ait-testbed
diff --git a/‎README.md‎
Lines changed: 74 additions & 21 deletions b/‎README.md‎
Lines changed: 74 additions & 21 deletions
diff --git a/‎defaults/main.yml‎
Lines changed: 19 additions & 1 deletion b/‎defaults/main.yml‎
Lines changed: 19 additions & 1 deletion
diff --git a/‎handlers/main.yml‎
Lines changed: 6 additions & 0 deletions b/‎handlers/main.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎molecule/default/molecule.yml‎
Lines changed: 0 additions & 8 deletions b/‎molecule/default/molecule.yml‎
Lines changed: 0 additions & 8 deletions
diff --git a/‎tasks/api_server.yml‎
Lines changed: 189 additions & 0 deletions b/‎tasks/api_server.yml‎
Lines changed: 189 additions & 0 deletions
diff --git a/‎tasks/main.yml‎
Lines changed: 9 additions & 0 deletions b/‎tasks/main.yml‎
Lines changed: 9 additions & 0 deletions
@@ -6,34 +6,63 @@ It is further possible to roll out playbooks.
 
 ## Requirements
 
-- Debian or Ubuntu
+- Debian 13 
+
+- Ubuntu 24.04 
+
+- Kali Linux (Rolling)
+
+
+Note on gRPC: To ensure high performance and fast deployment, pre-compiled Python wheels (.whl) for grpc are automatically fetched by the role from our internal image server for the distributions listed above. For other operating systems, the role will fallback to compiling gRPC locally, which may significantly increase the initial setup time.
 
 (Currently there are no packages defined for RedHat distributions)
 
