nsec · MOBergeron · May 6, 2025 · May 6, 2025
diff --git a/.deploy/cleanup.yaml b/.deploy/cleanup.yaml
@@ -0,0 +1,135 @@
+- name: Pre-deployment system cleanup
+  hosts: all
+  order: shuffle
+  gather_facts: false
+  any_errors_fatal: true
+
+  tasks:
+    - name: Make network configuration static
+      ansible.builtin.shell: |
+        [ ! -e /run/systemd/resolve/resolv.conf ] && exit 0
+        rm -f /etc/resolv.conf || true
+        cat /run/systemd/resolve/resolv.conf > /etc/resolv.conf
+      when: 'nsec_production | default(False)'
+      changed_when: true
+
+    - name: Mask most systemd units
+      ansible.builtin.shell: |
+        for i in \
+            apt-daily-upgrade.service \
+            apt-daily-upgrade.timer \
+            apt-daily.service \
+            apt-daily.timer \
+            console-getty.service \
+            console-setup.service \
+            dmesg.service \
+            dpkg-db-backup.service \
+            dpkg-db-backup.timer \
+            e2scrub_all.service \
+            e2scrub_all.timer \
+            e2scrub_reap.service \
+            emergency.service \
+            fstrim.service \
+            fstrim.timer \
+            getty-static.service \
+            getty@tty1.service \
+            initrd-cleanup.service \
+            initrd-parse-etc.service \
+            initrd-switch-root.service \
+            initrd-udevadm-cleanup-db.service \
+            keyboard-setup.service \
+            kmod-static-nodes.service \
+            ldconfig.service \
+            logrotate.service \
+            logrotate.timer \
+            modprobe@configfs.service \
+            modprobe@dm_mod.service \
+            modprobe@drm.service \
+            modprobe@fuse.service \
+            modprobe@loop.service \
+            motd-news.service \
+            motd-news.timer \
+            netplan-ovs-cleanup.service \
+            rescue.service \
+            rsyslog.service \
+            setvtrgb.service \
+            syslog.socket \
+            systemd-ask-password-console.service \
+            systemd-ask-password-wall.service \
+            systemd-battery-check.service \
+            systemd-bsod.service \
+            systemd-confext.service \
+            systemd-fsck-root.service \
+            systemd-fsckd.service \
+            systemd-fsckd.socket \
+            systemd-hibernate-resume.service \
+            systemd-initctl.service \
+            systemd-initctl.socket \
+            systemd-journal-catalog-update.service \
+            systemd-journal-flush.service \
+            systemd-journald-dev-log.socket \
+            systemd-journald.service \
+            systemd-journald.socket \
+            systemd-pcrextend.socket \
+            systemd-pcrlock-file-system.service \
+            systemd-pcrlock-firmware-code.service \
+            systemd-pcrlock-firmware-config.service \
+            systemd-pcrlock-machine-id.service \
+            systemd-pcrlock-make-policy.service \
+            systemd-pcrlock-secureboot-authority.service \
+            systemd-pcrlock-secureboot-policy.service \
+            systemd-pcrmachine.service \
+            systemd-pcrphase-initrd.service \
+            systemd-pcrphase-sysinit.service \
+            systemd-pcrphase.service \
+            systemd-random-seed.service \
+            systemd-repart.service \
+            systemd-soft-reboot.service \
+            systemd-sysctl.service \
+            systemd-sysext.service \
+            systemd-sysext.socket \
+            systemd-sysupdate-reboot.service \
+            systemd-sysupdate-reboot.timer \
+            systemd-sysupdate.service \
+            systemd-sysupdate.timer \
+            systemd-sysusers.service \
+            systemd-timesyncd.service \
+            systemd-tpm2-setup-early.service \
+            systemd-tpm2-setup.service \
+            systemd-update-done.service \
+            systemd-update-utmp-runlevel.service \
+            systemd-update-utmp.service \
+            ua-reboot-cmds.service \
+            ua-timer.service \
+            ua-timer.timer \
+            ubuntu-advantage.service; do
+          ln -s /dev/null /etc/systemd/system/${i} || true
+        done
+      changed_when: true
+
+    - name: Mask network systemd units
+      ansible.builtin.shell: |
+        for i in \
+            networkd-dispatcher.service \
+            systemd-network-generator.service \
+            systemd-networkd-wait-online.service \
+            systemd-networkd.service \
+            systemd-networkd.socket \
+            systemd-resolved.service \
+            systemd-udev-settle.service \
+            systemd-udev-trigger.service \
+            systemd-udevd-control.socket \
+            systemd-udevd-kernel.socket \
+            systemd-udevd.service; do
+          ln -s /dev/null /etc/systemd/system/${i} || true
+        done
+      when: 'nsec_production | default(False)'
+      changed_when: true
+
+    - name: Remove all cron jobs
+      ansible.builtin.shell: |
+        rm -f /etc/cron.*/* || true
+      changed_when: true
+
+    - name: Reboot the instance
+      ansible.builtin.reboot:
diff --git a/.deploy/common.yaml b/.deploy/common.yaml
@@ -0,0 +1,14 @@
+- name: Pre-deployment Common
+  hosts: all
+  order: shuffle
+  gather_facts: false
+  any_errors_fatal: true
+
+  tasks:
+    - name: Distro update and Python3 install
+      ansible.builtin.raw: |
+        apt update && apt upgrade -y && apt install -y python3
+      changed_when: true
+
+- name: Importing cleanup.yaml Playbook
+  ansible.builtin.import_playbook: cleanup.yaml
diff --git a/.deploy/common/dns.tf b/.deploy/common/dns.tf
@@ -0,0 +1,6 @@
