Hack the Future 2025: Deep Dive Linux

Hack the Future had a deep-sea theme this year, so the Linux challenge was called Deep Dive Linux. The premise was short. “Here’s SSH access to a real server, you and your teammate have the day, do something with it”. No spec, no goal. Victor and I spent the first few minutes a bit thrown by that before deciding we’d treat the box like a small production deploy instead of a playground.

What we ended up with was two static HTML pages, running in a container, behind nginx doing TLS, with the whole server described in Ansible so we could wipe it and rebuild from one command. The site itself was nothing. The work was all underneath it.

The container

The app runs in a Podman container. It’s Alpine with Python on top, serving the files with python3 -m http.server. Victor built it and pushed it to his Quay registry.

FROM alpine:latest
RUN apk add --no-cache python3
WORKDIR /srv
COPY public/ .
EXPOSE 8000
CMD ["python3", "-m", "http.server", "8000", "--bind", "0.0.0.0"]

Under 50MB and does nothing clever, which was the point. We went with Podman over Docker mainly because it was already on the box and rootless containers are one less thing to argue with.

The Ansible side

I took the automation, and it was the first time either of us had used Ansible. A good chunk of the day was me in the docs, breaking things and working out why. The setup itself is two roles, one for nginx and one for the container.

The webserver role installs Podman, grabs the image, and starts the container. I mounted the host’s public/ folder into it so we could edit the pages without rebuilding the image every time.

- name: Run the container
  containers.podman.podman_container:
    name: sarthak
    image: simpleserver
    state: started
    detach: true
    ports:
      - 8000:8000
    volumes: /home/ec2-user/public:/srv

nginx sits in front. It listens on 443, terminates TLS, and proxies everything through to the container on localhost:8000. Port 80 just 301s to HTTPS. We pointed it all at the domain they handed us, www1.htf25.qubr.be.

The plan was a proper certificate from Let’s Encrypt, and I started a letsencrypt role to do it. Then time happened. We dropped a cert in by hand so we’d have working HTTPS end to end, and the half-finished role is still sitting in the repo. You can see the exact moment we gave up on doing it the clean way.

What actually ate the time

Before the bugs, some context for why they hurt as much as they did. On top of it being our first time with Ansible, we’d set ourselves a rule going in. No AI tools at all. A lot of the other teams used them and it clearly gave them an edge. Stuck on an Ansible error or an nginx directive they didn’t recognise, they could ask and keep moving while we were back in the docs guessing. I’d make the same call again, but it was a real disadvantage and I’m not going to pretend otherwise.

The bugs themselves were the kind you’d expect from learning a tool live. One was forgetting become: true on the tasks that write into /etc/nginx and restart the service. They kept failing in vaguely worded ways until it clicked that ec2-user can’t touch any of that unprivileged. Fine in hindsight. Less fine at hour three.

The other was nginx config. There’s a commit called “Solve nginx config issues” and one from Victor called “Possible fix,” which tells you roughly how that stretch went.

Worth it?

The Let’s Encrypt thing still bugs me, and it’s the first thing I’d go back and fix. What I came away happy with is that the server stopped being something we’d hand-tuned and would’ve had to rebuild from memory. By the end it was a playbook. Re-run it and you’re back where you started. For a one-day thing where you break stuff constantly, and especially as two people learning Ansible without a safety net, that mattered more than I expected going in.

Repo, if you want the real configs: https://github.com/WautLornoy/HackTheFuture-2025-DeepDiveLinux