 ## Role Variables
 
 | Variable name                  | Type         | Default                                   | Description                                              |
 | ------------------------------ | ------------ | ----------------------------------------- | -------------------------------------------------------- |
-| attackmate_url                 | url          | https://github.com/ait-aecid/attackmate.git | Official attackmate repository |
-| attackmate_version             | version-str  | main | Version/Branch of the Git-Repository in attackmate_url |
-| attackmate_shared_dir          | path         | /usr/local/share | Installation path |
-| attackmate_dest                | path         | `{{ attackmate_shared_dir }}/attackmate` | Installation path of the attackmate repository |
-| attackmate_sliverfix           | bool         | True | [Install sliver-fix](https://aeciddocs.ait.ac.at/attackmate/development/installation/sliverfix.html#sliver-fix) |
-| attackmate_grpc_dest           | path | `{{ attackmate_shared_dir }}/grpc` | Temporary install grpc to this path if sliverfix is enabled |
-| attackmate_bindir              | path | /usr/local/bin | Installpath for the tmux-wrapper |
-| attackmate_tmux                | bool | True | Deploy tmux-wrapper |
-| attackmate_tmux_session        | str  | attackmate | Use this existing session-name for the tmux-wrapper |
-| attackmate_tmux_window         | str  | attackmate | The name of the tmux-window for attackmate |
-| attackmate_config_dir          | path | /etc/attackmate | Path to the config-directory |
-| attackmate_playbook_path       | path | `{{ attackmate_config_dir }}/playbooks` | Path to the playbooks-directory |
-| attackmate_playbooks           | list of playbook-templates(j2) | `[]` | List of playbooks to deploy |
-| attackmate_config_tpl          | str  | attackmate.yml.j2 | Name of the config-template(jinja) |
-| attackmate_sliver_config       | path | **None** | Path to the generated sliver-config. (only needed for sliver-commands) |
-| attackmate_msf_server          | hostname | **None** | Hostname of the Metasploit rpcd. (only needed for msf-commands) |
-| attackmate_msf_passwd          | password | **None** | Password for the Metasploit rpcd. (only needed for msf-commands) |
-| attackmate_playwright          | bool         | True | Whether to install Playwright and its dependencies |
-| command_delay                  | float | **None** | delay in seconds before commands for the CommandConfig |
-| attackmate_remote_config | dict | {} | Optional map of named remote AttackMate connections. Each entry requires url, username, password, and optionally cafile. If empty, no remote_config section is written to the config file. |
+| attackmate_url                 | url          | https://github.com/ait-aecid/attackmate.git | Official attackmate repository                         |
+| attackmate_version             | version-str  | main | Version/Branch of the Git-Repository in attackmate_url                                        |
+| attackmate_shared_dir          | path         | /usr/local/share                          | Installation path                                        |
+| attackmate_dest                | path         | `{{ attackmate_shared_dir }}/attackmate`  | Installation path of the attackmate repository           |
+| attackmate_sliverfix           | bool         | True                                      | [Install sliver-fix](https://aeciddocs.ait.ac.at/attackmate/development/installation/sliverfix.html#sliver-fix) |
+| attackmate_grpc_dest           | path         | `{{ attackmate_shared_dir }}/grpc`        | Temporary install grpc to this path if sliverfix is enabled |
+| attackmate_bindir              | path         | /usr/local/bin                            | Installpath for the tmux-wrapper                         |
+| attackmate_tmux                | bool         | True                                      | Deploy tmux-wrapper                                      |
+| attackmate_tmux_session        | str          | attackmate                                | Use this existing session-name for the tmux-wrapper      |
+| attackmate_tmux_window         | str          | attackmate                                | The name of the tmux-window for attackmate               |
+| attackmate_config_dir          | path         | /etc/attackmate                           | Path to the config-directory                             |
+| attackmate_playbook_path       | path         | `{{ attackmate_config_dir }}/playbooks`   | Path to the playbooks-directory                          |
+| attackmate_playbooks           | list of playbook-templates(j2) | `[]`                    | List of playbooks to deploy                              |
+| attackmate_config_tpl          | str          | attackmate.yml.j2 | Name of the config-template(jinja) |
+| attackmate_sliver_config       | path         | **None**                                  | Path to the generated sliver-config. (only needed for sliver-commands) |
+| attackmate_msf_server          | hostname     | **None**                                  | Hostname of the Metasploit rpcd. (only needed for msf-commands) |
+| attackmate_msf_passwd          | password     | **None**                                  | Password for the Metasploit rpcd. (only needed for msf-commands) |
+| attackmate_playwright          | bool         | True                                      | Whether to install Playwright and its dependencies |
+| command_delay                  | float        | **None**                                  | delay in seconds before commands for the CommandConfig |
+| attackmate_remote_config       | dict         | {} | Optional map of named remote AttackMate connections. Each entry requires url, username, password, and optionally cafile. If empty, no remote_config section is written to the config file.|
+
+## Additional role Variables for installation as Api server 
+| Variable name                  | Type         | Default                                   | Description                                              |
+| ------------------------------ | ------------ | ----------------------------------------- | -------------------------------------------------------- |
+| attackmate_api_server          | bool         | False                                     | Install the attackmate-api-server |
+| attackmate_api_server_url      | url          | https://github.com/ait-testbed/attackmate-api-server.git | Repository URL for the api server |
+| attackmate_api_server_version  | version-str  | main                                      | Version/Branch of the api server repository |
+| attackmate_api_server_dest     | path         | {{ attackmate_shared_dir }}/attackmate-api-server | Installation path of the api server |
+| attackmate_api_bin_path        | path         | /usr/local/bin/attackmate-api | Installation path for the attackmate-api executable |
+| attackmate_api_service_path    | path         | /etc/systemd/system/attackmate-api.service | Path for the systemd service unit file |
+| attackmate_api_log_dir         | path         | /var/log/attackmate-api | Directory for API server log files |
+| attackmate_api_logs_to_disk    | bool         | False | Whether to write playbook logs to disk |
+| attackmate_ssl_key_path        | path         | /etc/ssl/private/attackmate.key | Path for the generated RSA private key |
+| attackmate_ssl_cert_path       | path         | /etc/ssl/certs/attackmate.pem | Path for the generated self-signed certificate |
+| attackmate_api_plain_ users    | dict         | {} | Map of username to plaintext password used to generate argon2 hashes at deploy time. Format: {"username": "password", ...}. Leave empty to skip user generation. Never commit plaintext passwords! |
+
+
+> [!WARNING]
+> `attackmate_api_plain_users` contains plaintext passwords and must **never** be committed to version control.
+> Only define this variable locally on the machine you are running the playbook from, either by passing it via
+> `--extra-vars` at runtime or in a local vars file that is excluded from your repository via `.gitignore`.
+> The hashing and deployment happen in memory only — the plaintext passwords are never written to the target host.
 
