From 0a1d582d9eb08342700709a29ab75c2fdd312ece Mon Sep 17 00:00:00 2001
From: "xanhacks@protonmail.com"
Date: Sat, 12 Oct 2024 16:00:07 +0200
Subject: [PATCH] add deploy dynamic config

---
 ansible/challenges.yml | 4 +-
 ansible/inventories/dev | 7 +++-
 ansible/inventories/prod | 20 +++++-----
 .../roles/challenges/files/docker_daemon.json | 16 ++++++++
 .../tasks/dynamic_docker_config.yml | 40 +++++++++++++++++++
 .../roles/challenges/tasks/git_repository.yml | 33 +++++++++++++++
 ansible/roles/challenges/tasks/main.yml | 37 ++++------------
 .../challenges/vars/main.yml} | 0
 8 files changed, 114 insertions(+), 43 deletions(-)
 create mode 100644 ansible/roles/challenges/files/docker_daemon.json
 create mode 100644 ansible/roles/challenges/tasks/dynamic_docker_config.yml
 create mode 100644 ansible/roles/challenges/tasks/git_repository.yml
 rename ansible/{group_vars/challenges.yml => roles/challenges/vars/main.yml} (100%)

diff --git a/ansible/challenges.yml b/ansible/challenges.yml
index c733ec3..fcb7f5d 100644
--- a/ansible/challenges.yml
+++ b/ansible/challenges.yml
@@ -1,7 +1,7 @@
 ---
 
-- name: Setup the challenges hosts
-  hosts: challenges
+- name: Setup the static & dynamic challenges hosts
+  hosts: static-challenges:dynamic-challenges
   gather_facts: true
   roles:
     - prerequisites
diff --git a/ansible/inventories/dev b/ansible/inventories/dev
index 53931ff..6d25a76 100644
--- a/ansible/inventories/dev
+++ b/ansible/inventories/dev
@@ -1,5 +1,8 @@
 [ctfd]
 heroctf-ctfd ansible_connection=ssh ansible_user=root
 
-[challenges]
-heroctf-challenge-1 ansible_connection=ssh ansible_user=root
\ No newline at end of file
+[static-challenges]
+heroctf-static-1 ansible_connection=ssh ansible_user=root
+
+[dynamic-challenges]
+heroctf-dynamic-1 ansible_connection=ssh ansible_user=root
diff --git a/ansible/inventories/prod b/ansible/inventories/prod
index 8ef0375..5d80412 100644
--- a/ansible/inventories/prod
+++ b/ansible/inventories/prod
@@ -1,12 +1,14 @@
 [ctfd]
 heroctf-ctfd ansible_connection=ssh ansible_user=root
 
-[challenges]
-heroctf-challenge-1 ansible_connection=ssh ansible_user=root
-heroctf-challenge-2 ansible_connection=ssh ansible_user=root
-heroctf-challenge-3 ansible_connection=ssh ansible_user=root
-heroctf-challenge-4 ansible_connection=ssh ansible_user=root
-heroctf-challenge-5 ansible_connection=ssh ansible_user=root
-heroctf-challenge-6 ansible_connection=ssh ansible_user=root
-heroctf-challenge-7 ansible_connection=ssh ansible_user=root
-heroctf-challenge-8 ansible_connection=ssh ansible_user=root
\ No newline at end of file
+[static-challenges]
+heroctf-static-1 ansible_connection=ssh ansible_user=root
+heroctf-static-2 ansible_connection=ssh ansible_user=root
+
+[dynamic-challenges]
+heroctf-dynamic-1 ansible_connection=ssh ansible_user=root
+heroctf-dynamic-2 ansible_connection=ssh ansible_user=root
+heroctf-dynamic-3 ansible_connection=ssh ansible_user=root
+heroctf-dynamic-4 ansible_connection=ssh ansible_user=root
+heroctf-dynamic-5 ansible_connection=ssh ansible_user=root
+heroctf-dynamic-6 ansible_connection=ssh ansible_user=root
diff --git a/ansible/roles/challenges/files/docker_daemon.json b/ansible/roles/challenges/files/docker_daemon.json
new file mode 100644
index 0000000..0952c4d
--- /dev/null
+++ b/ansible/roles/challenges/files/docker_daemon.json
@@ -0,0 +1,16 @@
+{
+  "default-address-pools": [
+    {
+      "base": "172.17.0.0/12",
+      "size": 16
+    },
+    {
+      "base": "192.168.0.0/16",
+      "size": 20
+    },
+    {
+      "base": "10.99.0.0/16",
+      "size": 24
+    }
+  ]
+}
\ No newline at end of file
diff --git a/ansible/roles/challenges/tasks/dynamic_docker_config.yml b/ansible/roles/challenges/tasks/dynamic_docker_config.yml
new file mode 100644
index 0000000..bebba76
--- /dev/null
+++ b/ansible/roles/challenges/tasks/dynamic_docker_config.yml
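Review bot: `"base": "172.17.0.0/12"` in docker_daemon.json is not a /12-aligned network; the /12 that contains 172.17.0.0 starts at 172.16.0.0, so the pool is effectively 172.16.0.0/12 (172.16–172.31) even though the literal suggests only the 172.17 range, and the matching `172.17.0.0/12` iptables source in dynamic_docker_config.yml has the same ambiguity. Write `"base": "172.16.0.0/12"` so the file, the firewall rule and Docker's real allocation agree, or use `"base": "172.17.0.0/16"` with a smaller `size` if only that /16 was intended. The `192.168.0.0/16` pool can also collide with a host's LAN or management network (not visible here) — worth confirming against the hosts' interfaces before per-team container subnets are allocated from it.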
@@ -0,0 +1,40 @@
+---
+
+- name: Upload Docker daemon configuration
+  ansible.builtin.copy:
+    src: docker_daemon.json
+    dest: /etc/docker/daemon.json
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+
+- name: Restrict port 2375 (Docker socket) from container instances
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 2375
+    source: "{{ item }}"
+    jump: REJECT
+  loop:
+    - 192.168.0.0/16
+    - 172.17.0.0/12
+    - 10.99.0.0/16
+  become: true
+
+- name: Open Docker ports
+  ansible.builtin.lineinfile:
+    path: /lib/systemd/system/docker.service
+    regexp: '^ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
+    line: 'ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock'
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+
+- name: Restart Docker systemd service
+  ansible.builtin.systemd_service:
+    daemon_reload: yes
+    name: docker
+    state: restarted
+  become: yes
diff --git a/ansible/roles/challenges/tasks/git_repository.yml b/ansible/roles/challenges/tasks/git_repository.yml
new file mode 100644
index 0000000..f451372
--- /dev/null
+++ b/ansible/roles/challenges/tasks/git_repository.yml
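Review bot: The `Open Docker ports` task binds the daemon API to `tcp://0.0.0.0:2375` with no TLS and no client authentication, while the three REJECT rules only cover the container address pools, so any other network that can reach the host (including the internet, if a public interface exists — not visible here) gets root-equivalent control of the host through the API. The REJECT rules are appended to INPUT, so a pre-existing ACCEPT earlier in the chain (if any) wins, and `ansible.builtin.iptables` does not persist rules, so they are gone after a reboot unless a save step (`iptables-save`/`netfilter-persistent`) is added. The `lineinfile` regexp matches only the pre-edit `ExecStart`, so on a re-run it no longer matches the rewritten line; the Ansible docs warn this breaks idempotence, and `regexp: '^ExecStart=/usr/bin/dockerd '` matches both states. The shape below inserts the container REJECTs ahead of existing rules, adds a catch-all REJECT for everything outside a management CIDR (enabling `tlsverify` in daemon.json is still the better control), and fixes the regexp. `daemon_reload: yes` and `become: yes` should also be `true`, as the other tasks in this file already write it.
```yaml
# … unchanged: daemon.json upload task …

- name: Restrict port 2375 (Docker socket) from container instances
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 2375
    source: "{{ item }}"
    jump: REJECT
    action: insert  # ahead of any pre-existing ACCEPT in INPUT
  loop:
    - 192.168.0.0/16
    - 172.16.0.0/12
    - 10.99.0.0/16
  become: true

- name: Reject port 2375 from everything outside the management network
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 2375
    source: "!{{ docker_api_mgmt_cidr }}"  # role var; TLS client auth still advisable
    jump: REJECT
  become: true

- name: Open Docker ports
  ansible.builtin.lineinfile:
    path: /lib/systemd/system/docker.service
    regexp: '^ExecStart=/usr/bin/dockerd '  # matches before and after the edit (idempotent)
    line: 'ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock'
# … unchanged: owner/group/mode, become, restart task …
```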
@@ -0,0 +1,33 @@
+---
+
+- name: "Upload 'github.key' to '/home/{{ ctf_user }}/.ssh/github.key'"
+  ansible.builtin.copy:
+    src: "files/github.key"
+    dest: "/home/{{ ctf_user }}/.ssh/github.key"
+    owner: "{{ ctf_user }}"
+    group: "{{ ctf_user }}"
+    mode: "0600"
+  become: true
+  become_user: "{{ ctf_user }}"
+
+- name: "Copy SSH config file to '/home/{{ ctf_user }}/.ssh/config'"
+  ansible.builtin.template:
+    src: ssh_config.j2
+    dest: "/home/{{ ctf_user }}/.ssh/config"
+    owner: "{{ ctf_user }}"
+    group: "{{ ctf_user }}"
+    mode: "0644"
+  become: true
+  become_user: "{{ ctf_user }}"
+
+- name: "Clone HeroCTF challenges' repository to '/home/{{ ctf_user }}/challenges'"
+  ansible.builtin.git:
+    repo: "{{ challenges_git_url }}"
+    version: "main"
+    dest: "/home/{{ ctf_user }}/challenges"
+    accept_hostkey: true
+    force: true
+  become: true
+  become_user: "{{ ctf_user }}"
+  register: git_challenge_output
+  changed_when: git_challenge_output.changed
diff --git a/ansible/roles/challenges/tasks/main.yml b/ansible/roles/challenges/tasks/main.yml
index f451372..957f7f8 100644
--- a/ansible/roles/challenges/tasks/main.yml
+++ b/ansible/roles/challenges/tasks/main.yml
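Review bot: `accept_hostkey: true` on the clone task trusts whatever host key is presented on the first contact with the Git server, so the deploy key and the cloned challenge sources are exposed to a man-in-the-middle on that first clone; pin the server's published host keys in `ssh_config.j2` (`StrictHostKeyChecking yes` plus a `UserKnownHostsFile` shipped by the role) and drop `accept_hostkey`. `files/github.key` is a private key shipped as a plain role file — whether it is vault-encrypted cannot be seen from the diff, but if it is not it should be, or fetched from a secret store at run time. Also note `ansible.builtin.copy` fails when `/home/{{ ctf_user }}/.ssh` does not already exist; presumably the prerequisites role creates it — verify, or add a `file: state=directory mode=0700` task first.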
@@ -1,33 +1,10 @@
 ---
 
-- name: "Upload 'github.key' to '/home/{{ ctf_user }}/.ssh/github.key'"
-  ansible.builtin.copy:
-    src: "files/github.key"
-    dest: "/home/{{ ctf_user }}/.ssh/github.key"
-    owner: "{{ ctf_user }}"
-    group: "{{ ctf_user }}"
-    mode: "0600"
-  become: true
-  become_user: "{{ ctf_user }}"
+- name: Setup Git repository of challenges
+  ansible.builtin.import_tasks:
+    file: git_repository.yml
 
-- name: "Copy SSH config file to '/home/{{ ctf_user }}/.ssh/config'"
-  ansible.builtin.template:
-    src: ssh_config.j2
-    dest: "/home/{{ ctf_user }}/.ssh/config"
-    owner: "{{ ctf_user }}"
-    group: "{{ ctf_user }}"
-    mode: "0644"
-  become: true
-  become_user: "{{ ctf_user }}"
-
-- name: "Clone HeroCTF challenges' repository to '/home/{{ ctf_user }}/challenges'"
-  ansible.builtin.git:
-    repo: "{{ challenges_git_url }}"
-    version: "main"
-    dest: "/home/{{ ctf_user }}/challenges"
-    accept_hostkey: true
-    force: true
-  become: true
-  become_user: "{{ ctf_user }}"
-  register: git_challenge_output
-  changed_when: git_challenge_output.changed
+- name: Setup docker configuration for dynamic challenges
+  ansible.builtin.import_tasks:
+    file: dynamic_docker_config.yml
+  when: inventory_hostname in groups['dynamic-challenges']
diff --git a/ansible/group_vars/challenges.yml b/ansible/roles/challenges/vars/main.yml
similarity index 100%
rename from ansible/group_vars/challenges.yml
rename to ansible/roles/challenges/vars/main.yml
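Review bot: `when: inventory_hostname in groups['dynamic-challenges']` errors out with an undefined-attribute failure whenever the inventory has no `dynamic-challenges` group (a static-only inventory, or an ad-hoc `-i host,` run), and because `import_tasks` is static the condition is copied onto and re-evaluated for every imported task. `when: "'dynamic-challenges' in group_names"` is the idiomatic form and is safe when the group is absent; alternatively use `include_tasks` so the condition is evaluated once. A short comment above the import, `# only dynamic hosts expose the Docker API; see dynamic_docker_config.yml`, would make the static/dynamic split visible to readers of main.yml.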