DomainName: "{{ main_domain_name }}" - UserPassword: "{{ default_win_user_password }}" - SvcPassword: "{{ default_win_svc_password }}" + ansible.windows.win_shell: > + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\populate-ad.ps1 + -DomainName "{{ main_domain_name }}" + -UserPassword "{{ default_win_user_password }}" + -SvcPassword "{{ default_win_svc_password }}" diff --git a/ansible/roles/dc01/tasks/setup_defender_gpo.yaml b/ansible/roles/dc01/tasks/setup_defender_gpo.yaml index 56e7809..2210129 100644 --- a/ansible/roles/dc01/tasks/setup_defender_gpo.yaml +++ b/ansible/roles/dc01/tasks/setup_defender_gpo.yaml @@ -1,5 +1,8 @@ - name: execute setup-defender-gpo.ps1 as domain admin - ansible.windows.win_command: powershell.exe -ExecutionPolicy Bypass -File C:\scripts\setup-defender-gpo.ps1 -DomainName "{{ main_domain_name }}" + ansible.windows.win_shell: > + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-defender-gpo.ps1 + -DomainName "{{ main_domain_name }}" become: yes become_method: runas become_user: "{{ main_domain_name }}\\Administrator" diff --git a/ansible/roles/dc01/tasks/setup_domain.yaml b/ansible/roles/dc01/tasks/setup_domain.yaml index 95c2066..ba6cedb 100644 --- a/ansible/roles/dc01/tasks/setup_domain.yaml +++ b/ansible/roles/dc01/tasks/setup_domain.yaml @@ -1,6 +1,6 @@ - name: execute setup-main-domain.ps1 - ansible.windows.win_powershell: - script: C:\scripts\setup-main-domain.ps1 - parameters: - DomainName: "{{ main_domain_name }}" - SafeModePassword: "{{ default_win_safemode_password }}" + ansible.windows.win_shell: > + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-main-domain.ps1 + -DomainName "{{ main_domain_name }}" + -SafeModePassword "{{ default_win_safemode_password }}" 
diff --git a/ansible/roles/dc01/tasks/setup_gpo.yaml b/ansible/roles/dc01/tasks/setup_gpo.yaml index fc44130..9b57d0e 100644 --- a/ansible/roles/dc01/tasks/setup_gpo.yaml +++ b/ansible/roles/dc01/tasks/setup_gpo.yaml @@ -1,5 +1,8 @@ - name: execute setup-gpo.ps1 as domain admin - ansible.windows.win_command: powershell.exe -ExecutionPolicy Bypass -File C:\scripts\setup-gpo.ps1 -DomainName "{{ main_domain_name }}" + ansible.windows.win_shell: + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-gpo.ps1 + -DomainName "{{ main_domain_name }}" become: yes become_method: runas become_user: "{{ main_domain_name }}\\Administrator" diff --git a/ansible/roles/mssql02/tasks/cleanup.yaml b/ansible/roles/dc02/tasks/cleanup.yaml index 0e59407..0e59407 100644 --- a/ansible/roles/mssql02/tasks/cleanup.yaml +++ b/ansible/roles/dc02/tasks/cleanup.yaml diff --git a/ansible/roles/dc02/tasks/init.yaml b/ansible/roles/dc02/tasks/init.yaml new file mode 100644 index 0000000..84b3c3e --- /dev/null +++ b/ansible/roles/dc02/tasks/init.yaml @@ -0,0 +1,3 @@ +- name: execute init.ps1 + ansible.windows.win_powershell: + script: C:\scripts\init.ps1 diff --git a/ansible/roles/mssql02/tasks/install_software.yaml b/ansible/roles/dc02/tasks/install_software.yaml index a5018a8..a5018a8 100644 --- a/ansible/roles/mssql02/tasks/install_software.yaml +++ b/ansible/roles/dc02/tasks/install_software.yaml diff --git a/ansible/roles/mssql02/tasks/main.yaml b/ansible/roles/dc02/tasks/main.yaml index 3822369..8cdafa8 100644 --- a/ansible/roles/mssql02/tasks/main.yaml +++ b/ansible/roles/dc02/tasks/main.yaml 
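Review bot: `ansible.windows.win_shell:` in setup_gpo.yaml is followed by a plain multi-line scalar rather than the folded `>` used in setup_defender_gpo.yaml on the previous line and in the other converted tasks; YAML folds both the same way, so it works today, but two spellings in one role invite a future edit that indents or prefixes a line and changes the result. The new dc02 setup_defender_gpo.yaml has the same bare form. Use `ansible.windows.win_shell: >` in both for consistency.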
@@ -14,18 +14,20 @@ - name: reboot after hostname change import_tasks: reboot.yaml -- name: join domain and reboot - import_tasks: join_domain.yaml +- name: execute setup-tree-domain.ps1 + import_tasks: setup_tree_domain.yaml -- name: execute setup-mssql.ps1 - import_tasks: setup_mssql.yaml - -- name: reboot after mssql setup +- name: reboot after domain setup import_tasks: reboot.yaml -- name: pause 5 minutes for mssql setup to complete - pause: - minutes: 5 +- name: execute dc-wait-for-ready.ps1 + import_tasks: wait_for_ready.yaml + +- name: execute setup-defender-gpo.ps1 as domain admin + import_tasks: setup_defender_gpo.yaml + +- name: reboot after gpo setup + import_tasks: reboot.yaml - name: execute install-software.ps1 import_tasks: install_software.yaml diff --git a/ansible/roles/mssql02/tasks/reboot.yaml b/ansible/roles/dc02/tasks/reboot.yaml index a7266d0..f36b168 100644 --- a/ansible/roles/mssql02/tasks/reboot.yaml +++ b/ansible/roles/dc02/tasks/reboot.yaml @@ -1,3 +1,3 @@ - name: reboot - win_reboot: + ansible.windows.win_reboot: reboot_timeout: 3600 diff --git a/ansible/roles/dc02/tasks/set_hostname.yaml b/ansible/roles/dc02/tasks/set_hostname.yaml new file mode 100644 index 0000000..d279485 --- /dev/null +++ b/ansible/roles/dc02/tasks/set_hostname.yaml @@ -0,0 +1,2 @@ +- name: set hostname + win_shell: Rename-Computer -NewName "{{ tree_dc02_hostname }}" -Force diff --git a/ansible/roles/dc02/tasks/setup_defender_gpo.yaml b/ansible/roles/dc02/tasks/setup_defender_gpo.yaml new file mode 100644 index 0000000..e871b81 --- /dev/null +++ b/ansible/roles/dc02/tasks/setup_defender_gpo.yaml 
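Review bot: The new dc02 set_hostname.yaml uses the short module name `win_shell` while this same commit switches the neighbouring reboot.yaml to the fully qualified `ansible.windows.win_reboot`; the dc03 copy of set_hostname.yaml has the same short name. Use `ansible.windows.win_shell: Rename-Computer -NewName "{{ tree_dc02_hostname }}" -Force` here (and the child equivalent) so the roles resolve modules the same way throughout.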
@@ -0,0 +1,10 @@ +- name: execute setup-defender-gpo.ps1 as domain admin + ansible.windows.win_shell: + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-defender-gpo.ps1 + -DomainName "{{ tree_domain_name }}" + become: yes + become_method: runas + become_user: "{{ tree_domain_name }}\\Administrator" + vars: + ansible_become_password: "{{ default_win_password }}" diff --git a/ansible/roles/dc02/tasks/setup_tree_domain.yaml b/ansible/roles/dc02/tasks/setup_tree_domain.yaml new file mode 100644 index 0000000..4a41c28 --- /dev/null +++ b/ansible/roles/dc02/tasks/setup_tree_domain.yaml @@ -0,0 +1,9 @@ +- name: execute setup-tree-domain.ps1 + ansible.windows.win_shell: > + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-tree-domain.ps1 + -ParentForestRootDomain "{{ main_domain_name }}" + -NewTreeDomainName "{{ tree_domain_name }}" + -SafeModePassword "{{ default_win_safemode_password }}" + -Username Administrator + -Password "{{ default_win_password }}" diff --git a/ansible/roles/dc02/tasks/wait_for_ready.yaml b/ansible/roles/dc02/tasks/wait_for_ready.yaml new file mode 100644 index 0000000..b077e07 --- /dev/null +++ b/ansible/roles/dc02/tasks/wait_for_ready.yaml @@ -0,0 +1,3 @@ +- name: execute dc-wait-for-ready.ps1 + ansible.windows.win_powershell: + script: C:\scripts\dc-wait-for-ready.ps1 diff --git a/ansible/roles/dc03/tasks/cleanup.yaml b/ansible/roles/dc03/tasks/cleanup.yaml new file mode 100644 index 0000000..0e59407 --- /dev/null +++ b/ansible/roles/dc03/tasks/cleanup.yaml @@ -0,0 +1,3 @@ +- name: execute cleanup.ps1 + ansible.windows.win_powershell: + script: C:\scripts\cleanup.ps1 diff --git a/ansible/roles/dc03/tasks/init.yaml b/ansible/roles/dc03/tasks/init.yaml new file mode 100644 index 0000000..84b3c3e --- /dev/null +++ b/ansible/roles/dc03/tasks/init.yaml @@ -0,0 +1,3 @@ +- name: execute init.ps1 + ansible.windows.win_powershell: + script: C:\scripts\init.ps1 
diff --git a/ansible/roles/dc03/tasks/install_software.yaml b/ansible/roles/dc03/tasks/install_software.yaml new file mode 100644 index 0000000..a5018a8 --- /dev/null +++ b/ansible/roles/dc03/tasks/install_software.yaml @@ -0,0 +1,3 @@ +- name: execute install-software.ps1 + ansible.windows.win_powershell: + script: C:\scripts\install-software.ps1 diff --git a/ansible/roles/dc03/tasks/main.yaml b/ansible/roles/dc03/tasks/main.yaml new file mode 100644 index 0000000..e487caf --- /dev/null +++ b/ansible/roles/dc03/tasks/main.yaml @@ -0,0 +1,36 @@ +- name: wait for winrm to be available + ansible.builtin.wait_for: + host: "{{ ansible_host }}" + port: "{{ ansible_port }}" + timeout: 300 + delegate_to: localhost + +- name: execute init.ps1 + import_tasks: init.yaml + +- name: set hostname + import_tasks: set_hostname.yaml + +- name: reboot after hostname change + import_tasks: reboot.yaml + +- name: execute setup-child-domain.ps1 + import_tasks: setup_child_domain.yaml + +- name: reboot after domain setup + import_tasks: reboot.yaml + +- name: execute dc-wait-for-ready.ps1 + import_tasks: wait_for_ready.yaml + +- name: execute setup-defender-gpo.ps1 as domain admin + import_tasks: setup_defender_gpo.yaml + +- name: reboot after gpo setup + import_tasks: reboot.yaml + +- name: execute install-software.ps1 + import_tasks: install_software.yaml + +- name: execute cleanup.ps1 + import_tasks: cleanup.yaml diff --git a/ansible/roles/dc03/tasks/reboot.yaml b/ansible/roles/dc03/tasks/reboot.yaml new file mode 100644 index 0000000..f36b168 --- /dev/null +++ b/ansible/roles/dc03/tasks/reboot.yaml @@ -0,0 +1,3 @@ +- name: reboot + ansible.windows.win_reboot: + reboot_timeout: 3600 diff --git a/ansible/roles/dc03/tasks/set_hostname.yaml b/ansible/roles/dc03/tasks/set_hostname.yaml new file mode 100644 index 0000000..9f697b7 --- /dev/null +++ b/ansible/roles/dc03/tasks/set_hostname.yaml 
@@ -0,0 +1,2 @@ +- name: set hostname + win_shell: Rename-Computer -NewName "{{ child_dc03_hostname }}" -Force diff --git a/ansible/roles/dc03/tasks/setup_child_domain.yaml b/ansible/roles/dc03/tasks/setup_child_domain.yaml new file mode 100644 index 0000000..3d8a970 --- /dev/null +++ b/ansible/roles/dc03/tasks/setup_child_domain.yaml @@ -0,0 +1,9 @@ +- name: execute setup-child-domain.ps1 + ansible.windows.win_shell: > + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-child-domain.ps1 + -ParentDomainName "{{ main_domain_name }}" + -ChildDOmainName "{{ child_domain_name }}" + -SafeModePassword "P4ssw0rd1234!" + -Username Administrator + -Password "{{ default_win_password }}" diff --git a/ansible/roles/dc03/tasks/setup_defender_gpo.yaml b/ansible/roles/dc03/tasks/setup_defender_gpo.yaml new file mode 100644 index 0000000..fe4d6de --- /dev/null +++ b/ansible/roles/dc03/tasks/setup_defender_gpo.yaml @@ -0,0 +1,10 @@ +- name: execute setup-defender-gpo.ps1 as domain admin + ansible.windows.win_shell: > + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-defender-gpo.ps1 + -DomainName "{{ child_domain_name }}" + become: yes + become_method: runas + become_user: "{{ child_domain_name }}\\Administrator" + vars: + ansible_become_password: "{{ default_win_password }}" diff --git a/ansible/roles/dc03/tasks/wait_for_ready.yaml b/ansible/roles/dc03/tasks/wait_for_ready.yaml new file mode 100644 index 0000000..b077e07 --- /dev/null +++ b/ansible/roles/dc03/tasks/wait_for_ready.yaml @@ -0,0 +1,3 @@ +- name: execute dc-wait-for-ready.ps1 + ansible.windows.win_powershell: + script: C:\scripts\dc-wait-for-ready.ps1 diff --git a/ansible/roles/mssql02/tasks/init.yaml b/ansible/roles/mssql02/tasks/init.yaml deleted file mode 100644 index a75d6cc..0000000 --- a/ansible/roles/mssql02/tasks/init.yaml +++ /dev/null 
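Review bot: `-SafeModePassword "P4ssw0rd1234!"` in setup_child_domain.yaml hardcodes the DSRM password for the child domain while the parallel dc02 task reads it from `default_win_safemode_password`, and this commit adds exactly that variable (`windows_safemode_password`) to the example env; the literal silently ignores whatever the operator sets and leaves a credential in source. Change it to `-SafeModePassword "{{ default_win_safemode_password }}"`. The parameter `-ChildDOmainName` also has a stray capital; PowerShell binds parameter names case-insensitively so it works, but it should read `-ChildDomainName` to match the spelling the script presumably declares.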
@@ -1,9 +0,0 @@ -- name: execute init.ps1 - ansible.windows.win_powershell: - script: C:\scripts\init.ps1 - -- name: copy mssql installer - ansible.builtin.copy: - src: files/SQL2019-SSEI-Expr.exe - dest: C:\setup\SQL2019-SSEI-Expr.exe - diff --git a/ansible/roles/mssql02/tasks/join_domain.yaml b/ansible/roles/mssql02/tasks/join_domain.yaml deleted file mode 100644 index 6736ba2..0000000 --- a/ansible/roles/mssql02/tasks/join_domain.yaml +++ /dev/null @@ -1,13 +0,0 @@ -- name: join domain - ansible.windows.win_domain_membership: - dns_domain_name: "{{ main_domain_name }}" - domain_admin_user: "{{ main_domain_name }}\\Administrator" - domain_admin_password: "{{ default_win_password }}" - state: domain - register: domain_state - -- name: reboot - win_reboot: - reboot_timeout: 3600 - when: domain_state.reboot_required - diff --git a/ansible/roles/mssql02/tasks/set_hostname.yaml b/ansible/roles/mssql02/tasks/set_hostname.yaml deleted file mode 100644 index ffea2ae..0000000 --- a/ansible/roles/mssql02/tasks/set_hostname.yaml +++ /dev/null @@ -1,2 +0,0 @@ -- name: set hostname - win_shell: Rename-Computer -NewName "{{ main_mssql02_hostname }}" -Force diff --git a/ansible/roles/mssql02/tasks/setup_mssql.yaml b/ansible/roles/mssql02/tasks/setup_mssql.yaml deleted file mode 100644 index a219c82..0000000 --- a/ansible/roles/mssql02/tasks/setup_mssql.yaml +++ /dev/null @@ -1,7 +0,0 @@ -- name: execute setup-mssql.ps1 - ansible.windows.win_powershell: - script: C:\scripts\setup-mssql.ps1 - parameters: - DomainName: "{{ main_domain_name }}" - SvcUsername: svc_mssql02 - SvcPassword: "{{ default_win_svc_password }}" diff --git a/ansible/roles/websql01/tasks/setup_mssql_link.yaml b/ansible/roles/websql01/tasks/setup_mssql_link.yaml index 1227d62..8e54ed8 100644 --- a/ansible/roles/websql01/tasks/setup_mssql_link.yaml +++ b/ansible/roles/websql01/tasks/setup_mssql_link.yaml 
@@ -1,5 +1,5 @@ - name: execute setup-mssql-link.ps1 - ansible.windows.win_powershell: - script: C:\scripts\setup-mssql-link.ps1 - parameters: - LinkServer: mssql02 + ansible.windows.win_shell: > + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-mssql-link.ps1 + -LinkServer "{{ main_adcs01_hostname }}" diff --git a/ansible/roles/websql01/tasks/setup_websql.yaml b/ansible/roles/websql01/tasks/setup_websql.yaml index 7e535d8..bb624b7 100644 --- a/ansible/roles/websql01/tasks/setup_websql.yaml +++ b/ansible/roles/websql01/tasks/setup_websql.yaml @@ -1,8 +1,8 @@ - name: setup websql - ansible.windows.win_powershell: - script: C:\scripts\setup-websql.ps1 - parameters: - DomainName: "{{ main_domain_name }}" - IISSvcUsername: svc_iis01 - SQLSvcUsername: svc_mssql01 - SvcPassword: "{{ default_win_svc_password }}" + ansible.windows.win_shell: > + powershell.exe -ExecutionPolicy Bypass + -File C:\scripts\setup-websql.ps1 + -DomainName "{{ main_domain_name }}" + -IISSvcUsername svc_iis01 + -SQLSvcUsername svc_mssql01 + -SvcPassword "{{ default_win_svc_password }}" diff --git a/ansible/scripts/setup-adcs-esc.ps1 b/ansible/scripts/setup-adcs-esc.ps1 index 44fc8d5..eafa8b6 100644 --- a/ansible/scripts/setup-adcs-esc.ps1 +++ b/ansible/scripts/setup-adcs-esc.ps1 @@ -2,7 +2,7 @@ param ( [string]$DomainName = "contoso.com" ) $scriptName = $MyInvocation.MyCommand.Name -$logFile = "C:\$scriptName_log.txt" +$logFile = "C:\Logs\${scriptName}_log.txt" Start-Transcript -Path $logFile -Append Import-Module ADCSTemplate @@ -15,6 +15,7 @@ Get-ChildItem -Path "C:\setup\templates" -Filter *.json | % { -JSON (Get-Content "C:\setup\templates\$_" -Raw) ` -Identity "$DomainName\Domain Users" ` -Publish + Write-Host "[inf] Created vulnerable ADCS template $_" } } -Stop-Transcript
\ No newline at end of file +Stop-Transcript diff --git a/ansible/scripts/setup-mssql-link.ps1 b/ansible/scripts/setup-mssql-link.ps1 index 46aab23..42e437d 100644 --- a/ansible/scripts/setup-mssql-link.ps1 +++ b/ansible/scripts/setup-mssql-link.ps1 @@ -1,6 +1,6 @@ param ( - [string]$LinkServer = "mssql02" + [string]$LinkServer = "adcs01" ) $scriptName = $MyInvocation.MyCommand.Name $logFile = "C:\Logs\${scriptName}_log.txt" diff --git a/ansible/scripts/setup-mssql.ps1 b/ansible/scripts/setup-mssql.ps1 index c37ee42..5b4c1a5 100644 --- a/ansible/scripts/setup-mssql.ps1 +++ b/ansible/scripts/setup-mssql.ps1 @@ -1,8 +1,9 @@ param ( - [string]$DomainName = "contoso.com", - [string]$SvcUsername = "svc_mssql02", - [string]$SvcPassword = "Svc1234!" + [string]$DomainName = "contoso.com", + [string]$SQLSvcUsername = "svc_mssql02", + [string]$IISSvcUsername = "svc_iis01", + [string]$SvcPassword = "Svc1234!" ) $scriptName = $MyInvocation.MyCommand.Name $logFile = "C:\Logs\${scriptName}_log.txt" 
@@ -73,18 +74,18 @@ Restart-Service -Name "MSSQL`$SQLEXPRESS" try { $env:Path += ";C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn" - SqlCmd -E -Q "CREATE LOGIN [$NetBiosName\$SvcUsername] FROM WINDOWS" - SqlCmd -E -Q "SP_ADDSRVROLEMEMBER '$NetBiosName\$SvcUsername', 'SYSADMIN'" + SqlCmd -E -Q "CREATE LOGIN [$NetBiosName\$SQLSvcUsername] FROM WINDOWS" + SqlCmd -E -Q "SP_ADDSRVROLEMEMBER '$NetBiosName\$SQLSvcUsername', 'SYSADMIN'" SqlCmd -E -Q "ALTER LOGIN sa ENABLE" SqlCmd -E -Q "ALTER LOGIN sa WITH PASSWORD = '$SvcPassword', CHECK_POLICY=OFF" - SqlCmd -E -Q "CREATE LOGIN [CONTOSO\svc_iis01] FROM WINDOWS;" - SqlCmd -E -Q "ALTER SERVER ROLE sysadmin ADD MEMBER [CONTOSO\svc_iis01];" - Write-Host "[inf] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin" + SqlCmd -E -Q "CREATE LOGIN [$NetBiosName\$IISSvcUsername] FROM WINDOWS;" + SqlCmd -E -Q "ALTER SERVER ROLE sysadmin ADD MEMBER [$NetBiosName\$IISSvcUsername];" + Write-Host "[inf] Added $NetBiosName\$SQLSvcUsername as MSSQL login and sysadmin" Write-Host "[inf] Enabled SA login" } catch { - Write-Host "[err] Failed to add $NetBiosName\$SvcUsername as MSSQL login and sysadmin" + Write-Host "[err] Failed to add $NetBiosName\$SQLSvcUsername as MSSQL login and sysadmin" Write-Host "[err] Failed to enable SA login" } |