Cleaning Up After Ansible, Using Ansible

This comes out of nowhere, but here is a Playbook that uses Ansible to revert the settings made by ConfigureRemotingForAnsible.ps1.

First, the PowerShell script that reverts the settings applied by ConfigureRemotingForAnsible.ps1.
Undo-ConfigureRemotingForAnsible.ps1

#Requires -RunAsAdministrator
# Reverse settings applied by ConfigureRemotingForAnsible.ps1
# -----------------------------------------------------------
# The WSMan: drive and the WSMan cmdlets only answer while the WinRM
# service is running, so the service is stopped and disabled last.

Write-Output "Reverting Ansible WinRM configuration..."

# 1. Remove HTTPS WinRM listener
Write-Output "Removing HTTPS WinRM listener..."
$selector = @{Address="*";Transport="HTTPS"}
Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector -ErrorAction SilentlyContinue

# 2. Disable Basic authentication
Write-Output "Disabling Basic authentication..."
Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $false -ErrorAction SilentlyContinue

# 3. Disable CredSSP authentication (if enabled)
#    Disable-WSManCredSSP takes no -Force switch, only -Role
Write-Output "Disabling CredSSP authentication..."
Disable-WSManCredSSP -Role Server -ErrorAction SilentlyContinue

# 4. Disable PS Remoting session configurations
Write-Output "Disabling PS Remoting..."
Disable-PSRemoting -Force -ErrorAction SilentlyContinue

# 5. Remove firewall rule for WinRM HTTPS
Write-Output "Removing firewall rule for WinRM HTTPS..."
netsh advfirewall firewall delete rule name="Allow WinRM HTTPS" | Out-Null

# 6. Remove self-signed certificate created for WinRM
#    Matches every certificate whose subject is exactly CN=<computer name>,
#    the subject ConfigureRemotingForAnsible.ps1 uses by default. Narrow the
#    filter if this host carries other certificates with that subject.
Write-Output "Removing self-signed WinRM certificate..."
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "CN=$env:COMPUTERNAME"
}
foreach ($c in $certs) {
    Write-Output "Deleting certificate with Thumbprint $($c.Thumbprint)"
    Remove-Item -Path "Cert:\LocalMachine\My\$($c.Thumbprint)" -Force
}

# 7. Stop and disable WinRM service (last: this also drops any WinRM
#    session the script was launched from)
Write-Output "Stopping WinRM service..."
Stop-Service -Name WinRM -Force -ErrorAction SilentlyContinue
Set-Service -Name WinRM -StartupType Disabled

Write-Output "Revert completed. WinRM and related settings have been disabled."
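As an added example (not part of the original post), a PowerShell check to run on the target host's console after the undo script has finished, since WinRM itself is down by then. It assumes the defaults of ConfigureRemotingForAnsible.ps1 (HTTPS listener on *, firewall rule "Allow WinRM HTTPS", certificate subject CN=<computer name>); the function name Test-AnsibleRemotingReverted is my own.

```powershell
#Requires -RunAsAdministrator
# Added verification check (not from the original post). Confirms every change
# made by ConfigureRemotingForAnsible.ps1 has been undone. Assumes that script's
# defaults: HTTPS listener on *, rule "Allow WinRM HTTPS", cert CN=<computer name>.
function Test-AnsibleRemotingReverted {
    param([string]$SubjectName = $env:COMPUTERNAME)
    $checks = [ordered]@{}

    $svc = Get-Service -Name WinRM
    $checks['WinRM service stopped']   = ($svc.Status -eq 'Stopped')
    $checks['WinRM startup disabled']  = ($svc.StartType -eq 'Disabled')

    # Nothing may be bound to the HTTPS port, whatever the service state
    $checks['Port 5986 not listening'] = -not (Get-NetTCPConnection -LocalPort 5986 -State Listen -ErrorAction SilentlyContinue)

    # netsh's name= is the rule's DisplayName for Get-NetFirewallRule
    $checks['Firewall rule removed']   = -not (Get-NetFirewallRule -DisplayName 'Allow WinRM HTTPS' -ErrorAction SilentlyContinue)

    $checks['Self-signed cert removed'] = -not (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$SubjectName" })

    # The WSMan: drive only answers while WinRM runs; if someone restarted the
    # service, also confirm the listener and Basic auth were actually removed
    if ($svc.Status -eq 'Running') {
        $https = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
        $checks['HTTPS listener removed'] = -not $https
        $checks['Basic auth disabled']    = ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'false')
    }
    return $checks
}

$result = Test-AnsibleRemotingReverted
foreach ($entry in $result.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK  ' } else { 'FAIL' }
    Write-Output "$state $($entry.Key)"
}
# A non-zero exit code lets a scheduled task or a later playbook run flag leftovers
if ($result.Values -contains $false) { exit 1 }
```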

Next, the Playbook that pushes this Undo-ConfigureRemotingForAnsible.ps1 to the target node and runs it. From inside the Playbook it forks a separate, delayed process that deletes the transferred Undo-ConfigureRemotingForAnsible.ps1, so no residue is left behind.

- name: close WinRM
  hosts: target
  gather_facts: no

  tasks:
    - name: Ensure target directory exists on guest
      win_file:
        path: C:\ansibletemp
        state: directory

    - name: Copy script from WSL to guest
      win_copy:
        src: /home/v4hero/ansiblework/Undo-ConfigureRemotingForAnsible.ps1
        dest: C:\ansibletemp\

    - name: Execute Undo script and cleanup
      win_shell: |
        # Run the undo script as a detached process so it survives the loss of this WinRM session
        Start-Process powershell.exe -ArgumentList "-ExecutionPolicy Bypass -File C:\ansibletemp\Undo-ConfigureRemotingForAnsible.ps1" -WindowStyle Hidden

        # Start a background process that deletes the temp directory (script included) a few seconds later
        Start-Process powershell.exe -ArgumentList "-Command & {Start-Sleep -Seconds 10; Remove-Item 'C:\ansibletemp' -Recurse -Force}" -WindowStyle Hidden
      async: 10
      poll: 0

    - name: Wait for connection to be lost (Expected)
      wait_for_connection:
        timeout: 20
      ignore_errors: yes

This is a memo for myself.