 ## Example Playbook
 
@@ -66,6 +95,30 @@ This role installs to executables:
 * **/usr/local/bin/attackm8**: a wrapper for attackmate that uses the virtual environment
 * **/usr/local/bin/attackmate-tmux**: a wrapper that executes attackmate in a tmux-session
 
+## Installing as API Server
+
+AttackMate can optionally be installed together with the [AttackMate API Server](https://github.com/ait-testbed/attackmate-api-server),
+which exposes AttackMate's functionality via a REST API and allows remote instances to be controlled over the network.
+The API server is installed into the same virtual environment as AttackMate, since it depends on it.
+
+To enable the API server, set `attackmate_api_server: True` in your playbook:
+```yaml
+- name: Install attackmate with API server
+  become: true
+  hosts: localhost
+  roles:
+    - role: attackmate
+      vars:
+        attackmate_api_server: True
+        attackmate_api_plain_users:
+          admin: "securepassword"
+
+```
+
+ installs to executables:
+
+* **/usr/local/bin/attackmate-api-server**: symlink to the attackmate-api-server executable in the virtual environment
+
 ## Role testing with molecule
 
 ### Role testing locally
 
@@ -51,4 +51,22 @@ distribution_lower: "{{ ansible_distribution | lower }}"
 #     username: user
 #     password: anotherpassword
 #     cafile: "/path/to/another_cert.pem"
-attackmate_remote_config: {}
+
+# If no Remote AttackMate connections configured set to empty dict
+attackmate_remote_config: {}
+
+# Installation as api server
+attackmate_api_server: False
+attackmate_api_server_url: "https://github.com/ait-testbed/attackmate-api-server.git"
+attackmate_api_server_version: "main"
+attackmate_api_server_dest: "{{ attackmate_shared_dir }}/attackmate-api-server"
+
+attackmate_api_logs_to_disk: False
+attackmate_api_log_dir: "/var/log/attackmate-api"
+
+attackmate_api_bin_path: "/usr/local/bin/attackmate-api"
+attackmate_api_service_path: "/etc/systemd/system/attackmate-api.service"
+attackmate_ssl_key_path: "/etc/ssl/private/attackmate.key"
+attackmate_ssl_cert_path: "/etc/ssl/certs/attackmate.pem"
+attackmate_api_server_port: 8445
+attackmate_api_plain_users: {}
@@ -0,0 +1,6 @@
+- name: Restart attackmate-api
+  become: true
+  ansible.builtin.systemd:
+    name: attackmate-api
+    state: restarted
+    daemon_reload: yes
@@ -9,18 +9,10 @@ platforms:
     image: kalilinux/kali-rolling # Or a specific tagged version if preferred
     ansible_user: root
     pre_build_image: true          # Pulls image beforehand
-  - name: instance-ubuntu2204
-    image: ubuntu:22.04
-    ansible_user: root
-    pre_build_image: true
   - name: instance-ubuntu2404
     image: ubuntu:24.04
     ansible_user: root
     pre_build_image: true
-  - name: instance-debian12
-    image: debian:12
-    ansible_user: root
-    pre_build_image: true
   - name: instance-debian13
     image: debian:13
     ansible_user: root
 
