- Features
- server✨ allow role dependencies to be roles on the router
Bug Fixes
- install🐛 default to installing and syncing the bsl source
- install🐛 refresh the PATH in the current PowerShell session when installing ludus client on windows
- server🐛 don't default router min ram if ram is defined but min ram isn't
- server🐛 correct error messages when range configs use roles the user does not have access to
- server🐛 better handling for user defined role resolution when router object is not defined
Refactor
- server🔨 use logger for sources logging
Documentation
- 📚 add minimum package age in light of JavaScript supply chain attacks
- 📚 update GOAD env guide to use the BSL source method
- Release notes
Ludus 2.2.0: Sources
Add blueprints, templates, and roles/collections from trusted sources to your Ludus host — shipping with native GOAD, a no-Defender Windows 11 template, and every Bad Sector Labs template and role pre-installed.
Suibhne Ó Foighil
Features
- sources✨ Sources feature to easily share blueprints, templates, and roles
- sources✨ Improve ansible collection management (you can `rm` now!)
Bug Fixes
- client🐛 Fix update scope to allow for 2.x updates
- server🐛 don't leak file handles in the touch function
- server🐛 protect the SSO OAuth endpoint from being proxied
- server🐛 properly clean up template dir if no template name could be extracted
- server🐛 resolve router vm_name and hostname before validation
- server🐛 don't return early when template add --force is used and remove template
- server🐛 use new hack to hide dynamic wallpaper powershell console window that works on windows 10 and 11
- server🐛 Unify installed-ansible detection in one scan
- server🐛 more robust time sync after domain join
Refactor
- server🔨 validate vm_name and hostname in range configs to be valid hostnames
- server🔨 use safer ansible command calling to prevent command injection
Documentation
- 📚 Add sources documentation
- 📚 Document global scope and removal for collections
Testing
- sources🚨 Cover vendored deps and scope detection in CI
Miscellaneous Tasks
- 🤖 Rewrite CI to use parallel tasks across multiple VMs
- 🤖 Rewrite CI setup to create parallel templates and cluster VMs for testing automatically
- Features
- install✨ remove data pool and format options on Debian installs (installer sets); add admin password confirmation
- ✨ Make server ports configurable via config.yml
- ✨ Add optional more detailed range list/status output
Bug Fixes
- server🐛 only consider *pkr.hcl and *pkr.json files in template directories
- install🐛 print credentials on successful install (existing proxmox)
- 🐛 fix variable overlap that caused wrong WireGuard port to be used during install
- 🐛 start ludus-admin service after install complete to not overwrite initial admin user in Wireguard. Also don't overwrite wg0.conf if it exists
- 🐛 enhance ludus-install-status script to wait for root API key and initial admin user creation
- 🐛 update access restrictions for PocketBase endpoints to include /admin path
- 🐛 sequence service startup correctly to prevent database locking and overwrites
- Features
- install✨ Enumerate datastores on existing Proxmox hosts
- install✨ remove data pool and format options on Debian installs (installer sets); add admin password confirmation
- ✨ Make server ports configurable via config.yml
- ✨ add inactivity shutdown for idle ranges (enterprise)
- ✨ add --browser-data flag to antisandbox enable (enterprise)
Bug Fixes
- server🐛 only consider *pkr.hcl and *pkr.json files in template directories
Other
- 📦 fix entitlement constraint application for plugin binaries
- Features
- server✨ Add log history for range deploys and template builds (`--history` and `--id` to `ludus range logs` and `ludus template logs`)
- server✨ add per-user resource quota enforcement (enterprise)
Bug Fixes
- api🐛 scope abort, etc-hosts, and RDP to range instead of user
- install🐛 auto-detect boot disk in grub-pc rescue
Documentation
- 📚 add usage section to MCP server docs
- 📚 expand MCP page to cover skills and combined usage
- 📚 fix typo in proxmox roles commands
- 📚 update description of wireguard_vlan_default to show default is REJECT
- Features
- api✨ add GET /api/v2/openapi endpoint for MCP spec discovery
Bug Fixes
- api🐛 re-buffer request body before admin proxy to prevent body doubling
- server🐛 don't allow users to config VMs with the same IP as the subnet router
- server🐛 use user uploaded or ACME certs before self signed proxmox certs for Ludus API/web UI
- server🐛 only strip known extensions from uploaded ansible role files, to preserve namespace.rolename structure
Documentation
- 📚 add MCP server documentation
- 📚 fast track agent PRs 😉
- 📚 update docs to reflect current install status output
Styling
- server💄 print actual error on failed user delete
- install💄 tweak install status output format
Miscellaneous Tasks
- templates🧹 bump kali version to 2026.1
- Bug Fixes
- server🐛 handle powered off routers during range sharing with better error message; add tests to CI
- server🐛 only update packer plugin if proxmox version > 9.1
- install🐛 show admin API key in ludus-install-status
- server🐛 do not error when sharing a range that has never been deployed (access will be granted upon deploy correctly)
- Features
- server✨ allow comma separated ports in network rules
- server✨ TPM enabled templates now default to the disk format of the first disk of the VM which allows snapshots for qcow2 on dir setups (default for ludus)
