Stack
Challenge server
| Ubuntu 22.04 | base image |
| OpenSSH server | players connect via SSH on port 30022 |
| Linux users | level0 – level5, each with a separate home directory |
| Random passwords | generated fresh on every container start |
| Level scripts | one .sh script per level — challenge files, permissions, hints |
Infrastructure
| Kubernetes (k3s) | single-node cluster on a VPS — always-on challenge deployment |
| nginx | serves the frontend as a baked Docker image |
| Traefik | ingress controller with automatic TLS via Let's Encrypt |
| GitLab CI | builds both images in parallel, deploys to k8s on push to main |
Security
| cap_drop ALL | only required capabilities added back |
| no-new-privileges | processes can't escalate beyond their starting privileges |
| resource limits | 0.5 CPU · 256 MB RAM at the pod level |
| ulimits | per-user: max 30 processes, 50 MB writes, 5 min CPU time |
| egress blocked | NetworkPolicy denies all outbound traffic from the challenge pod |
| read-only files | challenge files owned by root — players can read, not delete |
Frontend
| Vanilla JS | no frameworks |
| HTML / CSS | monospace, dark theme |