dreadnode · l50 · Apr 30, 2026 · Apr 29, 2026 · Apr 30, 2026 · Apr 30, 2026
@@ -30,7 +30,7 @@ env:
   PYTHON_VERSION: 3.13.7
   TASK_VERSION: 3.45.5
   TASK_X_REMOTE_TASKFILES: 1
-  WARPGATE_VERSION: "v4.4.0"
+  WARPGATE_VERSION: "v4.6.0"
 
 jobs:
   discover-templates:

@@ -24,7 +24,7 @@ concurrency:
 env:
   DEBIAN_FRONTEND: noninteractive
   PYTHON_VERSION: "3.13.7"
-  WARPGATE_VERSION: "v4.4.0"
+  WARPGATE_VERSION: "v4.6.0"
 
 jobs:
   detect-changes:

@@ -21,7 +21,7 @@ on:
   workflow_dispatch:
 
 env:
-  WARPGATE_VERSION: "v4.4.0"
+  WARPGATE_VERSION: "v4.6.0"
-  WARPGATE_VERSION: "v4.6.0"
+  WARPGATE_VERSION: "v4.6.0"
+  WARPGATE_SCHEMA_URL: "https://raw.githubusercontent.com/warp-tech/warpgate/v4.6.0/schema/warpgate-template.json"
-  WARPGATE_VERSION: "v4.6.0"
+  WARPGATE_VERSION: "v4.6.0"
+  WARPGATE_SCHEMA_URL: "https://raw.githubusercontent.com/warp-tech/warpgate/v4.6.0/schema/warpgate-template.json"
   PYTHON_VERSION: "3.13.7"
   TASK_VERSION: "3.45.5"
   TASK_X_REMOTE_TASKFILES: 1