Bug Fixes
- cluster🐛 fix early return that prevented ACLs from being applied correctly to new range resource pools only in cluster mode
- server🐛 do not require the acting user to have a default range for user rm action
- server🐛 default office_arch value to '64bit' to allow office_version to be specified without an office_arch
Documentation
- 📚 update cli docs
- 📚 add pocketbase logs section
Miscellaneous Tasks
- cluster🤖 fix cluster ACL check
- 🤖 fix escaping on iptables checks for integration test
- Features
- server✨ don't require all `defaults` to be defined in a range config
Bug Fixes
- server🐛 cluster fix sdn-routes to use replace vs add to not fail if route exists
- server🐛 handle deleted default ranges with grace and verbose helpful errors
Documentation
- 📚 fix link to sso page
- 📚 update cluster migration docs
- 📚 fix link to templates page
- Features
- server✨ allow users to specify VMIDs for power actions
Bug Fixes
- server🐛 better unique value enforcement for ranges
- server🐛 make sure the data directory is accessible to the ludus user
- client🐛 better error handling
- windows🐛 add ACLs to C:\ludus
- server🐛 adjust protection of c:\ludus
- server🐛 fix c:\ludus protections 2
- api,client🐛 auto-reassign default range when current default is deleted
Refactor
- server🔨 update snapshot management to use default router name variable
- install🔨 change install to better display errors and use API to get creds vs file read
Documentation
- server📚 better error message for edge reinstall edge cases
- 📚 update cluster documentation to reflect reality of default, not top level key for range target_node
- 📚 document default wireguard firewall behavior change
- [**breaking**] 📚 add docs for creating an admin user with root api key
- Features
- ✨ add template OS detection to template status endpoint
Bug Fixes
- server🐛 fix issue deleting a range with VMs deployed in it
- server🐛 fix issue saving allowed ips and domains in testing mode
- server🐛 fix potential race when destroying a range with VMs
- install🐛 validate that initial admin user does not exist on system during form
- server🐛 quote password during user creation to prevent issues with special chars
- server🐛 allow roles on the router for pro users
- server🐛 fix nexus cache deployment
- server🐛 fix entitlement check when entitlements are empty
- server🐛 fix issue downloading plugins due to path concatenation logic bug
- server🐛 allow 4TB role uploads instead of 38MB
- client🐛 properly handle 413 errors
Other
- 📦 allow specifying version in dev script
Documentation
- 📚 add GOAD DRACARYS and update GOAD docs
- 📚 add API changes to the 1->2 docs page
- 📚 correct the api spec to reflect reality
- 📚 update template troubleshooting steps to be more complete
- 📚 add role catalog documentation
- 📚 fix duplicate category specification
Miscellaneous Tasks
- 🤖 add test for deleting a range with VMs deployed
- Bug Fixes
- server🐛 ignore stderr from ansible-galaxy sub-commands that caused JSON parsing errors on systems with warnings or errors in their ansible setups
- server[**breaking**] 🐛 change wireguard_vlan_default to REJECT and always REJECT VM traffic to Ludus host IP
- server🐛 use the impersonated user's default range if no range is specified in the request when impersonating a user (restores 1.x functionality)
- server🐛 fix user impersonation null error
Refactor
- server🔨 move off deprecated GetFile to GetReader for blueprints
Documentation
- 📚 fix debug env variable setting commands
- 📚 update set-environement command for pocketbase
- 📚 add more steps to existing cluster upgrade
- Bug Fixes
- server🐛 truncate netbios names to 15 characters when creating AD domains
- server🐛 fix issue with deployments on powered-off ranges; users can now deploy a range from a powered off state and it will work
- server🐛 don't fail when delete default range is selected but the default range does not exist during user delete
- server🐛 properly handle blueprints when a user is deleted; make any owned blueprints owned by ROOT and remove user from shared blueprints before deleting
- install🐛 fix blueprint migration error check
- server🐛 fix router availability check
- server🐛 fix router availability check
- server🐛 fix missing user db field for onboarding tracking
Refactor
- server🔨 remove slog, use logger
Documentation
- 📚 add note about ludus_admin group membership for user promotion
- 📚 use new API docs
- 📚 update docs
- 📚 fix redirects for new doc layout
Styling
- server💄 make error for cluster mode check less scary
Miscellaneous Tasks
- 🤖 run cluster tests for any start-at tags
- 🤖 increase cluster install timeout
- 🤖 move to self-hosted keygen for plugins
- 🤖 fix release creation, specify package uuids
- 🤖 allow untag of latest to fail
- Bug Fixes
- install🐛 fix windows install-client.ps1 to only install completions once to the profile
- server🐛 fix vm_names with equal prefix colliding during selection in deployment
Documentation
- 📚 update docs to reflect Debian 13/Proxmox 9 support
- 📚 fix capitalization on LeHack 2025 commands
- 📚 add ghostwriter role to docs
- 📚 fix link from proxmox page to create user page
- 📚 add new roles for Splunk Universal Forwarder, Splunk Enterprise, and Zeek
- 📚 remove interactive PC builder due to price volatility
- 📚 update roles page to add ludus_win_privesc and fix ghostwriter typo
- 📚 add Ludus 2 (beta) docs
- 📚 update cluster docs; add SSO docs; add pocketbase docs; clean up docs
Styling
- templates💄 fix Ubuntu spelling in template descriptions
