commit 80dee48143ffec0c5b87d09aca3daefd99ef48a5 Author: Benjamin Renard Date: Mon Jan 1 17:25:46 2024 +0100 Initial release
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4c5f88a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*~
+.*.swp
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..c260bbe
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,8 @@
+ARG BUILD_FROM
+FROM $BUILD_FROM
+RUN apk add rsyslog openvpn openssh haproxy curl rsync
+RUN mkdir /root/.ssh && chmod 700 /root/.ssh && touch /root/.ssh/authorized_keys
+RUN mkdir -p /etc/ssh/sshd_config.d/ /etc/rsyslog.d/ /var/lib/haproxy/dev
+RUN echo 'Include /etc/ssh/sshd_config.d/*.conf' >> /etc/ssh/sshd_config
+RUN echo '$IncludeConfig /etc/rsyslog.d/*.conf' >> /etc/rsyslog.conf
+COPY rootfs /
diff --git a/config.yaml b/config.yaml
new file mode 100644
index 0000000..b56c8ca
--- /dev/null
+++ b/config.yaml
@@ -0,0 +1,15 @@
+name: "Remote VPN access"
+description: "Allow remote access to Home-Assistant through OpenVPN"
+version: "dev"
+slug: "ha_remote_vpn"
+init: false
+arch:
+ - aarch64
+ - amd64
+ - armhf
+ - armv7
+ - i386
+map:
+ - addon_config:rw
+privileged:
+ - NET_ADMIN
diff --git a/rootfs/etc/services.d/haproxy/run b/rootfs/etc/services.d/haproxy/run
new file mode 100755
index 0000000..7b467c1
--- /dev/null
+++ b/rootfs/etc/services.d/haproxy/run
@@ -0,0 +1,13 @@
+#!/command/with-contenv bashio
+
+if [ ! -e "/config/haproxy" ]
+then
+ bashio::log.info "Initialize HAproxy configuration..."
+ rsync -a /srv/haproxy/ /config/haproxy/
+ bashio::log.info "done."
+else
+ bashio::log.info "HAproxy configuration already initialized"
+fi
+
+bashio::log.info "Start Haproxy ... "
+exec /usr/sbin/haproxy -f /config/haproxy/haproxy.cfg -db
diff --git a/rootfs/etc/services.d/openvpn/run b/rootfs/etc/services.d/openvpn/run
new file mode 100755
index 0000000..fa3bb72
--- /dev/null
+++ b/rootfs/etc/services.d/openvpn/run
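Review bot: The `Include /etc/ssh/sshd_config.d/*.conf` directive is appended to the end of `/etc/ssh/sshd_config`, and sshd keeps the first value it reads for each keyword, so a drop-in such as the shipped `permit_root_login.conf` (or an operator's `*.conf` installed by `ssh/run`) only takes effect for keywords the stock file leaves unset. Either record that dependency in a comment or put the directive first, e.g. `RUN sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config`; whether the base image's stock file sets any of those keywords should be confirmed. On the same hunk, `apk add` without `--no-cache` leaves the package index in the image layer; `RUN apk add --no-cache rsyslog openvpn openssh haproxy curl rsync` is the usual form.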
@@ -0,0 +1,36 @@
+#!/command/with-contenv bashio
+
+if [ ! -e "/config/openvpn" ]
+then
+ bashio::log.info "Initialize OpenVPN configuration..."
+ rsync -a /srv/openvpn/ /config/openvpn/
+ bashio::log.info "done."
+else
+ bashio::log.info "OpenVPN configuration already initialized"
+fi
+
+if [ ! -d /config/openvpn ]
+then
+ bashio::log.info "Initialize OpenVPN configuration..."
+ rsync -a /srv/openvpn/ /config/openvpn/
+ bashio::log.info "done."
+fi
+
+# Generate secret on first start
+if [ ! -e /config/openvpn/secret.key ]
+then
+ bashio::log.info "Generate missing share secret key file... "
+ openvpn --genkey secret /config/openvpn/secret.key
+ chmod 400 /config/openvpn/secret.key
+ bashio::log.info "done."
+fi
+
+# Ensure /dev/net/tun is present
+mkdir -p /dev/net
+if [ ! -c /dev/net/tun ]; then
+ mknod /dev/net/tun c 10 200
+fi
+
+# Start OpenVPN
+bashio::log.info "Starting OpenVPN..."
+exec /usr/sbin/openvpn --config /config/openvpn/client.conf
diff --git a/rootfs/etc/services.d/ssh/run b/rootfs/etc/services.d/ssh/run
new file mode 100755
index 0000000..a219cae
--- /dev/null
+++ b/rootfs/etc/services.d/ssh/run
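Review bot: The second initialisation block (`if [ ! -d /config/openvpn ]`) repeats the first one; after the `-e` test and `rsync` above it the directory already exists, so the block is dead and should be dropped. The shared secret is created with the process umask and only afterwards restricted by `chmod 400`; wrapping the generation as `(umask 077; openvpn --genkey secret /config/openvpn/secret.key)` keeps the key file from ever existing group/world-readable. Since this client-side file is the secret the peer in `server.conf` expects under another name and path, a log line after generation telling the operator to copy `/config/openvpn/secret.key` to the server would save a failed first connection.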
@@ -0,0 +1,54 @@
+#!/command/with-contenv bashio
+
+if [ ! -e "/config/ssh" ]
+then
+ bashio::log.info "Initialize SSH configuration..."
+ rsync -a /srv/ssh/ /config/ssh/
+ bashio::log.info "done."
+else
+ bashio::log.info "SSH configuration already initialized"
+fi
+
+# Generate key if missing
+if [ -z "$( ls /config/ssh/*_key 2> /dev/null )" ]
+then
+ bashio::log.info "Generate SSH host keys..."
+ ssh-keygen -A
+ cp -p /etc/ssh/*_key* /config/ssh/
+ bashio::log.info done.
+else
+ bashio::log.info "Existing SSH host keys present, reuse it"
+
+ # Install host keys
+ bashio::log.info "Install SSH host keys... "
+ cp -p /config/ssh/*_key /config/ssh/*_key.pub /etc/ssh/
+ chown root: /etc/ssh/*_key*
+ chmod 600 /etc/ssh/*_key
+ chmod 644 /etc/ssh/*_key.pub
+ bashio::log.info done.
+fi
+
+# Install configuration
+if [ -n "$( ls /config/ssh/*.conf 2> /dev/null )" ]
+then
+ bashio::log.info "Install custom SSH configuration files... "
+ cp -p /config/ssh/*.conf /etc/ssh/sshd_config.d/
+ bashio::log.info done.
+else
+ bashio::log.info "No custom SSH configuration files found. Put it in addon_config//ssh if need (with .conf extension)."
+fi
+
+# Install authorized_keys file
+if [ -e /config/ssh/authorized_keys ]
+then
+ bashio::log.info "Install SSH authorized keys (from /config/ssh/authorized_keys file)... "
+ cat /config/ssh/authorized_keys > /root/.ssh/authorized_keys
+ chmod 644 /root/.ssh/authorized_keys
+ bashio::log.info done.
+else
+ bashio::log.info "No SSH authorized keys to install. Put it in addon_config//authorized_keys file."
+fi
+
+# Start SSH
+bashio::log.info "Start SSH service... "
+exec /usr/sbin/sshd -f /etc/ssh/sshd_config -D
diff --git a/rootfs/srv/haproxy/blacklist b/rootfs/srv/haproxy/blacklist
new file mode 100755
index 0000000..000340d
--- /dev/null
+++ b/rootfs/srv/haproxy/blacklist
@@ -0,0 +1,2 @@
+# Access blacklist
+# 123.123.123.123
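Review bot: The fallback messages do not match the paths the script reads: the authorized-keys branch reads `/config/ssh/authorized_keys` but the message says `addon_config//authorized_keys` (the `ssh/` component is missing), and both messages carry a doubled `//`; suggest `"No SSH authorized keys to install. Put them in addon_config/ssh/authorized_keys."` and the matching fix for the `*.conf` message. Because the `rsync` above always seeds `/config/ssh/authorized_keys` from the comment-only template, the else branch is only reachable if the operator deletes that file; the message appears to be aimed at the no-keys case, which `-e` cannot detect, so a test for at least one non-comment line (e.g. `grep -q '^[^#]' /config/ssh/authorized_keys`) would be closer to the intent. The private host keys persisted to `/config/ssh` by `cp -p` keep only the file modes preserved by `-p`; consider tightening the directory itself (`chmod 700 /config/ssh`) after the first-start copy, since the effective permissions of the `addon_config` mount are not visible here.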
diff --git a/rootfs/srv/haproxy/error.http b/rootfs/srv/haproxy/error.http new file mode 100755 index 0000000..e7eea07 --- /dev/null +++ b/rootfs/srv/haproxy/error.http @@ -0,0 +1,44 @@ +HTTP/1.0 500 Server Error +Cache-Control: no-cache +Connection: close +Content-Type: text/html + + + +Home Assistant + + + + + + + +
+ +

Your Home Assistant seem not reacheable for the moment.

+

Please check your installation or retry later.

+
+ + + diff --git a/rootfs/srv/haproxy/haproxy.cfg b/rootfs/srv/haproxy/haproxy.cfg new file mode 100755 index 0000000..e74ae4c --- /dev/null +++ b/rootfs/srv/haproxy/haproxy.cfg 
@@ -0,0 +1,76 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ maxconn 100
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ option log-health-checks
+ option log-separate-errors
+ option logasap
+ option contstats
+ option abortonclose
+ #option forwardfor except 172.16.81.0/24
+
+ timeout connect 3s
+ timeout client 60s
+ timeout server 60s
+ timeout http-request 5s
+ timeout check 2s
+
+ retries 3
+
+ option splice-auto
+ option tcp-smart-connect
+
+ errorfile 400 /srv/haproxy/error.http
+ errorfile 403 /srv/haproxy/error.http
+ errorfile 408 /srv/haproxy/error.http
+ errorfile 500 /srv/haproxy/error.http
+ errorfile 502 /srv/haproxy/error.http
+ errorfile 503 /srv/haproxy/error.http
+ errorfile 504 /srv/haproxy/error.http
+
+ # Force source IP address to connect to HA
+ #source 192.168.8.161
+
+frontend ha_front
+ bind 0.0.0.0:80
+ #bind 0.0.0.0:443 ssl crt /srv/haproxy/bundle.pem
+ mode http
+ maxconn 10000
+
+ # Get user ip behind uppon reverse proxy
+ capture request header X-Forwarded-For len 15
+
+ # Blacklist
+ acl blacklist hdr(x-forwarded-for) -f /srv/haproxy/blacklist
+ http-request deny if blacklist
+
+ default_backend ha_back
+
+backend ha_back
+ mode http
+ balance roundrobin
+ option httpchk GET / HTTP/1.0
+
+ timeout server 60s
+
+ server ha-host 172.30.32.1:8123 check observe layer4
diff --git a/rootfs/srv/openvpn/.gitignore b/rootfs/srv/openvpn/.gitignore
new file mode 100755
index 0000000..c996e50
--- /dev/null
+++ b/rootfs/srv/openvpn/.gitignore
@@ -0,0 +1 @@
+*.key
diff --git a/rootfs/srv/openvpn/client.conf b/rootfs/srv/openvpn/client.conf
new file mode 100755
index 0000000..d7c78b0
--- /dev/null
+++ b/rootfs/srv/openvpn/client.conf
@@ -0,0 +1,53 @@
+# Remote host
+remote remote.fqdn.tdl 1188
+
+# Protocol & port
+proto udp
+port 1188
+
+# Interface
+dev vpn-ha
+dev-type tap
+
+# MTU
+tun-mtu 1500
+
+# Secret shared key (generated on first client start)
+# Note: to manually generate it, run:
+# openvpn --genkey secret /config/openvpn/secret.key
+# cp /config/openvpn/secret.key /etc/openvpn/secret.key
+# chmod 400 /config/openvpn/secret.key /etc/openvpn/secret.key
+secret /config/openvpn/secret.key
+cipher AES-256-CBC
+
+# Keepalive
+ping 30
+ping-restart 60
+
+# Allow remote address changed
+float
+
+# IP address inside VPN
+ifconfig 172.16.88.2 255.255.255.0
+route-gateway 172.16.88.1
+
+# Optional routes recheable througt the remote host
+# route 192.168.8.0 255.255.255.0
+
+# Run openvpn using this specified user & group
+user nobody
+group nogroup
+
+persist-key
+persist-tun
+
+## Logging
+
+# Log level (0-9)
+verb 3
+
+# Max repeat count for logged messages
+mute 10
+
+# Managing interface
+# management 127.0.0.1 7588
diff --git a/rootfs/srv/openvpn/server.conf b/rootfs/srv/openvpn/server.conf
new file mode 100755
index 0000000..a519c5f
--- /dev/null
+++ b/rootfs/srv/openvpn/server.conf
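Review bot: `acl blacklist hdr(x-forwarded-for) -f /srv/haproxy/blacklist` and the seven `errorfile` lines point at `/srv/haproxy/`, while `haproxy/run` copies this directory to `/config/haproxy/` and starts HAProxy from `/config/haproxy/haproxy.cfg`, so edits an operator makes to `/config/haproxy/blacklist` are never read; the paths should be `/config/haproxy/blacklist` and `/config/haproxy/error.http`. The deny rule keys on a request header that a directly connecting client chooses or omits, so the list is only enforced when a trusted proxy in front always overwrites `X-Forwarded-For`; that assumption belongs in the `# Blacklist` comment, and an additional `acl blacklist src -f /config/haproxy/blacklist` (same-name ACLs are ORed) would cover direct clients. `timeout server 60s` in `backend ha_back` only repeats the value already set in `defaults`.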
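Review bot: No `auth` directive is set, so the static-key HMAC falls back to OpenVPN's default digest (SHA1); adding `auth SHA256` next to `cipher AES-256-CBC` here and in `server.conf` (the value must match on both ends) is cheap hardening. `group nogroup` is likely to fail inside this Alpine-based image, whose base `/etc/group` ships `nobody` but, as far as I know, no `nogroup`, which would abort the privilege drop at start-up — verify in the container and switch to `group nobody` if so. The key-generation comment tells the operator to copy the key to `/etc/openvpn/secret.key`, a path this file never uses; it should refer only to `/config/openvpn/secret.key` (which `openvpn/run` generates) and to the server-side path expected by `server.conf`.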
@@ -0,0 +1,58 @@
+# Listen on specific IP address (optional, default: all)
+# local 192.168.1.8
+
+# Protocol & port
+proto udp
+port 1188
+
+# Interface
+dev vpn-ha
+dev-type tap
+
+# MTU
+tun-mtu 1500
+
+# Secret shared key (generated on first client start)
+# Note: to manually generate it, run:
+# openvpn --genkey secret /etc/openvpn/homeassistant.key
+# cp /config/openvpn/homeassistant.key /etc/openvpn/homeassistant.key
+# chmod 400 /config/openvpn/homeassistant.key /etc/openvpn/homeassistant.key
+secret /etc/openvpn/homeassistant.key
+cipher AES-256-CBC
+
+# Keepalive
+ping 30
+
+# Allow remote address changed
+float
+
+# IP address inside VPN
+ifconfig 172.16.88.1 255.255.255.0
+route-gateway 172.16.88.2
+
+# Optional routes recheable througt the remote host
+# route 192.168.9.0 255.255.255.0
+
+# Run openvpn using this specified user & group
+user nobody
+group nogroup
+
+persist-key
+persist-tun
+
+## Logging
+
+# Log level (0-9)
+verb 3
+
+# Max repeat count for logged messages
+mute 10
+
+# Daemon log
+log /var/log/openvpn/homeassistant.log
+
+# Daemon status file
+status /var/log/openvpn/homeassistant.status
+
+# Managing interface
+# management 127.0.0.1 7588
diff --git a/rootfs/srv/ssh/.gitignore b/rootfs/srv/ssh/.gitignore
new file mode 100755
index 0000000..80b29eb
--- /dev/null
+++ b/rootfs/srv/ssh/.gitignore
@@ -0,0 +1,2 @@
+*_key
+*_key.pub
diff --git a/rootfs/srv/ssh/authorized_keys b/rootfs/srv/ssh/authorized_keys
new file mode 100755
index 0000000..7c92cb9
--- /dev/null
+++ b/rootfs/srv/ssh/authorized_keys
@@ -0,0 +1 @@
+# Put your SSH key here to get access to your container (as root)
diff --git a/rootfs/srv/ssh/permit_root_login.conf b/rootfs/srv/ssh/permit_root_login.conf
new file mode 100755
index 0000000..7a3ebbb
--- /dev/null
+++ b/rootfs/srv/ssh/permit_root_login.conf
@@ -0,0 +1 @@
+PermitRootLogin prohibit-password
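Review bot: The comment block above `secret /etc/openvpn/homeassistant.key` says the key is generated on first client start, but the paths it names (`/config/openvpn/homeassistant.key`, `/etc/openvpn/homeassistant.key`) are never produced by the add-on, which writes `/config/openvpn/secret.key` on the client side. Rewording it to state that the client's `/config/openvpn/secret.key` must be copied to `/etc/openvpn/homeassistant.key` on this host and set to mode 400 would remove the ambiguity, and the `openvpn --genkey` line should make clear that a key generated here must then be installed on the client in place of its own, since the two ends must hold the same file. As raised on `client.conf`, an `auth SHA256` line matching the client belongs next to `cipher AES-256-CBC` here as well.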