Merge branch 'dev': document template system in README and docs site

franckferman · claude · franckferman · commit f828113efbf4 · 2026-03-22T02:11:49.000+01:00
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -38,6 +38,7 @@
   - [VPC](#vpc)
   - [Campaign](#campaign)
   - [Audit](#audit)
+  - [Templates](#templates)
   - [JSON Output](#json-output)
   - [Shell Completion](#shell-completion)
 - [Library Usage](#library-usage)
@@ -98,6 +99,7 @@ Three tools are commonly used to manage DO infrastructure from a Red Team perspe
 | **VPC** | list, get, create, delete, members |
 | **Campaign** | deploy (multi-role), status, destroy, rotate-ips |
 | **Audit** | security scan with CRITICAL/HIGH/MEDIUM/INFO findings, CI-friendly exit codes |
+| **Templates** | list, show, dump + `--template` on droplet/campaign + `text/template` variable substitution |
 
 Additional:
 - `-o json` on every command for scripting and pipelines
@@ -130,7 +132,8 @@ do-manager/
 │   ├── snapshot.go
 │   ├── vpc.go
 │   ├── campaign.go           # campaign deploy/status/destroy/rotate-ips
-│   └── audit.go
+│   ├── audit.go
+│   └── template.go           # template list/show/dump
 │
 ├── internal/
 │   └── config/
@@ -145,7 +148,8 @@ do-manager/
     ├── firewall/             # Firewalls + RuleSpec parser
     ├── reservedip/
     ├── snapshot/
-    └── vpc/
+    ├── vpc/
+    └── tmpl/                 # embedded cloud-init templates + renderer
 ```
 
 `pkg/` is stable API surface. `cmd/` is CLI-only and not meant to be imported.
@@ -532,6 +536,62 @@ do-manager audit -o json | jq '.findings[] | select(.severity=="CRITICAL")'
 
 ---
 
+### Templates
+
+Built-in cloud-init bash scripts embedded in the binary. Variable substitution via Go's `text/template` (`{{.VarName}}` syntax). Unset variables fall back to declared defaults.
+
+```bash
+# List all templates with their variables and defaults
+do-manager template list
+
+# Inspect a template before deploying
+do-manager template show redirector-nginx
+
+# Render a template with variable overrides and print to stdout (preview before deploy)
+do-manager template dump c2-havoc \
+  --template-var C2Host=1.2.3.4 \
+  --template-var TeamserverPassword=s3cr3t
+
+# Use directly on droplet create
+do-manager droplet create --name c2-01 --region fra1 --image ubuntu-22-04-x64 \
+  --template c2-havoc \
+  --template-var C2Host=1.2.3.4 \
+  --template-var TeamserverPassword=s3cr3t \
+  --wait
+
+# Use in multi-role campaign (template= token in role spec)
+do-manager campaign deploy \
+  --name op-phantom --region fra1 --operator-ip 203.0.113.5 --vpc-auto \
+  --role "c2:count=1:preset=c2:template=c2-havoc" \
+  --role "redirector:count=3:preset=redirector:reserve-ips:template=redirector-nginx" \
+  --template-var C2BackendHost=10.10.0.2 \
+  --template-var Domain=cdn.example.com
+```
+
+| Template | Description | Key variables |
+|---|---|---|
+| `c2-havoc` | Havoc C2 - build from source, teamserver as systemd service | `C2Port`, `C2Host`, `TeamserverPassword` |
+| `c2-sliver` | Sliver C2 - latest release, operator config, systemd service | `C2Port`, `OperatorName` |
+| `redirector-nginx` | nginx HTTPS reverse proxy, URI path filtering, certbot/self-signed TLS | `C2BackendHost`, `C2BackendPort`, `Domain`, `C2URIPath` |
+| `redirector-apache` | Apache2 mod_rewrite, User-Agent + URI filtering for C2 profiles | `C2BackendHost`, `C2UserAgent`, `C2URIPath` |
+| `wireguard-server` | WireGuard server - generates keys, configures wg0, enables IP forwarding | `WGListenPort`, `WGServerNet` |