Miscellaneous Tasks
- templates🧹 update debian13 URL and checksum
- Bug Fixes
- templates: Disable KasmVNC blacklist to fix remote access; bump kasmvnc release to latest
- templates🐛 update kali to 2025.3; change kali mirror to cloudflare
Documentation
- 📚 update docs to reflect Debian 13/Proxmox 9 support
- 📚 update Shadow Steps env guide
- 📚 add wsus roles to roles page
- 📚 add template troubleshooting page
- 📚 update template wording to reflect proxmox terms; datastore -> pool
- 📚 add vectr roles and netbox role
- 📚 add nemisis role
- 📚 TPM snapshots are now supported for qcow2 in PVE 9.1
- 📚 add brmkit.ludus_guacamole role to roles page
- 📚 fix debian typos
Styling
- 💄 fix debian typo
Miscellaneous Tasks
- templates🧹 update debian13 url and checksum
- Bug Fixes
- install🐛 timeout after 5 seconds for tty bonce and ignore errors to keep install moving along
- server🐛 force `access_grants_array` to be an empty array if none
Documentation
- 📚 update docs to reflect Debian 13/Proxmox 9 support
Styling
- client💄 use better language to describe power commands
Miscellaneous Tasks
- templates🧹 update template URLs for windows 2012r2 and ubuntu 24.04 server
- Features
- server✨ official Debian 13/Proxmox 9 support
- templates✨ add Debian 13 template
- client✨ allow setting the Product string for anti-sandbox
Bug Fixes
- install🐛 on existing proxmox, always try to enable the NAT interface in the event the installer is run more than once
- install🐛 fix bash completion during install or upgrade
- install🐛 add passlib python package to enable user creation for flare vm template
- server🐛 make additional DC deployments more resilient
Refactor
- server🔨 add RunWithOutput function required by plugins
- server🔨 Handle older OSes such as Windows 7
Documentation
- 📚 update install docs to include git
- 📚 add python3-debian to requirements before install
- 📚 update CI docs with manual VM setup commands
- 📚 document changes to pveproxy to overcome API timeouts
Performance
- server⚡ decrease dnsmasq lease time to 5m and set timeout to 30s for proxmox API calls
- server⚡ update dynamic inventory for slow API responses
- server⚡ add leaky bucket algo to license checks
- server⚡ use exponential backoff for service restarts
Styling
- server💄 clean up extra spaces
Miscellaneous Tasks
- 🤖 update CI for Debian 13
- Features
- install✨ support Debian 13/Proxmox 9 during install [UNTESTED]
Bug Fixes
- install🐛 fix bash completion install check as root on machines without the pkg-config command
- install🐛 allow pip installs no matter the python version
- server🐛 fix issue with when clause on zip command for RDP files
- server🐛 fix bug that prevented access grant/revoke from taking effect immediately
Documentation
- 📚 fix typo in lehack snapshot command
- 📚 add ASR and MDI roles
- 📚 fix link to config from networking page
- 📚 add ludus-impersonator.sh link
- 📚 add ludus_badblood and ludus_adtimeline_syncthing to roles page
Miscellaneous Tasks
- 🤖 allow a retry for template build kickoff
- Features
- server✨ add iptables_commands to router key to allow users to run arbitrary iptables commands at the end of each firewall deploy
- install✨ use the host's first non-local DNS server as upstream for DNS in vmbr100; default to 1.1.1.1 if no non-local DNS is found
- server✨ allow users to be added to Ludus hosts that don't have an internet connection
Bug Fixes
- server🐛 only try to zip RDP files if RDP files exist
- client🐛 only write to a file when success, otherwise print errors
- server🐛 default dynamic wallpaper vars to true for older range configs
- install🐛 install the BSL fork of the proxmox packer plugin during ludus install
- install🐛 fix blank proxmox web ui after install
- install🐛 fix permissions for network access to allow new windows templates to build
Refactor
- templates🔨 update windows templates to modern packer standards
- server🔨 The feature ansible.windows.win_domain_membership has been deprecated
Documentation
- 📚 add steps for troubleshooting range access grant issues
- 📚 document the fix for a blank proxmox web ui
- 📚 update ansible role developer page
- 📚 update help message for --limit to reflect not needing localhost
- 📚 Added ludus_sliver and ludus_redirector to the roles doc page
- Bug Fixes
- server🐛 fix AccessNetwork role check to allow direct ISO downloads to PVE for all ludus users
- antisandbox: 🐛 Fix issue with unquoted vendor string causing VMs to fail to boot after anti-sandbox enable
Documentation
- templates📚 update tpm template READMEs to reflect their support in Ludus >= 1.9.7
- 📚 specify that custom templates require the qemu guest agent
Miscellaneous Tasks
- 🧹 ignore .ansible directories
Features
- antisandbox: ✨ Add Windows 11 24H2 LTSC antisandbox template
- Features
- server✨ add yaml-language-server to example/default range config and documentation
- server✨ switch to our fork of the packer proxmox plugin which supports tpm and cpu type
- client✨ tune non-verbose log output for templates to show the download of isos when iso_download_pve is set to true
- server✨ block any range VM from accessing the host by default
- server✨ only expose the current range's pool of VMs to ansible
- client✨ add --all option to `ludus range inventory` command if the user wants a full inventory of all VMs they have access to (admins)
- antisandbox: ✨ Improve antisandbox evasion with additional tweaks (registry) as well as more comprehensive CPU changes, and better hardware naming to appear more realistic
