From b54d67e343e6c927bc7172e21a888365f1e7cb45 Mon Sep 17 00:00:00 2001
From: Benjamin Renard
Date: Mon, 1 Jan 2024 18:07:59 +0100
Subject: [PATCH] Add README.md file
---
README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
apache2.conf | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 94 insertions(+)
create mode 100644 README.md
create mode 100644 apache2.conf
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4b65508
--- /dev/null
+++ b/README.md
@@ -0,0 +1,52 @@
+# Home Assistant add-on to get access to your Home Assistant via OpenVPN and a reverse proxy
+
+This Home Assistant add-on allow you to mount a tunnel to your external host that have to run OpenVPN server and a reverse proxy to access to your Home Assistant. In this container, you have:
+
+- a SSH service with root access (if you declare your SSH pub key)
+- a OpenVPN client
+- a Haproxy configured to get access to your Home Assistant
+
+## Installation
+
+Firstly, you need to add this custom add-on repository:
+
+[![Open your Home Assistant instance and show the add add-on repository dialog with a specific repository URL pre-filled.](https://my.home-assistant.io/badges/supervisor_add_addon_repository.svg)](https://my.home-assistant.io/redirect/supervisor_add_addon_repository/?repository_url=https%3A%2F%2Fgitea.zionetrix.net%2Fbn8%2Fha-remote-vpn-addon)
+
+When it's done, you could search and install the _Remote VPN access_ addon. Don't forget to enable the _Start on boot_ and _Watchdog_ options. On the first start, the add-on will initialize it's configuration in `addon_configs/xxxxxxxx_ha_remote_vpn`.
+
+## Configuration
+
+### On the container
+
+You have to:
+
+- put your external host IP address or domain name in `srv/openvpn/client.conf` (on the `remote` line at the begining of the file)
+- put your Home Assistant local IP address in `srv/haproxy/haproxy.cfg` (on the `server` line at the end of the file). Note: default is `172.30.32.1` and should fit on standard installation.
+- pur your SSH public key in `srv/ssh/authorized_keys`
+
+After, restart the addon to apply new configuration.
+
+## On your external host
+
+You have to:
+
+- install and configure OpenVPN using the provide `srv/openvpn/server.conf` and the `secret.key` file that will be generated by the client container on its first start
+- install and configure the reverse proxy of your choice, for instance, Apache2: on a Debian host :
+ - Install it : `apt install apache2`
+ - Copy `apache2.conf` in `/etc/apache2/sites-available/home.conf` and ajust it for your needs
+ - Enable required modules and the site : `a2enmod proxy_http proxy_wstunnel rewrite ssl && a2ensite home && service apache2 restart`
+
+### On your Home Assistant
+
+You have to authorized access via your reverse proxy by adding the following lines in your `configuration.yaml` file:
+
+```yaml
+http:
+ use_x_forwarded_for: true
+ trusted_proxies:
+ - 172.30.33.1
+```
+
+**Note:** Adjust your addon container IP address in the list `trusted_proxies`.
+
+After, restart the HomeAssistant to apply new HTTP configuration.
diff --git a/apache2.conf b/apache2.conf
new file mode 100644
index 0000000..2a23db8
--- /dev/null
+++ b/apache2.conf
@@ -0,0 +1,42 @@
+
+ ServerName ha.example.com
+
+ DocumentRoot /var/www/empty
+
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} !(^/\.well-known/.*$)
+ RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=307]
+
+ ErrorLog /var/log/apache2/ha.example.com.error.log
+ CustomLog /var/log/apache2/ha.example.com.access.log combined
+
+
+
+ ServerName ha.example.com
+
+ SSLEngine On
+ #SSLCertificateFile /etc/letsencrypt/live/ha.example.com/cert.pem
+ #SSLCertificateKeyFile /etc/letsencrypt/live/ha.example.com/privkey.pem
+ #SSLCACertificateFile /etc/letsencrypt/live/ha.example.com/chain.pem
+ SSLCertificateFile /etc/ssl/private/ssl-cert-snakeoil.key
+ SSLCertificateKeyFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ DocumentRoot /var/www/html
+
+ # Home-Assistant
+ ProxyPreserveHost On
+ ProxyRequests off
+ ProxyPass /api/websocket ws://172.16.88.2:80/api/websocket
+ ProxyPassReverse /api/websocket ws://172.16.88.2:80/api/websocket
+ ProxyPass / http://172.16.88.2:80/
+ ProxyPassReverse / http://172.16.88.2:80/
+
+ RewriteEngine on
+ RewriteCond %{HTTP:Upgrade} =websocket [NC]
+ RewriteRule /(.*) ws://172.16.88.2:80/$1 [P,L]
+ RewriteCond %{HTTP:Upgrade} !=websocket [NC]
+ RewriteRule /(.*) http://172.16.88.2:80/$1 [P,L]
+
+ ErrorLog /var/log/apache2/ha.example.com.error.log
+ CustomLog /var/log/apache2/ha.example.com.access.log combined
+
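Review bot: The two active certificate directives in the TLS virtual host have their paths crossed: `SSLCertificateFile` points at `/etc/ssl/private/ssl-cert-snakeoil.key` and `SSLCertificateKeyFile` at `/etc/ssl/certs/ssl-cert-snakeoil.pem`, so mod_ssl is given a private key where it expects the certificate and the site will most likely fail to load. They should read `SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem` and `SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key`. Because the snakeoil pair is self-signed, a comment above them such as `# placeholder only: switch to the Let's Encrypt lines before exposing this host` would help whoever copies the template. In the commented Let's Encrypt lines, `SSLCACertificateFile` is the CA bundle mod_ssl uses to verify client certificates; the server chain is normally supplied by pointing `SSLCertificateFile` at `fullchain.pem`. The closing `RewriteRule ... [P,L]` pair also appears to duplicate what the `ProxyPass` lines already do, and a one-line comment saying which of the two mechanisms is meant to handle the websocket upgrade would make the proxy path easier to audit.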