+| `wireguard-client` | WireGuard peer - connects to a WireGuard server | `WGServerEndpoint`, `WGServerPublicKey`, `WGClientNet` |
+| `gophish` | GoPhish phishing framework - latest release, admin panel on localhost | `AdminListenPort`, `PhishListenPort` |
+| `evilginx2` | evilginx2 reverse proxy phishing - latest release, auto-detect public IP | `Domain`, `ExternalIP`, `RedirectURL` |
+| `hardening` | SSH hardening, fail2ban, non-root operator user | `SSHPort`, `OperatorUser`, `OperatorPubKey` |
+
+Templates are stored in `pkg/tmpl/scripts/` and embedded in the binary via `//go:embed`. To add a custom template, add a `.sh` file with the metadata header:
+
+```bash
+#!/bin/bash
+# @name: my-tool
+# @desc: One-line description shown in template list
+# @var: Port=443 - Listening port
+# @var: Password= - Admin password (required, no default)
+```
+
+---
+
 ### JSON Output
 
 Pass `-o json` to any command to get machine-readable output:
@@ -578,6 +638,7 @@ import (
     "github.com/franckferman/do-manager/pkg/firewall"
     "github.com/franckferman/do-manager/pkg/reservedip"
     "github.com/franckferman/do-manager/pkg/snapshot"
+    "github.com/franckferman/do-manager/pkg/tmpl"
 )
 
 func main() {
@@ -627,6 +688,14 @@ func main() {
     snaps, _ := snapSvc.List(ctx)
     snapSvc.CreateFromDroplet(ctx, d.ID, "my-snapshot", true) // true = wait
 
+    // Templates
+    metas, _ := tmpl.List()
+    script, _ := tmpl.Render("redirector-nginx", map[string]string{
+        "C2BackendHost": "10.20.0.2",
+        "Domain":        "cdn.example.com",
+    })
+    _ = metas; _ = script
+
     _ = list; _ = results; _ = action; _ = members; _ = fw; _ = snaps
 }
 ```
diff --git a/docs/index.html b/docs/index.html
@@ -775,6 +775,7 @@
     <a class="slink" href="#vpc" onclick="closeMobile()">VPC</a>
     <a class="slink" href="#campaign" onclick="closeMobile()">Campaign</a>
     <a class="slink" href="#fw-presets" onclick="closeMobile()">FW Presets</a>
+    <a class="slink" href="#templates" onclick="closeMobile()">Templates</a>
     <a class="slink" href="#audit" onclick="closeMobile()">Audit</a>
     <a class="slink" href="#output-json" onclick="closeMobile()">JSON Output</a>
     <a class="slink" href="#completion" onclick="closeMobile()">Completion</a>
@@ -875,6 +876,7 @@ <h1 class="hero-title">
       <div class="sidebar-heading">Red Team</div>
       <a class="slink" href="#campaign">Campaign</a>
       <a class="slink sub" href="#fw-presets">Firewall Presets</a>
+      <a class="slink" href="#templates">Templates</a>
       <a class="slink" href="#audit">Audit</a>
     </div>
     <div class="sidebar-section">
@@ -1958,6 +1960,147 @@ <h3>Rebuild a burned node</h3>
 
     <hr />
 
+    <!-- TEMPLATES -->
+    <section id="templates" class="reveal">
+      <h2>Templates</h2>
+      <p>
+        Built-in cloud-init bash scripts embedded directly in the binary.
+        Each script installs and configures a specific tool (C2, redirector, VPN, phishing)
+        and is ready to run at Droplet first boot via DigitalOcean's cloud-init mechanism.
+      </p>
+      <p style="margin-top:.75rem">
+        Variable substitution uses Go's <code>text/template</code> (<code>&#123;&#123;.VarName&#125;&#125;</code> syntax).
+        Every variable has a declared default in the script header — unset variables silently
+        fall back to their defaults. Use <code>--template-var KEY=VALUE</code> to override.