Bug Fixes
- server🐛 create empty log on user creation to prevent range log errors before a deployment for a new user
- server🐛 prevent admin users from removing VMs of other ranges if the VMs have the same name as the VM(s) in the range the admin is removing
- templates🐛 fix tpm templates to work with custom proxmox plugin
Refactor
- server🔨 change default range config to use office 2021 and choco packages instead of install_additional_tools
Documentation
- 📚 update BarbHack env guide; update snapshot wording for other env guides
- 📚 fix Barbhack Kali IP
Styling
- server💄 when setting a password via ludus, make it clear that this does not change the password in proxmox
Miscellaneous Tasks
- 🤖 use office 2021 as the 2019 installer is no longer working on unpatched win11 22h2
- Bug Fixes
- server🐛 fix Ludus share setup
- server🐛 add anon_share_access GPO to available GPOs
- server🐛 fix bug when an action is taken as root for a user a file could be owned by root if it did not exist previously
- server🐛 fix bug creating RDP files on ranges without domains defined
- server🐛 fix permission issue that prevented users from seeing the summary page of the host
- server🐛 fix issue with CentOS and Ubuntu 20.04 getting a static IP
- server🐛 update Kali to 2025.1c since they lost their apt signing key
- server🐛 better failed_when detection for AdGuardHome install
- server🐛 fix issue with Almalinux getting a static IP
- server🐛 fix issue that caused GPOs specified in the config to not get applied correctly
Refactor
- server🔨 remove install_additional_tools from default range and config example as users should specify their own choco packages explicitly
- server🔨 fix formatting for almalinux group_vars file
Documentation
- 📚 fix typo in anon_share_access gpo
- 📚 add file share page
- 📚 update network diagram
- 📚 Fix link for cicd
- 📚 update GOAD docs to use the --user flag when snapshotting ranges
- 📚 remove old doc page for SANS
- 📚 add KMS docs
- 📚 add Splunk attack range env guide
- 📚 update anti-sandbox page with new features and tip for older CPUs to avoid BSOD
Features
- antisandbox: ✨ updated custom QEMU package to 9.2.0-5
- antisandbox: ✨ allow users to set custom CPU types
- antisandbox: ✨ allow users to set custom SystemBiosVersion string
- antisandbox: ✨ allow users to set vendors other than Dell (HP, Lenovo, IBM, Google)
- antisandbox: ✨ allow users to persist CPU and SystemBiosVersion changes across reboots
- antisandbox: ✨ changed SMBIOS values (type 3 and 4) to get rid of even more QEMU strings
- Bug Fixes
- client🐛 fix issue with cli uploading the config during edit if the editor forks
- server🐛 if autologon_user is defined but does not exist in AD, use the default DA account to query the Domain Users SID for multilingual support
- server🐛 merge in fallback IP change method for older/slower hardware (extra VM reboot required) (thanks @esp0xdeadbeef!)
Documentation
- 📚 add kms details to networking docs
- 📚 add link to flare troubleshooting on the malware lab page
- 📚 merged in flare troubleshooting page
- Features
- client✨ add KMS commands
- server✨ add license to version output
Bug Fixes
- client🐛 fix anti-sandbox endpoint
- server🐛 only append one templates worth of debug logs if a build fails and the user requested verbose logs
- client🐛 fix snapshot rm with userID arg
- server🐛 make sure files written during ansible execution are owned by ludus when run as root
- installer🐛 validate that the proxmox node does not contain spaces or dots
- server🐛 fix issue getting latest office installer version
Documentation
- 📚 add pc builder to bare metal page
- 📚 update docs for SANS environment
- 📚 update GOAD docs to use the --user flag when snapshotting ranges
- 📚 remove old doc page for SANS
- 📚 add KMS docs
- 📚 add Splunk attack range env guide
Styling
- server💄 fix task name
- server💄 set license message for community license
- server💄 change license message on server
- Features
- server✨ allow users to control traffic to/from the WireGuard subnet with network rules
- server✨ refuse to overwrite existing PAM users during Ludus user creation
- server✨ allow users to specify packages to install on linux machines
Bug Fixes
- server🐛 make the RDP user group addition during domain-join multilingual
- installer🐛 disable ipv6 since GitHub doesn't support it (and we pull packages from GitHub during install)
- server🐛 fix issue with multilingual domain users sid resolution
Documentation
- 📚 add mythic role to roles page
- 📚 update google cloud page to reflect new install and node name changes
- 📚 update bare metal docs with 128GB ram link and sheet link
Performance
- server⚡ don't refresh inventory unless a vm has been cloned
Miscellaneous Tasks
- 🧹 add repomix config and bundle files
- Features
- client✨ allow LUDUS_EDITOR env var to specify the editor to use for range config edits
- server✨ add disable_defender GPO
- server✨ leave telemetry enabled by default
- server✨ disable first run popups on Chrome and Edge
- server✨ force an OS (windows, linux, or macOS) key for each VM during config validation
- server,client✨ add snapshot API endpoints (list, create, rollback, and remove) and CLI commands to allow the management of arbitrary snapshots for VMs
Bug Fixes
- server🐛 don't allow users to specify deploy tags that don't exist
- server🐛 Don't allow the ROOT API Key to be used for ansible actions
Documentation
- 📚 add note about putting manually built templates in the SHARED pool
