enowars · ldruschk · Jul 21, 2024 · Nov 15, 2023 · Nov 16, 2023 · Nov 16, 2023
diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
@@ -0,0 +1,33 @@
+name: Docker Publish Latest
+
+on:
+  push:
+    # Publish `master` as Docker `latest` image.
+    branches:
+      - main
+      - master
+
+env:
+  IMAGE_NAME: bambictf
+
+jobs:
+  # Push image to GitHub Packages.
+  push:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Log into GitHub Container Registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push image to GitHub Container Registry
+        run: |
+          IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME:latest
+
+          # Change all uppercase to lowercase
+          IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
+
+          docker image build -t $IMAGE_ID .
+          docker image push $IMAGE_ID
diff --git a/.github/workflows/packer.yaml b/.github/workflows/packer.yaml
@@ -11,8 +11,6 @@ on:
     branches:
       - main
   workflow_dispatch:
-  schedule:
-    - cron: "0 1 * * 4"
 
 jobs:
   docker-build:
@@ -24,37 +22,160 @@ jobs:
         run: |
           docker build -t ghcr.io/enowars/bambictf:latest .
           docker save --output /tmp/bambictf.tar ghcr.io/enowars/bambictf:latest
-      - name: Upload artifact
+      - name: Upload docker image artifact
         uses: actions/upload-artifact@v4
         with:
           name: bambictf
           path: /tmp/bambictf.tar
 
+  ansible-lint:
+    runs-on: ubuntu-latest
+    needs: docker-build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: bambictf
+          path: /tmp
+      - name: Load Docker image
+        run: docker load --input /tmp/bambictf.tar
+      - name: start docker compose setup
+        run: docker compose up -d
+      - name: run ansible-lint
+        run: docker compose exec -T bambictf sh -c 'cd ansible && ansible-lint'
+
+  configgen:
+    runs-on: ubuntu-latest
+    needs: docker-build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: bambictf
+          path: /tmp
+      - name: Load Docker image
+        run: docker load --input /tmp/bambictf.tar
+      - name: start docker compose setup
+        env:
+          HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
+        run: docker compose up -d
+      - name: prepare ansible config
+        run: docker compose exec -T bambictf sh -c 'cp ansible/config_bambi.yml.sample ansible/config_bambi.yml'
+      - name: generate config files
+        run: docker compose exec -T bambictf sh -c 'cd configgen; poetry install; poetry run configgen --teams 4 --routers 2 --dns ci-${{ github.sha }}.bambi.ovh'
+      - name: tar config files
+        run: sudo tar cf /tmp/config.tar config
+      - name: Upload config artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: config
+          path: /tmp/config.tar
+
   packer-build:
     strategy:
       # fail-fast needs to be disabled, otherwise packer processes may be ungracefully killed and leave stale builder VMs
       fail-fast: false
       matrix:
-        image: ["bambichecker", "bambielk", "bambiengine", "bambirouter", "bambivulnbox"]
+        image:
+          [
+            "bambichecker",
+            "bambielk",
+            "bambiengine",
+            "bambirouter",
+            "bambivulnbox",
+          ]
     runs-on: ubuntu-latest
-    needs: docker-build
+    needs: configgen
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Download artifact
+      - name: Download docker image artifact
         uses: actions/download-artifact@v4
         with:
           name: bambictf
           path: /tmp
       - name: Load Docker image
         run: docker load --input /tmp/bambictf.tar
+      - name: Download config artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: config
+          path: /tmp
+      - name: untar config files
+        run: tar xf /tmp/config.tar
       - name: start docker compose setup
         env:
           HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
         run: docker compose up -d
       - name: prepare ansible config
         run: docker compose exec -T bambictf sh -c 'cp ansible/config_bambi.yml.sample ansible/config_bambi.yml'
-      - name: generate config files
-        run: docker compose exec -T bambictf sh -c 'cd config; TEAM_COUNT=4 GATEWAY_COUNT=2 CHECKER_COUNT=2 ./gen_config.sh'
       - name: build packer image
         run: docker compose exec -T bambictf sh -c 'cd packer; packer build ${{ matrix.image }}.json'
+
+  terraform-apply:
+    runs-on: ubuntu-latest
+    needs: packer-build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Download docker image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: bambictf
+          path: /tmp
+      - name: Load Docker image
+        run: docker load --input /tmp/bambictf.tar
+      - name: Download config artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: config
+          path: /tmp
+      - name: untar config files
+        run: tar xf /tmp/config.tar
+      - name: copy terraform sample config
+        run: cp terraform/terraform.tfvars.sample terraform/terraform.tfvars
+      - name: prepare terraform config
+        run: sed -i s/prod/ci-${{ github.sha }}/ terraform/terraform.tfvars
+      - name: setup hcloud
+        run: |
+          curl -o hcloud-linux-amd64.tar.gz -L https://github.com/hetznercloud/cli/releases/download/v1.34.0/hcloud-linux-amd64.tar.gz
+          sudo tar xf hcloud-linux-amd64.tar.gz -C /usr/bin hcloud
+          sudo chmod +x /usr/bin/hcloud
+      - name: generate admin SSH key
+        run: ssh-keygen -t ed25519 -N "" -f adminkey
+      - name: add hcloud ssh key
+        env:
+          HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
+        run: hcloud ssh-key create --name adminkey-${{ github.sha }} --label type=admin --public-key-from-file adminkey.pub
+      - name: start docker compose setup
+        env:
+          HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
+          HETZNERDNS_TOKEN: ${{ secrets.HETZNERDNS_TOKEN }}
+        run: docker compose up -d
+      - name: perform terraform init
+        run: docker compose exec -T bambictf sh -c 'cd terraform ; terraform init'
+      - name: perform terraform apply
+        run: docker compose exec -T bambictf sh -c 'cd terraform ; terraform plan'
+
+  publish-docker-image:
+    runs-on: ubuntu-latest
+    needs: terraform-apply
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Download docker image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: bambictf
+          path: /tmp
+      - name: Load Docker image
+        run: docker load --input /tmp/bambictf.tar
+      - name: Log into GitHub Container Registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
+      - name: Push image to GitHub Container Registry
+        run: docker image push ghcr.io/enowars/bambictf:latest
diff --git a/.gitignore b/.gitignore
@@ -6,6 +6,7 @@ config*.yml
 *.tfvars
 .terraform
 *.tfstate
+*.tfstate.lock.info
 *.backup
 .vagrant
 .retry
@@ -15,4 +16,7 @@ config*.yml
 .env
 id_ed25519
 .secrets
-ctf*json
+ctf*json
+*.pyc
+/docker-compose.override.yml
+.vscode/
diff --git a/Dockerfile b/Dockerfile
@@ -1,24 +1,19 @@
-FROM ubuntu:22.04
+FROM ubuntu:24.04
 
