Initial release

This commit is contained in:
Benjamin Renard 2024-01-01 17:25:46 +01:00
commit 81949e9afa
Signed by: bn8
GPG key ID: 3E2E1CE1907115BC
16 changed files with 369 additions and 0 deletions

2
.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
*~
.*.swp

8
Dockerfile Normal file
View file

@ -0,0 +1,8 @@
ARG BUILD_FROM
FROM $BUILD_FROM
RUN apk add rsyslog openvpn openssh haproxy curl rsync
RUN mkdir /root/.ssh && chmod 700 /root/.ssh && touch /root/.ssh/authorized_keys
RUN mkdir -p /etc/ssh/sshd_config.d/ /etc/rsyslog.d/ /var/lib/haproxy/dev
RUN echo 'Include /etc/ssh/sshd_config.d/*.conf' >> /etc/ssh/sshd_config
RUN echo '$IncludeConfig /etc/rsyslog.d/*.conf' >> /etc/rsyslog.conf
COPY rootfs /

15
config.yaml Normal file
View file

@ -0,0 +1,15 @@
name: "Remote VPN access"
description: "Allow remote access to Home-Assistant through OpenVPN"
version: "dev"
slug: "ha_remote_vpn"
init: false
arch:
- aarch64
- amd64
- armhf
- armv7
- i386
map:
- addon_config:rw
privileged:
- NET_ADMIN

3
repository.yaml Normal file
View file

@ -0,0 +1,3 @@
name: HomeAssistant Remote VPN access
url: https://gitea.zionetrix.net/bn8/ha-remote-vpn-addon
maintainer: Benjamin Renard <brenard@zionetrix.net>

View file

@ -0,0 +1,13 @@
#!/command/with-contenv bashio
if [ ! -e "/config/haproxy" ]
then
bashio::log.info "Initialize HAproxy configuration..."
rsync -a /srv/haproxy/ /config/haproxy/
bashio::log.info "done."
else
bashio::log.info "HAproxy configuration already initialized"
fi
bashio::log.info "Start Haproxy ... "
exec /usr/sbin/haproxy -f /config/haproxy/haproxy.cfg -db

View file

@ -0,0 +1,36 @@
#!/command/with-contenv bashio
if [ ! -e "/config/openvpn" ]
then
bashio::log.info "Initialize OpenVPN configuration..."
rsync -a /srv/openvpn/ /config/openvpn/
bashio::log.info "done."
else
bashio::log.info "OpenVPN configuration already initialized"
fi
if [ ! -d /config/openvpn ]
then
bashio::log.info "Initialize OpenVPN configuration..."
rsync -a /srv/openvpn/ /config/openvpn/
bashio::log.info "done."
fi
# Generate secret on first start
if [ ! -e /config/openvpn/secret.key ]
then
bashio::log.info "Generate missing share secret key file... "
openvpn --genkey secret /config/openvpn/secret.key
chmod 400 /config/openvpn/secret.key
bashio::log.info "done."
fi
# Ensure /dev/net/tun is present
mkdir -p /dev/net
if [ ! -c /dev/net/tun ]; then
mknod /dev/net/tun c 10 200
fi
# Start OpenVPN
bashio::log.info "Starting OpenVPN..."
exec /usr/sbin/openvpn --config /config/openvpn/client.conf

54
rootfs/etc/services.d/ssh/run Executable file
View file

@ -0,0 +1,54 @@
#!/command/with-contenv bashio
if [ ! -e "/config/ssh" ]
then
bashio::log.info "Initialize SSH configuration..."
rsync -a /srv/ssh/ /config/ssh/
bashio::log.info "done."
else
bashio::log.info "SSH configuration already initialized"
fi
# Generate key if missing
if [ -z "$( ls /config/ssh/*_key 2> /dev/null )" ]
then
bashio::log.info "Generate SSH host keys..."
ssh-keygen -A
cp -p /etc/ssh/*_key* /config/ssh/
bashio::log.info done.
else
bashio::log.info "Existing SSH host keys present, reuse it"
# Install host keys
bashio::log.info "Install SSH host keys... "
cp -p /config/ssh/*_key /config/ssh/*_key.pub /etc/ssh/
chown root: /etc/ssh/*_key*
chmod 600 /etc/ssh/*_key
chmod 644 /etc/ssh/*_key.pub
bashio::log.info done.
fi
# Install configuration
if [ -n "$( ls /config/ssh/*.conf 2> /dev/null )" ]
then
bashio::log.info "Install custom SSH configuration files... "
cp -p /config/ssh/*.conf /etc/ssh/sshd_config.d/
bashio::log.info done.
else
bashio::log.info "No custom SSH configuration files found. Put it in addon_config/<addon slug>/ssh if need (with .conf extension)."
fi
# Install authorized_keys file
if [ -e /config/ssh/authorized_keys ]
then
bashio::log.info "Install SSH authorized keys (from /config/ssh/authorized_keys file)... "
cat /config/ssh/authorized_keys > /root/.ssh/authorized_keys
chmod 644 /root/.ssh/authorized_keys
bashio::log.info done.
else
bashio::log.info "No SSH authorized keys to install. Put it in addon_config/<addon slug>/authorized_keys file."
fi
# Start SSH
bashio::log.info "Start SSH service... "
exec /usr/sbin/sshd -f /etc/ssh/sshd_config -D

