forked from picoCTF/picoCTF
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinventory.yml
124 lines (105 loc) · 4.94 KB
/
inventory.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
---
# Configuration for use with a remote AWS production deployment.
#
# You WILL need to edit this file.
#
# The variable you are most likely to need to edit are marked UPDATE. Other are
# commented so that you can customize the deployment behavior.
all:
hosts:
shell:
hostname : "picoCTF-shell-PROD"
ansible_host : "shell.example.com" # UPDATE: with fully qualified domain name
web:
hostname : "picoCTF-web-PROD"
ansible_host : "ctf.example.com" # UPDATE: with fully qualified domain name
vars:
# UPDATE: this is the default key specified in terraform/variables.tf
# that was automatically added to the machines when launched
ansible_ssh_private_key_file : "~/.ssh/picoCTF_production_rsa"
# UPDATE: with an administrator's email
# Used in auto_add_web_admin and to get SSL/TLS certificates
admin_email : "[email protected]"
###
# *** Reasonable defaults ***
#
# The following variables are likely reasonable defaults, especially for
# your first test deployment. There is no requirement to make any changes
# beyond this point. However, we recommend you read through the settings
# to gain an appreciation for additional options.
###
# ubuntu is the default user for the AWS Ubuntu AMI
ansible_user : "ubuntu"
## Source Settings:
# This is how the picoCTF platform source code will be sent to the remote
# hosts. Since you already have a copy of the source code checked out
# this simply pushes your current copy to the remote host (preventing any
# complex interactions with private git repositories). See ansible/common/tasks
sync_mode : "source"
pico_src_dir : "{{ playbook_dir }}/../"
# SSH admin keys (Optional)
admin_keys : []
# Disable Unattended Upgrades
disable_unattended_upgrades : False
## Web automation and Features (Optional):
# These are currently setup to fully configure and start an event. This
# is appropriate for testing purposes but if you are planning on running
# a live event you will likely want to disable some of these.
auto_add_web_admin : True
auto_add_shell : True
auto_load_problems : True
auto_start_ctf : True
enable_docker : True
## HTTPS:
# You can automatically obtain free SSL/TLS certificates from Let's
# Encrypt by using certbot. In order for this functionality to work
# you must have a domain registered and pointing at your hosts. The
# `ansible_host` for both `web` and `shell` should be domain names.
enable_certbot : True
# NOTE: if you plan on creating/destroying your infrastructure many times
# you might want to consider running in staging mode to prevent hitting a
# rate limit. Switching from live/staging requires some manual
# administration. Also the web-shell will not work as the cert is
# invalid.
# https://letsencrypt.org/docs/rate-limits/
# https://letsencrypt.org/docs/staging-environment/
certbot_staging: False
# Set whether `ansible_host` is an IP address or a domain name (DNS) In a
# production environment we recommend DNS so that you can easily use SSL/TLS
host_type : "DNS" # valid options 'IP' or 'DNS'
## Database settings:
# Should not need to be changed.
on_aws : True
mongodb_web_user : "picoWeb"
env_db_users :
- {
name : "{{ mongodb_web_user }}",
password : "{{ picoWeb_db_password }}",
database : "{{ db_name }}",
roles : readWrite
}
###
# *** SECURE settings ***
#
# The following section captures security relevant settings that you
# should be aware of in a production environment (e.g. credentials).
#
# These sensitive variables are loaded from an ansible-vault encrypted file
# For more information: http://docs.ansible.com/ansible/playbooks_vault.html
#
# You should not need to edit this section simply run the gen_vault.py
# script to create an appropriate vault file.
# web
flask_app_secret_key : "{{ vault_flask_app_secret_key }}"
flask_app_rate_limit_bypass_key : "{{ vault_flask_app_rate_limit_bypass_key }}"
web_admin_pw : "{{ vault_web_admin_pw }}"
# shell
shell_manager_deploy_secret : "{{ vault_shell_manager_deploy_secret }}"
# db
mongodb_conf_auth : True
picoAdmin_db_password : "{{ vault_picoAdmin_db_password }}"
picoWeb_db_password : "{{ vault_picoWeb_db_password }}"
redis_conf_auth : True
redis_db_password : "{{ vault_redis_db_password }}"
# Additional non-credential settings
net_outbound_limit : "40mbit" # Prevent script kiddies from using as DOS box