 # Core deps
 RUN apt-get update
 RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata
-RUN apt-get install -y --no-install-recommends rsync git less tmux python3 curl wireguard python3-pip unzip file nano dnsutils jq \
-    software-properties-common gpg-agent # for ansible and packer install
+RUN apt-get install -y --no-install-recommends openssh-client rsync git less tmux python3 curl wireguard unzip file nano dnsutils jq \
+    software-properties-common gpg-agent pipx # for ansible and packer install
 
-# Ansible
-RUN add-apt-repository --yes --update ppa:ansible/ansible && apt-get install -y ansible
+# Poetry and Ansible
+RUN pipx install poetry && pipx install --include-deps ansible && pipx inject ansible ansible-lint --include-apps --include-deps
+ENV PATH="/root/.local/bin:${PATH}"
 
-# Terrorform
-RUN ls -alh /usr/local/bin
-RUN curl https://releases.hashicorp.com/terraform/1.0.11/terraform_1.0.11_linux_amd64.zip > terraform.zip && \
-    unzip terraform.zip && \
-    mv terraform /usr/local/bin/
-
-# Packer
+# Packer and Terraform
 RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - && \
     apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" && \
-    apt-get update && apt-get install packer && \
+    apt-get update && apt-get install packer terraform && \
     packer plugins install github.com/hashicorp/hcloud && \
     packer plugins install github.com/hashicorp/ansible
 
@@ -30,7 +25,7 @@ ENV PATH="/usr/share/easy-rsa:${PATH}"
 RUN echo "set -g mouse on" > /root/.tmux.conf
 
 # fix SSH host key checking
-RUN mkdir /root/.ssh && echo "Host 127.0.0.1\n  HostKeyAlgorithms=+ssh-rsa\n  PubkeyAcceptedKeyTypes=+ssh-rsa" > /root/.ssh/config
+# RUN mkdir /root/.ssh && echo "Host 127.0.0.1\n  HostKeyAlgorithms=+ssh-rsa\n  PubkeyAcceptedKeyTypes=+ssh-rsa" > /root/.ssh/config
 
 WORKDIR /bambictf
 

diff --git a/README.md b/README.md
@@ -16,9 +16,16 @@ This setup combines a lot of other services/repositories.
 - Moloch (Traffic Analysis): [EnoMoloch](https://github.com/enoflag/EnoMoloch)
 - ELK (Log Analysis): [EnoELK](https://github.com/enowars/EnoELK)
 
-## Usage
+## Notable Limits
+Due to implementation details, currently you have to be aware of the following limits:
+- number of teams: 250
+- number of routers: 255
+- ...
 