@@ -0,0 +1,189 @@
+- name: Create dedicated API service user
+  become: true
+  ansible.builtin.user:
+    name: attackmate-api
+    system: yes
+    shell: /usr/sbin/nologin
+    create_home: no
+
+# --- Git checkout ---
+
+- name: Git checkout attackmate-api-server
+  ansible.builtin.git:
+    repo: "{{ attackmate_api_server_url }}"
+    dest: "{{ attackmate_api_server_dest }}"
+    version: "{{ attackmate_api_server_version }}"
+  register: attackmate_api_git
+  tags:
+    - molecule-idempotence-notest
+
+# --- Installation ---
+
+- name: Install attackmate-api-server with uv
+  become: true
+  ansible.builtin.shell:
+    chdir: "{{ attackmate_api_server_dest }}"
+    cmd: "uv pip install --python {{ attackmate_dest }}/.venv/bin/python ."
+  when: attackmate_api_git.changed
+  changed_when: true
+  tags:
+    - molecule-idempotence-notest
+  notify: Restart attackmate-api
+
+- name: Create symlink for attackmate-api-server executable
+  become: true
+  ansible.builtin.file:
+    src: "{{ attackmate_dest }}/.venv/bin/attackmate-api"
+    dest: "{{ attackmate_api_bin_path }}"
+    state: link
+    force: true
+
+
+- name: Create API log directory
+  become: true
+  ansible.builtin.file:
+    path: "{{ attackmate_api_log_dir }}"
+    state: directory
+    owner: attackmate-api
+    group: attackmate-api
+    mode: '0755'
+
+- name: Ensure SSL directories exist with correct permissions
+  become: true
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+  loop:
+    - { path: '/etc/ssl/private', mode: '0711' }
+    - { path: '/etc/ssl/certs', mode: '0755' }
+
+# --- SSL certificate generation ---
+
+- name: Ensure OpenSSL is installed
+  ansible.builtin.package:
+    name: openssl
+    state: present
+
+- name: Generate Private Key
+  community.crypto.openssl_privatekey:
+    path: "{{ attackmate_ssl_key_path }}"
+    type: RSA
+    size: 4096
+    owner: root
+    group: attackmate-api
+    mode: '0640'
+    # Only regenerate if the key is absent
+    regenerate: never
+  notify: Restart attackmate-api
+
+- name: Generate Certificate Signing Request (CSR)
+  community.crypto.openssl_csr:
+    path: "/etc/ssl/private/attackmate.csr"
+    privatekey_path: "{{ attackmate_ssl_key_path }}"
+    common_name: "{{ ansible_host }}"
+    subject_alt_name:
+      - "IP:{{ ansible_host }}"
+      - "DNS:localhost"
+    force: false
+
+- name: Generate Self-Signed Certificate
+  community.crypto.x509_certificate:
+    path: "{{ attackmate_ssl_cert_path }}"
+    privatekey_path: "{{ attackmate_ssl_key_path }}"
+    csr_path: "/etc/ssl/private/attackmate.csr"
+    provider: selfsigned
+    selfsigned_not_after: "+825d"
+    selfsigned_digest: sha256
+
+
+- name: Fix permissions on SSL keys for the service user
+  become: true
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: root
+    group: attackmate-api
+    mode: "{{ item.mode }}"
+  loop:
+    - { path: '/etc/ssl/private', mode: '0710' }
+    - { path: "{{ attackmate_ssl_key_path }}", mode: '0640' }
+    - { path: "{{ attackmate_ssl_cert_path }}", mode: '0644' }
+
+# --- User hashes for .env file (Optional) ---
+
+- name: Install argon2-cffi for hash generation
+  ansible.builtin.pip:
+    name: argon2-cffi
+    state: present
+  delegate_to: localhost
+  become: false
+  when: attackmate_api_plain_users | length > 0
+
+- name: Generate argon2 hashes for API users
+  ansible.builtin.shell:
+    cmd: "python3 -c \"from argon2 import PasswordHasher; ph = PasswordHasher(); print(ph.hash('{{ item.value }}'))\""
+  loop: "{{ attackmate_api_plain_users | dict2items }}"
+  register: argon2_hashes
+  changed_when: false
+  delegate_to: localhost
+  become: false
+  #no_log: true
+  when: attackmate_api_plain_users | length > 0
+
+- name: Build USERS json string
+  ansible.builtin.set_fact:
+    attackmate_api_users: >-
+      {{ dict(argon2_hashes.results | map(attribute='item.key') |
+      zip(argon2_hashes.results | map(attribute='stdout'))) | to_json }}
+  #no_log: true
+  when: attackmate_api_plain_users | length > 0
+
+# --- Env file ---
+
+- name: Create .env file in project root
+  become: true
+  ansible.builtin.template:
+    src: api-env.j2
+    dest: "{{ attackmate_api_server_dest }}/.env"
+    owner: attackmate-api
+    group: attackmate-api
+    mode: '0600'
+  notify: Restart attackmate-api
+
+# --- Systemd service ---
+
+- name: Install AttackMate API Systemd service
+  become: true
+  ansible.builtin.copy:
+    dest: "{{ attackmate_api_service_path }}"
+    content: |
+      [Unit]
+      Description=AttackMate API Server
+      After=network.target
+
+      [Service]
+      Type=simple
+      User=attackmate-api
+      Group=attackmate-api
+      WorkingDirectory={{ attackmate_api_server_dest }}
+      ExecStart={{ attackmate_api_bin_path }}
+      Restart=on-failure
+
+      NoNewPrivileges=yes
+      PrivateTmp=yes
+      ProtectSystem=full
+      ProtectHome=yes
+
+      [Install]
+      WantedBy=multi-user.target
+  notify: Restart attackmate-api
+
+- name: Start and enable AttackMate API
+  become: true
+  ansible.builtin.systemd:
+    name: attackmate-api
+    state: started
+    enabled: yes
+    daemon_reload: yes
@@ -156,3 +156,12 @@
       tags:
         - playwright
   when: attackmate_playwright
+
+- name: Include api_server setup
+  ansible.builtin.include_tasks:
+    file: "api_server.yml"
+    apply:
+      tags:
+        - api_server
+  when: attackmate_api_server
+