Updated the Ansible role (#1786)

ansible-playbook/roles/gophish/files/config.json

@@ -1,17 +1,22 @@
 {
-    "admin_server" : {
+	"admin_server": {
-        "listen_url" : "127.0.0.1:3333",
+		"listen_url": "127.0.0.1:3333",
-        "use_tls" : true,
+		"use_tls": true,
-        "cert_path" : "gophish_admin.crt",
+		"cert_path": "/etc/ssl/crt/gophish.crt",
-        "key_path" : "gophish_admin.key"
+		"key_path": "/etc/ssl/private/gophish.pem"
-    },
+	},
-    "phish_server" : {
+	"phish_server": {
-        "listen_url" : "0.0.0.0:80",
+		"listen_url": "127.0.0.1:8080",
-        "use_tls" : false,
+		"use_tls": true,
-        "cert_path" : "example.crt",
+		"cert_path": "/etc/ssl/crt/gophish.crt",
-        "key_path": "example.key"
+		"key_path": "/etc/ssl/private/gophish.pem"
-    },
+	},
-    "db_name" : "sqlite3",
+	"db_name": "sqlite3",
-    "db_path" : "gophish.db",
+	"db_path": "gophish.db",
-    "migrations_prefix" : "db/db_"
+	"migrations_prefix": "db/db_",
-}
+	"contact_address": "",
+	"logging": {
+		"filename": "",
+		"level": ""
+	}
+}

ansible-playbook/roles/gophish/tasks/main.yml

@@ -2,22 +2,27 @@
   hostname:
     name: "{{ hostname }}"
 
+- name: Ensure ufw is installed on the machine
+  package:
+    name: ufw
+    state: present
+
 - name: Allow TCP 22 for SSH.
   ufw:
     rule: allow
-    port: 22
+    port: '22'
     proto: tcp
 
 - name: Allow TCP 80 for Gophish.
   ufw:
     rule: allow
-    port: 80
+    port: '80'
     proto: tcp
 
 - name: Allow TCP 443 for Gophish.
   ufw:
     rule: allow
-    port: 443
+    port: '443'
     proto: tcp
 
 - name: Enable ufw.
@@ -34,11 +39,55 @@
   apt:
     upgrade: safe
 
+- name: Ensure /etc/ssl/csr folder exists
+  file:
+    path: /etc/ssl/csr
+    state: directory
+    mode: '0755'
+  
+- name: Ensure /etc/ssl/private folder exists
+  file:
+    path: /etc/ssl/private
+    state: directory
+    mode: '0755'
+
+- name: Ensure /etc/ssl/crt folder exists
+  file:
+    path: /etc/ssl/crt
+    state: directory
+    mode: '0755'
+
 - name: Install specified packages.
   apt:
-    pkg: "{{ item }}"
+    pkg: "{{ install_packages }}"
     state: latest
-  with_items: "{{ install_packages }}"
+
+- name: adding existing user '{{ gophish_user }}' to group ssl-cert
+  user:
+    name: '{{ gophish_user }}'
+    groups: ssl-cert
+    append: yes
+
+- name: Ensure the cryptography Python package is installed
+  pip:
+    name: cryptography
+
+- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
+  openssl_privatekey:
+    path: "{{ gophish_ssl_cert_path }}"
+
+- name: Generate an OpenSSL Certificate Signing Request
+  openssl_csr:
+    path: "{{ gophish_csr_path }}"
+    privatekey_path: "{{ gophish_ssl_cert_path }}"
+    common_name: "{{ gophish_domain }}"
+
+- name: Generate a Self Signed OpenSSL certificate
+  openssl_certificate:
+    path: "{{ gophish_crt_path }}"
+    privatekey_path: "{{ gophish_ssl_cert_path }}"
+    csr_path: "{{ gophish_csr_path }}"
+    provider: selfsigned
 
 - name: Update postfix main.cf configuration file.
   template:
@@ -69,9 +118,23 @@
     owner: "{{ gophish_user }}"
     group: "{{ gophish_user }}"
 