Performance
- server⚡ set the winrm timeout to 900 for slower CPUs
- Features
- server✨ don't block any DNS requests by default (lists are still present, just not enabled)
- antisandbox: ✨ hold apt packages after custom install
- antisandbox: ✨ don't allow users to enable on other user's ranges without impersonation
Bug Fixes
- client🐛 allow users to update the client binary without an API key
- server🐛 prevent users from deleting core ansible roles that ludus uses
- server🐛 add missing collection in requirements for share creation
- server🐛 better automatic ipv6 detection and warning for outbound WireGuard configs
Documentation
- 📚 update tags docs
- 📚 update defaults for example antisandbox config
Performance
- server⚡ set Windows DNS cache to 2 seconds
Styling
- client💄 better choco error message
- Features
- server✨ add a SMB share at 192.0.2.3 that hosts two shares, readonlyshare and readwriteshare
- server✨ create RDP files for user specified autologon users
- server✨ enable network sharing for windows VMs
Bug Fixes
- client🐛 fix external editor temp path on Windows
- server🐛 fix issue getting router to action during range access operations
Documentation
- 📚 add juiceshop role to roles page
- 📚 improve building from source docs
- 📚 improve updating docs
- 📚 add tags docs
- Features
- templates✨ add ubuntu 24.04 server template
- client✨ provide a helpful error when choco hashes don't match
- server✨ allow range numbers to be reserved and not used via a config setting
- server✨ allow users to disable dynamic wallpaper on windows with `defaults.enable_dynamic_wallpaper: false`
Bug Fixes
- templates🐛 fix ubuntu 24.04 desktop url
- install🐛 don't tell the user the install will reboot the box if it is an existing proxmox install
- server🐛 fix rare bug with secondary-dc deployment
- server🐛 make sure vm objects have a template and name before casting them
- server🐛 fix access grant error if source user had a custom router name
Refactor
- server🔨 better handling of existing plugins
Documentation
- 📚 add enterprise documentation
- 📚 update anti-sandbox docs
- 📚 add note about impersonation to GOAD docs
- 📚 fix spacing on roles header
- 📚 document the enable_dynamic_wallpaper option
Testing
- 🚨 add required items to defaults for integration test
- Features
- server✨ add force_ip boolean config option for VMs without qemu-guest-agent
- server✨ add support for autologon_user and autologon_password in the range config
- server✨ add arg that skips all dep checking for speed during dev testing
- server✨ don't require localhost in the --limit option for a deploy (add it automatically)
- client✨ save config in case edits are rejected by server; allow changes to be used as a starting point
- client✨ throw a verbose error if a template build fails due to missing ansible role
- client✨ add 'range config edit' command
Bug Fixes
- install🐛 don't fail if install can't get interface names
- templates🐛 update debian 10 URL and hash
- server🐛 fix issue with older ubuntu when setting static ip
Performance
- templates⚡ add ngen tasks to improve windows template first boot performance
Documentation
- 📚 add more roles to roles directory
- 📚 add instructions to restart the ludus server to pick up config changes
- 📚 update API docs
Miscellaneous Tasks
- 🤖 add force_ip and autologon values to integration test
- 📦 add dev scripts to easily build all of Ludus for local testing
- 📦 update dependencies
- Features
- server✨ add force_ip boolean config option for VMs without qemu-guest-agent
Bug Fixes
- templates🐛 fix links for Windows 2016 and 2019 templates
- client🐛 fix client update on Windows
- templates🐛 update win10 enterprise template to 22h2 as 21h1 is no longer available from official sources
- server🐛 refuse to do power operations if the ROOT API key is being used
- server🐛 fix access actions if defaults are defined
- install🐛 restart dnsmasq on proxmox install to resolve issues with DHCP
- server🐛 don't require outbound_wireguard_vlans for outbound wireguard actions
Documentation
- 📚 simplify wireguard command
- 📚 add detail around manually created templates
- 📚 fix configuration link
- Bug Fixes
- server🐛 fix plugin paths
Refactor
- server🔨 expose GetProxmoxClientForUser for plugins
Performance
- server⚡ make the API 100x faster by lowering the bcrypt hash cost without sacrificing security (newly created Ludus users only)
- server⚡ use SQLite3 Shared cache and WAL mode
Miscellaneous Tasks
- 🧹 update dependencies
- Bug Fixes
- server🐛 fix a bug in the pre 1.4.0 compatibility layer for the router that prevented upgrades when a range was not in testing mode
- install🐛 wait up to 10 seconds for the root api key to be generated before trying to print it while tailing the final logs (avoid race condition)
- installer script🐛 fix version identification crash in windows powershell client installer
- range-management🐛 make domain joining user add to RDU group multilingual
Refactor
- 🔨 use correct syntax for variables in plays during ludus install
Documentation
- 📚 add bagelByt3s.ludus_adfs to roles page
Miscellaneous Tasks
- templates🧹 bump kali to 2024.4
- Features
- server✨ make windows domain groups support any language
Refactor
- server🔨 allow community plugins for standard and admin server; only run enterprise plugin for standard server
Miscellaneous Tasks
- 🤖 fix enterprise keygen uploads
- 🤖 fix enterprise plugin building for binary compatibility with server
Revert
- ci⏪ enable additional tools now that chrome MSI is fixed by Google
