From ee8fac8ab8529e2d105c7e55c2c9b28aefd19b46 Mon Sep 17 00:00:00 2001 
From: "W. Kosior" Date: Mon, 27 May 2024 12:19:19 +0200 Subject: Update and add remaining files. --- abdul-blog/Makefile | 22 ++ abdul-blog/hello-world.gmi | 5 + abdul-blog/hello-world.html | 49 +++ abdul-blog/index.gmi | 35 +++ abdul-blog/index.html | 49 +++ abdul-blog/learning-guix-home.gmi | 49 +++ abdul-blog/learning-guix-home.html | 49 +++ abdul-blog/matterbridge-in-tildeserver.gmi | 174 +++++++++++ abdul-blog/matterbridge-in-tildeserver.html | 49 +++ abdul-blog/mine-guix-shell.gmi | 19 ++ abdul-blog/mine-guix-shell.html | 49 +++ abdul-blog/minetest-server.gmi | 105 +++++++ abdul-blog/minetest-server.html | 49 +++ abdul-blog/sorry-gemini-only.gmi | 4 + abdul-home/abdultest.conf | 4 + abdul-home/config.toml | 24 ++ abdul-home/home-config.scm | 84 +++++ ctftilde/src/guile/ctftilde/main-site.scm | 84 +++-- ctftilde/src/guile/ctftilde/users.scm | 53 ++-- gemini/first-steps.gmi | 55 ++++ gemini/index.gmi | 16 +- gemini/security-warning.gmi | 11 + notes.org | 55 ++++ presentation/Awesome_Demon.svg | 407 ++++++++++++++++++++++++ presentation/Guix_logo.svg | 157 ++++++++++ presentation/Guix_logo_with_flag.svg | 276 +++++++++++++++++ presentation/Nix_logo.svg | 424 ++++++++++++++++++++++++++ presentation/Red_flag_waving.svg | 28 ++ presentation/ctf-guix-store-onlynotes.pdf | Bin 0 -> 290908 bytes presentation/ctf-guix-store-withnotes.pdf | Bin 0 -> 322458 bytes presentation/ctf-guix-store.pdf | Bin 0 -> 322458 bytes presentation/ctf-guix-store.tex | 295 ++++++++++++++++++ presentation/screenshots/abdul-blog-index.png | Bin 0 -> 30938 bytes presentation/screenshots/account-creation.png | Bin 0 -> 19403 bytes presentation/screenshots/gemini-capsule.png | Bin 0 -> 32301 bytes presentation/screenshots/hint1.png | Bin 0 -> 38728 bytes presentation/screenshots/hint2.png | Bin 0 -> 50720 bytes vm-deploy.scm | 4 +- vm.scm | 20 +- 39 files changed, 2656 insertions(+), 48 deletions(-) create mode 100644 abdul-blog/Makefile create mode 100644 abdul-blog/hello-world.gmi create 
mode 100644 abdul-blog/hello-world.html create mode 100644 abdul-blog/index.gmi create mode 100644 abdul-blog/index.html create mode 100644 abdul-blog/learning-guix-home.gmi create mode 100644 abdul-blog/learning-guix-home.html create mode 100644 abdul-blog/matterbridge-in-tildeserver.gmi create mode 100644 abdul-blog/matterbridge-in-tildeserver.html create mode 100644 abdul-blog/mine-guix-shell.gmi create mode 100644 abdul-blog/mine-guix-shell.html create mode 100644 abdul-blog/minetest-server.gmi create mode 100644 abdul-blog/minetest-server.html create mode 100644 abdul-blog/sorry-gemini-only.gmi create mode 100644 abdul-home/abdultest.conf create mode 100644 abdul-home/config.toml create mode 100644 abdul-home/home-config.scm create mode 100644 gemini/first-steps.gmi create mode 100644 gemini/security-warning.gmi create mode 100644 notes.org create mode 100644 presentation/Awesome_Demon.svg create mode 100644 presentation/Guix_logo.svg create mode 100644 presentation/Guix_logo_with_flag.svg create mode 100644 presentation/Nix_logo.svg create mode 100644 presentation/Red_flag_waving.svg create mode 100644 presentation/ctf-guix-store-onlynotes.pdf create mode 100644 presentation/ctf-guix-store-withnotes.pdf create mode 100644 presentation/ctf-guix-store.pdf create mode 100644 presentation/ctf-guix-store.tex create mode 100644 presentation/screenshots/abdul-blog-index.png create mode 100644 presentation/screenshots/account-creation.png create mode 100644 presentation/screenshots/gemini-capsule.png create mode 100644 presentation/screenshots/hint1.png create mode 100644 presentation/screenshots/hint2.png diff --git a/abdul-blog/Makefile b/abdul-blog/Makefile new file mode 100644 index 0000000..efa6127 --- /dev/null +++ b/abdul-blog/Makefile 
@@ -0,0 +1,22 @@ +GEMINI_ONLY = \ + minetest-server \ + matterbridge-in-tildeserver +GEMINI_AND_HTML = \ + index \ + hello-world \ + mine-guix-shell \ + learning-guix-home + +all: $(addsuffix .html,$(GEMINI_ONLY) $(GEMINI_AND_HTML)) +.PHONY: all + +%.html: %.gmi + if printf %s '$(GEMINI_ONLY)' | grep -q $*; then \ + ./convert_gemtext_file.py sorry-gemini-only.gmi > $@; \ + else \ + ./convert_gemtext_file.py $< > $@; \ + fi + +clean: + rm -rf *.html +.PHONY: clean diff --git a/abdul-blog/hello-world.gmi b/abdul-blog/hello-world.gmi new file mode 100644 index 0000000..ca3848f --- /dev/null +++ b/abdul-blog/hello-world.gmi @@ -0,0 +1,5 @@ +# Hello, World! + +I just discovered server ctftilde.koszko.org. It seems the first public tilde server with available GNU Guix for the users. And also it has Gemini server ^^ What an wonderful opportunity to start an blog! + +=> /~abdul/index.gmi back into blog index diff --git a/abdul-blog/hello-world.html b/abdul-blog/hello-world.html new file mode 100644 index 0000000..0c938e6 --- /dev/null +++ b/abdul-blog/hello-world.html @@ -0,0 +1,49 @@ + + + + + +
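Review bot: The `%.html` recipe decides Gemini-only status with `grep -q $*`, an unanchored substring match, so a stem that is a prefix of a GEMINI_ONLY entry (a future `minetest` page against `minetest-server`, say) would silently get the sorry page; match whole entries instead with `if printf '%s\n' $(GEMINI_ONLY) | grep -qxF -- '$*'; then \`. The recipe also calls `./convert_gemtext_file.py`, which does not appear in this commit's diffstat, so unless the script is already tracked `make all` fails on a fresh checkout. Consider listing `sorry-gemini-only.gmi` as a prerequisite of the Gemini-only targets so editing the placeholder rebuilds them.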
+

Hello, World!

I just discovered server ctftilde.koszko.org. It seems the first public tilde server with available GNU Guix for the users. And also it has Gemini server ^^ What an wonderful opportunity to start an blog!

back into blog index

+
+ diff --git a/abdul-blog/index.gmi b/abdul-blog/index.gmi new file mode 100644 index 0000000..d4c5585 --- /dev/null +++ b/abdul-blog/index.gmi @@ -0,0 +1,35 @@ +# Abdul's technology blog + +Hi, I'm Abdul El-Ihn-Ohn-Ih. I'm a enthusiast in programming. Lisp is mine favourite language. I also enjoy to write (I write about stuff I do on an computer). +Below is my index of mine blog entries. If something there is interesting you, feel free emailing me at abdul2007@pm.me. +Note: some of articles are avaiable only in gemini://. Use an gemini browser for view that. + +=> gemini://geminiprotocol.net/ +=> gemini://geminiprotocol.net/software/ + +## Mine entries +### 2024-03-15 + +=> /~abdul/matterbridge-in-tildeserver.gmi Matterbridge in tildeserver + +### 2024-02-29 + +=> /~abdul/minetest-server.gmi Mine Minetest + +### 2024-02-25 + +=> /~abdul/learning-guix-home.gmi Learning Guix Home + +### 2024-02-20 + +=> /~abdul/mine-guix-shell.gmi Mine Guix shell + +### 2024-02-11 + +=> /~abdul/hello-world.gmi Hello, World! + +## Other peoples blogs + +I would like to writing links to other cool Tilde Server blogs here. If you did maked the blog on ctftilde.koszko.org like I did maked, please tell me an link to this and I will write it below. + +=> https://ctftilde.koszko.org/registration Registration to Tilde Server diff --git a/abdul-blog/index.html b/abdul-blog/index.html new file mode 100644 index 0000000..1ea4af8 --- /dev/null +++ b/abdul-blog/index.html @@ -0,0 +1,49 @@ + + + + + +
+

Abdul's technology blog

Hi, I'm Abdul El-Ihn-Ohn-Ih. I'm a enthusiast in programming. Lisp is mine favourite language. I also enjoy to write (I write about stuff I do on an computer).

Below is my index of mine blog entries. If something there is interesting you, feel free emailing me at abdul2007@pm.me.

Note: some of articles are avaiable only in gemini://. Use an gemini browser for view that.

https://geminiprotocol.net/

https://geminiprotocol.net/software/

Mine entries

2024-03-15

Matterbridge in tildeserver

2024-02-29

Mine Minetest

2024-02-25

Learning Guix Home

2024-02-20

Mine Guix shell

2024-02-11

Hello, World!

Other peoples blogs

I would like to writing links to other cool Tilde Server blogs here. If you did maked the blog on ctftilde.koszko.org like I did maked, please tell me an link to this and I will write it below.

Registration to Tilde Server

+
+ diff --git a/abdul-blog/learning-guix-home.gmi b/abdul-blog/learning-guix-home.gmi new file mode 100644 index 0000000..ca3c98c --- /dev/null +++ b/abdul-blog/learning-guix-home.gmi @@ -0,0 +1,49 @@ +# Learning Guix Home + +Today I just learnt to use + +``` +guix home +``` + +command to reconfigure my home environment with functional package manager in Guix. I written this script on my UNIX Tilde account. + +``` +(use-modules ((gnu home) #:select (home-environment)) + ((gnu home services) #:select + (home-files-service-type service)) + ((gnu home services shells) #:select + (home-bash-configuration home-bash-service-type)) + ((gnu system shadow) #:select (%default-dotguile)) + ((guix gexp) #:select (file-append gexp local-file plain-file))) + +(home-environment + (services + (list + (service home-bash-service-type + (home-bash-configuration + (bash-profile (list (plain-file + "bash_ps1" + "export PS1=\"\n↓← $PS1\n→ \""))))) + + (service home-files-service-type + `((".guile" ,%default-dotguile)))))) +``` + +I written it in home-config.scm and then I run + +``` +guix home reconfigure home-config.scm +``` + +Now I having better bash shell which taking less characters, so I can write more command in one line. +## Mine currently working +I am currently working to serving Minetest Server on Tilde Server. I installed it by + +``` +guix shell minetest +``` + +and I will to write about in mine next blog post. + +=> /~abdul/index.gmi back into blog index diff --git a/abdul-blog/learning-guix-home.html b/abdul-blog/learning-guix-home.html new file mode 100644 index 0000000..42dcf9d --- /dev/null +++ b/abdul-blog/learning-guix-home.html @@ -0,0 +1,49 @@ + + + + + +
+

Learning Guix Home

Today I just learnt to use

guix home

command to reconfigure my home environment with functional package manager in Guix. I written this script on my UNIX Tilde account.

(use-modules ((gnu home) #:select (home-environment))((gnu home services) #:select(home-files-service-type service))((gnu home services shells) #:select(home-bash-configuration home-bash-service-type))((gnu system shadow) #:select (%default-dotguile))((guix gexp) #:select (file-append gexp local-file plain-file)))(home-environment(services(list(service home-bash-service-type(home-bash-configuration(bash-profile (list (plain-file"bash_ps1""export PS1=\"\n↓← $PS1\n→ \"")))))(service home-files-service-type`((".guile" ,%default-dotguile))))))

I written it in home-config.scm and then I run

guix home reconfigure home-config.scm

Now I having better bash shell which taking less characters, so I can write more command in one line.

Mine currently working

I am currently working to serving Minetest Server on Tilde Server. I installed it by

guix shell minetest

and I will to write about in mine next blog post.

back into blog index

+
+ diff --git a/abdul-blog/matterbridge-in-tildeserver.gmi b/abdul-blog/matterbridge-in-tildeserver.gmi new file mode 100644 index 0000000..f7e3e03 --- /dev/null +++ b/abdul-blog/matterbridge-in-tildeserver.gmi 
@@ -0,0 +1,174 @@ +# Matterbridge in tildeserver + +Hello friends, today I maked a bridge with Matterbridge program for Discord and Matrix room I talk in. It is cool because I run this in Guix functional package manager with UNIX Tilde server. + +## Config .scm + +I added 1 line to mine home config to using new modules + +``` + ((gnu packages messaging) #:select (matterbridge)) +``` + +And I has added more lines down under + +``` +(define home-matterbridge-services + (const + (list (shepherd-service + (provision '(mattermost)) + (modules '((shepherd support))) ;for '%user-log-dir' + (start #~(make-forkexec-constructor + '(#$(file-append matterbridge "/bin/matterbridge") + "--conf" + #$(local-file "config.toml")) + #:log-file (string-append %user-log-dir + "/matterbridge.log"))) + (stop #~(make-kill-destructor)) + (documentation "Start local matterbridge."))))) + +(define home-matterbridge-service-type + (service-type + (name 'home-matterbridge) + (extensions + (list (service-extension home-shepherd-service-type + home-matterbridge-services))) + (description "Bridge messaging platforms using matterbridge.") + (default-value #f))) +``` + +That define service, that I use in home environment, like this + +``` + (service home-matterbridge-service-type) +``` + +This is similar to Minetest Server service. + +=> /~abdul/minetest-server.gmi mine Minetest Server blog post + +## Matterbridge config .toml + +I use also an .toml file to configuring the Matterbridge program. 
It have this + +``` +[matrix.noevil-pl] +Server="https://matrix.noevil.pl" +Login="abdul" +Password="***************" +RemoteNickFormat="[{PROTOCOL}] <{NICK}> " +NoHomeServerSuffix=false + +[discord.cyber] +Server="3333333333333333333" +Token="000000000000000000000000.111111.22222222222222222222222222222222222222" +RemoteNickFormat="[{PROTOCOL}] <{NICK}> " +PreserveThreading=true + +[[gateway]] +name="secret_room" +enable=true + +[[gateway.inout]] +account="matrix.noevil-pl" +channel="!HNiADouYMzLGUUxtxw:noevil.pl" + +[[gateway.inout]] +account="discord.cyber" +channel="ID:1207786885481500702" +``` + +There I replace an real password with "***************". + +## Full config .scm + +This is mine config full + +``` +(use-modules ((gnu home) #:select (home-environment)) + ((gnu home services) #:select + (home-activation-service-type home-files-service-type service + service-extension service-type)) + ((gnu home services shells) #:select + (home-bash-configuration home-bash-service-type)) + ((gnu home services shepherd) #:select + (home-shepherd-service-type shepherd-service)) + ((gnu packages messaging) #:select (matterbridge)) + ((gnu packages minetest) #:select (minetest-server)) + ((gnu system shadow) #:select (%default-dotguile)) + ((guix gexp) #:select (file-append gexp local-file plain-file))) + +(define home-matterbridge-services + (const + (list (shepherd-service + (provision '(mattermost)) + (modules '((shepherd support))) ;for '%user-log-dir' + (start #~(make-forkexec-constructor + '(#$(file-append matterbridge "/bin/matterbridge") + "--conf" + #$(local-file "config.toml")) + #:log-file (string-append %user-log-dir + "/matterbridge.log"))) + (stop #~(make-kill-destructor)) + (documentation "Start local matterbridge."))))) + +(define home-matterbridge-service-type + (service-type + (name 'home-matterbridge) + (extensions + (list (service-extension home-shepherd-service-type + home-matterbridge-services))) + (description "Bridge messaging platforms using 
matterbridge.") + (default-value #f))) + +(define home-minetest-services + (const + (list (shepherd-service + (provision '(minetest)) + (modules '((shepherd support))) ;for '%user-log-dir' + (start #~(make-forkexec-constructor + '(#$(file-append minetest-server "/bin/minetestserver") + "--gameid" "minetest" + "--config" #$(local-file "abdultest.conf")) + #:environment-variables + (cons + (format #f "MINETEST_SUBGAME_PATH=~a/share/minetest/games" + #$(@@ (gnu packages minetest) minetest-data)) + (default-environment-variables)) + #:log-file (string-append %user-log-dir + "/minetest.log"))) + (stop #~(make-kill-destructor)) + (documentation "Start Minetest block game like Minecraft."))))) + +(define home-minetest-activation + (const #~(mkdir-p "/home/ctftilde/ctftilde-abdul/.local/minetest/abdultest"))) + +(define home-minetest-service-type + (service-type + (name 'home-minetest) + (extensions + (list (service-extension home-shepherd-service-type + home-minetest-services) + (service-extension home-activation-service-type + home-minetest-activation))) + (description "Minetest block game like Minecraft.") + (default-value #f))) + +(home-environment + (services + (list + (service home-bash-service-type + (home-bash-configuration + (bash-profile (list (plain-file + "bash_ps1" + "export PS1=\"\n↓← $PS1\n→ \""))))) + + (service home-files-service-type + `((".guile" ,%default-dotguile))) + + (service home-matterbridge-service-type) + + (service home-minetest-service-type)))) +``` + +=> /~abdul/index.gmi back into blog index diff --git a/abdul-blog/matterbridge-in-tildeserver.html b/abdul-blog/matterbridge-in-tildeserver.html new file mode 100644 index 0000000..ca128da --- /dev/null +++ b/abdul-blog/matterbridge-in-tildeserver.html @@ -0,0 +1,49 @@ + + + + + +
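Review bot: The "Full config .scm" section publishes `#$(local-file "config.toml")`, which copies the TOML file — including the Matrix password and Discord token the post redacts — into /gnu/store, where every account on the shared host can read it, so the redaction in the post protects nothing while the store copy is live. If this is the intended leak for the challenge (the presentation is named ctf-guix-store), it would help future maintainers of the repository to say so in notes.org rather than leave it implicit. Independently of that, the Matrix room ID and Discord channel ID are left unredacted while the server ID and token are replaced with placeholders; applying the same treatment to them would be consistent.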
+

Gemini-only page

Sorry, that page is unavaiable for viewing in HTTPS. Please use Gemini instead of.

back into blog index

+
+ diff --git a/abdul-blog/mine-guix-shell.gmi b/abdul-blog/mine-guix-shell.gmi new file mode 100644 index 0000000..eca28fa --- /dev/null +++ b/abdul-blog/mine-guix-shell.gmi @@ -0,0 +1,19 @@ +# Mine guix shell + +An + +``` +guix shell +``` + +command is very cool. Today I maked Lagrange Gemini client installed in an shell. I can do that by + +``` +guix shell lagrange +``` + +=> https://gmi.skyjake.fi/lagrange/ Lagrange Browser Website + +I display many interesting Gemini websites under Lagrange. I can even reading Wikipedia on Gemini. It's cool and I'd like to more people use Gemini instead of HTTPS. + +=> /~abdul/index.gmi back into blog index diff --git a/abdul-blog/mine-guix-shell.html b/abdul-blog/mine-guix-shell.html new file mode 100644 index 0000000..442aac7 --- /dev/null +++ b/abdul-blog/mine-guix-shell.html @@ -0,0 +1,49 @@ + + + + + +
+

Mine guix shell

An

guix shell

command is very cool. Today I maked Lagrange Gemini client installed in an shell. I can do that by

guix shell lagrange

Lagrange Browser Website

I display many interesting Gemini websites under Lagrange. I can even reading Wikipedia on Gemini. It's cool and I'd like to more people use Gemini instead of HTTPS.

back into blog index

+
+ diff --git a/abdul-blog/minetest-server.gmi b/abdul-blog/minetest-server.gmi new file mode 100644 index 0000000..0a0c819 --- /dev/null +++ b/abdul-blog/minetest-server.gmi 
@@ -0,0 +1,105 @@ +# Mine Minetest + +Haha, 2x "Mine", I hope you see an joke. +I write to explain you how I setup minetest server under this Tilde UNIX server. Also is this mine first blog post which only is on Gemini and not on HTTPS. You have to installed a Gemini client to reading it. + +## Guix config + +Mine Guix Home config has growing a lot and this is now + +``` +(use-modules ((gnu home) #:select (home-environment)) + ((gnu home services) #:select + (home-files-service-type service service-extension + service-type)) + ((gnu home services shells) #:select + (home-bash-configuration home-bash-service-type)) + ((gnu home services shepherd) #:select + (home-shepherd-service-type shepherd-service)) + ((gnu packages minetest) #:select (minetest-server)) + ((gnu system shadow) #:select (%default-dotguile)) + ((guix gexp) #:select (file-append gexp local-file plain-file))) + +(define home-minetest-services + (const + (list (shepherd-service + (provision '(minetest)) + (modules '((shepherd support))) ;for '%user-log-dir' + (start #~(make-forkexec-constructor + '(#$(file-append minetest-server "/bin/minetestserver") + "--gameid" "minetest" + "--config" #$(local-file "abdultest.conf")) + #:log-file (string-append %user-log-dir + "/minetest.log"))) + (stop #~(make-kill-destructor)) + (documentation "Start Minetest block game like Minecraft."))))) + +(define home-minetest-activation + (const #~(mkdir-p "/home/ctftilde/ctftilde-abdul/.local/minetest/abdultest"))) + +(define home-minetest-service-type + (service-type + (name 'home-minetest) + (extensions + (list (service-extension home-shepherd-service-type + home-minetest-services) + (service-extension home-activation-service-type + home-minetest-activation))) + (description "Minetest block game like Minecraft.") + (default-value #f))) + +(home-environment + (services + (list + (service home-bash-service-type + (home-bash-configuration + (bash-profile (list (plain-file + "bash_ps1" + "export PS1=\"\n↓← $PS1\n→ \""))))) 
+ + (service home-files-service-type + `((".guile" ,%default-dotguile))) + + (service home-minetest-service-type)))) +``` + +But this is no all, and I had advice to writing Minetest Server map config in a new file abdultest.conf. This is inside that + +``` +map-dir = /home/ctftilde/abdul/.local/minetest/abdultest +server_name = Abdul & friends +motd = I and mine friends build of blocks +port = 20030 +``` + +Then I use + +``` +#$(local-file "abdultest.conf") +``` + +to putting the file into Guix and it put an path to .conf file in Minetest Server command. (I had been said this helps because Guix can "declaratively" define the system) + +## Adding to Cron + +Services from .scm configuration file are runned by shepderd who is started when user logins. So yeah, I want a initial shepherd process starting when reboot and a Minetest Server process starting by shepherd then. For that I edit crontab like + +``` +crontab -e +``` + +and write line like + +``` +* * * * * bash -l +``` + +## Thanks + +I wanted to thank to Wojtek Kosior for helping me 2x to write Guix home configs and write cron configs. Thank you and you also for wanting to reading my blog. + +## Mine currently working + +I am now plan to using matterbridge software to connecting Matrix and Discord. I try to doing this similar to doing the Minetest Server and to using Guix Home functional package manager to doing that. + +=> /~abdul/index.gmi back into blog index diff --git a/abdul-blog/minetest-server.html b/abdul-blog/minetest-server.html new file mode 100644 index 0000000..ca128da --- /dev/null +++ b/abdul-blog/minetest-server.html @@ -0,0 +1,49 @@ + + + + + +
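Review bot: The map directory is inconsistent within the post: the quoted `abdultest.conf` sets `map-dir = /home/ctftilde/abdul/.local/minetest/abdultest` while the activation gexp runs `(mkdir-p "/home/ctftilde/ctftilde-abdul/.local/minetest/abdultest")`, so the directory created at activation is not the one the server writes to. Since users.scm in this same commit now builds homes as `/home/ctftilde/` plus the name with the `ctftilde-` prefix stripped, the `abdul` form appears to be the right one for both places. The cron line `* * * * * bash -l` also respawns a login shell every minute just to get shepherd started after a reboot; `@reboot bash -l` states that intent directly and avoids the per-minute churn on a shared box.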
+

Gemini-only page

Sorry, that page is unavaiable for viewing in HTTPS. Please use Gemini instead of.

back into blog index

+
+ diff --git a/abdul-blog/sorry-gemini-only.gmi b/abdul-blog/sorry-gemini-only.gmi new file mode 100644 index 0000000..ce34f26 --- /dev/null +++ b/abdul-blog/sorry-gemini-only.gmi @@ -0,0 +1,4 @@ +# Gemini-only page +Sorry, that page is unavaiable for viewing in HTTPS. Please use Gemini instead of. + +=> /~abdul/index.gmi back into blog index diff --git a/abdul-home/abdultest.conf b/abdul-home/abdultest.conf new file mode 100644 index 0000000..552c257 --- /dev/null +++ b/abdul-home/abdultest.conf @@ -0,0 +1,4 @@ +map-dir = /home/ctftilde/ctftilde-abdul/.local/minetest/abdultest +server_name = Abdul & friends +motd = I and mine friends build of blocks +port = 20030 diff --git a/abdul-home/config.toml b/abdul-home/config.toml new file mode 100644 index 0000000..c41cb25 --- /dev/null +++ b/abdul-home/config.toml @@ -0,0 +1,24 @@ +[matrix.noevil-pl] +Server="https://matrix.noevil.pl" +Login="abdul" +Password="fla\u0067{full_source-bootstrap}" +RemoteNickFormat="[{PROTOCOL}] <{NICK}> " +NoHomeServerSuffix=false + +[discord.cyber] +Server="1204895616921112586" +Token="NzY1OTgwMjA2Nzc4Mjg2MTIx.Gpz4tE.HOslqKftF2_bm2y_bIaaACyy3_vLBmbevl02JQ" +RemoteNickFormat="[{PROTOCOL}] <{NICK}> " +PreserveThreading=true + +[[gateway]] +name="secret_room" +enable=true + +[[gateway.inout]] +account="matrix.noevil-pl" +channel="!HNiADouYMzLGUUxtxw:noevil.pl" + +[[gateway.inout]] +account="discord.cyber" +channel="ID:1207786885481500702" diff --git a/abdul-home/home-config.scm b/abdul-home/home-config.scm new file mode 100644 index 0000000..8f46e84 --- /dev/null +++ b/abdul-home/home-config.scm 
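Review bot: `map-dir = /home/ctftilde/ctftilde-abdul/.local/minetest/abdultest` hard-codes a home path that this commit's users.scm change no longer produces: `*make-user` now derives the home as `/home/ctftilde/` plus the username with the `ctftilde-` prefix stripped, i.e. `/home/ctftilde/abdul`. The activation gexp in `abdul-home/home-config.scm` targets a third form (`~/.local/...`), so the directory that gets created and the one Minetest writes to may differ. Use one path consistently, e.g. `map-dir = /home/ctftilde/abdul/.local/minetest/abdultest`, and confirm it against the actual home of the account this fixture belongs to.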
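Review bot: `Password=` and `Token=` put live-looking credentials under version control: the Discord `Token` has the three-part shape of a real bot token (base64-encoded snowflake, timestamp, HMAC), and the Matrix `Password` is the challenge flag `flag{full_source-bootstrap}` written with a `\u0067` escape. If that token was ever valid it must be treated as leaked and regenerated in the Discord developer portal regardless of the repository's visibility; if it is fabricated for the challenge, say so with a comment such as `# Token is a dummy for the ctf-guix-store challenge` so a future reader does not have to guess. Note also that `home-config.scm` references this file via `local-file`, so once that service is enabled every byte of it lands world-readable in /gnu/store — presumably the intended leak, but worth stating in notes.org.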
@@ -0,0 +1,84 @@ +(use-modules ((gnu home) #:select (home-environment)) + ((gnu home services) #:select + (home-activation-service-type home-files-service-type service + service-extension service-type)) + ((gnu home services shells) #:select + (home-bash-configuration home-bash-service-type)) + ((gnu home services shepherd) #:select + (home-shepherd-service-type shepherd-service)) + ((gnu packages messaging) #:select (matterbridge)) + ((gnu packages minetest) #:select (minetest-server)) + ((gnu system shadow) #:select (%default-dotguile)) + ((guix gexp) #:select (file-append gexp local-file plain-file))) + +(define home-matterbridge-services + (const + (list (shepherd-service + (provision '(mattermost)) + (modules '((shepherd support))) ;for '%user-log-dir' + (start #~(make-forkexec-constructor + '(#$(file-append matterbridge "/bin/matterbridge") + "--conf" + #$(local-file "config.toml")) + #:log-file (string-append %user-log-dir + "/matterbridge.log"))) + (stop #~(make-kill-destructor)) + (documentation "Start local matterbridge."))))) + +(define home-matterbridge-service-type + (service-type + (name 'home-matterbridge) + (extensions + (list (service-extension home-shepherd-service-type + home-matterbridge-services))) + (description "Bridge messaging platforms using matterbridge.") + (default-value #f))) + +(define home-minetest-services + (const + (list (shepherd-service + (provision '(minetest)) + (modules '((shepherd support))) ;for '%user-log-dir' + (start #~(make-forkexec-constructor + '(#$(file-append minetest-server "/bin/minetestserver") + "--gameid" "minetest" + "--config" #$(local-file "abdultest.conf")) + #:environment-variables + (cons + (format #f "MINETEST_SUBGAME_PATH=~a/share/minetest/games" + #$(@@ (gnu packages minetest) minetest-data)) + (default-environment-variables)) + #:log-file (string-append %user-log-dir + "/minetest.log"))) + (stop #~(make-kill-destructor)) + (documentation "Start Minetest block game like Minecraft."))))) + +(define 
home-minetest-activation + (const #~(mkdir-p "~/.local/minetest/abdultest"))) + +(define home-minetest-service-type + (service-type + (name 'home-minetest) + (extensions + (list (service-extension home-shepherd-service-type + home-minetest-services) + (service-extension home-activation-service-type + home-minetest-activation))) + (description "Minetest block game like Minecraft.") + (default-value #f))) + +(home-environment + (services + (list + (service home-bash-service-type + (home-bash-configuration + (bash-profile (list (plain-file + "bash_ps1" + "export PS1=\"\n↓← $PS1\n→ \""))))) + + (service home-files-service-type + `((".guile" ,%default-dotguile))) + + ;;(service home-matterbridge-service-type) + + (service home-minetest-service-type)))) diff --git a/ctftilde/src/guile/ctftilde/main-site.scm b/ctftilde/src/guile/ctftilde/main-site.scm index 1598ff3..fc9e6c2 100644 --- a/ctftilde/src/guile/ctftilde/main-site.scm +++ b/ctftilde/src/guile/ctftilde/main-site.scm 
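Review bot: `(mkdir-p "~/.local/minetest/abdultest")` will not do what is intended: Guile's `mkdir-p` performs no tilde expansion, so the activation code creates a literal directory named `~` under the current working directory. Build the path from the environment at activation time instead: `(const #~(mkdir-p (string-append (getenv "HOME") "/.local/minetest/abdultest")))`. Two smaller things in the same hunk: the matterbridge service is declared `(provision '(mattermost))` although it runs matterbridge, so `herd start matterbridge` will not find it, and the `;;(service home-matterbridge-service-type)` line disables the bridge while `config.toml` with its credentials stays next to this file — re-enabling the service copies those credentials into the world-readable store via `local-file`.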
@@ -93,22 +93,68 @@ and minimalism. Besides this, you can run your own website or Gemini capsule.") package manager & operating system. And it lets the users benefit from this tooling as well!") - (h2 "What to do?") + (h2 "Unconvinced?") (p "If you're not yet sure you want to join, take time to browse other user's tilde websites/capsules and see how they spend time here. You might also want to familiarize yourself with GNU Guix. Once you're ready, jump to our -registration page.") +registration page. You might also want to read our short \"First Steps\" +article.") (ul (li (a (@ (href "https://guix.gnu.org/")) "GNU Guix website")) (li (a (@ (href "https://ctftilde.koszko.org/registration")) - "Registration page"))) + "Registration page")) + (li (a (@ (href "https://ctftilde.koszko.org/first-steps")) + "First Steps"))) (h2 "Our users' blogs") + (p "(please send an email to admin@ctftilde.koszko.org if you want to have +your blog listed here)") (ul (li (a (@ (href "./~abdul")) "~abdul")))))) +(cant:define-endpoint %endset first-steps + ("first-steps") '() + (contents->html + '((h1 "First steps") + (p "So, you've made an account through the registration page and can now +connect via SSH. You're surely wondering where to put your HTML pages to have +them served, etc…") + (ul + (li (a (@ (href "https://ctftilde.koszko.org/registration")) + "Registration page"))) + + (h2 "HTTP user directory") + (p "Your very own HTTP directory is at") + (pre "/srv/http/users/$YOUR_USERNAME/") + (p "It is served by Apache. Whatever you put there, will be viewable at") + (pre "https://ctftilde.koszko.org/~$YOUR_USERNAME/") + (p "Btw, if you like simple and lean web pages, feel free to load the +minimal CC0-licensed stylesheet at") + (pre "https://ctftilde.koszko.org/resources/ctftilde.css") + (p "into your HTML documents :)") + + (h2 "Gemini user directory") + (p "Don't you also feel that \"Web\" is sometimes too much? 
Wouldn't you +love to let others view your blog (or whatever you publish) using a friendlier +technology? Here's how to: put your files under") + (pre "/srv/gemini-users/$YOUR_USERNAME/") + (p "They will immediately become available under") + (pre "gemini://ctftilde.koszko.org/~$YOUR_USERNAME") + (p "Make sure not to miss gemtext, the minimal markup language desined for +Gemini.") + (ul + (li (a (@ (href "https://geminiprotocol.net/")) + "Project Gemini website")) + (li (a (@ (href "gemini://geminiprotocol.net/")) + "Project Gemini capsule (over the gemini protocol)"))) + + (h2 "Cron") + (p "We've made the effort to have a working") + (pre "crontab") + (p "command. Use it as you would on any GNU+Linux distro!")))) + (define query-param-regex (make-regexp "^([^=]+)(=(.*))?")) @@ -172,7 +218,8 @@ registration page.") (and (not (regexp-exec start-with-lowercase-regex username)) "Username must start with a lowercase letter.")) ,(lambda _ - (and (false-if-exception (getpwnam username)) + (and (false-if-exception (getpwnam (format #f "ctftilde-~a" + username))) "This username is unavailable.")))) ("password" @@ -192,7 +239,7 @@ registration page.") (and (not (regexp-exec email-regex email)) "Provided email is not valid."))))))) -(cant:define-endpoint %endset main-page +(cant:define-endpoint %endset registration-page ("registration") '() (define legal-POST? 
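Review bot: The "HTTP user directory" section tells users to publish under `/srv/http/users/$YOUR_USERNAME/`, but users.scm in this same commit removes `/srv/http-users/<name>` on deletion and creates per-user files with the `ctftilde-` prefix stripped, so either the path on this page or the one in users.scm is wrong — check which directory Apache actually serves and use it in the `(pre "...")`. `$YOUR_USERNAME` is also ambiguous now that the SSH login is `ctftilde-<name>` while the directory is `<name>`; a line such as `(p "Here $YOUR_USERNAME is your name without the ctftilde- prefix; your SSH login keeps the prefix.")` would prevent confusion. The same text is duplicated in gemini/first-steps.gmi and should be kept in sync with whatever is decided here.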
@@ -216,21 +263,24 @@ registration page.") (cond ((and legal-POST? (eq? '() params-mistakes)) - (write (list (format #f "ctftilde-~a" (assoc-ref params "username")) - (encrypt-password (assoc-ref params "password"))) - (%daemon-write-port)) + (let ((username (format #f "ctftilde-~a" (assoc-ref params "username")))) - (contents->html - (match (read (%daemon-read-port)) + (write (list username (encrypt-password (assoc-ref params "password"))) + (%daemon-write-port)) + + (contents->html + (match (read (%daemon-read-port)) - ('(ok) - `((h1 "Done") - (p ,(format #f "Try connecting via ssh to ~a@ctftilde.koszko.org." - (assoc-ref params "username"))))) + ('(ok) + `((h1 "Done") + (p ,(format #f "Try connecting via ssh to ~a@ctftilde.koszko.org." + username)) + (p "Also, please don't abuse our server's resources. Let others use +the platform, too :)"))) - (_ - `((h1 "Ooops!") - (p "Something went wrong X(")))))) + (_ + `((h1 "Ooops!") + (p "Something went wrong X("))))))) (else (contents->html diff --git a/ctftilde/src/guile/ctftilde/users.scm b/ctftilde/src/guile/ctftilde/users.scm index 3d17362..aaaae51 100644 --- a/ctftilde/src/guile/ctftilde/users.scm +++ b/ctftilde/src/guile/ctftilde/users.scm @@ -6,6 +6,7 @@ #:use-module ((ice-9 exceptions) #:select (raise-exception with-exception-handler)) #:use-module ((ice-9 match) #:select (match)) + #:use-module ((ice-9 regex) #:select (match:substring)) #:use-module ((system repl debug) #:select (terminal-width)) @@ -61,6 +62,18 @@ (dynamic-wind noop loop (cut closedir dir)))) +(define ctftilde-user-regex + (make-regexp "^ctftilde-(.*)")) + +(define (strip-ctftilde username) + (match (regexp-exec ctftilde-user-regex username) + + (#f + username) + + ((= (cut match:substring <> 1) stripped-username) + stripped-username))) + (define (*delete-user username) 
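Review bot: `strip-ctftilde` returns an empty string for the bare username `ctftilde-` (the `(.*)` group matches nothing), and its result is concatenated straight onto `/srv/gemini-users/` and `/srv/http-users/` in a later hunk, where an empty name turns a per-user cleanup into removal of the whole tree; I would have the helper refuse such input, e.g. raise when `(string-null? stripped-username)`. Since the prefix is a fixed literal, the regex is more machinery than needed: `(if (string-prefix? "ctftilde-" username) (substring username 9) username)` does the same without the `(ice-9 regex)` import added in the previous hunk. The `*delete-user` definition that begins on the last line of this hunk continues outside it.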
@@ -74,8 +87,10 @@ (false-if-exception (delete-file creation-file)) (system* "userdel" "-rf" username) - (system* "rm" "-rf" (string-append "/srv/gemini-users/" username)) - (system* "rm" "-rf" (string-append "/srv/http-users/" username)) + (system* "rm" "-rf" (string-append "/srv/gemini-users/" + (strip-ctftilde username))) + (system* "rm" "-rf" (string-append "/srv/http-users/" + (strip-ctftilde username))) (sync) (false-if-exception (delete-file deletion-file)) (sync))) @@ -94,21 +109,25 @@ (make-regexp "^[a-zA-Z][a-zA-Z0-9-]*$")) (define* (*make-user username encrypted-password #:optional recreated-user-uid) + (define home-dir + (string-append "/home/ctftilde/" (strip-ctftilde username))) + (define (add-user) - (when (> (apply system* - `("useradd" - "--shell" "/run/current-system/profile/bin/bash" - "--home-dir" ,(string-append "/home/ctftilde/" username) - "--create-home" - ,@(or (and=> recreated-user-uid - (compose (cut list "--uid" <>) - number->string)) - '()) - "--gid" "hackers" - "-p" ,encrypted-password - ,username)) - 0) - (raise-exception "User could not be added."))) + (if (> (apply system* + `("useradd" + "--shell" "/run/current-system/profile/bin/bash" + "--home-dir" ,home-dir + "--create-home" + ,@(or (and=> recreated-user-uid + (compose (cut list "--uid" <>) + number->string)) + '()) + "--gid" "hackers" + "-p" ,encrypted-password + ,username)) + 0) + (raise-exception "User could not be added.") + (chmod home-dir #o700))) (define (add-user-files) (define user @@ -116,7 +135,7 @@ (define (make-user-file path-format what) (define path - (format #f path-format username)) + (format #f path-format (strip-ctftilde username))) (unless (file-exists? path) (match what diff --git a/gemini/first-steps.gmi b/gemini/first-steps.gmi new file mode 100644 index 0000000..47512e7 --- /dev/null +++ b/gemini/first-steps.gmi 
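Review bot: `(system* "rm" "-rf" (string-append "/srv/gemini-users/" (strip-ctftilde username)))` runs with whatever `strip-ctftilde` returns; for the username `ctftilde-` that is the empty string and the command becomes `rm -rf /srv/gemini-users/`, wiping every user's capsule (likewise for `/srv/http-users/`). Whether callers validate `username` against `username-regex` before reaching this point is not visible in the hunk, so a guard on the derived name is cheap insurance; `delete-file-recursively` from (guix build utils) would also avoid shelling out. `*delete-user` itself starts before this hunk.
```scheme
(system* "userdel" "-rf" username)
(let ((dir-name (strip-ctftilde username)))
  ;; An empty name would turn the two removals into "rm -rf /srv/.../".
  (when (string-null? dir-name)
    (raise-exception "Refusing to delete user with empty directory name."))
  (system* "rm" "-rf" (string-append "/srv/gemini-users/" dir-name))
  (system* "rm" "-rf" (string-append "/srv/http-users/" dir-name)))
;; … unchanged: sync and deletion-file cleanup …
```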
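Review bot: The re-added `"-p" ,encrypted-password` passes the password hash on the `useradd` command line, where every other account on this shared host can read it via `ps` or `/proc/<pid>/cmdline` for the lifetime of the process — long enough to harvest for offline cracking. Set the password out of band instead by piping `username:hash` into `chpasswd -e` (requires `(ice-9 popen)`) and drop the `-p` pair from the argument list. The new `(chmod home-dir #o700)` also runs only after `--create-home` has populated the directory with the default mode, leaving a short window where the skel files are world-readable; `useradd -K HOME_MODE=0700` (shadow 4.8+, confirm the version Guix ships) closes it and makes the chmod redundant. `*make-user` continues past the end of this hunk.
```scheme
;; … unchanged: useradd invocation, minus the "-p" ,encrypted-password pair …
(let ((pipe (open-output-pipe "chpasswd -e")))
  (format pipe "~a:~a~%" username encrypted-password)
  (unless (zero? (status:exit-val (close-pipe pipe)))
    (raise-exception "Password could not be set.")))
```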
@@ -0,0 +1,55 @@
+# First steps
+
+So, you've made an account through the registration page and can now connect via SSH. You're surely wondering where to put your HTML pages to have them served, etc…")
+
+=> https://ctftilde.koszko.org/registration Registration page
+
+## HTTP user directory
+
+Your very own HTTP directory is at
+
+```
+/srv/http/users/$YOUR_USERNAME/
+```
+
+It is served by Apache. Whatever you put there, will be viewable at
+
+```
+https://ctftilde.koszko.org/~$YOUR_USERNAME/
+```
+
+Btw, if you like simple and lean web pages, feel free to load the minimal CC0-licensed stylesheet at
+
+```
+https://ctftilde.koszko.org/resources/ctftilde.css
+```
+
+into your HTML documents :)
+
+## Gemini user directory
+
+Don't you also feel that \"Web\" is sometimes too much? Wouldn't you love to let others view your blog (or whatever you publish) using a friendlier technology? Here's how to: put your files under
+
+```
+/srv/gemini-users/$YOUR_USERNAME/
+```
+
+They will immediately become available under
+
+```
+gemini://ctftilde.koszko.org/~$YOUR_USERNAME
+```
+
+Make sure not to miss gemtext, the minimal markup language desined for Gemini.
+
+=> gemini://geminiprotocol.net/ Project Gemini capsule
+
+## Cron
+
+We've made the effort to have a working
+
+```
+crontab
+```
+
+command. Use it as you would on any GNU+Linux distro!
diff --git a/gemini/index.gmi b/gemini/index.gmi
index 7536215..10837d3 100644
--- a/gemini/index.gmi
+++ b/gemini/index.gmi
@@ -1,10 +1,18 @@
 # Tildeverse on GNU Guix
+
 Welcome to ctftilde, a public tilde server.
-We provide free UNIX accounts for enthusiasts of free/libre software and minimalism. Besides this, you can run your own website or Gemini capsule.
-What makes this ~ special? It is powered by GNU Guix functional package manager & operating system. And it lets the users benefit from this tooling as well!
-## What to do?
-If you're not yet sure you want to join, take time to browser other user's tilde websites/capsules and see how they spend time here. You might also want to familiarize yourself with GNU Guix. Once you're ready, jump to our registration page.
+
+We provide free UNIX accounts for enthusiasts of free/libre software and minimalism. Besides this, you can run your own website or Gemini capsule. What makes this ~ special? It is powered by GNU Guix functional package manager & operating system. And it lets the users benefit from this tooling as well!
+
+## Unconvinced?
+If you're not yet sure you want to join, take time to browse other user's tilde websites/capsules and see how they spend time here. You might also want to familiarize yourself with GNU Guix. Once you're ready, jump to our registration page. You might also want to read our short \"First Steps\" article.
+
 => https://guix.gnu.org/ GNU Guix website
 => https://ctftilde.koszko.org/registration Registration page
+=> ./first-steps.gmi First Steps
+
 ## Our users' blogs
+
+(please send an email to admin@ctftilde.koszko.org if you want to have your blog listed here)
+
 => ./~abdul ~abdul
diff --git a/gemini/security-warning.gmi b/gemini/security-warning.gmi
new file mode 100644
index 0000000..2ad3087
--- /dev/null
+++ b/gemini/security-warning.gmi
@@ -0,0 +1,11 @@
+# Security considerations
+
+Dear user, when running programs on ctftilde, please make sure none of your sesitive configuration files are placed in the Store directory. In particular, please be careful when using macros from the
+
+```
+(guix gexp)
+```
+
+Guile module in your code.
+
+=> https://guix.gnu.org/manual/en/html_node/The-Store.html GNU Guix manual — The Store
diff --git a/notes.org b/notes.org
new file mode 100644
index 0000000..6c30a6c
--- /dev/null
+++ b/notes.org
@@ -0,0 +1,55 @@ +* What, where and how + +The system definition relies on some private Guix modifications you can find +[[https://git.koszko.org/guix/][here]]. + +The VM preparation commands below expect some files to already exist in +project's directory +- =fullchain.pem= - certificate chain +- =privkey.pem= - its private key +- =owner.pub= - SSH public key to set up SSH root access to the VM + +#+begin_src shell-script + # guix shell qemu-minimal parted + qemu-img create -f qcow2 vm.qcow2 100G + sudo modprobe nbd max_part=63 + sudo qemu-nbd -n -c /dev/nbd0 vm.qcow2 + sudo parted --script /dev/nbd0 mktable msdos + sudo parted --script /dev/nbd0 mkpart primary 0% 100% + sudo mkfs.ext4 -L ctftilde-root /dev/nbd0p1 + sudo tune2fs -O ^metadata_csum_seed /dev/nbd0p1 + sudo mount /dev/nbd0p1 /mnt + sudo sh -c "CTFTILDE_DISK_DEV=/dev/nbd0 guix system init vm.scm /mnt/" + sudo mkdir -p /mnt/etc/cert-ctftilde + sudo cp fullchain.pem privkey.pem /mnt/etc/cert-ctftilde/ + sudo umount /mnt + sudo qemu-nbd -d /dev/nbd0 + + # Verification that `guix deploy` works, optional. + HOSTFWD= + for VM_PORT in 22 80 443 1965 20030; do + HOSTFWD="$HOSTFWD,hostfwd=tcp::$VM_PORT-:$VM_PORT" + done + for VM_PORT in 20030; do + HOSTFWD="$HOSTFWD,hostfwd=udp::$VM_PORT-:$VM_PORT" + done + sudo qemu-system-x86_64 -net nic,model=rtl8139 -net user"$HOSTFWD" \ + -m 2G -hda vm.qcow2 -nographic -enable-kvm + ssh-keygen -R localhost + VM_SSH_HOST_KEY="$(ssh root@localhost 'awk "{print \$1 \" \" \$2}" /etc/ssh/ssh_host_ed25519_key.pub')" + sed -i "s|ssh-ed25519 [^\"]\+|$VM_SSH_HOST_KEY|" vm-deploy.scm + guix deploy vm-deploy.scm +#+end_src + +Some work is then needed to manually create Abdul's user account and copy the +relevant files (no automation, unfortunately). + +The HTML version of Abdul's blog has been generated from Gemtext version using a +modifier variant of =convert_gemtext_file.py= from [[https://raw.githubusercontent.com/huntingb/gemtext-html-converter][here]]. 
The modified variant +is unfortunately not included here (because GPL requires documenting what +exactly got changed and I am too lazy). + +* Copying + +Unless specified otherwise, files were authored by Wojtek Kosior and are +available under the terms of CC0-1.0. diff --git a/presentation/Awesome_Demon.svg b/presentation/Awesome_Demon.svg new file mode 100644 index 0000000..694e212 --- /dev/null +++ b/presentation/Awesome_Demon.svg @@ -0,0 +1,407 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + Openclipart + + + + + + + + + + + diff --git a/presentation/Guix_logo.svg b/presentation/Guix_logo.svg new file mode 100644 index 0000000..fd31fa2 --- /dev/null +++ b/presentation/Guix_logo.svg @@ -0,0 +1,157 @@ + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + diff --git a/presentation/Guix_logo_with_flag.svg b/presentation/Guix_logo_with_flag.svg new file mode 100644 index 0000000..bb3c700 --- /dev/null +++ b/presentation/Guix_logo_with_flag.svg @@ -0,0 +1,276 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + diff --git a/presentation/Nix_logo.svg b/presentation/Nix_logo.svg new file mode 100644 index 0000000..40dee5f --- /dev/null +++ b/presentation/Nix_logo.svg @@ -0,0 +1,424 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/presentation/Red_flag_waving.svg b/presentation/Red_flag_waving.svg new file mode 100644 index 0000000..2fe3305 --- /dev/null +++ b/presentation/Red_flag_waving.svg @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/presentation/ctf-guix-store-onlynotes.pdf b/presentation/ctf-guix-store-onlynotes.pdf new file mode 100644 index 0000000..21bd9ff Binary files /dev/null and b/presentation/ctf-guix-store-onlynotes.pdf differ diff --git a/presentation/ctf-guix-store-withnotes.pdf b/presentation/ctf-guix-store-withnotes.pdf new file mode 100644 index 0000000..7364b15 Binary files /dev/null and b/presentation/ctf-guix-store-withnotes.pdf differ diff --git a/presentation/ctf-guix-store.pdf b/presentation/ctf-guix-store.pdf new file mode 100644 index 0000000..2259a4f Binary files /dev/null and b/presentation/ctf-guix-store.pdf differ diff --git a/presentation/ctf-guix-store.tex b/presentation/ctf-guix-store.tex new file mode 100644 index 0000000..65ecebd --- /dev/null +++ b/presentation/ctf-guix-store.tex 
@@ -0,0 +1,295 @@ +\documentclass[notes]{beamer} +\usetheme{Rochester} +\usecolortheme{seagull} +\usepackage{svg} +\usepackage[export]{adjustbox} + +% \setbeameroption{show notes} + +\title{CTF — GNU Guix storefile mistake} + +\begin{document} + +\frame{ + \titlepage + \begin{figure}[h] + \includesvg[height=0.25\textheight]{Guix_logo_with_flag.svg} + \end{figure} +} + + +\begin{frame}{Functional package management in a pill} + \begin{itemize} + \item Dolstra, Eelco (2006). ``The Purely Functional Software Deployment + Model'' (Ph.D.). Utrecht University + \item pioneered by Nix \includesvg[height=\baselineskip]{Nix_logo.svg} + \item also employed by GNU Guix + \includesvg[height=\baselineskip]{Guix_logo.svg} + \item no Filesystem Hierarchy Standard (no /usr/bin, /usr/share, etc.) + \item packages live in a \textbf{store} directory, e.g. + \begin{itemize} + \item /gnu/store/y0d8ab1mi6lh0a3vpx5lyd4ksq9wbn4x-orc-0.4.32 + \item /gnu/store/9pypr3c3y379shbwm9ilb4pik9mkfd83-mesa-22.2.4 + \item /gnu/store/rv91v4s30kcjh7xq6k4l2njklk79frxk-freeglut-3.4.0 + \item /gnu/store/30zfbjasrsk2wg8nhsd1xgi3q3n9796z-less-608 + \end{itemize} + \item a daemon \includesvg[height=\baselineskip]{Awesome_Demon.svg} builds + packages from definitions and puts them in the store + \end{itemize} +\end{frame} + +\note{ + \begin{itemize} + \item we're using GNU Guix here (no, not the trademarked GUIX…) + \item store filename determine by hash of package inputs + definition + \item multiple versions of a package can coexist + \item per-project development environments + \item easy rollbacks + \item emphasis on reproducible builds + \end{itemize} +} + +\begin{frame}[fragile]{Functional package management in a pill (sample package)} + \small +\begin{verbatim} +$ cd /gnu/store/30zfbjasrsk2wg8nhsd1xgi3q3n9796z-less-608/ +$ find . 
-type f +./bin/less +./bin/lessecho +./bin/lesskey +./etc/ld.so.cache +./share/doc/less-608/LICENSE +./share/doc/less-608/COPYING +./share/man/man1/lessecho.1.gz +./share/man/man1/lesskey.1.gz +./share/man/man1/less.1.gz +$ ls -lh bin/less +-r-xr-xr-x 2 root root 192K Jan 1 1970 bin/less +\end{verbatim} +\end{frame} + +\note{ + \begin{itemize} + \item store is read-only (only Nix/Guix daemon can write) + \item store files are root-owned and world-readable => secrets must be managed + differently + \item dates set to Epoch (but ls -lch shows real creation time) + \item the same package won't be built twice, even if requested by multiple + users + \item a package will built again (or grafted) when one of its dependencies + gets updated + \item a package not in use can be garbage-collected + \item no support for quotas yet as of 2024 + \end{itemize} +} + +\begin{frame}[fragile]{Functional package management in a pill (declarative OS)} + \begin{itemize} + \item \textbf{packages} are defined declaratively + \pause + \item \textbf{services} are defined declaratively as well + \pause + \item service \textbf{configurations} are defined declaratively \textit{as + well}… {\small +\begin{verbatim} +(service httpd-service-type + (httpd-configuration + (config + (httpd-config-file + (server-name "www.example.com") + (document-root "/var/public_html"))))) +\end{verbatim} + } + \begin{itemize} + \item …and result in store files like + /gnu/store/54ywa5x1b75simbvzhxqkfxsjk040ail-httpd.conf + \end{itemize} + \item Yay, we can replace Ansible! But what about secrets? 
+ \begin{itemize} + \item option 1: keep private keys and passwords outside the store + \item option 2: put them encrypted in the store + \end{itemize} + \end{itemize} +\end{frame} + +\note{ + \begin{itemize} + \item GNU Guix and Nix have their DSLs (the first one is actually Scheme Lisp + + some APIs) + \item on Guix/Nix server packages and configurations are immutable (we can + switch to different ones but not alter the existing ones) — convenient + \item an application may require database credentials, some API token, a + private key for TLS certificate, etc. + \item encrypted secrets in store — one master key kept outside the store + \end{itemize} +} + +\begin{frame}{Sensitive information exposure scenario} + challenge — password hunt in /gnu/store\\~\\ + + \textit{``You're an employee of a secret government agency. Analysis of + wiretap recordings have lead the agency to believe that an individual known + as Abdul Al-Inh-Ohn-Ih has come into possession of highly classified + government documents. If this turn out true and Abdul blows the whistle on + information from those materials, years of intelligence efforts shall be + ruined.\\~\\} + + \textit{Abdul has been using the Matrix protocol for some of his + communication. Your current task is to get access to his Matrix account. + Start your investigation by taking a look at his blog.''} +\end{frame} + +\note{ + A user of certain shared GNU Guix system has put a secret (a password) in + /gnu/store by mistake. The CTF competitioneer has to SSH into another account + on said system and find the password. 
+ + \begin{itemize} + \item we have some lore + \item real-world references might be intended or not… + \item no direct info about the exposures (one needs to figure this out) + \end{itemize} +} + +\begin{frame}{Investigation (Abdul's blog)} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/abdul-blog-index.png} +\end{frame} + +\note{ + \begin{itemize} + \item language — itself a hint Abdul is likely to make mistakes + \item only the few relevant blog entries (no misleading of competitioneers) + \item mechanics of Guix relevant to the challenge are touched in the posts + \item some extra effort required — obtaining a Gemini browser + \end{itemize} +} + +\begin{frame}[fragile]{Investigation (peeking through Gemini)} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/gemini-capsule.png} +\end{frame} + +\note{ + \begin{itemize} + \item most relevant parts of blog only accessible through Gemini (a lightweight + alternative to HTTP) + \item a Gemini browser ``Lagrage'' recommended in HTTP part of Abdul's blog + \end{itemize} +} + +\begin{frame}[fragile]{Investigation (Spotting mistakes)} + configuration which hits a mistake is included in Abdul's blog + \footnotesize +\begin{verbatim} +;;; ... +(list (shepherd-service + (provision '(mattermost)) + (modules '((shepherd support))) ;for '%user-log-dir' + (start #~(make-forkexec-constructor + '(#$(file-append matterbridge "/bin/matterbridge") + "--conf" + #$(local-file "config.toml")) + #:log-file (string-append %user-log-dir + "/matterbridge.log"))) + (stop #~(make-kill-destructor)) + (documentation "Start local matterbridge."))))) +;;; ... 
+\end{verbatim} +\end{frame} + +\note{ + \begin{itemize} + \item the config suggests Matrix password is in config.toml in /gnu/store + \end{itemize} +} + +\begin{frame}{Investigation (Account creation)} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/account-creation.png} +\end{frame} + +\note{ + \begin{itemize} + \item both Abdul's blog and the server's main website urge one to make an + account and log in to the tilde server with SSH + \item emails entered not actually used + \end{itemize} +} + +\begin{frame}{Hint 1} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/hint1.png} +\end{frame} + +\note{ + \begin{itemize} + \item page with the hint accessible through Gemini only + \end{itemize} +} + +\begin{frame}{Hint 2} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/hint2.png} +\end{frame} + +\note{ + \begin{itemize} + \item link to GNU Guix HTML documentation + \item suggestion that it has sth to do with the local-file macro (used in + Abdul's code) + \end{itemize} +} + +\begin{frame}[fragile]{Finding the flag} +\begin{verbatim} +~$ (cd /gnu/store && ls -cht *config.toml*) +qmdh299prllp4fygw893w00lv9ypi5z2-config.toml +~$ +\end{verbatim} + +rather expected contents of qmdh299prllp4fygw893w00lv9ypi5z2-config.toml + +\small +\begin{verbatim} +# ... +[matrix.noevil-pl] +Server="https://matrix.noevil.pl" +Login="abdul" +Password="fla\u0067{full_source-bootstrap}" +RemoteNickFormat="[{PROTOCOL}] <{NICK}> " +NoHomeServerSuffix=false +# ... 
+\end{verbatim} +\end{frame} + +\note{ + \begin{itemize} + \item ``g'' in flag replaced with unicode escape to make bypassing with + recursive grepping harder + \end{itemize} +} + +\begin{frame}{Credits} + \begin{itemize} + \item GNU Guix logo — \copy 2015 Luis Felipe López Acevedo (CC BY-SA 4.0 + International) + \item red flag — by Wikipedia user Wereon, uploaded 2007 (released into + public domain) + \item Nix logo — \copy 2016 Tim Cuthbertson (CC BY-SA 4.0 International) + \item Awesome Demon — by Openclipart user qubodup, uploaded 2014 (released + into public domain with CC Zero v1.0) + \end{itemize} +\end{frame} + +\end{document} diff --git a/presentation/screenshots/abdul-blog-index.png b/presentation/screenshots/abdul-blog-index.png new file mode 100644 index 0000000..c94c5ac Binary files /dev/null and b/presentation/screenshots/abdul-blog-index.png differ diff --git a/presentation/screenshots/account-creation.png b/presentation/screenshots/account-creation.png new file mode 100644 index 0000000..de10a58 Binary files /dev/null and b/presentation/screenshots/account-creation.png differ diff --git a/presentation/screenshots/gemini-capsule.png b/presentation/screenshots/gemini-capsule.png new file mode 100644 index 0000000..0821d53 Binary files /dev/null and b/presentation/screenshots/gemini-capsule.png differ diff --git a/presentation/screenshots/hint1.png b/presentation/screenshots/hint1.png new file mode 100644 index 0000000..a143e43 Binary files /dev/null and b/presentation/screenshots/hint1.png differ diff --git a/presentation/screenshots/hint2.png b/presentation/screenshots/hint2.png new file mode 100644 index 0000000..0a63f3e Binary files /dev/null and b/presentation/screenshots/hint2.png differ diff --git a/vm-deploy.scm b/vm-deploy.scm index 08dce6c..ec169fb 100644 --- a/vm-deploy.scm +++ b/vm-deploy.scm 
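Review bot: `\copy 2015` and `\copy 2016` in the Credits frame are not the copyright symbol: `\copy` is the TeX primitive that copies a box register, so it consumes the following number as a register index and typesets nothing for it (or raises a bad-register error on an engine without e-TeX's extended registers), which drops both the symbol and the year from the rendered slide. The two lines should read `\item GNU Guix logo — \copyright{} 2015 Luis Felipe López Acevedo (CC BY-SA 4.0` and `\item Nix logo — \copyright{} 2016 Tim Cuthbertson (CC BY-SA 4.0 International)`. The committed PDFs appear to be built from this source, so they are worth a look for the missing credit years.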
@@ -5,8 +5,8 @@ (operating-system %os) (environment managed-host-environment-type) (configuration (machine-ssh-configuration - (host-name "localhost") + (host-name "ctftilde.koszko.org") (system "x86_64-linux") (port 22) - (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0aj062v8Mnxidud6DAyEN8XI8eCx+0fe6ad7QG1fXj") + (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6BoIa4pfY/WCGqNTxRdobteq3J5PYELz/slkjF7Zvd") (allow-downgrades? #t))))) diff --git a/vm.scm b/vm.scm index 2c20f3f..68cff3e 100644 --- a/vm.scm +++ b/vm.scm @@ -19,11 +19,12 @@ ((gnu packages tls) #:select (openssl)) ((gnu packages web) #:select (httpd)) ((gnu services) #:select - (activation-service-type modify-services service-extension + (activation-service-type modify-services service service-extension service-type simple-service)) ((gnu services base) #:select (guix-service-type guix-extension %base-services)) - ((gnu services mcron) #:prefix mc:) + ((gnu services desktop) #:select (elogind-service-type)) + ((gnu services mcron) #:select (cron-daemon-service-type)) ((gnu services networking) #:select (dhcp-client-service-type)) ((gnu services shepherd) #:select (shepherd-root-service-type shepherd-service)) @@ -130,10 +131,14 @@ Cantius, part of a CTF competition VM.") '("" "/fullchain.pem" "/privkey.pem") '(#o750 #o640 #o640))))) +(prepend %services + (service elogind-service-type)) + (prepend %services (simple-service 'gemini-main-server-directory activation-service-type #~(begin (false-if-exception (delete-file "/srv/gemini")) + (mkdir-p "/srv") (symlink #$(local-file (string-append %here "/gemini") #:recursive? #t) "/srv/gemini")))) @@ -176,8 +181,7 @@ Cantius, part of a CTF competition VM.") "proxy" "proxy_http" "rewrite" - "ssl" - "userdir")) + "ssl")) web:%default-httpd-modules)) (extra-config (list "\ 
@@ -197,7 +201,9 @@ Cantius, part of a CTF competition VM.") ServerAlias www.ctftilde.koszko.org ServerAdmin webmaster@ctftilde.koszko.org - UserDir /srv/http-users + RewriteEngine On + + RewriteRule \"^/~([^/]+)(.*)\" \"/srv/http-users/$1$2\" ProxyPassMatch ^/(([^~].*)?)$ http://127.0.0.1:8080/$1 ProxyPassReverse / http://127.0.0.1:8080/ @@ -212,9 +218,7 @@ Cantius, part of a CTF competition VM.") '(80 443)))) (prepend %services - (service mc:mcron-service-type - (mc:mcron-configuration - (/var-tabs? #t)))) + (service cron-daemon-service-type)) (prepend %services (service openssh-service-type -- cgit v1.2.3
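Review bot: The new `RewriteRule \"^/~([^/]+)(.*)\" \"/srv/http-users/$1$2\"` captures any slash-free run after `~`, not just a registered account name, so the filesystem path it produces stays inside /srv/http-users only if a `<Directory>` policy elsewhere in this config (not visible in the hunk) refuses everything else. Account names are validated in users.scm against `^[a-zA-Z][a-zA-Z0-9-]*$`, and the rule should accept the same alphabet so that any other `~` segment is simply not rewritten: `RewriteRule \"^/~([a-zA-Z][a-zA-Z0-9-]*)(/.*)?$\" \"/srv/http-users/$1$2\"`. Unlike the removed `UserDir`, a rewrite does not carry the per-user-directory access semantics with it, so the `<Directory /srv/http-users>` access section should be confirmed to still exist and to grant only what is intended. Separately, the first-steps.gmi added in this commit tells users to publish under `/srv/http/users/$YOUR_USERNAME/`, which disagrees with the `/srv/http-users/` used by this rule and by users.scm.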