Initial release

2024-01-01 17:25:46 +01:00 · 2024-01-01 17:25:46 +01:00 · 81949e9afa
commit 81949e9afa
16 changed files with 369 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
 *~
 .*.swp
--- a/8
+++ b/8
@ -0,0 +1,8 @@
 ARG BUILD_FROM
 FROM $BUILD_FROM
 RUN apk add rsyslog openvpn openssh haproxy curl rsync
 RUN mkdir /root/.ssh && chmod 700 /root/.ssh && touch /root/.ssh/authorized_keys
 RUN mkdir -p /etc/ssh/sshd_config.d/ /etc/rsyslog.d/ /var/lib/haproxy/dev
 RUN echo 'Include /etc/ssh/sshd_config.d/*.conf' >> /etc/ssh/sshd_config
 RUN echo '$IncludeConfig /etc/rsyslog.d/*.conf' >> /etc/rsyslog.conf
 COPY rootfs /
--- a/config.yaml
+++ b/config.yaml
@ -0,0 +1,15 @@
 name: "Remote VPN access"
 description: "Allow remote access to Home-Assistant through OpenVPN"
 version: "dev"
 slug: "ha_remote_vpn"
 init: false
 arch:
  - aarch64
  - amd64
  - armhf
  - armv7
  - i386
 map:
  - addon_config:rw
 privileged:
  - NET_ADMIN
--- a/repository.yaml
+++ b/repository.yaml
@ -0,0 +1,3 @@
 name: HomeAssistant Remote VPN access
 url: https://gitea.zionetrix.net/bn8/ha-remote-vpn-addon
 maintainer: Benjamin Renard <brenard@zionetrix.net>
--- a/rootfs/etc/services.d/haproxy/run
+++ b/rootfs/etc/services.d/haproxy/run
@ -0,0 +1,13 @@
 #!/command/with-contenv bashio
 if [ ! -e "/config/haproxy" ]
 then
 	bashio::log.info "Initialize HAproxy configuration..."
 	rsync -a /srv/haproxy/ /config/haproxy/
 	bashio::log.info "done."
 else
 	bashio::log.info  "HAproxy configuration already initialized"
 fi
 bashio::log.info "Start Haproxy ... "
 exec /usr/sbin/haproxy -f /config/haproxy/haproxy.cfg -db
--- a/rootfs/etc/services.d/openvpn/run
+++ b/rootfs/etc/services.d/openvpn/run
@ -0,0 +1,36 @@
 #!/command/with-contenv bashio
 if [ ! -e "/config/openvpn" ]
 then
 	bashio::log.info "Initialize OpenVPN configuration..."
 	rsync -a /srv/openvpn/ /config/openvpn/
 	bashio::log.info "done."
 else
 	bashio::log.info  "OpenVPN configuration already initialized"
 fi
 if [ ! -d /config/openvpn ]
 then
 	bashio::log.info "Initialize OpenVPN configuration..."
 	rsync -a /srv/openvpn/ /config/openvpn/
 	bashio::log.info "done."
 fi
 # Generate secret on first start
 if [ ! -e /config/openvpn/secret.key ]
 then
 	bashio::log.info "Generate missing share secret key file... "
 	openvpn --genkey secret /config/openvpn/secret.key
 	chmod 400 /config/openvpn/secret.key
 	bashio::log.info "done."
 fi
 # Ensure /dev/net/tun is present
 mkdir -p /dev/net
 if [ ! -c /dev/net/tun ]; then
 	mknod /dev/net/tun c 10 200
 fi
 # Start OpenVPN
 bashio::log.info "Starting OpenVPN..."
 exec /usr/sbin/openvpn --config /config/openvpn/client.conf
--- a/rootfs/etc/services.d/ssh/run
+++ b/rootfs/etc/services.d/ssh/run
@ -0,0 +1,54 @@
 #!/command/with-contenv bashio
 if [ ! -e "/config/ssh" ]
 then
 	bashio::log.info "Initialize SSH configuration..."
 	rsync -a /srv/ssh/ /config/ssh/
 	bashio::log.info "done."
