Updated the Ansible Playbook (#2138)

* Update Ansible role
* lint Ansible role
* Update Ansible Playbook README
* use python3 packages instead python2
pull/1813/merge
Bilal Retiat 2021-12-23 19:13:43 +01:00 committed by GitHub
parent ceab0509eb
commit 0646f14c99
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 38 additions and 18 deletions

View File

@ -1,4 +1,4 @@
Tested on Ubuntu 16.04.4. Tested on Ubuntu 20.04 LTS.
Installs Postfix (to listen on localhost only) and the latest Linux gophish binary. setcap is used to allow the gophish binary to listen on privileged ports without running as root. Installs Postfix (to listen on localhost only) and the latest Linux gophish binary. setcap is used to allow the gophish binary to listen on privileged ports without running as root.
@ -17,7 +17,7 @@ ansible-playbook site.yml -i hosts -u root --private-key=private.key
ansible-playbook site.yml -i hosts -u root --ask-pass ansible-playbook site.yml -i hosts -u root --ask-pass
# Log in as non-root user with SSH key (if root login has been disabled) # Log in as non-root user with SSH key (if root login has been disabled)
ansible-playbook site.yml -i hosts --private-key=private.key -u user --become --ask-sudo-pass ansible-playbook site.yml -i hosts --private-key=private.key -u user --become --ask-become-pass
# Logging in as non-root user without SSH keys # Logging in as non-root user without SSH keys
ansible-playbook site.yml -i hosts -u ubuntu --ask-pass --become --ask-sudo-pass ansible-playbook site.yml -i hosts -u ubuntu --ask-pass --become --ask-become-pass

View File

@ -16,7 +16,7 @@
"migrations_prefix": "db/db_", "migrations_prefix": "db/db_",
"contact_address": "", "contact_address": "",
"logging": { "logging": {
"filename": "", "filename": "gophish.log",
"level": "" "level": ""
} }
} }

View File

@ -10,19 +10,19 @@
- name: Allow TCP 22 for SSH. - name: Allow TCP 22 for SSH.
ufw: ufw:
rule: allow rule: allow
port: '22' port: "22"
proto: tcp proto: tcp
- name: Allow TCP 80 for Gophish. - name: Allow TCP 80 for Gophish.
ufw: ufw:
rule: allow rule: allow
port: '80' port: "80"
proto: tcp proto: tcp
- name: Allow TCP 443 for Gophish. - name: Allow TCP 443 for Gophish.
ufw: ufw:
rule: allow rule: allow
port: '443' port: "443"
proto: tcp proto: tcp
- name: Enable ufw. - name: Enable ufw.
@ -43,19 +43,19 @@
file: file:
path: /etc/ssl/csr path: /etc/ssl/csr
state: directory state: directory
mode: '0755' mode: "0755"
- name: Ensure /etc/ssl/private folder exists - name: Ensure /etc/ssl/private folder exists
file: file:
path: /etc/ssl/private path: /etc/ssl/private
state: directory state: directory
mode: '0755' mode: "0755"
- name: Ensure /etc/ssl/crt folder exists - name: Ensure /etc/ssl/crt folder exists
file: file:
path: /etc/ssl/crt path: /etc/ssl/crt
state: directory state: directory
mode: '0755' mode: "0755"
- name: Install specified packages. - name: Install specified packages.
apt: apt:
@ -64,7 +64,7 @@
- name: adding existing user '{{ gophish_user }}' to group ssl-cert - name: adding existing user '{{ gophish_user }}' to group ssl-cert
user: user:
name: '{{ gophish_user }}' name: "{{ gophish_user }}"
groups: ssl-cert groups: ssl-cert
append: yes append: yes
@ -109,10 +109,16 @@
state: started state: started
enabled: yes enabled: yes
- name: get latest release info
uri:
url: "https://api.github.com/repos/gophish/gophish/releases/latest"
return_content: true
register: latest_json_reponse
- name: Download latest Gophish .zip file. - name: Download latest Gophish .zip file.
get_url: get_url:
validate_certs: True validate_certs: True
url: https://getgophish.com/releases/latest/linux/64 url: "https://github.com/gophish/gophish/releases/download/{{ latest_json_reponse.json.tag_name }}/gophish-{{ latest_json_reponse.json.tag_name }}-linux-64bit.zip"
dest: "/home/{{ gophish_user }}/gophish.zip" dest: "/home/{{ gophish_user }}/gophish.zip"
mode: 0755 mode: 0755
owner: "{{ gophish_user }}" owner: "{{ gophish_user }}"
@ -144,7 +150,7 @@
unarchive: unarchive:
src: "/home/{{ gophish_user }}/gophish.zip" src: "/home/{{ gophish_user }}/gophish.zip"
dest: "/home/{{ gophish_user }}/gophish_deploy" dest: "/home/{{ gophish_user }}/gophish_deploy"
remote_src: True # File is on target server and not locally. remote_src: True # File is on target server and not locally.
owner: "{{ gophish_user }}" owner: "{{ gophish_user }}"
group: "{{ gophish_user }}" group: "{{ gophish_user }}"
@ -155,6 +161,11 @@
group: "{{ gophish_user }}" group: "{{ gophish_user }}"
recurse: True recurse: True
- name: Ensure gophish binary is executable
file:
path: /home/{{ gophish_user }}/gophish_deploy/gophish
mode: 744
- name: Ensure gophish binary is allowed to bind to privileged ports using setcap - name: Ensure gophish binary is allowed to bind to privileged ports using setcap
capabilities: capabilities:
path: /home/{{ gophish_user }}/gophish_deploy/gophish path: /home/{{ gophish_user }}/gophish_deploy/gophish
@ -202,6 +213,14 @@
state: reloaded state: reloaded
enabled: yes enabled: yes
- name: get Gophish log file which contain initial password
command: cat /home/{{ gophish_user }}/gophish_deploy/gophish.log
register: gophish_log
- name: display log file
debug:
msg: "{{ gophish_log }}"
- name: Reboot the box in 1 minute. - name: Reboot the box in 1 minute.
command: shutdown -r 1 command: shutdown -r 1
when: reboot_box when: reboot_box

View File

@ -4,7 +4,8 @@ install_packages:
- postfix - postfix
- unzip - unzip
- libcap2-bin - libcap2-bin
- python-pip - python-is-python3
- python3-pip
hostname: gophish hostname: gophish
gophish_user: ubuntu gophish_user: ubuntu
@ -15,4 +16,4 @@ gophish_ssl_cert_path: /etc/ssl/private/gophish.pem
gophish_csr_path: /etc/ssl/csr/gophish.csr gophish_csr_path: /etc/ssl/csr/gophish.csr
gophish_crt_path: /etc/ssl/crt/gophish.crt gophish_crt_path: /etc/ssl/crt/gophish.crt
# Required if changing /etc/hostname to something different. # Required if changing /etc/hostname to something different.
reboot_box: true reboot_box: true