- Features
- client✨ add self-update command
- server✨ automate enterprise plugin download/activation
Bug Fixes
- installer🐛 fix command not found error if pkg-config is not installed
- templates🐛 fix Kali python-apt bug
Documentation
- 📚 document the lack of support for advanced nic configs
- 📚 update docs to reflect the deny-by-default testing mode
Miscellaneous Tasks
- 🤖 Don't upload the ludus-server to keygen since we don't have self-updates for the server
- 🤖 build enterprise plugin when a tag is created
- Features
- server✨ allow users to expose admin API globally via config
- client✨ check if there is an API key set via env when running the api key command to prevent user confusion
- client✨ add taskoutput command to client
Bug Fixes
- server🐛 fix issue with role depends_on not being used
- 🐛 don't update windows DNS if machine is domain joined (GOAD fix)
- 🐛 use win_shell vs win_powershell as win_shell sets stdout on the registered variable
- 🐛 fix bash-completion sourcing error
- 🐛 make removing a user more idempotent
Documentation
- 📚 update docs (minor fixes)
- 📚 update GOAD environment guides
- 📚 fix hyper-v image alignment
Miscellaneous Tasks
- 🤖 googlechrome choco is broken, skip it
- 🤖 add keygen-upload step and update git-cliff
- Features
- ✨ add 'global_role_vars' top level config key to range configs
- ✨ Add support for notifications on range build success/failure
Bug Fixes
- 🐛 remove extra dot net check during choco install
- 🐛 fix multiple IP bug on Ubuntu VMs
- 🐛 fix nexus build issue by pinning version to working version
Miscellaneous Tasks
- 🧹 bump kasmvnc to latest on kali template
Build
- 📦 build server with CGO so it can load plugins
- Bug Fixes
- 🐛 don't allow user ID of '0' as proxmox doesn't correctly create a pool called '0'
- 🐛 update .NET framework to 4.8 when necessary to satisfy chocolatey 2.0 requirements (thanks @coffeegist!)
- 🐛 Clean up .NET install before chocolatey if .NET does not exist or is too old
- 🐛 fix kali to use vda vs sda with new scsi controller for better disk speeds
Documentation
- 📚 update links to use .md (prevent 404s), update deps
Features
- ✨ add Ubuntu 24.04 Desktop template
Miscellaneous Tasks
- 🧹 bump Go dependencies
Performance
- ⚡ update templates to use virtio type drives for speed improvements
Styling
- 💄 add logo to backgrounds
- 💄 fix machine domain entry in backgrounds to show full DNS name of domain
Build
- 📦 build client without CGO to prevent glibc issues on older Linux OSs
- Bug Fixes
- 🐛 update ubuntu 22.04 url and checksum
- 🐛 set env vars on Proxmox installs where they are not set to prevent issues with network detection
- 🐛 check that the template object is not nil (half created templates?) before casting to prevent crash
- 🐛 pin packer plugin versions to prevent upstream bugs from breaking Ludus
Documentation
- 📚 add NetExec lab env guide
- 📚 documentation updates to improve the new user experience
- 📚 add tailscale and velociraptor community roles
- 📚 update baremetal page to reflect the K8 being gone
Features
- ✨ add install script for Windows
- ✨ add plugin support to Ludus server to support a unified open-core codebase
Styling
- 💄 Add message about the time it takes to add a user when creating a user
- Bug Fixes
- 🐛 fix issues with zsh in the install script
- 🐛 default to accepting self-signed proxmox cert during install
- 🐛 fix --only-roles (broke during 1.5.0 changes)
Documentation
- 📚 update docs for new installer/local client (1.5.0)
Features
- ✨ add win2019 no security updates template
- ✨ increase timeout for win2019 with security updates
- ✨ output full error message when unable to log into proxmox
- ✨ log to ansible log when validating the range config to give users full details
Miscellaneous Tasks
- 🧹 bump kasmvnc version for kali
- Features
- ✨ new interactive installer
- ✨ depends_on for roles
- ✨ global roles
- ✨ add install script
- ✨ add 32 bit ARM linux client and checksum file to releases
- ✨ allow users to run the client completions arg without an API key
Bug Fixes
- 🐛 update jdk dependency for Nexus cache to work with latest Nexus release
- 🐛 tell the user there will be no logs in parallel mode when building multiple templates
- 🐛 fix datastore permissions for existing proxmox installs
- 🐛 allow completions to work without API key
Documentation
- 📚 add outbound WireGuard documentation
- 📚 add enterprise configuration tab to configuration page
- 📚 document depends_on for roles
Miscellaneous Tasks
- 🧹 update Kali to 2024.2
Performance
- ⚡ change default upstream DNS over HTTPS to 1.1.1.1 to prevent the need to bootstrap with regular DNS
Refactor
- 🔨 update stress-test script to not re-deploy ranges if run more than once
Styling
- 💄 capitalize testing API responses
- 💄 fix ansible-lint issues
Documentation
- 📚 update packet capture documentation
- 📚 update docusaurus
- 📚 add VC++ tasks to fix errors with SCCM install in GOAD (thanks @zeroone1337)
Features
- ✨ add -v flag to 'templates log' command and don't print debug messages by default
Styling
- 💄 change wording of office install check to prevent users from thinking there was a failure during the check
- 💄 add 'Build complete!' message to the end of the packer log
Bug Fixes
- 🐛 default action_ips to a blank array to handle the case where all VMs are set to be blocked from the internet
- 🐛 make sure the ansible log file is owned by the calling user, not root, during user actions
Documentation
- 📚 add SCCM env guide
