hsasctf / lxctf

Attack/Defense CTF Framework forked from iCTF-Framework for use at HS AlbSig (Albstadt-Sigmaringen University of Applied Sciences)
GNU General Public License v2.0

wireguard #9

Open leoTlr opened 4 years ago

leoTlr commented 4 years ago

We plan to switch from openvpn to wireguard for performance reasons.

c-goes commented 4 years ago

Team number must be encoded in the IP addresses for #12 to work. For openvpn we have 10.41.(team number).X/24. Can we use 42 for wireguard?

antfeh commented 4 years ago

When using this setup on a production server, does it spawn the two VMs like in the development environment, or is everything installed directly on the machine hosting the CTF?

c-goes commented 4 years ago

@antfeh Directly on the host, as described in https://github.com/hsasctf/lxctf/blob/master/docs/local.md. The two VMs are just the development environment.

I will adapt the document after pushing the dynamic inventory.

c-goes commented 4 years ago

@antfeh Thanks for your work. A little feedback on your branch: "delegate_to: 127.0.0.1" is meant only for tasks that should run on the system running Ansible. For the "local" installation, the remote and local system are the same. But that's not the case for the development environment or other undocumented installation types. When you install wireguard and copy the configuration, it should not run on 127.0.0.1.

Maybe in the wireguard case it would be easiest to run everything at remote (e.g. template to remote like here https://github.com/hsasctf/lxctf/compare/feature/wireguard#diff-d8238564479491178cd9312e2a4ec074R238) and then fetch or slurp the files to the paths in role (https://docs.ansible.com/ansible/latest/modules/fetch_module.html#fetch-module, https://docs.ansible.com/ansible/latest/modules/slurp_module.html).

c-goes commented 4 years ago

Instead of my suggested changes, we can also take the controller VM out of the development environment; it should work better then. And it's more like a production environment.

c-goes commented 4 years ago

@antfeh For idempotence you should use "creates" for the shell tasks that create files (https://docs.ansible.com/ansible/2.8/modules/shell_module.html). Won't it overwrite the keys after each run or raise an error if the key exists?

antfeh commented 4 years ago

@c-goes wireguard automatically overwrites the existing keys, so there should be no problem.

c-goes commented 4 years ago

@antfeh In my opinion it's a problem if the keys change after every run. You cannot fix the problem after the keys are handed out, and the configuration is destroyed when Ansible is run by accident after the keys are given to users. Please confirm that the keys are not overwritten.

You could create a pull request and I'll show you what changes are needed.
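
Added example, not part of the thread or the lxctf repository: one way to write the key-generation tasks discussed above so that a repeated Ansible run keeps keys that were already handed out, using "creates" on the shell tasks and slurp to read the public keys back. The names `team_ids` and `wg_key_dir`, the file layout under /etc/wireguard/keys and the `hosts: all` target are assumptions.

```yaml
# Added example; team_ids and wg_key_dir are assumed names, not from lxctf.
- hosts: all                      # assumption: inventory holds only the VPN gateway host
  become: true
  vars:
    team_ids: [1, 2, 3]           # constructed sample value
    wg_key_dir: /etc/wireguard/keys
  tasks:
    - name: Key directory, accessible by root only
      file:
        path: "{{ wg_key_dir }}"
        state: directory
        owner: root
        group: root
        mode: "0700"

    # "creates" makes Ansible skip the command when the file already exists,
    # so keys that were handed out survive a second run. Writing to a .tmp
    # file and renaming it avoids leaving an empty key file behind (which
    # "creates" would then treat as done) if wg genkey fails.
    - name: Generate private key once per team
      shell: >
        umask 077 &&
        wg genkey > "{{ wg_key_dir }}/team{{ item }}.key.tmp" &&
        mv "{{ wg_key_dir }}/team{{ item }}.key.tmp" "{{ wg_key_dir }}/team{{ item }}.key"
      args:
        creates: "{{ wg_key_dir }}/team{{ item }}.key"
      loop: "{{ team_ids }}"

    - name: Derive public key once per team
      shell: >
        wg pubkey < "{{ wg_key_dir }}/team{{ item }}.key"
        > "{{ wg_key_dir }}/team{{ item }}.pub.tmp" &&
        mv "{{ wg_key_dir }}/team{{ item }}.pub.tmp" "{{ wg_key_dir }}/team{{ item }}.pub"
      args:
        creates: "{{ wg_key_dir }}/team{{ item }}.pub"
      loop: "{{ team_ids }}"

    # slurp runs on the remote host and returns base64 content, so no task
    # needs delegate_to: 127.0.0.1 to get at the generated files.
    - name: Read public keys back from the remote host
      slurp:
        src: "{{ wg_key_dir }}/team{{ item }}.pub"
      loop: "{{ team_ids }}"
      register: wg_pubkeys

    - name: Show decoded public keys
      debug:
        msg: "team{{ item.item }}: {{ item.content | b64decode | trim }}"
      loop: "{{ wg_pubkeys.results }}"
```

On a second run the two shell tasks report no change and the files under `wg_key_dir` keep their contents; rotating a team's key then requires deleting its `.key` and `.pub` files on purpose.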