nsec · MOBergeron · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/ctf/models.py b/ctf/models.py
@@ -102,7 +102,7 @@ class TrackInstance(BaseModel):
     ipv6: str | None = None
     config: InstanceConfig
     devices: list[InstanceDevice]
-    wait_for: InstanceWaitFor | None = None
+    wait_for: list[InstanceWaitFor] | None = None
     services: list[InstanceService]
 
 

diff --git a/ctf/new.py b/ctf/new.py
@@ -15,10 +15,11 @@
 
 
 class Template(StrEnum):
+    INFRA_SKELETON = "infra-skeleton"
+    TRACK_YAML_ONLY = "track-yaml-only"
+    FILES_ONLY = "files-only"
     APACHE_PHP = "apache-php"
     PYTHON_SERVICE = "python-service"
-    FILES_ONLY = "files-only"
-    TRACK_YAML_ONLY = "track-yaml-only"
     RUST_WEBSERVICE = "rust-webservice"
     WINDOWS_VM = "windows-vm"
 
@@ -40,7 +41,7 @@ def new(
             help="Template to use for the track.",
             prompt="Template to use for the track.",
         ),
-    ] = Template.APACHE_PHP,
+    ] = Template.INFRA_SKELETON,
     force: Annotated[
         bool,
         typer.Option(
@@ -55,6 +56,14 @@ def new(
             help="If a build container is required.",
         ),
     ] = False,
+    with_virtual_machine: Annotated[
+        bool,
+        typer.Option(
+            "--vm",
+            "--with-virtual-machine",
+            help="If a virtual machine is required.",
+        ),
+    ] = False,
 ) -> None:
     LOG.info(msg=f"Creating a new track: {name}")
     if not re.match(pattern=r"^[a-z][a-z0-9\-]{0,61}[a-z0-9]$", string=name):
@@ -130,6 +139,7 @@ def new(
             "is_windows": template == Template.WINDOWS_VM,
             "template": template.value,
             "with_build": with_build_container,
+            "with_virtual_machine": with_virtual_machine,
         }
     )
     with open(
@@ -206,6 +216,7 @@ def new(
             "ipv6_subnet": ipv6_subnet,
             "full_ipv6_address": full_ipv6_address,
             "with_build": with_build_container,
+            "with_virtual_machine": with_virtual_machine,
             "is_windows": template == Template.WINDOWS_VM,
         }
     )
@@ -245,7 +256,11 @@ def new(
 
     track_template = env.get_template(name=os.path.join(template, "deploy.yaml.j2"))
     render = track_template.render(
-        data={"name": name, "with_build": with_build_container}
+        data={
+            "name": name,
+            "with_build": with_build_container,
+            "with_virtual_machine": with_virtual_machine,
+        }
     )
     with open(
         file=(p := os.path.join(ansible_directory, "deploy.yaml")),
@@ -283,6 +298,7 @@ def new(
         data={
             "name": name,
             "with_build": with_build_container,
+            "with_virtual_machine": with_virtual_machine,
             "is_windows": template == Template.WINDOWS_VM,
         }
     )

diff --git a/ctf/templates/init/.deploy/cleanup.yaml b/ctf/templates/init/.deploy/cleanup.yaml
@@ -1,5 +1,5 @@
 - name: Pre-deployment system cleanup
-  hosts: all,!build,!windows
+  hosts: all,!build,!windows,!linux-incus-vm
   order: shuffle
   gather_facts: false
   any_errors_fatal: true

diff --git a/ctf/templates/init/schemas/track.yaml.json b/ctf/templates/init/schemas/track.yaml.json
@@ -142,7 +142,7 @@
               }
             },
             "wait_for": {
-              "type": "object",
+              "type": "array",
               "description": "Optional wait condition for instance startup.",
               "additionalProperties": true
             },

diff --git a/ctf/templates/new/apache-php/deploy.yaml.j2 b/ctf/templates/new/apache-php/deploy.yaml.j2
@@ -37,9 +37,9 @@
         path: "/var/www/html/index.html"
         state: absent
 