+- name: Ensure gophish user has permission for CRT file.
+  file:
+    path: "{{ gophish_crt_path }}"
+    mode: 0755
+    owner: "{{ gophish_user }}"
+    group: "{{ gophish_user }}"
+
+- name: Ensure gophish user has permission for SSL certificate.
+  file:
+    path: "{{ gophish_ssl_cert_path }}"
+    mode: 0755
+    owner: "{{ gophish_user }}"
+    group: "{{ gophish_user }}"
+
 - name: Create directory for gophish.
   file:
-    path: "/home/{{ gophish_user }}/gophish"
+    path: "/home/{{ gophish_user }}/gophish_deploy"
     state: directory
     mode: 0755
     owner: "{{ gophish_user }}"
@@ -80,29 +143,65 @@
 - name: Unzip gophish file.
   unarchive:
     src: "/home/{{ gophish_user }}/gophish.zip"
-    dest: "/home/{{ gophish_user }}/gophish"
+    dest: "/home/{{ gophish_user }}/gophish_deploy"
     remote_src: True  # File is on target server and not locally.
     owner: "{{ gophish_user }}"
     group: "{{ gophish_user }}"
 
 - name: Change ownership of Gophish folder and files.
   file:
-    path: /home/{{ gophish_user }}/gophish
+    path: /home/{{ gophish_user }}/gophish_deploy
     owner: "{{ gophish_user }}"
     group: "{{ gophish_user }}"
     recurse: True
 
-- name: Allow gophish binary to bind to privileged ports using setcap.
+- name: Ensure gophish binary is allowed to bind to privileged ports using setcap
-  shell: setcap CAP_NET_BIND_SERVICE=+eip /home/{{ gophish_user }}/gophish/gophish
+  capabilities:
+    path: /home/{{ gophish_user }}/gophish_deploy/gophish
+    capability: cap_net_bind_service+eip
+    state: present
 
 - name: Copy config.json file.
   copy:
     src: files/config.json
-    dest: "/home/{{ gophish_user }}/gophish/config.json"
+    dest: "/home/{{ gophish_user }}/gophish_deploy/config.json"
     owner: "{{ gophish_user }}"
     group: "{{ gophish_user }}"
     mode: 0644
 
+- name: Ensure gophish service file is properly set
+  template:
+    src: gophish.service.j2
+    dest: /etc/systemd/system/gophish.service
+    mode: 644
+
+- name: Ensure systemd to reread configs
+  systemd:
+    daemon_reload: yes
+
+- name: Ensure gophish is properly started
+  service:
+    name: gophish.service
+    state: started
+    enabled: yes
+
+- name: Ensure nginx is installed
+  package:
+    name: nginx
+    state: present
+
+- name: Ensure nginx service file is properly set
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    mode: 644
+
+- name: Ensure nginx service is restarted
+  service:
+    name: nginx
+    state: reloaded
+    enabled: yes
+
 - name: Reboot the box in 1 minute.
   command: shutdown -r 1
-  when: reboot_box
+  when: reboot_box

ansible-playbook/roles/gophish/templates/gophish.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=gophish
+After=network.target
+[Service]
+Type=simple
+WorkingDirectory=/home/{{ gophish_user }}/gophish_deploy/
+ExecStart="/home/{{ gophish_user }}/gophish_deploy/gophish"
+User={{ gophish_user }}
+PIDFile="/home/{{ gophish_user }}/gophish_deploy/gophish.pid"
+[Install]
+WantedBy=multi-user.target

ansible-playbook/roles/gophish/templates/nginx.conf.j2

@@ -0,0 +1,26 @@
+events {
+    worker_connections 4096;
+}
+
+http {
+    server {
+        listen 80;
+        server_name {{gophish_domain}};
+        return 301 https://$host$request_uri;
+    }
+
+    server {
+        listen 443 ssl;
+        ssl_certificate {{ gophish_crt_path }};
+        ssl_certificate_key {{ gophish_ssl_cert_path }};
+        server_name {{gophish_domain}};
+        location / {
+            proxy_pass         https://127.0.0.1:8080;
+            proxy_redirect     off;
+            proxy_set_header   Host $host;
+            proxy_set_header   X-Real-IP $remote_addr;
+            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header   X-Forwarded-Host $server_name;
+        }
+    }
+}

ansible-playbook/roles/gophish/vars/main.yml

@@ -3,11 +3,16 @@ enable_ufw_firewall: true
 install_packages:
   - postfix
   - unzip
+  - libcap2-bin
+  - python-pip
 
 hostname: gophish
 gophish_user: ubuntu
 postfix_hostname: gophish
 postfix_inet_interfaces: 127.0.0.1
-
+gophish_domain: gophish.local
+gophish_ssl_cert_path: /etc/ssl/private/gophish.pem
+gophish_csr_path: /etc/ssl/csr/gophish.csr
+gophish_crt_path: /etc/ssl/crt/gophish.crt
 # Required if changing /etc/hostname to something different.
-reboot_box: true
+reboot_box: true