- 📚 add option to use host machine to setup Nexus cache
- 📚 add warning about the time it takes to build flare/remnux in the malware lab
Miscellaneous Tasks
- 🧹 update rocky 8 URL and hash
Bug Fixes
- 🐛 fix edge case where firewall service detection could throw an ansible error
- 🐛 fix typo in roles page (@brimston3)
- 🐛 fix commando and flare templates to allow for user defined datastores
- 🐛 allow client to specify users when running power commands
- 🐛 fix win11-23h2 template to use the user specified proxmox_storage_pool vs hardcoded local
- 🐛 add 4 hour timeouts to flare, commando, and remnux templates for slower machines
Features
- ✨ regenerate SSH host keys for all Linux templates on first boot
Features
- ✨ allow users to define `always_blocked_networks` in their config to protect LAN or other networks
- ✨ allow users to define the timezone for all VMs in their range
Bug Fixes
- 🐛 correctly clean up range access grants when deleting a user
- 🐛 allow 'all' as a vlan_dst in the range config network rules
- 🐛 remove existing access grants for a deleted user to prevent unintended access when the range number is re-assigned
- 🐛 fix bug that prevented the ability to impersonate other users when running testing allow/deny commands
- 🐛 fix issue where range list all would return a stale, incorrect number of VMs for users
- 🐛 fix bug that prevented the ability to impersonate other user when running testing status
- 🐛 fix issue with access_grants_array being NoneType and causing a template error with ansible
Documentation
- 📚 fix bloodhound spelling on roles page
- 📚 More specific requirements (passmark score)
- 📚 link to proxmox page from install
- 📚 include dnsmasq in network troubleshooting
- 📚 increase width of docs content, for the configuration page make the width of content 100%
- 📚 update security docs
Refactor
- 🔨 refactor bginfo task to use ansible vs powershell
- 🔨 change router firewall to default drop traffic, total refactor of how testing mode works
Styling
- 💄 change RANGE NUMBER to RANGE NETWORK in `range list` output which is more useful for users
- 💄 filter debug errors during template builds and replace them with a nice `waiting for the VM to boot` message
Bug Fixes
- 🐛 put the generated config file in the same directory as the ludus binary, not the pwd
- 🐛 ignore empty strings when checking for roles when the user supplies --only-roles
- 🐛 fix checks for if the response had been set already (default status code is 200, not 0)
Documentation
- 📚 update roles page with new exchange role link
- 📚 add ludus_emux role to roles page
Features
- ✨ fail if --only-roles is used and the roles don't exist on the server for the user
- ✨ allow force during range access revoke
- ✨ store range access grant in DB even if router is not accessible
Styling
- 💄 better error message when a deploy is run with an active deployment in progress
Bug Fixes
- 🐛 don't hang up on restarting getty if it takes longer than 5 seconds
- 🐛 Add domainadmin user to Enterprise Admins, Schema Admins, and Group Policy Creator Owners groups
Documentation
- 📚 Update roles pages
- 📚 Add recommended hardware to bare metal page and RAID0 video
- 📚 Fix links on docs pages
- 📚 add link to developer page on role page
Bug Fixes
- 🐛 better defaults for get-firewall-status for windows VMs (again)
Documentation
- 📚 make API documentation more clear for /user endpoint and /user/apikey endpoint
- 📚 Edits to GOAD environment guides for clarity
- 📚 add api-key troubleshooting; add roles docs page; rename quick start and environment guides to remove spaces
Refactor
- 🔨 check that firewall_service_running is defined before checking its boolean state
- 🔨 move golang dep only used for CI to ci script
Styling
- 💄 fix typo in RDP help message
Bug Fixes
- 🐛 check for ansible path vs english error message to support other languages
- 🐛 use user defined datastore for EFI disk on Windows 11 template
- 🐛 don't set a default iso_storage_pool for Windows 11 template as it is not overwritten by env var
- 🐛 check that the firewall service is running before adding rules to the firewall on windows
- 🐛 allow config set force value to be unset without an error
Documentation
- 📚 add malware lab env guide
- 📚 add step to ensure WireGuard port is open in Azure
- 📚 add update tip for GOAD SCCM env guide
Features
- ✨ add commando-vm template
- ✨ add flare-vm template
- ✨ add remnux template
Performance
- ⚡ ignore time setting errors (command vm/flare vm) on windows machines during testing stop
Refactor
- 🔨 better error handling for failed range creation during user creation
- 🔨 change default ludus nat interface to vmbr1000 to allow users to manually select it in the proxmox interface
- 🔨 add the RangeAccessObject to initial DB create
Styling
- 💄 use FQDNs for ansible tasks
Bug Fixes
- 🐛 allow roles to be installed for other users from local dirs
- 🐛 fix bug that would prevent older ubuntu VMs from deploying due to not having /etc/cloud
Documentation
- 📚 update goad docs to put kali in the same subnet as windows for LLMNR attacks; remove manual goad sccm step now that pull is merged
- 📚 add share to range cli docs
- 📚 add note about instance size to Azure docs
- 📚 remind users they need to actually remember creds when installing operating systems
- 📚 link to bare metal guide in proxmox page
- 📚 link to security page at the end of quickstart
- 📚 add prevent_user_ansible_add to install docs
Features
- ✨ check and fix the ownership of the ludus.db on server start
