From dbfd9d423c4c319e87da5e689e782d70ac807f7a Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Wed, 29 Apr 2026 23:05:02 -0600 Subject: [PATCH 01/14] fix: pin setuptools version for impacket and update nimbus_range source repo **Changed:** - Pin setuptools to version <81 in the noPac venv to ensure pkg_resources is available for impacket compatibility, preventing import errors in privesc_tools Ansible role - Update nimbus_range source in warpgate template to point to the new ares repository and checkout the feat/more-attack-cov branch for improved attack coverage - Adjust file copy command in warpgate provisioner to correctly copy the ansible directory contents from the new repository layout --- warpgate-templates/templates/ares-golden-image/warpgate.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/warpgate-templates/templates/ares-golden-image/warpgate.yaml b/warpgate-templates/templates/ares-golden-image/warpgate.yaml index bd18b1bd..73dfdb59 100644 --- a/warpgate-templates/templates/ares-golden-image/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-image/warpgate.yaml @@ -36,7 +36,8 @@ base: sources: - name: nimbus_range git: - repository: https://github.com/dreadnode/ansible-collection-nimbus_range.git + repository: https://github.com/dreadnode/ares.git + ref: feat/more-attack-cov depth: 1 auth: token: ${GITHUB_TOKEN} @@ -60,7 +61,7 @@ provisioners: - type: shell inline: - mkdir -p /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range - - cp -r /tmp/nimbus_range/* /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ + - cp -r /tmp/nimbus_range/ansible/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ - rm -rf /tmp/nimbus_range # Install NVIDIA drivers for GPU-accelerated hashcat on g4dn (T4 GPU) From 4c7f325f73f8f2e9eeac3fe1d956f02615633a0d Mon Sep 17 00:00:00 2001 
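Review bot: `ref: feat/more-attack-cov` points the golden-image build at a mutable feature branch of dreadnode/ares, so each build pulls whatever that branch holds at the time, and a force-pushed or deleted branch silently changes or breaks an image whose contents are unpacked into `/root/.ansible/collections` and executed as root; pin to an immutable ref instead (`ref: <full commit SHA>` or a tag) and keep the branch name in a comment. Separately, the commit message describes a setuptools `<81` pin in the noPac venv, but the diffstat touches only `warpgate.yaml`, so that change is not in this patch — confirm it was meant to be included. The `sources:` block this hunk edits begins above the hunk.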
From: Jayson Grace Date: Wed, 29 Apr 2026 17:26:17 -0600 Subject: [PATCH 02/14] feat: add Azure golden image template --- .../templates/ares-golden-azure/README.md | 29 ++++++++++ .../ares-golden-azure/playbooks/smoke.yml | 24 ++++++++ .../templates/ares-golden-azure/warpgate.yaml | 58 +++++++++++++++++++ 3 files changed, 111 insertions(+) create mode 100644 warpgate-templates/templates/ares-golden-azure/README.md create mode 100644 warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml create mode 100644 warpgate-templates/templates/ares-golden-azure/warpgate.yaml diff --git a/warpgate-templates/templates/ares-golden-azure/README.md b/warpgate-templates/templates/ares-golden-azure/README.md new file mode 100644 index 00000000..8094df9a --- /dev/null +++ b/warpgate-templates/templates/ares-golden-azure/README.md @@ -0,0 +1,29 @@ +# ares-golden-azure + +Azure variant of the Ares golden image. Builds an Ubuntu 22.04 LTS image via Azure +VM Image Builder and publishes a version into the `warpgateTestGallery` Compute +Gallery. + +This template is intentionally lighter than `ares-golden-image` (the AMI variant) — +its purpose is to prove the warpgate Azure pipeline works end-to-end. It exercises: + +- shell customizer +- ansible customizer (with auto-bootstrap of ansible-core) +- gallery image version publish + +## Prerequisites + +Provisioned manually (one-time): + +- Resource group `warpgate-test-rg` in `eastus` +- Compute Gallery `warpgateTestGallery` +- Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2, + publisher=`dreadnode`, offer=`ares`, sku=`golden`) +- User-assigned managed identity `warpgate-aib-uami` + with Contributor on `warpgate-test-rg` + +## Build + +```bash +warpgate build path/to/ares-golden-azure --target azure +``` diff --git a/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml b/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml new file mode 100644 index 00000000..388e33a7 --- /dev/null 
+++ b/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml @@ -0,0 +1,24 @@ +--- +- hosts: localhost + connection: local + gather_facts: true + become: true + tasks: + - name: Confirm ansible bootstrap reached the target + ansible.builtin.copy: + dest: /etc/ares-ansible-stamp + mode: '0644' + content: | + ansible_bootstrap_ok=true + host={{ ansible_hostname }} + os_family={{ ansible_os_family }} + distribution={{ ansible_distribution }} {{ ansible_distribution_version }} + + - name: Install a representative red-team CLI tool (nmap) + ansible.builtin.apt: + name: + - nmap + - tcpdump + - net-tools + state: present + update_cache: true diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml new file mode 100644 index 00000000..76395d57 --- /dev/null +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml 
@@ -0,0 +1,58 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/cowdogmoo/warpgate/main/schema/warpgate-template.json +metadata: + name: ares-golden-azure + version: 0.1.0 + description: Azure variant of the Ares golden image. Proves the Azure VM Image Builder + Compute Gallery pipeline end-to-end. + author: Dreadnode + license: MIT + tags: + - ares + - golden-image + - azure + - smoke-test + requires: + warpgate: '>=1.0.0' + +name: ares-golden-azure +version: latest + +base: + image: Canonical/0001-com-ubuntu-server-jammy/22_04-lts-gen2:latest + +provisioners: + - type: shell + inline: + - apt-get update + - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates curl jq python3 python3-pip python3-venv pipx + - pipx ensurepath + - echo "ares-golden-azure base packages installed at $(date -u)" | tee /etc/ares-build-stamp + + - type: ansible + playbook_path: ./playbooks/smoke.yml + + - type: shell + inline: + - echo "ares-golden-azure provisioning complete" | tee -a /etc/ares-build-stamp + - apt-get clean + - rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +targets: + - type: azure + subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 + resource_group: warpgate-test-rg + location: eastus + gallery: warpgateTestGallery + gallery_image_definition: ares-golden-azure + vm_size: Standard_D4s_v3 + os_type: Linux + identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami + source_image: + marketplace: + publisher: Canonical + offer: 0001-com-ubuntu-server-jammy + sku: 22_04-lts-gen2 + version: latest + image_tags: + Project: ares + ManagedBy: warpgate + Variant: azure-smoke-test From acdecb4e22d5205cf9680c50528c658f6b8d8770 Mon Sep 17 00:00:00 2001 
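Review bot: `base.image` ends in `:latest` and `source_image.version` is `latest`, so the Ubuntu marketplace image this build starts from is unpinned and two builds of template version 0.1.0 can produce different images; pin `version:` to a concrete marketplace version string (and note it in the README) so the published gallery version is reproducible and an upstream image change cannot flow in unnoticed. The `subscription_id` and the full `identity_id` resource path are also committed as literals — not secrets, but they bind the template to one tenant; if warpgate expands `${VAR}` here the way it does for `${GITHUB_TOKEN}` elsewhere in the repo, `subscription_id: ${AZURE_SUBSCRIPTION_ID}` would keep the template portable.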
From: Jayson Grace Date: Wed, 29 Apr 2026 23:07:36 -0600 Subject: [PATCH 03/14] fix: update azure vm_size and remove unused target properties in template **Changed:** - Updated Azure VM size from Standard_D4s_v3 to Standard_D2as_v7 to optimize resource usage in the warpgate template - Removed unused or redundant Azure target properties: resource_group, location, gallery, gallery_image_definition, os_type, and identity_id to streamline the template configuration --- .../templates/ares-golden-azure/warpgate.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index 76395d57..206046f4 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -39,13 +39,7 @@ provisioners: targets: - type: azure subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 - resource_group: warpgate-test-rg - location: eastus - gallery: warpgateTestGallery - gallery_image_definition: ares-golden-azure - vm_size: Standard_D4s_v3 - os_type: Linux - identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami + vm_size: Standard_D2as_v7 source_image: marketplace: publisher: Canonical From 86968e0cc9b7332181a51c2d904bfe7e9160db64 Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Thu, 30 Apr 2026 11:20:06 -0600 Subject: [PATCH 04/14] fix: update azure vm_size in warpgate template --- .../templates/ares-golden-azure/warpgate.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index 206046f4..e6307ea6 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml 
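Review bot: Removing `resource_group`, `gallery`, `gallery_image_definition` and `identity_id` from the azure target leaves nothing in the template saying where the image version is published or which managed identity Image Builder runs as, while the README still lists all of them as manual prerequisites. If warpgate derives these from defaults or CLI flags, the README should say so; otherwise the build can no longer reach `warpgateTestGallery` and this is a regression rather than a cleanup. Nothing in the diff shows the replacement source of these values, so it is worth confirming before this lands.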
+++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -22,6 +22,8 @@ base: provisioners: - type: shell inline: + - cloud-init status --wait || true + - rm -rf /var/lib/apt/lists/* - apt-get update - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates curl jq python3 python3-pip python3-venv pipx - pipx ensurepath @@ -39,7 +41,12 @@ provisioners: targets: - type: azure subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 - vm_size: Standard_D2as_v7 + location: centralus + resource_group: WARPGATE-TEST-RG + gallery: warpgateTestGallery + gallery_image_definition: ares-golden-azure + identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami + vm_size: Standard_L2aos_v4 source_image: marketplace: publisher: Canonical From 535946bf7d28d3a193f1e2dfaa3ce540b717287f Mon Sep 17 00:00:00 2001 
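Review bot: `cloud-init status --wait || true` turns a failed cloud-init run into a silent success, so provisioning continues on a VM whose first-boot setup may be incomplete and the failure never shows in the build log; it also hides a missing `cloud-init` binary. Wait without discarding the status, or at least record it: `cloud-init status --wait || echo "WARN: cloud-init exited $? (see: cloud-init status --long)"`, so a degraded first boot is visible in the customization log. The enclosing `- type: shell` / `inline:` lines are context above the change.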
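Review bot: The target now says `location: centralus` and `resource_group: WARPGATE-TEST-RG`, but the README prerequisites and the `identity_id` path on the next line still say `warpgate-test-rg` in `eastus`; resource-group names are case-insensitive in Azure so the casing is cosmetic, but the region mismatch means the README no longer describes what this template needs. Either revert to `eastus` or update the README's prerequisite list to `centralus`, and use the same lowercase `warpgate-test-rg` spelling everywhere so the value is greppable.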
From: Jayson Grace Date: Thu, 30 Apr 2026 12:26:04 -0600 Subject: [PATCH 05/14] feat: upgrade ares-golden-azure to kali with full red team toolchain and gpu support **Added:** - Clone and install nimbus_range red team Ansible collection from GitHub for attack tooling - Install NVIDIA driver and CUDA toolkit to enable GPU-accelerated hashcat and tools - Add shell provisioner to install all red team tools and Alloy telemetry agent via Ansible playbook - Document required Azure quota and Kali marketplace terms for GPU and image provisioning in README **Changed:** - Switch base image from Ubuntu 22.04 LTS to kali-linux/kali/kali-last for red team parity - Update warpgate.yaml metadata: bump version to 1.0.0, expand description, and add red team tags - Refactor provisioners to use shell for Ansible playbook install due to Azure customizer length limits - Update Azure target configuration to use GPU VM size (Standard_NC4as_T4_v3) and relevant tags - README now describes feature parity with AWS AMI and lists included red team capabilities **Removed:** - Remove smoke.yml Ansible playbook and related minimal provisioning steps - Drop prior Ubuntu-specific and smoke-test tags and metadata from warpgate.yaml - Remove basic red team tool install from initial provisioner in favor of full toolchain setup --- .../templates/ares-golden-azure/README.md | 19 +++-- .../ares-golden-azure/playbooks/smoke.yml | 24 ------ .../templates/ares-golden-azure/warpgate.yaml | 82 +++++++++++++++---- 3 files changed, 78 insertions(+), 47 deletions(-) delete mode 100644 warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml diff --git a/warpgate-templates/templates/ares-golden-azure/README.md b/warpgate-templates/templates/ares-golden-azure/README.md index 8094df9a..76daf53c 100644 --- a/warpgate-templates/templates/ares-golden-azure/README.md +++ b/warpgate-templates/templates/ares-golden-azure/README.md 
@@ -1,15 +1,17 @@ # ares-golden-azure -Azure variant of the Ares golden image. Builds an Ubuntu 22.04 LTS image via Azure +Azure variant of the Ares golden image. Builds a Kali Linux image via Azure VM Image Builder and publishes a version into the `warpgateTestGallery` Compute -Gallery. +Gallery, with feature parity against the AWS `ares-golden-image` AMI. -This template is intentionally lighter than `ares-golden-image` (the AMI variant) — -its purpose is to prove the warpgate Azure pipeline works end-to-end. It exercises: +Ships the same red-team toolchain installed by +`ansible/playbooks/ares/goad_attack_box.yml`: -- shell customizer -- ansible customizer (with auto-bootstrap of ansible-core) -- gallery image version publish +- recon, credential access, privilege escalation +- password cracking (hashcat from source, GPU-accelerated) +- lateral movement, ACL abuse, coercion +- Alloy telemetry agent +- NVIDIA driver + CUDA toolkit for T4 GPU acceleration ## Prerequisites @@ -21,6 +23,9 @@ Provisioned manually (one-time): publisher=`dreadnode`, offer=`ares`, sku=`golden`) - User-assigned managed identity `warpgate-aib-uami` with Contributor on `warpgate-test-rg` +- Quota for `Standard_NC4as_T4_v3` in `centralus` (T4 GPU family) +- Kali Marketplace terms accepted on the subscription: + `az vm image terms accept --publisher kali-linux --offer kali --plan kali-last` ## Build diff --git a/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml b/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml deleted file mode 100644 index 388e33a7..00000000 --- a/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -- hosts: localhost - connection: local - gather_facts: true - become: true - tasks: - - name: Confirm ansible bootstrap reached the target - ansible.builtin.copy: - dest: /etc/ares-ansible-stamp - mode: '0644' - content: | - ansible_bootstrap_ok=true - host={{ ansible_hostname }} - os_family={{ ansible_os_family }} - distribution={{ ansible_distribution }} {{ ansible_distribution_version }} - - - name: Install a representative red-team CLI tool (nmap) - ansible.builtin.apt: - name: - - nmap - - tcpdump - - net-tools - state: present - update_cache: true diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index e6307ea6..18960ff1 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -1,15 +1,22 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/cowdogmoo/warpgate/main/schema/warpgate-template.json metadata: name: ares-golden-azure - version: 0.1.0 - description: Azure variant of the Ares golden image. Proves the Azure VM Image Builder + Compute Gallery pipeline end-to-end. + version: 1.0.0 + description: Azure variant of the Ares golden image with all red team tools - recon, credential access, privesc, cracking, lateral movement, ACL abuse, and coercion author: Dreadnode license: MIT tags: - ares - golden-image - azure - - smoke-test + - red-team + - reconnaissance + - credential-access + - privilege-escalation + - password-cracking + - lateral-movement + - acl + - coercion requires: warpgate: '>=1.0.0' 
@@ -17,26 +24,68 @@ name: ares-golden-azure version: latest base: - image: Canonical/0001-com-ubuntu-server-jammy/22_04-lts-gen2:latest + image: kali-linux/kali/kali-last:latest + +sources: + - name: nimbus_range + git: + repository: https://github.com/dreadnode/ares.git + ref: feat/more-attack-cov + depth: 1 + auth: + token: ${GITHUB_TOKEN} provisioners: + # Install pipx and Ansible - type: shell inline: - - cloud-init status --wait || true - - rm -rf /var/lib/apt/lists/* - apt-get update - - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates curl jq python3 python3-pip python3-venv pipx + - apt-get install -y --no-install-recommends ca-certificates git procps sudo python3-apt python3-pip python3-venv pipx + - 'sed -i ''s|^PATH="|PATH="/root/.local/bin:/root/.cargo/bin:|'' /etc/environment || echo ''PATH="/root/.local/bin:/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'' > /etc/environment' + - pipx install --force uv + - pipx install --force ansible-core - pipx ensurepath - - echo "ares-golden-azure base packages installed at $(date -u)" | tee /etc/ares-build-stamp - - type: ansible - playbook_path: ./playbooks/smoke.yml + # Copy ansible collection from source (cloned securely by warpgate without embedding token in shell commands) + - type: file + source: ${sources.nimbus_range} + destination: /tmp/nimbus_range + + - type: shell + inline: + - mkdir -p /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range + - cp -r /tmp/nimbus_range/ansible/. 
/root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ + - rm -rf /tmp/nimbus_range + + # Install NVIDIA drivers for GPU-accelerated hashcat on NCas T4 v3 (T4 GPU) + - type: shell + inline: + - apt-get update + - apt-get install -y --no-install-recommends nvidia-driver firmware-misc-nonfree + - nvidia-smi || echo "nvidia-smi not available during image build (expected if no GPU attached)" + + # Attack Box - all red team tools + Alloy telemetry + # NOTE: Using shell instead of ansible provisioner because the playbook + # exceeds Azure VM Image Builder's customizer length limit when inlined. + - type: shell + inline: + - PATH=/root/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ansible-galaxy collection install -r /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/requirements.yml --force + - HOME=/root ANSIBLE_REMOTE_TMP=/tmp/ansible-tmp-$USER PATH=/root/.local/bin:/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ansible-playbook /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/playbooks/ares/goad_attack_box.yml -i localhost, -c local -e ansible_shell_executable=/bin/bash -e ansible_python_interpreter=/usr/bin/python3 -e cracking_tools_gpu_support=true -e cracking_tools_hashcat_from_source=true -e cracking_tools_nvidia_opencl_icd=true + + # NVIDIA GPU drivers + CUDA toolkit for hashcat GPU acceleration. + # Kernel headers + dkms are required so the nvidia module builds for the + # running kernel. The image then works on GPU instances (e.g. NCas T4 v3) + # without manual driver setup. 
+ - type: shell + inline: + - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends linux-headers-$(uname -r) dkms nvidia-driver nvidia-cuda-toolkit + # Cleanup - type: shell inline: - - echo "ares-golden-azure provisioning complete" | tee -a /etc/ares-build-stamp - apt-get clean - rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + - echo "Ares golden azure build completed successfully" targets: - type: azure @@ -46,14 +95,15 @@ targets: gallery: warpgateTestGallery gallery_image_definition: ares-golden-azure identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami - vm_size: Standard_L2aos_v4 + vm_size: Standard_NC4as_T4_v3 source_image: marketplace: - publisher: Canonical - offer: 0001-com-ubuntu-server-jammy - sku: 22_04-lts-gen2 + publisher: kali-linux + offer: kali + sku: kali-last version: latest image_tags: Project: ares + Role: RedTeamAttackBox ManagedBy: warpgate - Variant: azure-smoke-test + Tools: recon,credential-access,privesc,cracker,lateral-movement,acl-abuse,coercion From 3258b2f354cd8de18086146b8c6bd1c6b44fcb68 Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Thu, 30 Apr 2026 12:33:24 -0600 Subject: [PATCH 06/14] fix: update vm_size to Standard_D4s_v3 for ares-golden-azure template **Changed:** - Set default vm_size to Standard_D4s_v3 for improved compatibility and cost efficiency; added a commented GPU option for reference in warpgate.yaml --- warpgate-templates/templates/ares-golden-azure/warpgate.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index 18960ff1..2ebb79f8 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml 
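Review bot: The NVIDIA driver is installed twice in this hunk: the first GPU provisioner runs `apt-get install ... nvidia-driver firmware-misc-nonfree` before `linux-headers-$(uname -r)` and `dkms` exist, so that pass cannot build the kernel module cleanly, and the later provisioner then reinstalls `nvidia-driver` together with the headers, dkms and `nvidia-cuda-toolkit`. Drop the first block (keeping the `nvidia-smi || echo ...` probe if it is useful) and run the combined install once, so a failed first DKMS build is not masked by the second and the build does not pay for two driver installs. Also, `ANSIBLE_REMOTE_TMP=/tmp/ansible-tmp-$USER` expands to `/tmp/ansible-tmp-` if `USER` is unset in the Image Builder customizer shell — use `$(id -un)` or a fixed path. `ansible-galaxy collection install -r ... --force` pulls from Galaxy unpinned unless `requirements.yml` pins versions, which cannot be seen from here.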
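Review bot: `source_image` for the Kali offer uses `version: latest` and carries no purchase-plan block, even though the README now requires accepting marketplace terms for `kali-linux/kali/kali-last`; third-party marketplace offers generally need plan information (name/product/publisher) passed through to the image that is built from them, and `latest` means the Kali base changes between builds of the same template version. Pin `version:` to a concrete marketplace version and add the plan fields so the gallery version records which Kali release it came from. Whether warpgate fills the plan in on its own cannot be seen from here — confirm rather than assume.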
@@ -95,7 +95,9 @@ targets: gallery: warpgateTestGallery gallery_image_definition: ares-golden-azure identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami - vm_size: Standard_NC4as_T4_v3 + vm_size: Standard_D4s_v3 + # For GPU: + # vm_size: Standard_NC4as_T4_v3 source_image: marketplace: publisher: kali-linux From 1076e35e9a08f053af0d48a1b3d124cde608b4c5 Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Thu, 30 Apr 2026 12:45:00 -0600 Subject: [PATCH 07/14] fix: update kali marketplace plan and sku to kali-2026-1 for azure template **Changed:** - Updated Kali Marketplace plan in documentation to use `kali-2026-1` instead of `kali-last` for improved accuracy and consistency - README.md - Changed the Azure VM image sku in the template configuration from `kali-last` to `kali-2026-1` to match the current marketplace offering - warpgate.yaml --- warpgate-templates/templates/ares-golden-azure/README.md | 2 +- warpgate-templates/templates/ares-golden-azure/warpgate.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/warpgate-templates/templates/ares-golden-azure/README.md b/warpgate-templates/templates/ares-golden-azure/README.md index 76daf53c..e47df0ae 100644 --- a/warpgate-templates/templates/ares-golden-azure/README.md +++ b/warpgate-templates/templates/ares-golden-azure/README.md @@ -25,7 +25,7 @@ Provisioned manually (one-time): with Contributor on `warpgate-test-rg` - Quota for `Standard_NC4as_T4_v3` in `centralus` (T4 GPU family) - Kali Marketplace terms accepted on the subscription: - `az vm image terms accept --publisher kali-linux --offer kali --plan kali-last` + `az vm image terms accept --publisher kali-linux --offer kali --plan kali-2026-1` ## Build diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index 2ebb79f8..e80dd968 100644 
--- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -102,7 +102,7 @@ targets: marketplace: publisher: kali-linux offer: kali - sku: kali-last + sku: kali-2026-1 version: latest image_tags: Project: ares From 336b62e6135707ada18274bdf14501aeab82f084 Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Thu, 30 Apr 2026 13:03:34 -0600 Subject: [PATCH 08/14] fix: update warpgate template --- warpgate-templates/templates/ares-golden-azure/warpgate.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index e80dd968..6e162a23 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -104,6 +104,10 @@ targets: offer: kali sku: kali-2026-1 version: latest + plan: + name: kali-2026-1 + product: kali + publisher: kali-linux image_tags: Project: ares Role: RedTeamAttackBox From 5fc9aee76b9904b62180f16a353a155b5dbcd929 Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Thu, 30 Apr 2026 15:43:55 -0600 Subject: [PATCH 09/14] fix: streamline ansible collection clone to avoid azure build timeouts **Changed:** - Replace warpgate 'sources' and 'type: file' steps with a single shell provisioner that securely clones the nimbus_range repository using a git credential helper, avoiding token exposure and Azure Image Builder timeouts caused by copying large file trees. Updated inline documentation to explain rationale for the shell-based approach. - Remove redundant file provisioner and adjust steps to clone, copy, and clean up the ansible collection in one sequence. --- .../templates/ares-golden-azure/warpgate.yaml | 25 ++++++------------- 1 file changed, 7 insertions(+), 18 deletions(-) 
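Review bot: `targets[0].source_image.sku` moves to `kali-2026-1`, but `base.image` earlier in the same file is still `kali-linux/kali/kali-last:latest` (visible as context in the next patch), so the template now names two different Kali SKUs and it is unclear which one the Azure build actually boots from. Update `base.image` to `kali-linux/kali/kali-2026-1:latest` (or whatever form warpgate expects) in the same change, or document which field wins, so the README's `az vm image terms accept --plan kali-2026-1` matches the image really used.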
diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index 6e162a23..5bfa20c0 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -26,17 +26,13 @@ version: latest base: image: kali-linux/kali/kali-last:latest -sources: - - name: nimbus_range - git: - repository: https://github.com/dreadnode/ares.git - ref: feat/more-attack-cov - depth: 1 - auth: - token: ${GITHUB_TOKEN} - provisioners: - # Install pipx and Ansible + # Install pipx + Ansible, then fetch the nimbus_range collection on the build VM. + # We re-clone in shell rather than using warpgate's `sources` + `type: file` + # pattern (see ares-golden-image) because Azure Image Builder expands `type: file` + # into one customizer per file and times out on the 2000+ file ansible/ tree. + # Token is passed via a credential helper so it never appears in the clone URL + # or AIB customizer logs; ref tracks the AMI variant. - type: shell inline: - apt-get update @@ -45,14 +41,7 @@ provisioners: - pipx install --force uv - pipx install --force ansible-core - pipx ensurepath - - # Copy ansible collection from source (cloned securely by warpgate without embedding token in shell commands) - - type: file - source: ${sources.nimbus_range} - destination: /tmp/nimbus_range - - - type: shell - inline: + - GITHUB_TOKEN=${GITHUB_TOKEN} git -c 'credential.helper=!f() { echo username=x-access-token; echo password=$GITHUB_TOKEN; }; f' clone --depth 1 --branch feat/more-attack-cov https://github.com/dreadnode/ares.git /tmp/nimbus_range - mkdir -p /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range - cp -r /tmp/nimbus_range/ansible/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ - rm -rf /tmp/nimbus_range From 9541bfaf10c439c343f433168c0c352c3dc94673 Mon Sep 17 00:00:00 2001 
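Review bot: The new clone line begins `GITHUB_TOKEN=${GITHUB_TOKEN} git ...`, and if warpgate substitutes `${GITHUB_TOKEN}` when it renders the template (as it must have for the removed `auth.token: ${GITHUB_TOKEN}`), the token literal becomes part of the inline customizer stored in the Image Builder template resource — readable by anyone who can view the template or its deployment history, and echoed into customization logs if the shell traces commands — so the comment's "never appears in ... AIB customizer logs" only holds for the clone URL. Safer shapes: keep the clone off the build VM by retaining `sources:` and shipping the tree as one archive through a single `type: file` (one customizer instead of 2000+), or, if it must run on the VM, fetch the secret at run time via the build identity (e.g. from Key Vault) rather than from the command text. `--branch feat/more-attack-cov` is also still a mutable ref; shallow-fetch a pinned commit instead, e.g. `git init /tmp/nimbus_range && git -C /tmp/nimbus_range fetch --depth 1 origin <sha> && git -C /tmp/nimbus_range checkout FETCH_HEAD`. The `- type: shell` / `inline:` lines this belongs to are above the hunk.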
From: Jayson Grace Date: Thu, 30 Apr 2026 16:31:56 -0600 Subject: [PATCH 10/14] ci: update Warpgate version to v4.6.0 in GitHub Actions workflows **Changed:** - Bump WARPGATE_VERSION from v4.4.0 to v4.6.0 in build-and-push-templates.yaml, test-template-builds.yaml, and validate-templates.yaml to use latest Warpgate release in CI workflows --- .github/workflows/build-and-push-templates.yaml | 2 +- .github/workflows/test-template-builds.yaml | 2 +- .github/workflows/validate-templates.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-and-push-templates.yaml b/.github/workflows/build-and-push-templates.yaml index 54c6f300..63535b4d 100644 --- a/.github/workflows/build-and-push-templates.yaml +++ b/.github/workflows/build-and-push-templates.yaml @@ -30,7 +30,7 @@ env: PYTHON_VERSION: 3.13.7 TASK_VERSION: 3.45.5 TASK_X_REMOTE_TASKFILES: 1 - WARPGATE_VERSION: "v4.4.0" + WARPGATE_VERSION: "v4.6.0" jobs: discover-templates: diff --git a/.github/workflows/test-template-builds.yaml b/.github/workflows/test-template-builds.yaml index 0a086e53..8d34e217 100644 --- a/.github/workflows/test-template-builds.yaml +++ b/.github/workflows/test-template-builds.yaml @@ -24,7 +24,7 @@ concurrency: env: DEBIAN_FRONTEND: noninteractive PYTHON_VERSION: "3.13.7" - WARPGATE_VERSION: "v4.4.0" + WARPGATE_VERSION: "v4.6.0" jobs: detect-changes: diff --git a/.github/workflows/validate-templates.yaml b/.github/workflows/validate-templates.yaml index 911f72e9..35bed776 100644 --- a/.github/workflows/validate-templates.yaml +++ b/.github/workflows/validate-templates.yaml @@ -21,7 +21,7 @@ on: workflow_dispatch: env: - WARPGATE_VERSION: "v4.4.0" + WARPGATE_VERSION: "v4.6.0" PYTHON_VERSION: "3.13.7" TASK_VERSION: "3.45.5" TASK_X_REMOTE_TASKFILES: 1 From 7fd8ca7bb343ecdee24b029b11d747850e658e43 Mon Sep 17 00:00:00 2001 
From: Jayson Grace Date: Thu, 7 May 2026 20:22:28 -0600 Subject: [PATCH 11/14] refactor: generalize azure template for env vars and improve container filtering **Added:** - Parameterized Azure resource values in ares-golden-azure template and README to use environment variables, making the template reusable across subscriptions and environments - Documented required environment variables and provided explicit export instructions in the ares-golden-azure README **Changed:** - Updated container filtering logic in build-and-push-templates and test-template-builds workflows to generically skip all non-container templates (not just AMI-only), enhancing clarity and flexibility in matrix construction and test selection - Improved echo/log messaging in workflows to reflect generalized template skipping - Synchronized schema validation in validate-templates workflow to pin schema version dynamically from the WARPGATE_VERSION environment variable, ensuring validator and schema stay in lockstep - Updated ares-golden-azure warpgate.yaml to use a specific Kali rolling image by digest for reproducibility and security - Consolidated NVIDIA driver and CUDA installation steps in ares-golden-azure warpgate.yaml for more robust GPU support and moved all GPU-related provisioning to a single shell provisioner - Made VM size, subscription, and identity parameters in ares-golden-azure warpgate.yaml fully dynamic via env vars, with documentation for both GPU and CPU build scenarios - Renamed sources.nimbus_range to sources.ares in ares-golden-image warpgate.yaml and clarified comments to match new repo and collection name, while retaining the destination directory for compatibility **Removed:** - Eliminated hardcoded Azure resource identifiers and static example values from the ares-golden-azure template and README, reducing risk of misconfiguration and improving portability - Removed redundant NVIDIA driver installation provisioner in ares-golden-azure warpgate.yaml in favor of a unified 
approach --- .../workflows/build-and-push-templates.yaml | 23 ++++++------ .github/workflows/test-template-builds.yaml | 7 ++-- .github/workflows/validate-templates.yaml | 6 ++-- .../templates/ares-golden-azure/README.md | 31 ++++++++++++---- .../templates/ares-golden-azure/warpgate.yaml | 36 +++++++++---------- .../templates/ares-golden-image/warpgate.yaml | 8 +++-- 6 files changed, 65 insertions(+), 46 deletions(-) diff --git a/.github/workflows/build-and-push-templates.yaml b/.github/workflows/build-and-push-templates.yaml index fd2e24db..7e45a90b 100644 --- a/.github/workflows/build-and-push-templates.yaml +++ b/.github/workflows/build-and-push-templates.yaml @@ -192,15 +192,16 @@ jobs: DEPENDENCY_MAP="{}" PLATFORMS_MAP="{}" ANSIBLE_MAP="{}" - AMI_TEMPLATES=() + NON_CONTAINER_TEMPLATES=() for template_dir in "$GITHUB_WORKSPACE"/warpgate-templates/templates/*/; do if [ -f "${template_dir}warpgate.yaml" ]; then template_name=$(basename "$template_dir") - # Skip AMI-only templates - they cannot be built as containers - if grep -q "type: ami" "${template_dir}warpgate.yaml" && ! grep -q "type: container" "${template_dir}warpgate.yaml"; then - echo " $template_name: SKIPPED (AMI-only template)" - AMI_TEMPLATES+=("$template_name") + # Skip templates without a container target (e.g. AMI-only, Azure-only) + # — this workflow builds and pushes container images. + if ! grep -q "type: container" "${template_dir}warpgate.yaml"; then + echo " $template_name: SKIPPED (no container target)" + NON_CONTAINER_TEMPLATES+=("$template_name") continue fi 
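Review bot: `grep -q "type: container"` is an unanchored substring match over the whole template, so a comment such as `# no type: container target yet`, a description string, or an unrelated mapping value counts as a container target, whereas the check it replaces anchored on the list item (`^\s+- type: ami`). Anchor the new test the same way: `if ! grep -qE '^\s*- type: container\s*$' "${template_dir}warpgate.yaml"; then`. The `for` loop and the enclosing `run:` step begin above the hunk.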
@@ -282,13 +283,13 @@ jobs: ] }') - # Remove AMI-only templates from matrix (they have no dependency/platform maps) - if [ ${#AMI_TEMPLATES[@]} -gt 0 ]; then - AMI_JSON=$(printf '%s\n' "${AMI_TEMPLATES[@]}" | jq -R . | jq -s .) - FULL_MATRIX=$(echo "$FULL_MATRIX" | jq --argjson ami "$AMI_JSON" '{ - include: [.include[] | select(.name as $n | $ami | index($n) | not)] + # Remove non-container templates from matrix (they have no dependency/platform maps) + if [ ${#NON_CONTAINER_TEMPLATES[@]} -gt 0 ]; then + EXCLUDE_JSON=$(printf '%s\n' "${NON_CONTAINER_TEMPLATES[@]}" | jq -R . | jq -s .) + FULL_MATRIX=$(echo "$FULL_MATRIX" | jq --argjson exclude "$EXCLUDE_JSON" '{ + include: [.include[] | select(.name as $n | $exclude | index($n) | not)] }') - echo "Excluded AMI-only templates from container build matrix: ${AMI_TEMPLATES[*]}" + echo "Excluded non-container templates from container build matrix: ${NON_CONTAINER_TEMPLATES[*]}" fi # Apply template filter if provided via workflow_dispatch
diff --git a/.github/workflows/test-template-builds.yaml b/.github/workflows/test-template-builds.yaml
index 99a15ca1..8e2c4c6c 100644
--- a/.github/workflows/test-template-builds.yaml
+++ b/.github/workflows/test-template-builds.yaml
@@ -100,9 +100,10 @@ jobs: continue fi - # Skip AMI templates - they require AWS credentials and cannot be tested in CI - if grep -qE '^\s+- type: ami' "${template_dir}/warpgate.yaml"; then - echo "Skipping $template_name: AMI target type cannot be tested in CI" + # Skip templates without a container target (AMI-only, Azure-only, etc.) + # — this workflow tests container builds in CI. + if ! grep -q "type: container" "${template_dir}/warpgate.yaml"; then + echo "Skipping $template_name: no container target (only container builds are tested in CI)" continue fi
diff --git a/.github/workflows/validate-templates.yaml b/.github/workflows/validate-templates.yaml
index 35bed776..2ab8dd2b 100644
--- a/.github/workflows/validate-templates.yaml
+++ b/.github/workflows/validate-templates.yaml
@@ -169,8 +169,10 @@ jobs: from pathlib import Path from jsonschema import Draft7Validator - # Download the schema - schema_url = "https://raw.githubusercontent.com/cowdogmoo/warpgate/v4.4.0/schema/warpgate-template.json" + # Download the schema (version pinned to the warpgate binary version + # from the workflow env so schema and validator stay in lockstep) + warpgate_version = "${{ env.WARPGATE_VERSION }}" + schema_url = f"https://raw.githubusercontent.com/cowdogmoo/warpgate/{warpgate_version}/schema/warpgate-template.json" print(f"Downloading schema from: {schema_url}") try:
diff --git a/warpgate-templates/templates/ares-golden-azure/README.md b/warpgate-templates/templates/ares-golden-azure/README.md
index e47df0ae..fcfc00f2 100644
--- a/warpgate-templates/templates/ares-golden-azure/README.md
+++ b/warpgate-templates/templates/ares-golden-azure/README.md
@@ -1,8 +1,8 @@ # ares-golden-azure Azure variant of the Ares golden image. Builds a Kali Linux image via Azure -VM Image Builder and publishes a version into the `warpgateTestGallery` Compute -Gallery, with feature parity against the AWS `ares-golden-image` AMI. +VM Image Builder and publishes a version into a Compute Gallery, with feature +parity against the AWS `ares-golden-image` AMI. Ships the same red-team toolchain installed by `ansible/playbooks/ares/goad_attack_box.yml`:
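Review bot: `warpgate_version = "${{ env.WARPGATE_VERSION }}"` splices a workflow expression into Python source inside a `run:` block; the value is a workflow-defined constant here, so it is not attacker-controlled, but this is the pattern GitHub's hardening guidance warns against because the same line copied with an `inputs.*` or `github.*` expression becomes script injection. Since workflow-level `env` is already exported to the step's environment, `warpgate_version = os.environ["WARPGATE_VERSION"]` yields the same value without expression interpolation (it needs `import os`, which is not visible in the hunk). The enclosing `run:` script starts outside the hunk.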
@@ -15,20 +15,37 @@ Ships the same red-team toolchain installed by ## Prerequisites +The template's `targets[].azure` fields are parameterized via environment +variables so the same template works across subscriptions and environments. +The values below are placeholders — substitute your own. + Provisioned manually (one-time): -- Resource group `warpgate-test-rg` in `eastus` -- Compute Gallery `warpgateTestGallery` +- An Azure subscription (`${AZURE_SUBSCRIPTION_ID}`) +- A resource group (`${AZURE_RESOURCE_GROUP}`) in your chosen region + (`${AZURE_LOCATION}`, e.g. `centralus`) +- A Compute Gallery (`${AZURE_GALLERY_NAME}`) - Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2, publisher=`dreadnode`, offer=`ares`, sku=`golden`) -- User-assigned managed identity `warpgate-aib-uami` - with Contributor on `warpgate-test-rg` -- Quota for `Standard_NC4as_T4_v3` in `centralus` (T4 GPU family) +- A user-assigned managed identity (`${AZURE_IDENTITY_ID}` — full resource ID) + with Contributor on the resource group +- Quota for the chosen `${AZURE_VM_SIZE}` in `${AZURE_LOCATION}` + (e.g. `Standard_NC4as_T4_v3` for T4 GPU, `Standard_D4s_v3` for CPU-only) - Kali Marketplace terms accepted on the subscription: `az vm image terms accept --publisher kali-linux --offer kali --plan kali-2026-1` ## Build +Export the required env vars, then build: + ```bash +export AZURE_SUBSCRIPTION_ID= +export AZURE_LOCATION=centralus +export AZURE_RESOURCE_GROUP= +export AZURE_GALLERY_NAME= +export AZURE_IDENTITY_ID=/subscriptions//resourcegroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/ +export AZURE_VM_SIZE=Standard_NC4as_T4_v3 +export GITHUB_TOKEN= + warpgate build path/to/ares-golden-azure --target azure ```
diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml
index 5bfa20c0..121a31ca 100644
--- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml
+++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml
@@ -24,7 +24,7 @@ name: ares-golden-azure version: latest base: - image: kali-linux/kali/kali-last:latest + image: kalilinux/kali-rolling@sha256:dddc31e0f4bc57b4b91e9027762544506bf91c7cdd7ff52104daaa4449b4c726 provisioners: # Install pipx + Ansible, then fetch the nimbus_range collection on the build VM.
@@ -46,13 +46,6 @@ provisioners: - cp -r /tmp/nimbus_range/ansible/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ - rm -rf /tmp/nimbus_range - # Install NVIDIA drivers for GPU-accelerated hashcat on NCas T4 v3 (T4 GPU) - - type: shell - inline: - - apt-get update - - apt-get install -y --no-install-recommends nvidia-driver firmware-misc-nonfree - - nvidia-smi || echo "nvidia-smi not available during image build (expected if no GPU attached)" - # Attack Box - all red team tools + Alloy telemetry # NOTE: Using shell instead of ansible provisioner because the playbook # exceeds Azure VM Image Builder's customizer length limit when inlined.
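Review bot: `image: kalilinux/kali-rolling@sha256:dddc31e0…` pins by digest but records nothing about what the digest was taken from, so the next maintainer cannot tell which tag or date it corresponds to or whether it still resolves on the registry; a comment above the line such as `# kalilinux/kali-rolling: digest of the <tag> image pulled on <date>; bump deliberately` would give that provenance. It is also not visible from this hunk whether the Azure target consumes `base.image` at all — the `targets[].azure` entry later in this file builds from a marketplace `source_image` — so a note stating which targets use `base.image` would stop a reader assuming the digest pin governs the Azure build.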
@@ -61,13 +54,15 @@ provisioners: - PATH=/root/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ansible-galaxy collection install -r /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/requirements.yml --force - HOME=/root ANSIBLE_REMOTE_TMP=/tmp/ansible-tmp-$USER PATH=/root/.local/bin:/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ansible-playbook /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/playbooks/ares/goad_attack_box.yml -i localhost, -c local -e ansible_shell_executable=/bin/bash -e ansible_python_interpreter=/usr/bin/python3 -e cracking_tools_gpu_support=true -e cracking_tools_hashcat_from_source=true -e cracking_tools_nvidia_opencl_icd=true - # NVIDIA GPU drivers + CUDA toolkit for hashcat GPU acceleration. + # NVIDIA GPU drivers + CUDA toolkit for hashcat GPU acceleration on NCas T4 v3. # Kernel headers + dkms are required so the nvidia module builds for the - # running kernel. The image then works on GPU instances (e.g. NCas T4 v3) - # without manual driver setup. + # running kernel. The image then works on GPU instances without manual driver + # setup. nvidia-smi may not be available during image build if no GPU is attached. - type: shell inline: - - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends linux-headers-$(uname -r) dkms nvidia-driver nvidia-cuda-toolkit + - apt-get update + - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends linux-headers-$(uname -r) dkms nvidia-driver nvidia-cuda-toolkit firmware-misc-nonfree + - nvidia-smi || echo "nvidia-smi not available during image build (expected if no GPU attached)" # Cleanup - type: shell 
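Review bot: `linux-headers-$(uname -r)` installs headers for the kernel running on the build VM and dkms builds the nvidia module against that kernel; if any earlier provisioner upgraded the kernel package (the attack-box playbook runs before this step), the image boots a newer kernel with no matching headers or module and `nvidia-smi` only fails on the first real GPU instance. The `|| echo` fallback on the `nvidia-smi` line hides exactly that case during the build, so it would surface after deployment rather than in CI. Installing the matching headers metapackage alongside (`linux-headers-amd64` on Kali/Debian amd64, since the VM sizes named in the comments are x86_64) or adding a post-install check that `dkms status` lists the module for the installed kernel would catch it. Whether an earlier step upgrades the kernel cannot be confirmed from this hunk.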
@@ -78,15 +73,16 @@ provisioners: targets: - type: azure - subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 - location: centralus - resource_group: WARPGATE-TEST-RG - gallery: warpgateTestGallery + os_type: Linux + subscription_id: ${AZURE_SUBSCRIPTION_ID} + location: ${AZURE_LOCATION} + resource_group: ${AZURE_RESOURCE_GROUP} + gallery: ${AZURE_GALLERY_NAME} gallery_image_definition: ares-golden-azure - identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami - vm_size: Standard_D4s_v3 - # For GPU: - # vm_size: Standard_NC4as_T4_v3 + identity_id: ${AZURE_IDENTITY_ID} + vm_size: ${AZURE_VM_SIZE} + # For GPU: set AZURE_VM_SIZE=Standard_NC4as_T4_v3 + # For CPU-only test builds: set AZURE_VM_SIZE=Standard_D4s_v3 source_image: marketplace: publisher: kali-linux
diff --git a/warpgate-templates/templates/ares-golden-image/warpgate.yaml b/warpgate-templates/templates/ares-golden-image/warpgate.yaml
index 55c84f43..65b43f0f 100644
--- a/warpgate-templates/templates/ares-golden-image/warpgate.yaml
+++ b/warpgate-templates/templates/ares-golden-image/warpgate.yaml
@@ -33,7 +33,7 @@ base: most_recent: true sources: - - name: nimbus_range + - name: ares git: repository: https://github.com/dreadnode/ares.git ref: feat/more-attack-cov
@@ -52,9 +52,11 @@ provisioners: - pipx install --force ansible-core - pipx ensurepath - # Copy ansible collection from source (cloned securely by warpgate without embedding token in shell commands) + # Copy ansible collection from source (cloned securely by warpgate without embedding token in shell commands). + # The destination keeps the `nimbus_range` name because the ansible collection is published as + # `dreadnode.nimbus_range`; subsequent steps install it under that namespace. - type: file - source: ${sources.nimbus_range} + source: ${sources.ares} destination: /tmp/nimbus_range - type: shell
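Review bot: The six `${AZURE_*}` references in the `azure` target carry no default and nothing in the file says they are required, so a missing export only surfaces when warpgate resolves the template at build time; a comment above `subscription_id`, `# Required env vars (no defaults): AZURE_SUBSCRIPTION_ID, AZURE_LOCATION, AZURE_RESOURCE_GROUP, AZURE_GALLERY_NAME, AZURE_IDENTITY_ID, AZURE_VM_SIZE — see README.md`, keeps the contract next to the fields it governs. `os_type: Linux` is new in this hunk but not mentioned in the commit message; a one-line comment on why it is now explicit would help the next reader. The `targets` entry continues past the hunk.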
From ca58e9af39af552dec06f1e96869c2234c295b68 Mon Sep 17 00:00:00 2001
From: Jayson Grace
Date: Thu, 7 May 2026 21:02:55 -0600
Subject: [PATCH 12/14] ci: add placeholder environment variables for warpgate template validation
**Added:**
- Introduced placeholder values for Azure and GitHub environment variables in the warpgate validation job to allow syntax-only checks without requiring real secrets or IDs
---
 .github/workflows/validate-templates.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/validate-templates.yaml b/.github/workflows/validate-templates.yaml
index 2ab8dd2b..9b7895f9 100644
--- a/.github/workflows/validate-templates.yaml
+++ b/.github/workflows/validate-templates.yaml
@@ -103,6 +103,17 @@ jobs: } >> "$GITHUB_OUTPUT" - name: Validate templates with warpgate (syntax-only) + # warpgate validate resolves ${VAR} references before checking required + # fields, so placeholders are needed for env-driven values (Azure target + # IDs, GITHUB_TOKEN). Real values are supplied at build time. + env: + GITHUB_TOKEN: placeholder + AZURE_SUBSCRIPTION_ID: 00000000-0000-0000-0000-000000000000 + AZURE_LOCATION: centralus + AZURE_RESOURCE_GROUP: placeholder-rg + AZURE_GALLERY_NAME: placeholder-gallery + AZURE_IDENTITY_ID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/placeholder-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/placeholder-uami + AZURE_VM_SIZE: Standard_D4s_v3 run: | failed=0 while IFS= read -r template; do
From 3b7ad3e648ce3a0844cbc7579dd762689b950c3e Mon Sep 17 00:00:00 2001
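Review bot: The placeholder `env:` block mixes obviously fake values (`placeholder-rg`, an all-zero subscription) with real, valid ones (`AZURE_LOCATION: centralus`, `AZURE_VM_SIZE: Standard_D4s_v3`), so if this block were ever inherited by a step that actually builds, only some of the mistakes would fail loudly; making every value clearly fake, e.g. `AZURE_LOCATION: placeholder-location` and `AZURE_VM_SIZE: placeholder-size`, keeps the intent unambiguous — provided `warpgate validate` does not check those against an allow-list, which is not visible here. `GITHUB_TOKEN: placeholder` is fine for a syntax check, but the comment should also state that syntax-only mode never contacts GitHub with it, since the `git`-sourced templates it satisfies would otherwise fail on a bogus token. The `run:` script continues past the hunk.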
From: Jayson Grace
Date: Thu, 7 May 2026 21:06:54 -0600
Subject: [PATCH 13/14] ci: update Warpgate version to v4.7.0 in all workflows
**Changed:**
- Bump WARPGATE_VERSION from v4.6.0 to v4.7.0 in build-and-push-templates, test-template-builds, and validate-templates workflows
- Update yamllint configuration in validate-templates workflow to use the project-wide .hooks/linters/yamllint.yaml for consistent linting and reduced log noise
---
 .github/workflows/build-and-push-templates.yaml | 2 +-
 .github/workflows/test-template-builds.yaml | 2 +-
 .github/workflows/validate-templates.yaml | 7 +++++--
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-and-push-templates.yaml b/.github/workflows/build-and-push-templates.yaml
index 7e45a90b..20ed2805 100644
--- a/.github/workflows/build-and-push-templates.yaml
+++ b/.github/workflows/build-and-push-templates.yaml
@@ -30,7 +30,7 @@ env: PYTHON_VERSION: 3.13.7 TASK_VERSION: 3.45.5 TASK_X_REMOTE_TASKFILES: 1 - WARPGATE_VERSION: "v4.6.0" + WARPGATE_VERSION: "v4.7.0" jobs: discover-templates:
diff --git a/.github/workflows/test-template-builds.yaml b/.github/workflows/test-template-builds.yaml
index 8e2c4c6c..e70c0453 100644
--- a/.github/workflows/test-template-builds.yaml
+++ b/.github/workflows/test-template-builds.yaml
@@ -24,7 +24,7 @@ concurrency: env: DEBIAN_FRONTEND: noninteractive PYTHON_VERSION: "3.13.7" - WARPGATE_VERSION: "v4.6.0" + WARPGATE_VERSION: "v4.7.0" jobs: detect-changes:
diff --git a/.github/workflows/validate-templates.yaml b/.github/workflows/validate-templates.yaml
index 9b7895f9..9eb7b852 100644
--- a/.github/workflows/validate-templates.yaml
+++ b/.github/workflows/validate-templates.yaml
@@ -21,7 +21,7 @@ on: workflow_dispatch: env: - WARPGATE_VERSION: "v4.6.0" + WARPGATE_VERSION: "v4.7.0" PYTHON_VERSION: "3.13.7" TASK_VERSION: "3.45.5" TASK_X_REMOTE_TASKFILES: 1
@@ -161,11 +161,14 @@ jobs: fi - name: Validate YAML syntax + # Reuse the project-wide yamllint config (.hooks/linters/yamllint.yaml) + # so this step matches what pre-commit runs locally — keeps shell-heavy + # provisioner inlines from drowning the log in line-length warnings. run: | pip install yamllint find warpgate-templates -name '*.yaml' -o -name '*.yml' | while read -r file; do echo "Checking YAML syntax: $file" - yamllint -d "{extends: relaxed, rules: {line-length: {max: 120}}}" "$file" + yamllint -c .hooks/linters/yamllint.yaml "$file" done - name: Validate against JSON schema
From f2eaf58c1d9e105929ec4b96813394eafdc9c407 Mon Sep 17 00:00:00 2001
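Review bot: `pip install yamllint` in the context line is unpinned, so the lint result depends on whatever yamllint release PyPI serves on the day the job runs, and a new default rule in a future version can turn this step red with no change to the repository; pinning it, `pip install 'yamllint==<pinned-version>'`, or carrying the version in the workflow `env:` next to `PYTHON_VERSION` and `TASK_VERSION`, keeps the step reproducible. The new comment names `.hooks/linters/yamllint.yaml`, but if that file is moved the only signal is yamllint's own error per file inside the loop; a `test -f .hooks/linters/yamllint.yaml` before the `find` would fail once with a clear message. The step's `run:` script is fully inside the hunk.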
From: Jayson Grace
Date: Thu, 7 May 2026 21:07:23 -0600
Subject: [PATCH 14/14] feat: switch ares-golden-image to local source and bump warpgate to v4.7.0 (#265)
**Key Changes:**
- Replace git-based source for ares-golden-image with a warpgate `local` source pointing at the in-repo `ansible/` tree, eliminating GITHUB_TOKEN usage and branch ref drift at build time
- Bump WARPGATE_VERSION from v4.6.0 to v4.7.0 across all three template workflows so CI uses a binary that supports the `local` source type
- Adjust the in-VM collection copy path to match the new source layout (`/tmp/nimbus_range/.` instead of `/tmp/nimbus_range/ansible/.`)
**Changed:**
- Switch `warpgate-templates/templates/ares-golden-image/warpgate.yaml` from a `git` source (cloning dreadnode/ares.git@feat/more-attack-cov via GITHUB_TOKEN) to a `local` source at `../../../ansible`, so builds always match the working copy and ship only the ansible tree
- Update the post-copy provisioner shell step to `cp -r /tmp/nimbus_range/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/` to reflect that the local source is rooted at `ansible/` rather than the full repo
- Bump `WARPGATE_VERSION` to `v4.7.0` in `.github/workflows/build-and-push-templates.yaml`, `.github/workflows/test-template-builds.yaml`, and `.github/workflows/validate-templates.yaml`, since the `local` source type was added in CowDogMoo/warpgate#1841 and released in v4.7.0
- Refresh the inline comments in `warpgate.yaml` to describe the local-source setup instead of the prior secure-clone behavior
---
 .../templates/ares-golden-image/warpgate.yaml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/warpgate-templates/templates/ares-golden-image/warpgate.yaml b/warpgate-templates/templates/ares-golden-image/warpgate.yaml
index 65b43f0f..d56af8af 100644
--- a/warpgate-templates/templates/ares-golden-image/warpgate.yaml
+++ b/warpgate-templates/templates/ares-golden-image/warpgate.yaml
@@ -33,13 +33,12 @@ base: most_recent: true sources: + # Use the in-repo ansible/ tree directly so builds match the working copy + # (no GITHUB_TOKEN, no branch ref drift). Path is relative to this template's + # directory; requires warpgate >= v4.7.0 (local source type). - name: ares - git: - repository: https://github.com/dreadnode/ares.git - ref: feat/more-attack-cov - depth: 1 - auth: - token: ${GITHUB_TOKEN} + local: + path: ../../../ansible provisioners: # Install pipx and Ansible
@@ -52,7 +51,7 @@ provisioners: - pipx install --force ansible-core - pipx ensurepath - # Copy ansible collection from source (cloned securely by warpgate without embedding token in shell commands). + # Copy ansible collection from the local source (the in-repo ansible/ tree). # The destination keeps the `nimbus_range` name because the ansible collection is published as # `dreadnode.nimbus_range`; subsequent steps install it under that namespace. - type: file
@@ -62,7 +61,7 @@ provisioners: - type: shell inline: - mkdir -p /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range - - cp -r /tmp/nimbus_range/ansible/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ + - cp -r /tmp/nimbus_range/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ - rm -rf /tmp/nimbus_range # Install NVIDIA drivers for GPU-accelerated hashcat on g4dn (T4 GPU)
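Review bot: A `local` source copies the `ansible/` tree as it sits on disk, so untracked or gitignored files (vault password files, `.env`, editor scratch) end up inside the image under `/root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/`, whereas the replaced `git` clone at `depth: 1` shipped only committed content; whether warpgate's `local` source honours an exclude list cannot be told from this hunk, so the new comment should at least say so, e.g. `# NOTE: copies the tree as-is, including untracked/ignored files — build from a clean checkout.` The `requires warpgate >= v4.7.0` sentence is informational only: nothing in the template enforces it, so an older binary fails with an unknown-source-type error rather than a version message, and a note pointing at `WARPGATE_VERSION` in the workflows as the enforced floor would close that gap. The same comment applies to the `cp -r /tmp/nimbus_range/.` hunk in this file, which is where the copied tree is installed.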