@@ -0,0 +1,34 @@
+# ares-golden-azure
+
+Azure variant of the Ares golden image. Builds a Kali Linux image via Azure
+VM Image Builder and publishes a version into the `warpgateTestGallery` Compute
+Gallery, with feature parity against the AWS `ares-golden-image` AMI.
+
+Ships the same red-team toolchain installed by
+`ansible/playbooks/ares/goad_attack_box.yml`:
+
+- recon, credential access, privilege escalation
+- password cracking (hashcat from source, GPU-accelerated)
+- lateral movement, ACL abuse, coercion
+- Alloy telemetry agent
+- NVIDIA driver + CUDA toolkit for T4 GPU acceleration
+
+## Prerequisites
+
+Provisioned manually (one-time):
+
+- Resource group `warpgate-test-rg` in `eastus`
+- Compute Gallery `warpgateTestGallery`
+- Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2,
+  publisher=`dreadnode`, offer=`ares`, sku=`golden`)
+- User-assigned managed identity `warpgate-aib-uami`
+  with Contributor on `warpgate-test-rg`
-Provisioned manually (one-time):
-
- Resource group `warpgate-test-rg` in `eastus`
- Compute Gallery `warpgateTestGallery`
- Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2,
-  publisher=`dreadnode`, offer=`ares`, sku=`golden`)
- User-assigned managed identity `warpgate-aib-uami`
-  with Contributor on `warpgate-test-rg`
+Provisioned manually (one-time). These values match the checked-in
+`warpgate.yaml` and should be kept in sync if the template values change:
+
+- Resource group `WARPGATE-TEST-RG` in `centralus`
+- Compute Gallery `warpgateTestGallery`
+- Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2,
+  publisher=`dreadnode`, offer=`ares`, sku=`golden`)
+- User-assigned managed identity `warpgate-aib-uami`
+  with Contributor on `WARPGATE-TEST-RG`
-Provisioned manually (one-time):
-
- Resource group `warpgate-test-rg` in `eastus`
- Compute Gallery `warpgateTestGallery`
- Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2,
-  publisher=`dreadnode`, offer=`ares`, sku=`golden`)
- User-assigned managed identity `warpgate-aib-uami`
-  with Contributor on `warpgate-test-rg`
+Provisioned manually (one-time). These values match the checked-in
+`warpgate.yaml` and should be kept in sync if the template values change:
+
+- Resource group `WARPGATE-TEST-RG` in `centralus`
+- Compute Gallery `warpgateTestGallery`
+- Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2,
+  publisher=`dreadnode`, offer=`ares`, sku=`golden`)
+- User-assigned managed identity `warpgate-aib-uami`
+  with Contributor on `WARPGATE-TEST-RG`
+- Quota for `Standard_NC4as_T4_v3` in `centralus` (T4 GPU family)
+- Kali Marketplace terms accepted on the subscription:
+  `az vm image terms accept --publisher kali-linux --offer kali --plan kali-2026-1`
+
+## Build
+
+```bash
+warpgate build path/to/ares-golden-azure --target azure
+```
@@ -0,0 +1,104 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/cowdogmoo/warpgate/main/schema/warpgate-template.json
+metadata:
+  name: ares-golden-azure
+  version: 1.0.0
+  description: Azure variant of the Ares golden image with all red team tools - recon, credential access, privesc, cracking, lateral movement, ACL abuse, and coercion
+  author: Dreadnode <info@dreadnode.io>
+  license: MIT
+  tags:
+    - ares
+    - golden-image
+    - azure
+    - red-team
+    - reconnaissance
+    - credential-access
+    - privilege-escalation
+    - password-cracking
+    - lateral-movement
+    - acl
+    - coercion
+  requires:
+    warpgate: '>=1.0.0'
+
+name: ares-golden-azure
+version: latest
+
+base:
+  image: kali-linux/kali/kali-last:latest
-  image: kali-linux/kali/kali-last:latest
+  image: kali-linux/kali/kali-last:latest@sha256:<REPLACE_WITH_VERIFIED_KALI_IMAGE_DIGEST>
-  image: kali-linux/kali/kali-last:latest
+  image: kali-linux/kali/kali-last:latest@sha256:<REPLACE_WITH_VERIFIED_KALI_IMAGE_DIGEST>
+
+provisioners:
+  # Install pipx + Ansible, then fetch the nimbus_range collection on the build VM.
+  # We re-clone in shell rather than using warpgate's `sources` + `type: file`
+  # pattern (see ares-golden-image) because Azure Image Builder expands `type: file`
+  # into one customizer per file and times out on the 2000+ file ansible/ tree.
+  # Token is passed via a credential helper so it never appears in the clone URL
+  # or AIB customizer logs; ref tracks the AMI variant.
+  - type: shell
+    inline:
+      - apt-get update
+      - apt-get install -y --no-install-recommends ca-certificates git procps sudo python3-apt python3-pip python3-venv pipx
+      - 'sed -i ''s|^PATH="|PATH="/root/.local/bin:/root/.cargo/bin:|'' /etc/environment || echo ''PATH="/root/.local/bin:/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'' > /etc/environment'
+      - pipx install --force uv
+      - pipx install --force ansible-core
+      - pipx ensurepath
+      - GITHUB_TOKEN=${GITHUB_TOKEN} git -c 'credential.helper=!f() { echo username=x-access-token; echo password=$GITHUB_TOKEN; }; f' clone --depth 1 --branch feat/more-attack-cov https://github.com/dreadnode/ares.git /tmp/nimbus_range
+      - mkdir -p /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range
+      - cp -r /tmp/nimbus_range/ansible/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/
+      - rm -rf /tmp/nimbus_range
+
+  # Install NVIDIA drivers for GPU-accelerated hashcat on NCas T4 v3 (T4 GPU)
+  - type: shell
+    inline:
+      - apt-get update
+      - apt-get install -y --no-install-recommends nvidia-driver firmware-misc-nonfree
-  # Install NVIDIA drivers for GPU-accelerated hashcat on NCas T4 v3 (T4 GPU)
-  - type: shell
-    inline:
-      - apt-get update
-      - apt-get install -y --no-install-recommends nvidia-driver firmware-misc-nonfree
+  # Probe for NVIDIA tooling during image build; the actual driver/CUDA
+  # installation happens later in a single consolidated step.
+  - type: shell
+    inline:
-  # Install NVIDIA drivers for GPU-accelerated hashcat on NCas T4 v3 (T4 GPU)
-  - type: shell
-    inline:
-      - apt-get update
-      - apt-get install -y --no-install-recommends nvidia-driver firmware-misc-nonfree
+  # Probe for NVIDIA tooling during image build; the actual driver/CUDA
+  # installation happens later in a single consolidated step.
+  - type: shell
+    inline:
+      - nvidia-smi || echo "nvidia-smi not available during image build (expected if no GPU attached)"
+
+  # Attack Box - all red team tools + Alloy telemetry
+  # NOTE: Using shell instead of ansible provisioner because the playbook
+  # exceeds Azure VM Image Builder's customizer length limit when inlined.
+  - type: shell
+    inline:
+      - PATH=/root/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ansible-galaxy collection install -r /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/requirements.yml --force
+      - HOME=/root ANSIBLE_REMOTE_TMP=/tmp/ansible-tmp-$USER PATH=/root/.local/bin:/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ansible-playbook /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/playbooks/ares/goad_attack_box.yml -i localhost, -c local -e ansible_shell_executable=/bin/bash -e ansible_python_interpreter=/usr/bin/python3 -e cracking_tools_gpu_support=true -e cracking_tools_hashcat_from_source=true -e cracking_tools_nvidia_opencl_icd=true
+
+  # NVIDIA GPU drivers + CUDA toolkit for hashcat GPU acceleration.
+  # Kernel headers + dkms are required so the nvidia module builds for the
+  # running kernel. The image then works on GPU instances (e.g. NCas T4 v3)
+  # without manual driver setup.
+  - type: shell
+    inline:
+      - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends linux-headers-$(uname -r) dkms nvidia-driver nvidia-cuda-toolkit
+
+  # Cleanup
+  - type: shell
+    inline:
+      - apt-get clean
+      - rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+      - echo "Ares golden azure build completed successfully"
+
+targets:
+  - type: azure
+    subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02
+    location: centralus
+    resource_group: WARPGATE-TEST-RG
+    gallery: warpgateTestGallery
+    gallery_image_definition: ares-golden-azure
+    identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami
+    vm_size: Standard_D4s_v3
-    subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02
-    location: centralus
-    resource_group: WARPGATE-TEST-RG
-    gallery: warpgateTestGallery
-    gallery_image_definition: ares-golden-azure
-    identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami
-    vm_size: Standard_D4s_v3
+    subscription_id: ${AZURE_SUBSCRIPTION_ID}
+    location: ${AZURE_LOCATION}
+    resource_group: ${AZURE_RESOURCE_GROUP}
+    gallery: ${AZURE_GALLERY_NAME}
+    gallery_image_definition: ares-golden-azure
+    identity_id: ${AZURE_IDENTITY_ID}
+    vm_size: ${AZURE_VM_SIZE}
-    subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02
-    location: centralus
-    resource_group: WARPGATE-TEST-RG
-    gallery: warpgateTestGallery
-    gallery_image_definition: ares-golden-azure
-    identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami
-    vm_size: Standard_D4s_v3
+    subscription_id: ${AZURE_SUBSCRIPTION_ID}
+    location: ${AZURE_LOCATION}
+    resource_group: ${AZURE_RESOURCE_GROUP}
+    gallery: ${AZURE_GALLERY_NAME}
+    gallery_image_definition: ares-golden-azure
+    identity_id: ${AZURE_IDENTITY_ID}
+    vm_size: ${AZURE_VM_SIZE}
+    # For GPU:
+    # vm_size: Standard_NC4as_T4_v3
+    source_image:
+      marketplace:
+        publisher: kali-linux
+        offer: kali
+        sku: kali-2026-1
+        version: latest
+        plan:
+          name: kali-2026-1
+          product: kali
+          publisher: kali-linux
+    image_tags:
+      Project: ares
+      Role: RedTeamAttackBox
+      ManagedBy: warpgate
+      Tools: recon,credential-access,privesc,cracker,lateral-movement,acl-abuse,coercion
@@ -1,3 +1,3 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/cowdogmoo/warpgate/main/schema/warpgate-template.json
 metadata:
  name: ares-golden-image
@@ -36,7 +36,8 @@
 sources:
   - name: nimbus_range
     git:
-      repository: https://github.com/dreadnode/ansible-collection-nimbus_range.git
+      repository: https://github.com/dreadnode/ares.git
+      ref: feat/more-attack-cov
       depth: 1
       auth:
         token: ${GITHUB_TOKEN}
@@ -60,7 +61,7 @@
   - type: shell
     inline:
       - mkdir -p /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range
-      - cp -r /tmp/nimbus_range/* /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/
+      - cp -r /tmp/nimbus_range/ansible/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/
       - rm -rf /tmp/nimbus_range
 
   # Install NVIDIA drivers for GPU-accelerated hashcat on g4dn (T4 GPU)