- ✨ add prompt to `user apikey` command to prevent accidental apikey resets
- ✨ add Ubuntu 20.04 template
Performance
- ⚡ force VMs to be removed during range rm
Styling
- 💄 better error messages for DB permissions failures
Bug Fixes
- 🐛 persist iptables rules after access action
- 🐛 prevent the ludus-admin server from any actions besides user actions
Documentation
- 📚 add wifi warning to install step
- 📚 make sure all roles are owned by ludus before updating them
- 📚 add network troubleshooting docs page
- 📚 add /range/access endpoint to api documentation
- 📚 add sharing doc page; add ansible testing to ansible page; style prompts
- 📚 update SSH access firewall rule to un-hardcode range second octet
- 📚 fix styling in code samples
Bug Fixes
- 🐛 allow for configs where no VMs have internet blocked during testing
- 🐛 fix error rearming windows VMs with < 30 days remaining
- 🐛 make sure SSH is installed during Ludus install
- 🐛 respect the setJSON flag in isAdmin
- 🐛 fix race condition when removing a range that would cause incomplete removal
Documentation
- 📚 add updating docs
- 📚 add Elastic guide
- 📚 add powershell to Hyper-V docs to enable virt support
- 📚 add GOAD SCCM env guide
- 📚 add info about SSH access to security documentation
Features
- ✨ add --limit option to range deploy command
- ✨ add --only-roles option to range deploy command
- ✨ validate that Windows hostnames (first 15 chars) are unique to prevent issues with AD
- ✨ allow balloon RAM size to be a float (not exposed to users via config)
- ✨ allow admins to disable ansible role/collection add ability by standard users
- ✨ allow admins to share ranges between users via the cli/API
Miscellaneous Tasks
- 🤖 allow retry on server update during ci
- 🧹 bump all deps to current versions
- 🧹 move from community.windows to microsoft.ad for AD tasks
Performance
- ⚡ attempt to skip inventory refresh if VM is not deployed
- ⚡ change the router to be 2 core and .5/2GB RAM (balloon)
Refactor
- 🔨 create the LUDUS_DEFAULTS chain in separate task
- 🔨 new users get the lowest available range number
Styling
- 💄 modify help message of user add to reflect actual limits of userid
- 💄 use ansible FQDNs in configure-router
- 💄 capitalize results and errors from testing API endpoints
Testing
- 🚨 add stress testing script and config
Bug Fixes
- 🐛 use OS agnostic path separator to support template uploads on windows
Documentation
- 📚 update GOAD guide and user creation warning
- 📚 update ADCS guide with ansible-galaxy instructions
- 📚 add discord link
- 📚 add DNS tip for GOAD setup
- 📚 fix issue with ADCS role install
Miscellaneous Tasks
- 🧹 fix typo in testing error message when config IPs don't match inventory
Features
- ✨ support installing Ludus on existing proxmox installations
- ✨ add 'ludus_nat_interface' to ludus config.yml to support existing proxmox installs
Bug Fixes
- 🐛 fix kali install issue with dpkg/GRUB
- 🐛 fix panic on nil conversion of VM properties during `range list`
- 🐛 fix config schema not accepting ranges of ip_last_octets in network rules
- 🐛 increase timeout values for winrm for slower systems
Miscellaneous Tasks
- 🧹 remove ntp during setup now that chrony is installed
- 🤖 add 'start-at' tags to CI
- 🤖 force time sync at start of all ci jobs
- 🤖 add integration test to CI
Refactor
- 🔨 move the CLI's VM unreachable detection code to utils and run it during 'range errors'
Bug Fixes
- 🐛 delete built system templates when the user asks to rm them (but keep template files)
- 🐛 small fixes with testing mode, longer timeout for VS install
- 🐛 template name uniqueness is now enforced; non-admins cannot delete other users' templates
- 🐛 allow users to overwrite their own templates (was broken due to duplicate name checks)
Documentation
- 📚 fix links in README
- 📚 server manual build wording change
- 📚 specify the need to have .pkr. as part of packer filenames (may have other json or hcl files that are not the packer file)
Features
- ✨ add 'errors' command and automatic error parsing to CLI
- ✨ client now checks if the template path is a directory; fix long help for template rm
Miscellaneous Tasks
- 🤖 add template tests, use the status for power tests vs sleeps
- 🤖 fix user test CI to not change the PW as it's needed...
- 🤖 fix ci user tests and power tests
- 🤖 fix retries in template tests
- 🤖 fix template test
- 🤖 ci fixes for job retries; make testing mode tests more robust
- 🧹 clean up old directories from .gitignore (now unused)
- 🤖 add tests for duplicate template names
- 🤖 add templates tests for force uploading a template that does not belong to the user
Refactor
- 🔨 change the isAdmin check to take a bool to set or not set response JSON
Features
- ✨ allow for meta/version.yml to specify a version of the role for roles added from local directories
- ✨ add -v flag to 'templates log' command and don't print debug messages by default
Bug Fixes
- 🐛 force a time sync on Windows VMs when stopping testing to get past 'time change was to big' error
- 🐛 ignore errors while setting time after testing stop on Windows VMs
- 🐛 allow client to update VMs for other users when --user is specified
Documentation
- 📚 add enterprise configuration tab to configuration page
- 📚 add outbound WireGuard documentation
Styling
- 💄 capitalize testing API responses
- 💄 fix typo in template validation message for range config
Refactor
- 🔨 update stress-test script to not re-deploy ranges if run more than once
Chore
- 🧹 remove legacy code for user SSH keys from pre 1.0