From 780fbe97d48877490cc7e6e50399f4d1ae48df16 Mon Sep 17 00:00:00 2001
From: Marc Olivier Bergeron
Date: Mon, 25 May 2026 15:56:28 -0400
Subject: [PATCH] Added production ACL to simulate Internet access during the CTF.

---
 ctf/templates/init/.deploy/common/acl.tf | 49 +++++++++++++++++++
 ctf/templates/init/.deploy/common/dns.tf | 2 +-
 .../init/.deploy/common/variables.tf | 5 ++
 ctf/templates/new/common/main.tf.j2 | 6 +--
 4 files changed, 57 insertions(+), 5 deletions(-)
 create mode 100644 ctf/templates/init/.deploy/common/acl.tf

diff --git a/ctf/templates/init/.deploy/common/acl.tf b/ctf/templates/init/.deploy/common/acl.tf
new file mode 100644
index 0000000..b34b4d0
--- /dev/null
+++ b/ctf/templates/init/.deploy/common/acl.tf
@@ -0,0 +1,49 @@
+resource "incus_network_acl" "simulated_production_acl" {
+ remote = var.incus_remote
+
+ name = var.ctf_acl_network
+ description = "Simulate production ACL."
+
+ egress = [
+ {
+ action = "allow"
+ destination = "2606:4700:10::/48"
+ protocol = "tcp"
+ destination_port = "80"
+ description = "archive.ubuntu.com"
+ state = "enabled"
+ },
+ {
+ action = "allow"
+ destination = "2a04:4e42:20::644"
+ protocol = "tcp"
+ destination_port = "80"
+ description = "deb.debian.org"
+ state = "enabled"
+ },
+ {
+ action = "allow"
+ protocol = "tcp"
+ destination_port = "53"
+ description = "DNS over TCP"
+ state = "enabled"
+ },
+ {
+ action = "allow"
+ protocol = "udp"
+ destination_port = "53"
+ description = "DNS over UDP"
+ state = "enabled"
+ }
+ ]
+
+ ingress = [
+ {
+ action = "allow"
+ state = "enabled"
+ }
+ ]
+}
+output "ctf_acl_network" {
+ value = incus_network_acl.simulated_production_acl.name
+}
diff --git a/ctf/templates/init/.deploy/common/dns.tf b/ctf/templates/init/.deploy/common/dns.tf
index 63ee9a6..563a9ba 100644
--- a/ctf/templates/init/.deploy/common/dns.tf
+++ b/ctf/templates/init/.deploy/common/dns.tf
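Review bot: The two DNS egress rules ("DNS over TCP" / "DNS over UDP") carry no `destination`, so any address on port 53 is reachable from the network, which leaves an unrestricted egress path (anything that can be carried over port 53) that the two mirror rules otherwise try to close; if instances are meant to resolve through the CTF's own resolver, pin it with `destination = "<CTF resolver address - placeholder>"` on both rules. The first egress rule's `2606:4700:10::/48` is a whole hosting-provider prefix rather than the single mirror its description names, so HTTP to anything served from that /48 is allowed, and both mirror addresses can drift over time; either say so in `description` or narrow to the mirror's current addresses and note where they come from. The ingress rule allows every source, protocol and port; if that is the intended "production" exposure, a one-line `description = "Instances are reachable from anywhere, as in production"` would make the choice explicit rather than leaving it to look like an omission. Whether egress not listed here is dropped depends on the default ACL action configured on the network that attaches this ACL (the `security.acls.default.egress.action` network key, if I recall it correctly), which this resource cannot set, so the ACL description should state the default it assumes.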
@@ -1,7 +1,7 @@ resource "incus_network_zone" "this" { remote = var.incus_remote - name = "ctf" + name = var.ctf_dns_network_zone description = "DNS zone for the internal .ctf TLD" } diff --git a/ctf/templates/init/.deploy/common/variables.tf b/ctf/templates/init/.deploy/common/variables.tf index 8623707..1ba81bb 100644 --- a/ctf/templates/init/.deploy/common/variables.tf +++ b/ctf/templates/init/.deploy/common/variables.tf @@ -33,6 +33,11 @@ variable "ctf_dns_network_zone" { type = string } +variable "ctf_acl_network" { + default = "simulated-production-acl" + type = string +} + locals { track = yamldecode(file("${path.module}/../track.yaml")) } diff --git a/ctf/templates/new/common/main.tf.j2 b/ctf/templates/new/common/main.tf.j2 index 9b769c8..14b4802 100644 --- a/ctf/templates/new/common/main.tf.j2 +++ b/ctf/templates/new/common/main.tf.j2 @@ -55,11 +55,9 @@ resource "incus_network" "this" { config = merge({ "ipv6.address" = "{{ data.ipv6_subnet }}::1/64" }, - /* Uncomment if using ACL var.already_deployed ? { - "security.acls" = incus_network_acl.this[0].name + "security.acls" = join(",", [var.ctf_acl_network /*Uncomment if using your own ACL.*//*, incus_network_acl.this[0].name*/]) } : {}, - */ var.deploy == "production" ? { "ipv4.address" = "none" "ipv6.nat" = "false" @@ -114,7 +112,7 @@ locals { "config" = { # These limits should only be adjusted if you NEED more resources. "limits.cpu" = "2" - "boot.autorestart" = "true" + "boot.autorestart" = "true" "security.secureboot" = "false" } }
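Review bot: `variable "ctf_acl_network"` has no `description`, so a reader of variables.tf cannot tell that its value becomes the `name` of the ACL created in acl.tf and is the same string the track template places in `security.acls`; I'd add `description = "Name of the incus network ACL created in acl.tf and attached to track networks via security.acls."`. The neighbouring `ctf_dns_network_zone` has the same gap but is untouched by this commit. The `locals` block that follows starts in the hunk and the rest of the file is outside it.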
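Review bot: In the main.tf.j2 hunk at line 55 the shared ACL is only attached inside the `var.already_deployed ? { "security.acls" = ... } : {}` branch, so, if `already_deployed` means what its name suggests, a track's first apply creates the network with no `security.acls` and it runs under the bridge's default policy until a second apply; since `var.ctf_acl_network` is a plain name that the init deployment creates before any track exists, that entry no longer needs the gate and could be set unconditionally, keeping the conditional only for the per-track `incus_network_acl.this[0]` case. Because the ACL is referenced by name string, Terraform sees no dependency on the `incus_network_acl` resource, and a missing or renamed ACL surfaces only as a provider error at apply time. `var.ctf_acl_network` is declared by this commit only in `init/.deploy/common/variables.tf`; if the rendered track is its own root module it needs its own declaration, which I cannot tell from the diff. The nested `/*...*//*...*/` comment inside the list is hard to read; a line comment above the attribute such as `# Add incus_network_acl.this[0].name to the list to attach a track-specific ACL.` would be clearer. The `incus_network.this` resource begins before the hunk and continues after it.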