+resource "incus_network_zone" "this" {
+  remote = var.incus_remote
+
+  name        = "ctf"
+  description = "DNS zone for the internal .ctf TLD"
+}
diff --git a/.deploy/common/variables.tf b/.deploy/common/variables.tf
@@ -0,0 +1,13 @@
+variable "incus_remote" {
+  default = "local"
+  type    = string
+}
+
+variable "deploy" {
+  default = "dev"
+  type    = string
+}
+
+locals {
+  track = yamldecode(file("${path.module}/../track.yaml"))
+}
diff --git a/.deploy/common/versions.tf b/.deploy/common/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">=1.5.7"
+  required_providers {
+    incus = {
+      source  = "lxc/incus"
+      version = ">=0.1.3"
+    }
+  }
+}
diff --git a/.deploy/track.yaml b/.deploy/track.yaml
@@ -0,0 +1 @@
+{}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -0,0 +1,163 @@
+name: Full deployment test
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    name: Full deployment test
+    if: github.repository == 'nsec/ctf-script'
+    timeout-minutes: 45
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Git LFS Pull for deployment
+        run: |
+          echo "Pulling all Git LFS"
+          git lfs pull -I **/challenges/**/ansible/**/*
+
+          echo "Pulled files:"
+          { git lfs ls-files | grep -E '[a-f0-9]{10}\s\*'; } || true
+
+      - name: Remove docker
+        run: |
+          sudo apt-get autopurge -y moby-containerd docker uidmap
+          sudo ip link delete docker0
+          sudo nft flush ruleset
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get install --no-install-recommends --yes zfsutils-linux
+
+      - name: Setup squid
+        run: |
+          sudo apt-get install --no-install-recommends --yes squid
+
+          (
+          cat << EOF
+          # No logging
+          cache_access_log /dev/null
+          cache_store_log none
+          cache_log /dev/null
+
+          # Caching
+          maximum_object_size 200 MB
+          cache_mem 1024 MB
+
+          # Port and mode configuration
+          acl local_subnet src 9000::/16
+          http_access allow local_subnet
+          http_access deny all
+          http_port [2602:fc62:ef:11::2]:3128
+
+          # Hide our traces
+          forwarded_for transparent
+          via off
+          reply_header_access X-Cache deny all
+          reply_header_access X-Cache-Lookup deny all
+
+          EOF
+          ) | sudo tee /etc/squid/conf.d/nsec.conf
+
+          echo "2602:fc62:ef:11::2 proxy.ctf-int.internal.nsec.io" | sudo tee /etc/hosts
+          sudo systemctl restart squid --no-block
+          sudo ip -6 a add dev lo 2602:fc62:ef:11::2/128
+
+      - name: Setup Incus
+        run: |
+          curl https://pkgs.zabbly.com/get/incus-stable | sudo sh
+          sudo chmod 666 /var/lib/incus/unix.socket
+
+          incus network create incusbr0
+          incus profile device add default eth0 nic network=incusbr0 name=eth0
+
+          incus storage create default zfs size=100GiB
+          incus profile device add default root disk pool=default path=/
+
+          sudo zfs set sync=disabled default
+
+          sudo ip6tables -I FORWARD -j REJECT
+
+      - name: Setup Ansible
+        run: |
+          pipx install --force --include-deps ansible
+          pipx inject ansible passlib
+
+      - name: Setup OpenTofu
+        run: |
+          curl -sL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh
+          chmod +x install-opentofu.sh
+          ./install-opentofu.sh --install-method deb
+          rm -f install-opentofu.sh
+
+      - name: Install python dependencies
+        run: |
+          pip install -e .
+
+      - name: Validate CTF structure
+        run: |
+          ctf validate
+
+      - name: Deployment check
+        run: |
+          ctf check
+
+      - name: File generation
+        run: |
+          ctf generate
+
+      - name: Test deployment looping through tracks
+        run: |
+          IFS=" " read -r -a tracks <<< "$(python3 -c 'from ctf.utils import get_all_available_tracks,validate_track_can_be_deployed;print(str([t for t in get_all_available_tracks() if validate_track_can_be_deployed(t)]).strip("[]\x27").replace("\x27, \x27"," "))')"
+
+          [ "${#tracks[@]}" -eq 0 ] && exit 1
+
+          for track in "${tracks[@]}"
+          do
+              ctf deploy --production --tracks "$track"
+              incus --project="$track" info "$track"
+          done
+
+          ctf destroy --force
+
+      - name: Test full deployment
+        run: |
+          ctf deploy --production
+          [ "$(incus list --all-projects -cn -fcsv | wc -l)" -eq 2 ] || exit 1
+          ctf destroy --force
+
+      - name: Test redeployment of Mock Track Apache PHP
+        run: |
+          ctf deploy --production
+          [ "$(incus list --all-projects -cn -fcsv | wc -l)" -eq 2 ] || exit 1
+          ctf redeploy --production --tracks mock-track-apache-php
+          [ "$(incus list --all-projects -cn -fcsv | wc -l)" -eq 2 ] || exit 1
+          ctf destroy --force
+
+      - name: Test deployment of a track not deployed without destroying the rest
+        run: |
+          ctf deploy --production --production --tracks mock-track-apache-php
+          [ "$(incus list --all-projects -cn -fcsv | wc -l)" -eq 1 ] || exit 1
+          ctf redeploy --production --tracks mock-track-python-service
+          [ "$(incus list --all-projects -cn -fcsv | wc -l)" -eq 2 ] || exit 1
+          ctf destroy --force
+
+      - name: Check deployment results
+        run: |
+          incus project list
+          incus network zone record list ctf
+          incus network list --all-projects
+          incus list --all-projects