commit 81949e9afa514447400702a6d73fea351fbbd698
Author: Benjamin Renard <brenard@easter-eggs.com>
Date:   Mon Jan 1 17:25:46 2024 +0100

    Initial release

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4c5f88a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*~
+.*.swp
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..c260bbe
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,8 @@
+ARG BUILD_FROM
+FROM $BUILD_FROM
+RUN apk add rsyslog openvpn openssh haproxy curl rsync
+RUN mkdir /root/.ssh && chmod 700 /root/.ssh && touch /root/.ssh/authorized_keys
+RUN mkdir -p /etc/ssh/sshd_config.d/ /etc/rsyslog.d/ /var/lib/haproxy/dev
+RUN echo 'Include /etc/ssh/sshd_config.d/*.conf' >> /etc/ssh/sshd_config
+RUN echo '$IncludeConfig /etc/rsyslog.d/*.conf' >> /etc/rsyslog.conf
+COPY rootfs /
diff --git a/config.yaml b/config.yaml
new file mode 100644
index 0000000..b56c8ca
--- /dev/null
+++ b/config.yaml
@@ -0,0 +1,15 @@
+name: "Remote VPN access"
+description: "Allow remote access to Home-Assistant through OpenVPN"
+version: "dev"
+slug: "ha_remote_vpn"
+init: false
+arch:
+  - aarch64
+  - amd64
+  - armhf
+  - armv7
+  - i386
+map:
+  - addon_config:rw
+privileged:
+  - NET_ADMIN
diff --git a/repository.yaml b/repository.yaml
new file mode 100644
index 0000000..84b365c
--- /dev/null
+++ b/repository.yaml
@@ -0,0 +1,3 @@
+name: HomeAssistant Remote VPN access
+url: https://gitea.zionetrix.net/bn8/ha-remote-vpn-addon
+maintainer: Benjamin Renard <brenard@zionetrix.net>
diff --git a/rootfs/etc/services.d/haproxy/run b/rootfs/etc/services.d/haproxy/run
new file mode 100755
index 0000000..7b467c1
--- /dev/null
+++ b/rootfs/etc/services.d/haproxy/run
@@ -0,0 +1,13 @@
+#!/command/with-contenv bashio
+
+if [ ! -e "/config/haproxy" ]
+then
+	bashio::log.info "Initialize HAproxy configuration..."
+	rsync -a /srv/haproxy/ /config/haproxy/
+	bashio::log.info "done."
+else
+	bashio::log.info  "HAproxy configuration already initialized"
+fi
+
+bashio::log.info "Start Haproxy ... "
+exec /usr/sbin/haproxy -f /config/haproxy/haproxy.cfg -db
diff --git a/rootfs/etc/services.d/openvpn/run b/rootfs/etc/services.d/openvpn/run
new file mode 100755
index 0000000..fa3bb72
--- /dev/null
+++ b/rootfs/etc/services.d/openvpn/run
@@ -0,0 +1,36 @@
+#!/command/with-contenv bashio
+
+if [ ! -e "/config/openvpn" ]
+then
+	bashio::log.info "Initialize OpenVPN configuration..."
+	rsync -a /srv/openvpn/ /config/openvpn/
+	bashio::log.info "done."
+else
+	bashio::log.info  "OpenVPN configuration already initialized"
+fi
+
+if [ ! -d /config/openvpn ]
+then
+	bashio::log.info "Initialize OpenVPN configuration..."
+	rsync -a /srv/openvpn/ /config/openvpn/
+	bashio::log.info "done."
+fi
+
+# Generate secret on first start
+if [ ! -e /config/openvpn/secret.key ]
+then
+	bashio::log.info "Generate missing share secret key file... "
+	openvpn --genkey secret /config/openvpn/secret.key
+	chmod 400 /config/openvpn/secret.key
+	bashio::log.info "done."
+fi
+
+# Ensure /dev/net/tun is present
+mkdir -p /dev/net
+if [ ! -c /dev/net/tun ]; then
+	mknod /dev/net/tun c 10 200
+fi
+
+# Start OpenVPN
+bashio::log.info "Starting OpenVPN..."
+exec /usr/sbin/openvpn --config /config/openvpn/client.conf
diff --git a/rootfs/etc/services.d/ssh/run b/rootfs/etc/services.d/ssh/run
new file mode 100755
index 0000000..a219cae
--- /dev/null
+++ b/rootfs/etc/services.d/ssh/run
@@ -0,0 +1,54 @@
+#!/command/with-contenv bashio
+
+if [ ! -e "/config/ssh" ]
+then
+	bashio::log.info "Initialize SSH configuration..."