+      </p>
+
+      <h3>Available templates</h3>
+      <div class="table-scroll">
+        <table class="flags-table">
+          <thead><tr><th>Name</th><th>Description</th><th>Key variables</th></tr></thead>
+          <tbody>
+            <tr>
+              <td><code>c2-havoc</code></td>
+              <td>Havoc C2 framework - build from source, teamserver as systemd service</td>
+              <td><code>C2Port</code> <code>C2Host</code> <code>TeamserverPassword</code></td>
+            </tr>
+            <tr>
+              <td><code>c2-sliver</code></td>
+              <td>Sliver C2 - download latest release, generate operator config, systemd</td>
+              <td><code>C2Port</code> <code>OperatorName</code></td>
+            </tr>
+            <tr>
+              <td><code>redirector-nginx</code></td>
+              <td>nginx HTTPS reverse proxy with URI path filtering. certbot or self-signed TLS.</td>
+              <td><code>C2BackendHost</code> <code>Domain</code> <code>C2URIPath</code></td>
+            </tr>
+            <tr>
+              <td><code>redirector-apache</code></td>
+              <td>Apache2 mod_rewrite with User-Agent + URI filtering for C2 profile matching</td>
+              <td><code>C2BackendHost</code> <code>C2UserAgent</code> <code>C2URIPath</code></td>
+            </tr>
+            <tr>
+              <td><code>wireguard-server</code></td>
+              <td>WireGuard VPN server — generates server keypair, configures wg0, enables IP forwarding</td>
+              <td><code>WGListenPort</code> <code>WGServerNet</code></td>
+            </tr>
+            <tr>
+              <td><code>wireguard-client</code></td>
+              <td>WireGuard peer — connects to a WireGuard server, prints client pubkey for server registration</td>
+              <td><code>WGServerEndpoint</code> <code>WGServerPublicKey</code> <code>WGClientNet</code></td>
+            </tr>
+            <tr>
+              <td><code>gophish</code></td>
+              <td>GoPhish phishing framework — latest release, admin panel bound to 127.0.0.1 only</td>
+              <td><code>AdminListenPort</code> <code>PhishListenPort</code></td>
+            </tr>
+            <tr>
+              <td><code>evilginx2</code></td>
+              <td>evilginx2 reverse proxy phishing — latest release, auto-detects public IP if not set</td>
+              <td><code>Domain</code> <code>ExternalIP</code> <code>RedirectURL</code></td>
+            </tr>
+            <tr>
+              <td><code>hardening</code></td>
+              <td>SSH hardening, fail2ban, non-root operator user creation with SSH key injection</td>
+              <td><code>SSHPort</code> <code>OperatorUser</code> <code>OperatorPubKey</code></td>
+            </tr>
+          </tbody>
+        </table>
+      </div>
+
+      <h3>Commands</h3>
+      <div class="terminal">
+        <div class="terminal-bar"><span class="tl tl-r"></span><span class="tl tl-y"></span><span class="tl tl-g"></span><span class="terminal-title">template list / show / dump</span><button class="copy-btn" onclick="copyTerminal(this)"><svg width="12" height="12" viewBox="0 0 16 16" fill="currentColor"><path d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"/><path d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"/></svg>copy</button></div>
+        <div class="terminal-body">
+<span class="dm"># List all templates with variables and defaults</span>
+<span class="p">$ </span><span class="c">do-manager template list</span>
+<span class="hd">&gt;&gt;  9 template(s)</span>
+<span class="o">  NAME               | DESCRIPTION                              | VARIABLES (DEFAULT)</span>
+<span class="o">  c2-havoc           | Havoc C2 framework ...                   | C2Port=443  C2Host  TeamserverPassword=...</span>
+<span class="o">  redirector-nginx   | nginx HTTPS reverse proxy ...            | C2BackendHost=10.20.0.2  Domain  ...</span>
+<span class="o">  wireguard-server   | WireGuard VPN server ...                 | WGListenPort=51820  WGServerNet=...</span>
+<span class="o">  ...</span>
+<span class="dm"># Inspect raw script before deploying</span>
+<span class="p">$ </span><span class="c">do-manager template show redirector-nginx</span>
+<span class="dm"># Preview rendered output with your variable values</span>
+<span class="p">$ </span><span class="c">do-manager template dump c2-havoc \</span>
+<span class="o">    --template-var C2Host=1.2.3.4 \</span>
+<span class="o">    --template-var TeamserverPassword=s3cr3t</span>
+        </div>
+      </div>
+
+      <h3>Deploy a single node with a template</h3>
+      <div class="terminal">
+        <div class="terminal-bar"><span class="tl tl-r"></span><span class="tl tl-y"></span><span class="tl tl-g"></span><span class="terminal-title">droplet create --template</span><button class="copy-btn" onclick="copyTerminal(this)"><svg width="12" height="12" viewBox="0 0 16 16" fill="currentColor"><path d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"/><path d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"/></svg>copy</button></div>