 else
 	bashio::log.info  "SSH configuration already initialized"
 fi
 # Generate key if missing
 if [ -z "$( ls /config/ssh/*_key 2> /dev/null )" ]
 then
 	bashio::log.info "Generate SSH host keys..."
 	ssh-keygen -A
 	cp -p /etc/ssh/*_key* /config/ssh/
 	bashio::log.info done.
 else
 	bashio::log.info "Existing SSH host keys present, reuse it"
 	# Install host keys
 	bashio::log.info "Install SSH host keys... "
 	cp -p /config/ssh/*_key /config/ssh/*_key.pub /etc/ssh/
 	chown root: /etc/ssh/*_key*
 	chmod 600 /etc/ssh/*_key
 	chmod 644 /etc/ssh/*_key.pub
 	bashio::log.info done.
 fi
 # Install configuration
 if [ -n "$( ls /config/ssh/*.conf 2> /dev/null )" ]
 then
 	bashio::log.info "Install custom SSH configuration files... "
 	cp -p /config/ssh/*.conf /etc/ssh/sshd_config.d/
 	bashio::log.info done.
 else
 	bashio::log.info "No custom SSH configuration files found. Put it in addon_config/<addon slug>/ssh if need (with .conf extension)."
 fi
 # Install authorized_keys file
 if [ -e /config/ssh/authorized_keys ]
 then
 	bashio::log.info "Install SSH authorized keys (from /config/ssh/authorized_keys file)... "
 	cat /config/ssh/authorized_keys > /root/.ssh/authorized_keys
 	chmod 644 /root/.ssh/authorized_keys
 	bashio::log.info done.
 else
 	bashio::log.info "No SSH authorized keys to install. Put it in addon_config/<addon slug>/authorized_keys file."
 fi
 # Start SSH
 bashio::log.info "Start SSH service... "
 exec /usr/sbin/sshd -f /etc/ssh/sshd_config -D
--- a/rootfs/srv/haproxy/blacklist
+++ b/rootfs/srv/haproxy/blacklist
@ -0,0 +1,2 @@
 # Access blacklist
 # 123.123.123.123
--- a/rootfs/srv/haproxy/error.http
+++ b/rootfs/srv/haproxy/error.http
@ -0,0 +1,44 @@
 HTTP/1.0 500 Server Error
 Cache-Control: no-cache
 Connection: close
 Content-Type: text/html
 <html>
 <head>
 <title>Home Assistant</title>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
 <META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"/>
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta http-equiv="X-UA-Compatible" content="IE=edge" />
 <style>
 * {
  background: white;
  color: #333;
  font-family: calibri;
  font-weight: bold;
  font-size: 1.1em;
 }
 img {
  max-height: 50vw;
  max-width: 50vh;
 }
 h1 {
  font-size: 1.1em;
 }
 p {
  font-size: 0.8em;
  font-style: italic;
 </style>
 </head>
 <body>
 <center>
 <img src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAzMiAzMiI+PHRpdGxlPmZpbGVfdHlwZV9ob21lYXNzaXN0YW50PC90aXRsZT48cGF0aCBkPSJNNS4xMTQsMjcuOTQ0VjE4LjQyN0gyLjY2YS42NjguNjY4LDAsMCwxLS40Ny0xLjEzNEwxNS40MSwzLjc0OGgwYS44MTkuODE5LDAsMCwxLDEuMTY2LS4wMDhsLjAwNy4wMDcsNi45LDcuMDM3di0xLjNoMGEuNTUzLjU1MywwLDAsMSwuNTUtLjU1NmgyLjI5MmEuNTUzLjU1MywwLDAsMSwuNTQ5LjU1NnY0Ljc4TDI5LjgxMiwxNy4zaDBhLjY3MS42NzEsMCwwLDEtLjAxLjk0Mi42NTcuNjU3LDAsMCwxLS40NjIuMTlIMjYuODc2djkuNTE3YS41NTMuNTUzLDAsMCwxLS41NDkuNTU2SDUuNjY0QS41NTMuNTUzLDAsMCwxLDUuMTE0LDI3Ljk0NFoiIHN0eWxlPSJmaWxsOiMzZGJjZjM7ZmlsbC1ydWxlOmV2ZW5vZGQiLz48cGF0aCBkPSJNMjEuNzE4LDE1LjA3YTIuODQxLDIuODQxLDAsMCwwLTIuODI2LDIuODU3LDIuODc2LDIuODc2LDAsMCwwLC4yMjQsMS4xMTZsLTIuMDYxLDIuMDgzVjE0Ljc5MWEyLjgyNiwyLjgyNiwwLDEsMC0yLjEyLDB2Ni4zMzVsLTIuMDYxLTIuMDgzYTIuODc2LDIuODc2LDAsMCwwLC4yMjQtMS4xMTYsMi44MjYsMi44MjYsMCwxLDAtMi44MjYsMi44NTgsMi43OTEsMi43OTEsMCwwLDAsMS4xLS4yMjdsMy41NTksMy42VjI4LjVoMi4xMlYyNC4xNTdsMy41Ni0zLjZhMi43ODIsMi43ODIsMCwwLDAsMS4xLjIyNywyLjg1OCwyLjg1OCwwLDAsMCwwLTUuNzE1Wm0tMTEuNDQ2LDRhMS4xNDMsMS4xNDMsMCwxLDEsMS4xMy0xLjE0M0ExLjEzNiwxLjEzNiwwLDAsMSwxMC4yNzIsMTkuMDdaTTE2LDEzLjI4NGExLjE0MywxLjE0MywwLDEsMSwxLjEzMS0xLjE0M0ExLjEzNiwxLjEzNiwwLDAsMSwxNiwxMy4yODRabTUuNzIzLDUuNzg2YTEuMTQzLDEuMTQzLDAsMSwxLDEuMTMxLTEuMTQzQTEuMTM2LDEuMTM2LDAsMCwxLDIxLjcxOCwxOS4wN1oiIHN0eWxlPSJmaWxsOiNmZmYiLz48L3N2Zz4=" border="0"/>
 <h1>Your Home Assistant seem not reacheable for the moment.</h1>
 <p>Please check your installation or retry later.</p>
 </center>
 </body>
 </html>
--- a/rootfs/srv/haproxy/haproxy.cfg
+++ b/rootfs/srv/haproxy/haproxy.cfg
@ -0,0 +1,76 @@
 global
 	log /dev/log	local0
 	log /dev/log	local1 notice
 	chroot /var/lib/haproxy
 	stats timeout 30s
 	user haproxy
 	group haproxy
 	daemon
 	maxconn 100
 	# Default SSL material locations
 	ca-base /etc/ssl/certs
 	crt-base /etc/ssl/private
 	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
 	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 	ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
 defaults
 	log	global
 	mode	http
 	option	httplog
 	option	dontlognull
        option  log-health-checks
        option  log-separate-errors
        option  logasap
        option  contstats
 	option  abortonclose
 	#option  forwardfor except 172.16.81.0/24
        timeout connect 3s
        timeout client  60s
        timeout server  60s
 	timeout http-request 5s
 	timeout check 2s
 	retries 3
        option splice-auto
        option tcp-smart-connect
 	errorfile 400 /srv/haproxy/error.http
 	errorfile 403 /srv/haproxy/error.http
 	errorfile 408 /srv/haproxy/error.http
 	errorfile 500 /srv/haproxy/error.http
 	errorfile 502 /srv/haproxy/error.http
 	errorfile 503 /srv/haproxy/error.http
 	errorfile 504 /srv/haproxy/error.http
 	# Force source IP address to connect to HA
 	#source 192.168.8.161
 frontend ha_front
 	bind 0.0.0.0:80
 	#bind 0.0.0.0:443 ssl crt /srv/haproxy/bundle.pem
 	mode http
 	maxconn 10000
        # Get user ip behind uppon reverse proxy
 	capture request header X-Forwarded-For len 15
 	# Blacklist
 	acl blacklist hdr(x-forwarded-for) -f /srv/haproxy/blacklist
 	http-request deny if blacklist
 	default_backend ha_back
 backend ha_back
 	mode http
 	balance roundrobin
 	option httpchk GET / HTTP/1.0
 	timeout server 60s
 	server ha-host 172.30.32.1:8123 check observe layer4