+	rsync -a /srv/ssh/ /config/ssh/
+	bashio::log.info "done."
+else
+	bashio::log.info  "SSH configuration already initialized"
+fi
+
+# Generate key if missing
+if [ -z "$( ls /config/ssh/*_key 2> /dev/null )" ]
+then
+	bashio::log.info "Generate SSH host keys..."
+	ssh-keygen -A
+	cp -p /etc/ssh/*_key* /config/ssh/
+	bashio::log.info done.
+else
+	bashio::log.info "Existing SSH host keys present, reuse it"
+
+	# Install host keys
+	bashio::log.info "Install SSH host keys... "
+	cp -p /config/ssh/*_key /config/ssh/*_key.pub /etc/ssh/
+	chown root: /etc/ssh/*_key*
+	chmod 600 /etc/ssh/*_key
+	chmod 644 /etc/ssh/*_key.pub
+	bashio::log.info done.
+fi
+
+# Install configuration
+if [ -n "$( ls /config/ssh/*.conf 2> /dev/null )" ]
+then
+	bashio::log.info "Install custom SSH configuration files... "
+	cp -p /config/ssh/*.conf /etc/ssh/sshd_config.d/
+	bashio::log.info done.
+else
+	bashio::log.info "No custom SSH configuration files found. Put it in addon_config/<addon slug>/ssh if need (with .conf extension)."
+fi
+
+# Install authorized_keys file
+if [ -e /config/ssh/authorized_keys ]
+then
+	bashio::log.info "Install SSH authorized keys (from /config/ssh/authorized_keys file)... "
+	cat /config/ssh/authorized_keys > /root/.ssh/authorized_keys
+	chmod 644 /root/.ssh/authorized_keys
+	bashio::log.info done.
+else
+	bashio::log.info "No SSH authorized keys to install. Put it in addon_config/<addon slug>/authorized_keys file."
+fi
+
+# Start SSH
+bashio::log.info "Start SSH service... "
+exec /usr/sbin/sshd -f /etc/ssh/sshd_config -D
diff --git a/rootfs/srv/haproxy/blacklist b/rootfs/srv/haproxy/blacklist
new file mode 100755
index 0000000..000340d
--- /dev/null
+++ b/rootfs/srv/haproxy/blacklist
@@ -0,0 +1,2 @@
+# Access blacklist
+# 123.123.123.123
diff --git a/rootfs/srv/haproxy/error.http b/rootfs/srv/haproxy/error.http
new file mode 100755
index 0000000..e7eea07
--- /dev/null
+++ b/rootfs/srv/haproxy/error.http
@@ -0,0 +1,44 @@
+HTTP/1.0 500 Server Error
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html>
+<head>
+<title>Home Assistant</title>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"/>
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<meta http-equiv="X-UA-Compatible" content="IE=edge" />
+<style>
+* {
+  background: white;
+  color: #333;
+  font-family: calibri;
+  font-weight: bold;
+  font-size: 1.1em;
+}
+
+img {
+  max-height: 50vw;
+  max-width: 50vh;
+}
+
+h1 {
+  font-size: 1.1em;
+}
+
+p {
+  font-size: 0.8em;
+  font-style: italic;
+</style>
+</head>
+<body>
+<center>
+<img src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAzMiAzMiI+PHRpdGxlPmZpbGVfdHlwZV9ob21lYXNzaXN0YW50PC90aXRsZT48cGF0aCBkPSJNNS4xMTQsMjcuOTQ0VjE4LjQyN0gyLjY2YS42NjguNjY4LDAsMCwxLS40Ny0xLjEzNEwxNS40MSwzLjc0OGgwYS44MTkuODE5LDAsMCwxLDEuMTY2LS4wMDhsLjAwNy4wMDcsNi45LDcuMDM3di0xLjNoMGEuNTUzLjU1MywwLDAsMSwuNTUtLjU1NmgyLjI5MmEuNTUzLjU1MywwLDAsMSwuNTQ5LjU1NnY0Ljc4TDI5LjgxMiwxNy4zaDBhLjY3MS42NzEsMCwwLDEtLjAxLjk0Mi42NTcuNjU3LDAsMCwxLS40NjIuMTlIMjYuODc2djkuNTE3YS41NTMuNTUzLDAsMCwxLS41NDkuNTU2SDUuNjY0QS41NTMuNTUzLDAsMCwxLDUuMTE0LDI3Ljk0NFoiIHN0eWxlPSJmaWxsOiMzZGJjZjM7ZmlsbC1ydWxlOmV2ZW5vZGQiLz48cGF0aCBkPSJNMjEuNzE4LDE1LjA3YTIuODQxLDIuODQxLDAsMCwwLTIuODI2LDIuODU3LDIuODc2LDIuODc2LDAsMCwwLC4yMjQsMS4xMTZsLTIuMDYxLDIuMDgzVjE0Ljc5MWEyLjgyNiwyLjgyNiwwLDEsMC0yLjEyLDB2Ni4zMzVsLTIuMDYxLTIuMDgzYTIuODc2LDIuODc2LDAsMCwwLC4yMjQtMS4xMTYsMi44MjYsMi44MjYsMCwxLDAtMi44MjYsMi44NTgsMi43OTEsMi43OTEsMCwwLDAsMS4xLS4yMjdsMy41NTksMy42VjI4LjVoMi4xMlYyNC4xNTdsMy41Ni0zLjZhMi43ODIsMi43ODIsMCwwLDAsMS4xLjIyNywyLjg1OCwyLjg1OCwwLDAsMCwwLTUuNzE1Wm0tMTEuNDQ2LDRhMS4xNDMsMS4xNDMsMCwxLDEsMS4xMy0xLjE0M0ExLjEzNiwxLjEzNiwwLDAsMSwxMC4yNzIsMTkuMDdaTTE2LDEzLjI4NGExLjE0MywxLjE0MywwLDEsMSwxLjEzMS0xLjE0M0ExLjEzNiwxLjEzNiwwLDAsMSwxNiwxMy4yODRabTUuNzIzLDUuNzg2YTEuMTQzLDEuMTQzLDAsMSwxLDEuMTMxLTEuMTQzQTEuMTM2LDEuMTM2LDAsMCwxLDIxLjcxOCwxOS4wN1oiIHN0eWxlPSJmaWxsOiNmZmYiLz48L3N2Zz4=" border="0"/>
+<h1>Your Home Assistant seem not reacheable for the moment.</h1>
+<p>Please check your installation or retry later.</p>
+</center>
+</body>
+</html>
+
diff --git a/rootfs/srv/haproxy/haproxy.cfg b/rootfs/srv/haproxy/haproxy.cfg
new file mode 100755
index 0000000..e74ae4c
--- /dev/null
+++ b/rootfs/srv/haproxy/haproxy.cfg
@@ -0,0 +1,76 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+	maxconn 100
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+	ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+	log	global
+	mode	http
+	option	httplog
+	option	dontlognull
+        option  log-health-checks
+        option  log-separate-errors
+        option  logasap
+        option  contstats
+	option  abortonclose
+	#option  forwardfor except 172.16.81.0/24
+
+        timeout connect 3s
+        timeout client  60s
+        timeout server  60s
+	timeout http-request 5s
+	timeout check 2s
+
+	retries 3
+
+        option splice-auto
+        option tcp-smart-connect
+
+	errorfile 400 /srv/haproxy/error.http
+	errorfile 403 /srv/haproxy/error.http
+	errorfile 408 /srv/haproxy/error.http
+	errorfile 500 /srv/haproxy/error.http
+	errorfile 502 /srv/haproxy/error.http
+	errorfile 503 /srv/haproxy/error.http
+	errorfile 504 /srv/haproxy/error.http
+
+	# Force source IP address to connect to HA
+	#source 192.168.8.161
+
+frontend ha_front
+	bind 0.0.0.0:80
+	#bind 0.0.0.0:443 ssl crt /srv/haproxy/bundle.pem
+	mode http
+	maxconn 10000
+
+        # Get user ip behind uppon reverse proxy
+	capture request header X-Forwarded-For len 15
+
+	# Blacklist
+	acl blacklist hdr(x-forwarded-for) -f /srv/haproxy/blacklist
+	http-request deny if blacklist
+	
+	default_backend ha_back
+
+backend ha_back
+	mode http
+	balance roundrobin
+	option httpchk GET / HTTP/1.0
+
+	timeout server 60s
+
+	server ha-host 172.30.32.1:8123 check observe layer4
diff --git a/rootfs/srv/openvpn/.gitignore b/rootfs/srv/openvpn/.gitignore
new file mode 100755
index 0000000..c996e50
--- /dev/null
+++ b/rootfs/srv/openvpn/.gitignore
@@ -0,0 +1 @@
+*.key
diff --git a/rootfs/srv/openvpn/client.conf b/rootfs/srv/openvpn/client.conf
new file mode 100755
index 0000000..d7c78b0
--- /dev/null
+++ b/rootfs/srv/openvpn/client.conf