-# Run this only on the `{{ data.name }}` host. Sets up apache2 and php.
-- name: Specific tasks for "{{ data.name }}"
-  hosts: "{{ data.name }}"
+# Run this only on the `{% if data.with_virtual_machine %}team-orig-{% endif %}{{ data.name }}` host. Sets up apache2 and php.
+- name: Specific tasks for "{% if data.with_virtual_machine %}team-orig-{% endif %}{{ data.name }}"
+  hosts: "{% if data.with_virtual_machine %}team-orig-{% endif %}{{ data.name }}"
   tasks:
     - name: Copy the main site file (index.php)
       ansible.builtin.template:

diff --git a/ctf/templates/new/common/inventory.j2 b/ctf/templates/new/common/inventory.j2
@@ -1,6 +1,7 @@
 # This YAML file defines all machines that Ansible needs to know about to run playbooks and configure machines.
+# CHANGE SINCE 5.0.1: Virtual machines are deployed in another remote/project in production. Added/Modified a few variables with templates to enable that.
 all:
-  hosts:{% if not data.is_windows %}
+  hosts:{% if not data.is_windows and not data.with_virtual_machine %}
     # The following line defines how this machine will be referred to in Ansible scripts.
     {{ data.name }}:
       # This one tells Ansible that this host is reached using incus, and the name of the machine in incus is `{{ data.name }}`.
@@ -15,30 +16,53 @@ all:
     # Do not change these.
     ansible_connection: community.general.incus
     ansible_user: root
+    # If you have virtual machines, do not alter this line.
     ansible_incus_remote: "{{ '{{' }} ansible_incus_container_remote if ansible_incus_container_remote else 'local' {{ '}}' }}"
     # Name of your track. Do not change.
     ansible_incus_project: {{ data.name }}
 
     # Add variables if needed here.
 {% if data.with_build %}
 # This section is needed if you need a build container. It's a group of hosts regrouped under the name "build" which MUST remain the same.
-# The group "build" is removed from the "cleanup.yaml" and "common.yaml", which is why you should not change it.
+# The group "build" is removed from the "cleanup.yaml" and "common.yaml", which is why it should remain the same.
 build:
   hosts:
     # The following line defines how this machine will be referred to in "build.yaml" Ansible script.
     build-container:
       # The name must be the same as the previous line.
       ansible_incus_host: build-container
+{% endif %}{% if data.with_virtual_machine %}
+# This section is needed if you need Linux virtual machines. It's a group of hosts regrouped under the name "linux-incus-vm" which MUST remain the same.
+# The group "linux-incus-vm" is partially included in the "cleanup.yaml" playbook, which is why it should remain the same.
+# The name of any VM must begin with `team-orig-` for production
+linux-incus-vm:
+  hosts:
+    # The following line defines how this machine will be referred to in Ansible scripts. KEEP THE `team-orig-` prefix.
+    team-orig-{{ data.name }}:
+      # This one tells Ansible that this host is reached using incus, and the name of the machine in incus is `team-orig-{{ data.name }}`.
+      ansible_incus_host: team-orig-{{ data.name }}
+  vars:
+    # This variable is used to tell Ansible that the hosts are Windows hosts and require a PowerShell shell.
+    ansible_connection: community.general.incus
+    ansible_user: root
+    # For virtual machines, the remote and project changes in production.
+    ansible_incus_remote: "{{ '{{' }} ansible_incus_container_remote if ansible_incus_vm_remote else ansible_incus_container_remote {{ '}}' }}"
+    ansible_incus_project: "{{ '{{' }} ansible_incus_vm_project if ansible_incus_vm_project else ansible_incus_project {{ '}}' }}"
 {% endif %}{% if data.is_windows %}
 # This section is needed if you need Windows virtual machines. It's a group of hosts regrouped under the name "windows" which MUST remain the same.
-# The group "windows" is removed from the "cleanup.yaml" and "common.yaml", which is why you should not change it.
+# The group "windows" is removed from the "cleanup.yaml" and "common.yaml", which is why it should remain the same.
+# The name of any VM must begin with `team-orig-` for production
 windows:
   hosts:
-    # The following line defines how this machine will be referred to in Ansible scripts.
-    {{ data.name }}:
-      # This one tells Ansible that this host is reached using incus, and the name of the machine in incus is `{{ data.name }}`.
-      ansible_incus_host: {{ data.name }}
+    # The following line defines how this machine will be referred to in Ansible scripts. KEEP THE `team-orig-` prefix.
+    team-orig-{{ data.name }}:
+      # This one tells Ansible that this host is reached using incus, and the name of the machine in incus is `team-orig-{{ data.name }}`.
+      ansible_incus_host: team-orig-{{ data.name }}
   vars:
     # This variable is used to tell Ansible that the hosts are Windows hosts and require a PowerShell shell.
     ansible_shell_type: powershell
+    ansible_user: administrator
+    # For virtual machines, the remote and project changes in production.
+    ansible_incus_remote: "{{ '{{' }} ansible_incus_container_remote if ansible_incus_vm_remote else ansible_incus_container_remote {{ '}}' }}"
+    ansible_incus_project: "{{ '{{' }} ansible_incus_vm_project if ansible_incus_vm_project else ansible_incus_project {{ '}}' }}"
 {% endif %}