+        <div class="terminal-body">
+<span class="dm"># Spin up a GoPhish node in one command</span>
+<span class="p">$ </span><span class="c">do-manager droplet create \</span>
+<span class="o">    --name phish-01 --region fra1 --image ubuntu-22-04-x64 \</span>
+<span class="o">    --template gophish \</span>
+<span class="o">    --template-var AdminListenPort=3333 \</span>
+<span class="o">    --wait</span>
+<span class="ok">✓ phish-01  active  167.99.10.1</span>
+<span class="dm"># Access the admin panel via SSH tunnel (admin is bound to 127.0.0.1 only)</span>
+<span class="p">$ </span><span class="c">ssh -L 3333:127.0.0.1:3333 root@167.99.10.1</span>
+<span class="dm"># Then open https://127.0.0.1:3333 in your browser</span>
+        </div>
+      </div>
+
+      <h3>Full campaign with templates per role</h3>
+      <div class="terminal">
+        <div class="terminal-bar"><span class="tl tl-r"></span><span class="tl tl-y"></span><span class="tl tl-g"></span><span class="terminal-title">campaign deploy with template= in role spec</span><button class="copy-btn" onclick="copyTerminal(this)"><svg width="12" height="12" viewBox="0 0 16 16" fill="currentColor"><path d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"/><path d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"/></svg>copy</button></div>
+        <div class="terminal-body">
+<span class="dm"># 1 Havoc C2 + 3 nginx redirectors, VPC isolated, fresh ubuntu images</span>
+<span class="p">$ </span><span class="c">do-manager campaign deploy \</span>
+<span class="o">    --name op-phantom \</span>
+<span class="o">    --region fra1 \</span>
+<span class="o">    --operator-ip 203.0.113.5 \</span>
+<span class="o">    --vpc-auto \</span>
+<span class="o">    --role "c2:count=1:image=ubuntu-22-04-x64:preset=c2:template=c2-havoc" \</span>
+<span class="o">    --role "redirector:count=3:image=ubuntu-22-04-x64:preset=redirector:reserve-ips:template=redirector-nginx" \</span>
+<span class="o">    --template-var C2BackendHost=10.10.0.2 \</span>
+<span class="o">    --template-var Domain=cdn.example.com \</span>
+<span class="o">    --template-var TeamserverPassword=s3cr3t</span>
+<span class="ok">✓ VPC created: op-phantom-vpc  10.10.0.0/20</span>
+<span class="ok">✓ Role c2: 1 Droplet(s) created  Havoc installing at first boot</span>
+<span class="ok">✓ Role redirector: 3 Droplet(s) created  nginx installing at first boot  ips=3</span>
+<span class="dm"># --template-var values are shared across all roles</span>
+<span class="dm"># C2BackendHost is used by redirector-nginx, TeamserverPassword by c2-havoc</span>
+        </div>
+      </div>
+
+      <div class="callout">
+        <strong>WireGuard workflow</strong><br><br>
+        WireGuard requires a two-step key exchange. Deploy the C2 with
+        <code>template=wireguard-server</code> first. The cloud-init script prints the server public key
+        in the boot logs (<code>journalctl -u cloud-init</code>). Then deploy the redirector with
+        <code>template=wireguard-client</code> and pass the server public key via
+        <code>--template-var WGServerPublicKey=&lt;key&gt;</code>.
+      </div>
+    </section>
+
+    <hr />
+
     <!-- AUDIT -->
     <section id="audit" class="reveal">
       <h2>Audit</h2>
@@ -2025,6 +2168,7 @@ <h2>Library Usage</h2>
 <span class="o">    </span><span class="ok">"github.com/franckferman/do-manager/pkg/snapshot"</span>
 <span class="o">    </span><span class="ok">"github.com/franckferman/do-manager/pkg/sshkey"</span>
 <span class="o">    </span><span class="ok">"github.com/franckferman/do-manager/pkg/region"</span>
+<span class="o">    </span><span class="ok">"github.com/franckferman/do-manager/pkg/tmpl"</span>
 <span class="o">)</span>
 <span class="dm"></span>
 <span class="fl">func</span><span class="o"> main() {</span>
@@ -2052,7 +2196,13 @@ <h2>Library Usage</h2>
 <span class="o">    sizes,   _ := reg.ListSizes(ctx)</span>
 <span class="o">    images,  _ := reg.ListImages(ctx, </span><span class="ok">"distribution"</span><span class="o">)</span>
 <span class="dm"></span>
-<span class="o">    _ = list; _ = d; _ = results; _ = keys; _ = regions; _ = sizes; _ = images</span>
+<span class="dm">    // Templates</span>
+<span class="o">    metas, _ := tmpl.List()</span>
+<span class="o">    script, _ := tmpl.Render(</span><span class="vl">"redirector-nginx"</span><span class="o">, map[string]string{</span>
+<span class="vl">        "C2BackendHost"</span><span class="o">: </span><span class="vl">"10.20.0.2"</span><span class="o">, </span><span class="vl">"Domain"</span><span class="o">: </span><span class="vl">"cdn.example.com"</span><span class="o">,</span>
+<span class="o">    })</span>
+<span class="dm"></span>
+<span class="o">    _ = list; _ = d; _ = results; _ = keys; _ = regions; _ = sizes; _ = images; _ = metas; _ = script</span>
 <span class="o">}</span>
         </div>
       </div>
