fix: make PoC work, add openvpn_exporter

2022-05-25 21:06:19 +02:00 · 2022-05-25 21:06:19 +02:00 · 86ae814832
parent d66b1127eb
commit 86ae814832
4 changed files with 19 additions and 12 deletions
--- a/25
+++ b/25
@ -1,20 +1,25 @@
 ARG ALPINE_VERSION=3.15

 FROM alpine:${ALPINE_VERSION}
+ARG ALPINE_VERSION

 LABEL zero-downtime.net.image.maintainer="stefan@zero-downtime.net" \
      zero-downtime.net.image.license="AGPLv3"

-RUN apk upgrade -U --available --no-cache && \
+RUN cd /etc/apk/keys && \
+    wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
+    echo "@kubezero https://cdn.zero-downtime.net/alpine/v${ALPINE_VERSION}/kubezero" >> /etc/apk/repositories && \
+    apk upgrade -U --available --no-cache && \
    apk add --no-cache \
-    openvpn \
-    nftables \
-    bash \
-    easy-rsa \
-    openvpn-auth-pam \
-    google-authenticator \
-    libqrencode && \
-    ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin
+      openvpn \
+      nftables \
+      bash \
+      easy-rsa \
+      openvpn-auth-pam \
+      google-authenticator \
+      libqrencode \
+      openvpn_exporter@kubezero && \
+      ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin

 # Needed by scripts
 ENV OPENVPN=/etc/openvpn
@ -25,6 +30,7 @@ ENV EASYRSA=/usr/share/easy-rsa \
 VOLUME ["/etc/openvpn"]

 EXPOSE 1194/udp
+EXPOSE 9176/tcp

 CMD ["ovpn_run"]

@ -33,4 +39,3 @@ RUN chmod a+x /usr/local/bin/*

 # Add support for OTP authentication using a PAM module
 ADD ./otp/openvpn /etc/pam.d/
-
--- a/1
+++ b/1
@ -3,4 +3,3 @@ IMAGE := zdt-openvpn
 REGION := us-east-1

 include .ci/podman.mk
-
--- a/bin/ovpn_run
+++ b/bin/ovpn_run
@ -128,5 +128,8 @@ if [ $? = 0 ]; then
    fi
 fi

+echo "Starting openvpn_exporter"
+openvpn_exporter --openvpn.status_paths /var/run/openvpn-status.log &
+
 echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
 exec openvpn ${ARGS[@]} ${USER_ARGS[@]}
--- a/otp/openvpn
+++ b/otp/openvpn
@ -1,7 +1,7 @@
 # Uses google authenticator library as PAM module using a single folder for all users tokens
 # User root is required to stick with an hardcoded user when trying to determine user id and allow unexisting system users
 # See https://github.com/google/google-authenticator-libpam#usersome-user
-auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root
+auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root authtok_prompt=pin

 # Accept any user since we're dealing with virtual users there's no need to have a system account (pam_unix.so)
 account sufficient pam_permit.so