-
Notifications
You must be signed in to change notification settings - Fork 39
Configuring the daemon
This page describes the process of configuring a host for running the Haaukins daemon, hknd.
The daemon has only been tested on a Linux host with systemd, but binaries for other operating systems can be build as well.
For the remainder of the Wiki, we assume a user hknd user exists with home directory /home/hknd.
The following is the default directory structure:
.
|-- config.yml
|-- events
| |-- test-10-04-19
| | |-- 005850db.log
| |-- test-10-04-19.yml
|-- exercises.yml
|-- frontends.yml
|-- hknd
`-- users.yml
The hknd file is the binary, and by default is uses config.yml in the working directory as its primary configuration file.
The following YAML files must be created manually and serve as configuration files for hknd:
| Configuration file | Purpose |
|---|---|
config.yml |
The main configuration file |
exercises.yml |
The specification of the exercises |
frontends.yml |
The specification of the existing frontends |
The users.yml acts as a database that stores the information of CLI users.
The event directory serves as a database for events, such as the registered teams, the progress of teams and the monitored mouse clicks and key strokes.
Example
host:
http: <main-domain-address>
grpc: <grpc-domain-address>
port:
insecure: <http-port>
secure: <https-port>
tls:
enabled: true
certfile: "<fullpath-to-certfile>"
certkey: "<fullpath-to-privkey>"
cafile: "<fullpath-to-ca-file>"
files:
ova-directory: "<fullpath>"
users-file: "<fullpath>"
exercises-file: "<fullpath>"
frontends-file: "<fullpath>"
events-directory: "<fullpath>"
log-directory: "<fullpath>"
# in normal cases prodmode should be true
# however for time being, it is set to false
# until challenges organized very well on gitlab
prodmode: false
db-config:
grpc: <haaukins-store-service-dns-record-or-ip>:<port>
auth-key: <auth-key-for-grpc-auth>
sign-key: <sign-key-for-grpc-auth>
tls:
enabled: true
certfile: "<fullpath-to-certfile>"
certkey: "<fullpath-to-privkey>"
cafile: "<fullpath-to-ca-file>"
vpn-service:
endpoint: <vpn-service-dns-record-or-ip>
port: <port>
auth-key: <auth-key-for-grpc-auth>
sign-key: <sign-key-for-grpc-auth>
client-conf-dir: /etc/wireguard/
tls:
enabled: true
certfile: "<fullpath-to-certfile>"
certkey: "<fullpath-to-privkey>"
cafile: "<fullpath-to-ca-file>"
exercise-service:
grpc: <exercises-service-dns-record-or-ip>:<port>
auth-key: <auth-key-for-grpc-auth>
sign-key: <sign-key-for-grpc-auth>
tls:
enabled: true
certfile: "<fullpath-to-certfile>"
certkey: "<fullpath-to-privkey>"
cafile: "<fullpath-to-ca-file>"
recaptcha-key: <google-recaptcha-key>
sign-key: <grpc-signing-key-for-ack>
docker-repositories:
- username: <registry-username>
password: <registry-user-password>
serveraddress: <registry-dns-record-or-ip>The daemon can listen on two different host names for the reverse proxy and the gRPC traffic. In case a HTTPS connection is preferred, the TLS configuration must be enabled, and both the secure (HTTP) and insecure (HTTPS) port must be configured.
If TLS is enabled, the acme field must be filled in, which ensures that hknd manages the TLS certificates.
- Note - as of now, only Cloudflare is supported as the ACME DNS provider.
The docker-repositories and ova-directory specify from which Docker repository and path on the filesystem hknd retrieves the images for the virtual instances.
For all (latest) configuration options, take a look at the Config struct in Golang source code.
Example
exercises:
- name: Cross-site Request Forgery
tags:
- csrf
docker:
- image: <image name>
dns:
- name: formalbank.com
type: A
memoryMB: 80
flag:
- tag: csrf-1
name: Cross-site Request Forgery
env: APP_FLAG
points: 12This file contains a list of all exercises that can be run on Haaukins.
For all (latest) configuration options, take a look at the Exercise struct in the Golang source code.
Example
frontends:
- image: kali
memoryMB: 4096
cpu: 2Contains a list of all frontends that Haaukins.
The value of image can be used as a tag when creating a new event from the CLI.
The daemon searches for the path <ova-directory>/<image name>.ova, where ova-directory is retrieved from the config.yml, and the image name is provided by the CLI user.