--- a/rootfs/srv/openvpn/.gitignore
+++ b/rootfs/srv/openvpn/.gitignore
@ -0,0 +1 @@
 *.key
--- a/rootfs/srv/openvpn/client.conf
+++ b/rootfs/srv/openvpn/client.conf
@ -0,0 +1,53 @@
 # Remote host
 remote remote.fqdn.tdl 1188
 # Protocol & port
 proto udp
 port 1188
 # Interface
 dev vpn-ha
 dev-type tap
 # MTU
 tun-mtu 1500
 # Secret shared key (generated on first client start)
 # Note: to manually generate it, run:
 #  openvpn --genkey secret /config/openvpn/secret.key
 #  cp /config/openvpn/secret.key /etc/openvpn/secret.key
 #  chmod 400 /config/openvpn/secret.key /etc/openvpn/secret.key
 secret /config/openvpn/secret.key
 cipher AES-256-CBC
 # Keepalive
 ping 30
 ping-restart 60
 # Allow remote address changed
 float
 # IP address inside VPN
 ifconfig 172.16.88.2 255.255.255.0
 route-gateway 172.16.88.1
 # Optional routes recheable througt the remote host
 # route 192.168.8.0 255.255.255.0
 # Run openvpn using this specified user & group
 user nobody
 group nogroup
 persist-key
 persist-tun
 ## Logging
 # Log level (0-9)
 verb 3
 # Max repeat count for logged messages
 mute 10
 # Managing interface
 # management 127.0.0.1 7588
--- a/rootfs/srv/openvpn/server.conf
+++ b/rootfs/srv/openvpn/server.conf
@ -0,0 +1,58 @@
 # Listen on specific IP address (optional, default: all)
 # local 192.168.1.8
 # Protocol & port
 proto udp
 port 1188
 # Interface
 dev vpn-ha
 dev-type tap
 # MTU
 tun-mtu 1500
 # Secret shared key (generated on first client start)
 # Note: to manually generate it, run:
 #  openvpn --genkey secret /etc/openvpn/homeassistant.key
 #  cp /config/openvpn/homeassistant.key /etc/openvpn/homeassistant.key
 #  chmod 400 /config/openvpn/homeassistant.key /etc/openvpn/homeassistant.key
 secret /etc/openvpn/homeassistant.key
 cipher AES-256-CBC
 # Keepalive
 ping 30
 # Allow remote address changed
 float
 # IP address inside VPN
 ifconfig 172.16.88.1 255.255.255.0
 route-gateway 172.16.88.2
 # Optional routes recheable througt the remote host
 # route 192.168.9.0 255.255.255.0
 # Run openvpn using this specified user & group
 user nobody
 group nogroup
 persist-key
 persist-tun
 ## Logging
 # Log level (0-9)
 verb 3
 # Max repeat count for logged messages
 mute 10
 # Daemon log
 log /var/log/openvpn/homeassistant.log
 # Daemon status file
 status /var/log/openvpn/homeassistant.status
 # Managing interface
 # management 127.0.0.1 7588
--- a/rootfs/srv/ssh/.gitignore
+++ b/rootfs/srv/ssh/.gitignore
@ -0,0 +1,2 @@
 *_key
 *_key.pub
--- a/rootfs/srv/ssh/authorized_keys
+++ b/rootfs/srv/ssh/authorized_keys
@ -0,0 +1 @@
 # Put your SSH key here to get access to your container (as root)
--- a/rootfs/srv/ssh/permit_root_login.conf
+++ b/rootfs/srv/ssh/permit_root_login.conf
@ -0,0 +1 @@
 PermitRootLogin prohibit-password
		`@ -0,0 +1 @@`
							`# Put your SSH key here to get access to your container (as root)`