Gophish Ansible playbook (#704)

* Added Ansible files

* Removed old README

* Changed admin_server's use_tls to true in config.json

ansible-playbook/README

@@ -0,0 +1,20 @@
+Tested on Ubuntu 16.04.2.
+
+Installs Postfix (to listen on localhost only) and the latest Linux gophish binary.  setcap is used to allow the gophish binary to listen on privileged ports without running as root.
+
+1) Edit hosts file with the Gophish server IP.
+
+2) Edit vars/main.yml with any changes:
+
+3) Modify files/config.json with any changes.
+
+4) Execute
+
+# Log in as root with SSH key
+ansible-playbook site.yml -i hosts -u root --private-key=private.key
+
+# Log in as root with password
+ansible-playbook site.yml -i hosts -u root --ask-pass
+
+# Log in as non-root user with SSH key (if root login has been disabled)
+ansible-playbook site.yml -i hosts --private-key=private.key -u user --become --ask-sudo-pass

ansible-playbook/hosts

@@ -0,0 +1 @@
+127.0.0.1

ansible-playbook/roles/gophish/files/config.json

@@ -0,0 +1,17 @@
+{
+    "admin_server" : {
+        "listen_url" : "127.0.0.1:3333",
+        "use_tls" : true,
+        "cert_path" : "gophish_admin.crt",
+        "key_path" : "gophish_admin.key"
+    },
+    "phish_server" : {
+        "listen_url" : "0.0.0.0:80",
+        "use_tls" : false,
+        "cert_path" : "example.crt",
+        "key_path": "example.key"
+    },
+    "db_name" : "sqlite3",
+    "db_path" : "gophish.db",
+    "migrations_prefix" : "db/db_"
+}

ansible-playbook/roles/gophish/tasks/main.yml

@@ -0,0 +1,88 @@
+- name: Change /etc/hostname
+  hostname:
+    name: "{{ hostname }}"
+
+- name: Allow TCP 80 for Gophish
+  ufw: rule=allow port=80 proto=tcp
+
+- name: Allow TCP 443 for Gophish
+  ufw: rule=allow port=443 proto=tcp
+
+- name: Enable ufw
+  ufw: state=enabled policy=deny
+  when: enable_ufw_firewall
+
+- name: Update APT package cache
+  apt: update_cache=yes
+
+- name: Upgrade APT to the latest packages
+  apt: upgrade=safe
+
+- name: Ensure postfix is installed (Debian).
+  apt: name=postfix state=installed
+
+- name: Update postfix main.cf configuration file
+  template:
+    src: main.cf.j2
+    dest: /etc/postfix/main.cf
+    backup: yes
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Restart postfix
+  service: name=postfix state=restarted
+
+- name: Ensure postfix is started and enabled at boot.
+  service: name=postfix state=started enabled=yes
+
+- name: Download latest Gophish .zip file
+  get_url:
+    validate_certs: False
+    url: https://getgophish.com/releases/latest/linux/64
+    dest: /home/{{ gophish_user }}/gophish.zip
+    mode: 0755
+    owner: "{{ gophish_user }}"
+    group: "{{ gophish_user }}"
+
+- name: Unzip gophish file
+  unarchive:
+    src: /home/{{ gophish_user }}/gophish.zip
+    dest: /home/{{ gophish_user }}
+    remote_src: True  # File is on target server and not locally.
+    owner: "{{ gophish_user }}"
+    group: "{{ gophish_user }}"
+
+- shell: ls -d /home/{{ gophish_user }}/gophish-*
+  register: gophish_dir
+
+- name: Rename gophish folder
+  command: mv {{ item }} /home/{{ gophish_user }}/gophish
+  with_items: "{{ gophish_dir.stdout }}"
+
+- name: Change ownership of Gophish folder
+  file:
+    path: /home/{{ gophish_user }}/gophish
+    owner: "{{ gophish_user }}"
+    group: "{{ gophish_user }}"
+    recurse: True
+
+- name: Add execution privileges to the gophish binary
+  file:
+    path: /home/{{ gophish_user }}/gophish/gophish
+    mode: 0755
+
+- name: Allow gophish binary to bind to privileged ports using setcap
+  shell: setcap CAP_NET_BIND_SERVICE=+eip /home/{{ gophish_user }}/gophish/gophish
+
+- name: Copy config.json file
+  copy:
+    src: files/config.json
+    dest: /home/{{ gophish_user }}/gophish/config.json
+    owner: "{{ gophish_user }}"
+    group: "{{ gophish_user }}"
+    mode: 0644
+
+- name: Reboot the box in 1 minute
+  command: shutdown -r 1
+  when: reboot_box

ansible-playbook/roles/gophish/templates/main.cf.j2

@@ -0,0 +1,40 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ postfix_hostname }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = {{ postfix_hostname }}, localhost.localdomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = {{ postfix_inet_interfaces }}
+inet_protocols = all

ansible-playbook/roles/gophish/vars/main.yml

@@ -0,0 +1,9 @@
+enable_ufw_firewall: true
+
+hostname: gophish
+gophish_user: gpuser
+postfix_hostname: gophish
+postfix_inet_interfaces: 127.0.0.1
+
+# Required if changing /etc/hostname to something different.
+reboot_box: true

ansible-playbook/site.yml

@@ -0,0 +1,4 @@
+- hosts: all
+
+  roles:
+    - gophish