2
rootfs/srv/haproxy/blacklist Executable file
View file

@ -0,0 +1,2 @@
# Access blacklist
# 123.123.123.123

44
rootfs/srv/haproxy/error.http Executable file
View file

@ -0,0 +1,44 @@
HTTP/1.0 500 Server Error
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html>
<head>
<title>Home Assistant</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"/>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<style>
* {
background: white;
color: #333;
font-family: calibri;
font-weight: bold;
font-size: 1.1em;
}
img {
max-height: 50vw;
max-width: 50vh;
}
h1 {
font-size: 1.1em;
}
p {
font-size: 0.8em;
font-style: italic;
</style>
</head>
<body>
<center>
<img src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAzMiAzMiI+PHRpdGxlPmZpbGVfdHlwZV9ob21lYXNzaXN0YW50PC90aXRsZT48cGF0aCBkPSJNNS4xMTQsMjcuOTQ0VjE4LjQyN0gyLjY2YS42NjguNjY4LDAsMCwxLS40Ny0xLjEzNEwxNS40MSwzLjc0OGgwYS44MTkuODE5LDAsMCwxLDEuMTY2LS4wMDhsLjAwNy4wMDcsNi45LDcuMDM3di0xLjNoMGEuNTUzLjU1MywwLDAsMSwuNTUtLjU1NmgyLjI5MmEuNTUzLjU1MywwLDAsMSwuNTQ5LjU1NnY0Ljc4TDI5LjgxMiwxNy4zaDBhLjY3MS42NzEsMCwwLDEtLjAxLjk0Mi42NTcuNjU3LDAsMCwxLS40NjIuMTlIMjYuODc2djkuNTE3YS41NTMuNTUzLDAsMCwxLS41NDkuNTU2SDUuNjY0QS41NTMuNTUzLDAsMCwxLDUuMTE0LDI3Ljk0NFoiIHN0eWxlPSJmaWxsOiMzZGJjZjM7ZmlsbC1ydWxlOmV2ZW5vZGQiLz48cGF0aCBkPSJNMjEuNzE4LDE1LjA3YTIuODQxLDIuODQxLDAsMCwwLTIuODI2LDIuODU3LDIuODc2LDIuODc2LDAsMCwwLC4yMjQsMS4xMTZsLTIuMDYxLDIuMDgzVjE0Ljc5MWEyLjgyNiwyLjgyNiwwLDEsMC0yLjEyLDB2Ni4zMzVsLTIuMDYxLTIuMDgzYTIuODc2LDIuODc2LDAsMCwwLC4yMjQtMS4xMTYsMi44MjYsMi44MjYsMCwxLDAtMi44MjYsMi44NTgsMi43OTEsMi43OTEsMCwwLDAsMS4xLS4yMjdsMy41NTksMy42VjI4LjVoMi4xMlYyNC4xNTdsMy41Ni0zLjZhMi43ODIsMi43ODIsMCwwLDAsMS4xLjIyNywyLjg1OCwyLjg1OCwwLDAsMCwwLTUuNzE1Wm0tMTEuNDQ2LDRhMS4xNDMsMS4xNDMsMCwxLDEsMS4xMy0xLjE0M0ExLjEzNiwxLjEzNiwwLDAsMSwxMC4yNzIsMTkuMDdaTTE2LDEzLjI4NGExLjE0MywxLjE0MywwLDEsMSwxLjEzMS0xLjE0M0ExLjEzNiwxLjEzNiwwLDAsMSwxNiwxMy4yODRabTUuNzIzLDUuNzg2YTEuMTQzLDEuMTQzLDAsMSwxLDEuMTMxLTEuMTQzQTEuMTM2LDEuMTM2LDAsMCwxLDIxLjcxOCwxOS4wN1oiIHN0eWxlPSJmaWxsOiNmZmYiLz48L3N2Zz4=" border="0"/>
<h1>Your Home Assistant seem not reacheable for the moment.</h1>
<p>Please check your installation or retry later.</p>
</center>
</body>
</html>

