Add BI App file server and configuration management for hosts

configuration/ansible_fs/ansible.cfg

@@ -0,0 +1,20 @@
+[defaults]
+
+inventory = inventories/production/hosts.yml
+
+roles_path = roles
+
+host_key_checking = False
+
+remote_user = Administrator
+
+timeout = 30
+interpreter_python = auto_silent
+forks = 20
+pipelining = True
+bin_ansible_callbacks = True
+retry_files_enabled = False
+
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
+transfer_method = scp

configuration/ansible_fs/inventories/production/group_vars/all/all.yml

@@ -0,0 +1 @@
+---

configuration/ansible_fs/inventories/production/group_vars/all/vault.yml.example

@@ -0,0 +1,7 @@
+---
+fs_server_password: ""
+
+domain_name: ""
+domain_join_user: ""
+domain_join_password: ""
+domain_ou_path: ""

configuration/ansible_fs/inventories/production/hosts.yml

@@ -0,0 +1,10 @@
+all:
+  children:
+    fs_servers:
+      hosts:
+        SK3SFS1P.ad.cwx.hr:
+          ansible_host: 10.10.2.101
+          ansible_connection: ssh
+          ansible_shell_type: powershell
+          ansible_user: Administrator
+          ansible_password: "{{ fs_server_password }}"

configuration/ansible_fs/playbooks/setup-fs.yml

@@ -0,0 +1,6 @@
+---
+- name: Configure file servers
+  hosts: fs_servers
+  roles:
+    - common
+    - smb_share

configuration/ansible_fs/roles/common/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+domain_name: "example.local"
+domain_join_user: "{{ domain_join_user }}"
+domain_join_password: "{{ domain_join_password }}"
+domain_ou_path: ""
+
+data_disk_number: 1

configuration/ansible_fs/roles/common/tasks/main.yml

@@ -0,0 +1,71 @@
+---
+- name: Wait for system to be fully booted
+  ansible.builtin.wait_for_connection:
+    timeout: 300
+    sleep: 10
+
+- name: Ensure Windows Update service is running
+  ansible.windows.win_service:
+    name: wuauserv
+    state: started
+    start_mode: auto
+
+- name: Ensure BITS service is running
+  ansible.windows.win_service:
+    name: BITS
+    state: started
+    start_mode: auto
+
+- name: Install Windows updates (loop until no more pending)
+  ansible.windows.win_updates:
+    category_names:
+      - SecurityUpdates
+      - CriticalUpdates
+      - UpdateRollups
+      - Updates
+    state: installed
+    reboot: true
+    reboot_timeout: 3600
+    server_selection: windows_update
+  register: win_updates_result
+  until: win_updates_result.installed_update_count == 0
+  retries: 5
+  delay: 30
+
+- name: Report Windows Update result
+  ansible.builtin.debug:
+    msg: >-
+      Windows Update complete.
+      Last pass installed {{ win_updates_result.installed_update_count }} update(s).
+      Reboot required: {{ win_updates_result.reboot_required }}.
+
+- name: Join Active Directory domain
+  microsoft.ad.membership:
+    dns_domain_name: "{{ domain_name }}"
+    hostname: "{{ inventory_hostname_short }}"
+    domain_admin_user: "{{ domain_join_user }}"
+    domain_admin_password: "{{ domain_join_password }}"
+    domain_ou_path: "{{ domain_ou_path | default(omit) }}"
+    state: domain
+    reboot: true
+    reboot_timeout: 1800
+
+- name: Initialize data disk as GPT
+  community.windows.win_initialize_disk:
+    disk_number: "{{ data_disk_number }}"
+    style: gpt
+    online: true
+
+- name: Create shares partition (F:)
+  community.windows.win_partition:
+    disk_number: "{{ data_disk_number }}"
+    partition_size: -1
+    drive_letter: F
+    state: present
+
+- name: Format shares partition (F:)
+  community.windows.win_format:
+    drive_letter: F
+    file_system: NTFS
+    new_label: FileShares
+    allocation_unit_size: 65536

configuration/ansible_fs/roles/smb_share/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+smb_shares:
+  - name: k8s
+    path: 'F:\Shares\k8s'
+    description: "Kubernetes CSI SMB persistent volume share"
+    full_access:
+      - "CWX\\k8s-svc-user"
+    change_access: []

configuration/ansible_fs/roles/smb_share/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+- name: Install File Server role
+  ansible.windows.win_feature:
+    name: FS-FileServer
+    state: present
+    include_management_tools: true
+  register: fs_role
+
+- name: Reboot if File Server role install requires it
+  ansible.windows.win_reboot:
+  when: fs_role.reboot_required
+
+- name: Create share directories
+  ansible.windows.win_file:
+    path: "{{ item.path }}"
+    state: directory
+  loop: "{{ smb_shares }}"
+
+- name: Create SMB shares
+  ansible.windows.win_share:
+    name: "{{ item.name }}"
+    path: "{{ item.path }}"
+    description: "{{ item.description | default('') }}"
+    full: "{{ item.full_access | default([]) | join(',') or omit }}"
+    change: "{{ item.change_access | default([]) | join(',') or omit }}"
+    state: present
+  loop: "{{ smb_shares }}"
+
+- name: Disable SMB1 protocol
+  ansible.windows.win_powershell:
+    script: |
+      Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
+
+- name: Open SMB firewall port
+  community.windows.win_firewall_rule:
+    name: "File and Printer Sharing (SMB-In)"
+    localport: 445
+    action: allow
+    direction: in
+    protocol: tcp
+    state: present
+    enabled: true