@@ -0,0 +1,53 @@
+# Remote host
+remote remote.fqdn.tdl 1188
+
+# Protocol & port
+proto udp
+port 1188
+
+# Interface
+dev vpn-ha
+dev-type tap
+
+# MTU
+tun-mtu 1500
+
+# Secret shared key (generated on first client start)
+# Note: to manually generate it, run:
+#  openvpn --genkey secret /config/openvpn/secret.key
+#  cp /config/openvpn/secret.key /etc/openvpn/secret.key
+#  chmod 400 /config/openvpn/secret.key /etc/openvpn/secret.key
+secret /config/openvpn/secret.key
+cipher AES-256-CBC
+
+# Keepalive
+ping 30
+ping-restart 60
+
+# Allow remote address changed
+float
+
+# IP address inside VPN
+ifconfig 172.16.88.2 255.255.255.0
+route-gateway 172.16.88.1
+
+# Optional routes recheable througt the remote host
+# route 192.168.8.0 255.255.255.0
+
+# Run openvpn using this specified user & group
+user nobody
+group nogroup
+
+persist-key
+persist-tun
+
+## Logging
+
+# Log level (0-9)
+verb 3
+
+# Max repeat count for logged messages
+mute 10
+
+# Managing interface
+# management 127.0.0.1 7588
diff --git a/rootfs/srv/openvpn/server.conf b/rootfs/srv/openvpn/server.conf
new file mode 100755
index 0000000..a519c5f
--- /dev/null
+++ b/rootfs/srv/openvpn/server.conf
@@ -0,0 +1,58 @@
+# Listen on specific IP address (optional, default: all)
+# local 192.168.1.8
+
+# Protocol & port
+proto udp
+port 1188
+
+# Interface
+dev vpn-ha
+dev-type tap
+
+# MTU
+tun-mtu 1500
+
+# Secret shared key (generated on first client start)
+# Note: to manually generate it, run:
+#  openvpn --genkey secret /etc/openvpn/homeassistant.key
+#  cp /config/openvpn/homeassistant.key /etc/openvpn/homeassistant.key
+#  chmod 400 /config/openvpn/homeassistant.key /etc/openvpn/homeassistant.key
+secret /etc/openvpn/homeassistant.key
+cipher AES-256-CBC
+
+# Keepalive
+ping 30
+
+# Allow remote address changed
+float
+
+# IP address inside VPN
+ifconfig 172.16.88.1 255.255.255.0
+route-gateway 172.16.88.2
+
+# Optional routes recheable througt the remote host
+# route 192.168.9.0 255.255.255.0
+
+# Run openvpn using this specified user & group
+user nobody
+group nogroup
+
+persist-key
+persist-tun
+
+## Logging
+
+# Log level (0-9)
+verb 3
+
+# Max repeat count for logged messages
+mute 10
+
+# Daemon log
+log /var/log/openvpn/homeassistant.log
+
+# Daemon status file
+status /var/log/openvpn/homeassistant.status
+
+# Managing interface
+# management 127.0.0.1 7588
diff --git a/rootfs/srv/ssh/.gitignore b/rootfs/srv/ssh/.gitignore
new file mode 100755
index 0000000..80b29eb
--- /dev/null
+++ b/rootfs/srv/ssh/.gitignore
@@ -0,0 +1,2 @@
+*_key
+*_key.pub
diff --git a/rootfs/srv/ssh/authorized_keys b/rootfs/srv/ssh/authorized_keys
new file mode 100755
index 0000000..7c92cb9
--- /dev/null
+++ b/rootfs/srv/ssh/authorized_keys
@@ -0,0 +1 @@
+# Put your SSH key here to get access to your container (as root)
diff --git a/rootfs/srv/ssh/permit_root_login.conf b/rootfs/srv/ssh/permit_root_login.conf
new file mode 100755
index 0000000..7a3ebbb
--- /dev/null
+++ b/rootfs/srv/ssh/permit_root_login.conf
@@ -0,0 +1 @@
+PermitRootLogin prohibit-password