76
rootfs/srv/haproxy/haproxy.cfg Executable file
View file

@ -0,0 +1,76 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 100
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
option log-health-checks
option log-separate-errors
option logasap
option contstats
option abortonclose
#option forwardfor except 172.16.81.0/24
timeout connect 3s
timeout client 60s
timeout server 60s
timeout http-request 5s
timeout check 2s
retries 3
option splice-auto
option tcp-smart-connect
errorfile 400 /srv/haproxy/error.http
errorfile 403 /srv/haproxy/error.http
errorfile 408 /srv/haproxy/error.http
errorfile 500 /srv/haproxy/error.http
errorfile 502 /srv/haproxy/error.http
errorfile 503 /srv/haproxy/error.http
errorfile 504 /srv/haproxy/error.http
# Force source IP address to connect to HA
#source 192.168.8.161
frontend ha_front
bind 0.0.0.0:80
#bind 0.0.0.0:443 ssl crt /srv/haproxy/bundle.pem
mode http
maxconn 10000
# Get user ip behind uppon reverse proxy
capture request header X-Forwarded-For len 15
# Blacklist
acl blacklist hdr(x-forwarded-for) -f /srv/haproxy/blacklist
http-request deny if blacklist
default_backend ha_back
backend ha_back
mode http
balance roundrobin
option httpchk GET / HTTP/1.0
timeout server 60s
server ha-host 172.30.32.1:8123 check observe layer4

1
rootfs/srv/openvpn/.gitignore vendored Executable file
View file

@ -0,0 +1 @@
*.key

53
rootfs/srv/openvpn/client.conf Executable file
View file

@ -0,0 +1,53 @@
# Remote host
remote remote.fqdn.tdl 1188
# Protocol & port
proto udp
port 1188
# Interface
dev vpn-ha
dev-type tap
# MTU
tun-mtu 1500
# Secret shared key (generated on first client start)
# Note: to manually generate it, run:
# openvpn --genkey secret /config/openvpn/secret.key
# cp /config/openvpn/secret.key /etc/openvpn/secret.key
# chmod 400 /config/openvpn/secret.key /etc/openvpn/secret.key
secret /config/openvpn/secret.key
cipher AES-256-CBC
# Keepalive
ping 30
ping-restart 60
# Allow remote address changed
float
# IP address inside VPN
ifconfig 172.16.88.2 255.255.255.0
route-gateway 172.16.88.1
# Optional routes recheable througt the remote host
# route 192.168.8.0 255.255.255.0
# Run openvpn using this specified user & group
user nobody
group nogroup
persist-key
persist-tun
## Logging
# Log level (0-9)
verb 3
# Max repeat count for logged messages
mute 10
# Managing interface
# management 127.0.0.1 7588

58
rootfs/srv/openvpn/server.conf Executable file
View file

@ -0,0 +1,58 @@
# Listen on specific IP address (optional, default: all)
# local 192.168.1.8
# Protocol & port
proto udp
port 1188
# Interface
dev vpn-ha
dev-type tap
# MTU
tun-mtu 1500
# Secret shared key (generated on first client start)
# Note: to manually generate it, run:
# openvpn --genkey secret /etc/openvpn/homeassistant.key
# cp /config/openvpn/homeassistant.key /etc/openvpn/homeassistant.key
# chmod 400 /config/openvpn/homeassistant.key /etc/openvpn/homeassistant.key
secret /etc/openvpn/homeassistant.key
cipher AES-256-CBC
# Keepalive
ping 30
# Allow remote address changed
float
# IP address inside VPN
ifconfig 172.16.88.1 255.255.255.0
route-gateway 172.16.88.2
# Optional routes recheable througt the remote host
# route 192.168.9.0 255.255.255.0
# Run openvpn using this specified user & group
user nobody
group nogroup
persist-key
persist-tun
## Logging
# Log level (0-9)
verb 3
# Max repeat count for logged messages
mute 10
# Daemon log
log /var/log/openvpn/homeassistant.log
# Daemon status file
status /var/log/openvpn/homeassistant.status
# Managing interface
# management 127.0.0.1 7588

2
rootfs/srv/ssh/.gitignore vendored Executable file
View file

@ -0,0 +1,2 @@
*_key
*_key.pub

1
rootfs/srv/ssh/authorized_keys Executable file
View file

@ -0,0 +1 @@
# Put your SSH key here to get access to your container (as root)

View file

@ -0,0 +1 @@
PermitRootLogin prohibit-password