diff --git a/ansible-playbook/roles/gophish/files/config.json b/ansible-playbook/roles/gophish/files/config.json index a3bf2a10..efdd72be 100644 --- a/ansible-playbook/roles/gophish/files/config.json +++ b/ansible-playbook/roles/gophish/files/config.json @@ -1,17 +1,22 @@ { - "admin_server" : { - "listen_url" : "127.0.0.1:3333", - "use_tls" : true, - "cert_path" : "gophish_admin.crt", - "key_path" : "gophish_admin.key" - }, - "phish_server" : { - "listen_url" : "0.0.0.0:80", - "use_tls" : false, - "cert_path" : "example.crt", - "key_path": "example.key" - }, - "db_name" : "sqlite3", - "db_path" : "gophish.db", - "migrations_prefix" : "db/db_" -} + "admin_server": { + "listen_url": "127.0.0.1:3333", + "use_tls": true, + "cert_path": "/etc/ssl/crt/gophish.crt", + "key_path": "/etc/ssl/private/gophish.pem" + }, + "phish_server": { + "listen_url": "127.0.0.1:8080", + "use_tls": true, + "cert_path": "/etc/ssl/crt/gophish.crt", + "key_path": "/etc/ssl/private/gophish.pem" + }, + "db_name": "sqlite3", + "db_path": "gophish.db", + "migrations_prefix": "db/db_", + "contact_address": "", + "logging": { + "filename": "", + "level": "" + } +} \ No newline at end of file diff --git a/ansible-playbook/roles/gophish/tasks/main.yml b/ansible-playbook/roles/gophish/tasks/main.yml index bd503464..8608e365 100644 --- a/ansible-playbook/roles/gophish/tasks/main.yml +++ b/ansible-playbook/roles/gophish/tasks/main.yml @@ -2,22 +2,27 @@ hostname: name: "{{ hostname }}" +- name: Ensure ufw is installed on the machine + package: + name: ufw + state: present + - name: Allow TCP 22 for SSH. ufw: rule: allow - port: 22 + port: '22' proto: tcp - name: Allow TCP 80 for Gophish. ufw: rule: allow - port: 80 + port: '80' proto: tcp - name: Allow TCP 443 for Gophish. ufw: rule: allow - port: 443 + port: '443' proto: tcp - name: Enable ufw. @@ -34,11 +39,55 @@ apt: upgrade: safe +- name: Ensure /etc/ssl/csr folder exists + file: + path: /etc/ssl/csr + state: directory + mode: '0755' + +- name: Ensure /etc/ssl/private folder exists + file: + path: /etc/ssl/private + state: directory + mode: '0755' + +- name: Ensure /etc/ssl/crt folder exists + file: + path: /etc/ssl/crt + state: directory + mode: '0755' + - name: Install specified packages. apt: - pkg: "{{ item }}" + pkg: "{{ install_packages }}" state: latest - with_items: "{{ install_packages }}" + +- name: adding existing user '{{ gophish_user }}' to group ssl-cert + user: + name: '{{ gophish_user }}' + groups: ssl-cert + append: yes + +- name: Ensure the cryptography Python package is installed + pip: + name: cryptography + +- name: Generate an OpenSSL private key with the default values (4096 bits, RSA) + openssl_privatekey: + path: "{{ gophish_ssl_cert_path }}" + +- name: Generate an OpenSSL Certificate Signing Request + openssl_csr: + path: "{{ gophish_csr_path }}" + privatekey_path: "{{ gophish_ssl_cert_path }}" + common_name: "{{ gophish_domain }}" + +- name: Generate a Self Signed OpenSSL certificate + openssl_certificate: + path: "{{ gophish_crt_path }}" + privatekey_path: "{{ gophish_ssl_cert_path }}" + csr_path: "{{ gophish_csr_path }}" + provider: selfsigned - name: Update postfix main.cf configuration file. template: @@ -69,9 +118,23 @@ owner: "{{ gophish_user }}" group: "{{ gophish_user }}" +- name: Ensure gophish user has permission for CRT file. + file: + path: "{{ gophish_crt_path }}" + mode: 0755 + owner: "{{ gophish_user }}" + group: "{{ gophish_user }}" + +- name: Ensure gophish user has permission for SSL certificate. + file: + path: "{{ gophish_ssl_cert_path }}" + mode: 0755 + owner: "{{ gophish_user }}" + group: "{{ gophish_user }}" + - name: Create directory for gophish. file: - path: "/home/{{ gophish_user }}/gophish" + path: "/home/{{ gophish_user }}/gophish_deploy" state: directory mode: 0755 owner: "{{ gophish_user }}" @@ -80,29 +143,65 @@ - name: Unzip gophish file. unarchive: src: "/home/{{ gophish_user }}/gophish.zip" - dest: "/home/{{ gophish_user }}/gophish" + dest: "/home/{{ gophish_user }}/gophish_deploy" remote_src: True # File is on target server and not locally. owner: "{{ gophish_user }}" group: "{{ gophish_user }}" - name: Change ownership of Gophish folder and files. file: - path: /home/{{ gophish_user }}/gophish + path: /home/{{ gophish_user }}/gophish_deploy owner: "{{ gophish_user }}" group: "{{ gophish_user }}" recurse: True -- name: Allow gophish binary to bind to privileged ports using setcap. - shell: setcap CAP_NET_BIND_SERVICE=+eip /home/{{ gophish_user }}/gophish/gophish +- name: Ensure gophish binary is allowed to bind to privileged ports using setcap + capabilities: + path: /home/{{ gophish_user }}/gophish_deploy/gophish + capability: cap_net_bind_service+eip + state: present - name: Copy config.json file. copy: src: files/config.json - dest: "/home/{{ gophish_user }}/gophish/config.json" + dest: "/home/{{ gophish_user }}/gophish_deploy/config.json" owner: "{{ gophish_user }}" group: "{{ gophish_user }}" mode: 0644 +- name: Ensure gophish service file is properly set + template: + src: gophish.service.j2 + dest: /etc/systemd/system/gophish.service + mode: 644 + +- name: Ensure systemd to reread configs + systemd: + daemon_reload: yes + +- name: Ensure gophish is properly started + service: + name: gophish.service + state: started + enabled: yes + +- name: Ensure nginx is installed + package: + name: nginx + state: present + +- name: Ensure nginx service file is properly set + template: + src: nginx.conf.j2 + dest: /etc/nginx/nginx.conf + mode: 644 + +- name: Ensure nginx service is restarted + service: + name: nginx + state: reloaded + enabled: yes + - name: Reboot the box in 1 minute. command: shutdown -r 1 - when: reboot_box + when: reboot_box \ No newline at end of file diff --git a/ansible-playbook/roles/gophish/templates/gophish.service.j2 b/ansible-playbook/roles/gophish/templates/gophish.service.j2 new file mode 100644 index 00000000..9409bdc8 --- /dev/null +++ b/ansible-playbook/roles/gophish/templates/gophish.service.j2 @@ -0,0 +1,11 @@ +[Unit] +Description=gophish +After=network.target +[Service] +Type=simple +WorkingDirectory=/home/{{ gophish_user }}/gophish_deploy/ +ExecStart="/home/{{ gophish_user }}/gophish_deploy/gophish" +User={{ gophish_user }} +PIDFile="/home/{{ gophish_user }}/gophish_deploy/gophish.pid" +[Install] +WantedBy=multi-user.target diff --git a/ansible-playbook/roles/gophish/templates/nginx.conf.j2 b/ansible-playbook/roles/gophish/templates/nginx.conf.j2 new file mode 100644 index 00000000..2d509098 --- /dev/null +++ b/ansible-playbook/roles/gophish/templates/nginx.conf.j2 @@ -0,0 +1,26 @@ +events { + worker_connections 4096; +} + +http { + server { + listen 80; + server_name {{gophish_domain}}; + return 301 https://$host$request_uri; + } + + server { + listen 443 ssl; + ssl_certificate {{ gophish_crt_path }}; + ssl_certificate_key {{ gophish_ssl_cert_path }}; + server_name {{gophish_domain}}; + location / { + proxy_pass https://127.0.0.1:8080; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + } + } +} diff --git a/ansible-playbook/roles/gophish/vars/main.yml b/ansible-playbook/roles/gophish/vars/main.yml index 2b76d3ea..eaa42565 100644 --- a/ansible-playbook/roles/gophish/vars/main.yml +++ b/ansible-playbook/roles/gophish/vars/main.yml @@ -3,11 +3,16 @@ enable_ufw_firewall: true install_packages: - postfix - unzip + - libcap2-bin + - python-pip hostname: gophish gophish_user: ubuntu postfix_hostname: gophish postfix_inet_interfaces: 127.0.0.1 - +gophish_domain: gophish.local +gophish_ssl_cert_path: /etc/ssl/private/gophish.pem +gophish_csr_path: /etc/ssl/csr/gophish.csr +gophish_crt_path: /etc/ssl/crt/gophish.crt # Required if changing /etc/hostname to something different. -reboot_box: true +reboot_box: true \ No newline at end of file