-1. Create `./ansible/config_bambi.yml`:
+## Usage (Docker)
+- Have at least one ssh key with the label `type=admin` in your project **(HETZNER's WEBSITE)**
+- Set `HCLOUD_TOKEN` and `HETZNERDNS_TOKEN`
+- Create `./ansible/config_bambi.yml`
 ```yaml
 vulnerable_services:
     WASP: [email protected]:enowars/service-wasp.git
@@ -31,61 +38,22 @@ github_ssh_keys:
     - ldruschk
     - MMunier
 ```
-2. Create `./terraform/terraform.tfvars`:
-```
-hcloud_token = "..."
-ovh_dyndns_password = "..."
-```
-3. Initialize terraform:
-```
-(cd terraform; terraform init)
-```
-4. Generate wireguard configs for the internal network
-```sh
-(cd ./config/internal_router; ./gen_keys.sh $CHECKERS_COUNT)
-```
-5. Generate wireguard configs for the game network
-```sh
-(cd ./config/wireguard_router; ./gen_keys.sh $TEAMS_COUNT)
-```
-6. Generate passwords for the vulnboxes:
-```sh
-(cd ./config/passwords; ./gen_passwords.sh $TEAMS_COUNT)
-```
-7. Create SSH keys for router -> moloch
-```sh
-(ssh-keygen -t ed25519 -f ./config/moloch_keys/moloch_key -C "tcpdump@router")
-```
-8. Build images
-```sh
-export HCLOUD_TOKEN="..."
-(cd packer; packer build bambichecker.json)
-(cd packer; packer build bambiengine.json)
-(cd packer; packer build bambirouter.json)
-(cd packer; packer build bambivulnbox.json)
-(cd packer; packer build bambielk.json)
-```
-
-## Docker
-- Have at least one ssh key with the label `type=admin` in your project **(HETZNER's WEBSITE)**
-- Set `HCLOUD_TOKEN` and `HETZNERDNS_TOKEN`
-- Create `./ansible/config_bambi.yml`
 - Obtain a private ssh ed25519 key that can clone your repositories (`cp ~/.ssh/id_ed25519 .`)
 - Run the container (`docker compose up -d`)
 - Invoke a bash in the container (`docker compose exec bambictf bash`)
+- If you use Windows: Fix the private key permissions with `chmod 400 ./id_ed25519`
 - Build configs
-    - `cd /bambictf/config`
-    - `./gen_config.sh`
+    - `cd /bambictf/configgen`
+    - `poetry install` (once)
+    - `poetry run configgen --teams 4 --routers 2 --dns test.bambi.ovh`
 - Ship everything to the EnoCTFPortal:
-    - `cp -r ./export/ /services/EnoCTFPortal/data/teamdata` (or whereever it is)
+    - `cp -r ./export/portal /services/EnoCTFPortal/data/teamdata` (or whereever it is)
 - Builds VMs
     - `cd /bambictf/packer`
     - `packer build bambichecker.json`
     - ...
 - Note down vulnbox snapshot id, pass to EnoCTFPortal (`curl -H "Authorization: Bearer $HCLOUD_TOKEN" 'https://api.hetzner.cloud/v1/images?type=snapshot'`)
-- Create `./terraform/terraform.tfvars`
-    - set `vpn_floating_ip_only = false`
-    - set `internal_floating_ip_only = false`
+- Create `./terraform/terraform.tfvars` (see `./terraform/terraform.tfvars.sample` for reference)
 - `cd /bambictf/terraform`
 - `terraform init`
 - `terraform apply`

diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint
@@ -0,0 +1,2 @@
+---
+profile: safety
diff --git a/ansible/.ansible-lint-ignore b/ansible/.ansible-lint-ignore
@@ -0,0 +1,4 @@
+roles/router_iptables/tasks/main.yml yaml[line-length]
+roles/router_iptables/tasks/main.yml command-instead-of-shell
+roles/router_arkime/tasks/main.yml name[missing]
+roles/docker/tasks/main.yml command-instead-of-module