fix: make PoC work, add openvpn_exporter

This commit is contained in:
Stefan Reimer 2022-05-25 21:06:19 +02:00
parent d66b1127eb
commit 86ae814832
4 changed files with 19 additions and 12 deletions


@ -1,11 +1,15 @@
ARG ALPINE_VERSION=3.15 ARG ALPINE_VERSION=3.15
FROM alpine:${ALPINE_VERSION} FROM alpine:${ALPINE_VERSION}
ARG ALPINE_VERSION
LABEL zero-downtime.net.image.maintainer="stefan@zero-downtime.net" \ LABEL zero-downtime.net.image.maintainer="stefan@zero-downtime.net" \
zero-downtime.net.image.license="AGPLv3" zero-downtime.net.image.license="AGPLv3"
RUN apk upgrade -U --available --no-cache && \ RUN cd /etc/apk/keys && \
wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
echo "@kubezero https://cdn.zero-downtime.net/alpine/v${ALPINE_VERSION}/kubezero" >> /etc/apk/repositories && \
apk upgrade -U --available --no-cache && \
apk add --no-cache \ apk add --no-cache \
openvpn \ openvpn \
nftables \ nftables \
@ -13,7 +17,8 @@ RUN apk upgrade -U --available --no-cache && \
easy-rsa \ easy-rsa \
openvpn-auth-pam \ openvpn-auth-pam \
google-authenticator \ google-authenticator \
libqrencode && \ libqrencode \
openvpn_exporter@kubezero && \
ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin
# Needed by scripts # Needed by scripts
@ -25,6 +30,7 @@ ENV EASYRSA=/usr/share/easy-rsa \
VOLUME ["/etc/openvpn"] VOLUME ["/etc/openvpn"]
EXPOSE 1194/udp EXPOSE 1194/udp
EXPOSE 9176/tcp
CMD ["ovpn_run"] CMD ["ovpn_run"]
@ -33,4 +39,3 @@ RUN chmod a+x /usr/local/bin/*
# Add support for OTP authentication using a PAM module # Add support for OTP authentication using a PAM module
ADD ./otp/openvpn /etc/pam.d/ ADD ./otp/openvpn /etc/pam.d/
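Review bot: The @kubezero repository key fetched on the second line of the first RUN is installed into /etc/apk/keys with no check beyond the TLS connection, so whatever that URL serves becomes a trusted package signer for every later `apk add` in this image. Verifying the file in the same layer closes that gap, e.g. `echo "<sha256-of-key>  stefan@zero-downtime.net-61bb6bfb.rsa.pub" | sha256sum -c -` directly after the wget (busybox sha256sum supports -c). The `cd /etc/apk/keys` can be avoided by passing `wget -P /etc/apk/keys "<url>"`, which hadolint also prefers over cd inside RUN. The `openvpn_exporter@kubezero` package is added unpinned, so a rebuild can silently pick up a different exporter version; pinning it like the other packages would keep the image reproducible.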


@ -3,4 +3,3 @@ IMAGE := zdt-openvpn
REGION := us-east-1 REGION := us-east-1
include .ci/podman.mk include .ci/podman.mk


@ -128,5 +128,8 @@ if [ $? = 0 ]; then
fi fi
fi fi
echo "Starting openvpn_exporter"
openvpn_exporter --openvpn.status_paths /var/run/openvpn-status.log &
echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'" echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
exec openvpn ${ARGS[@]} ${USER_ARGS[@]} exec openvpn ${ARGS[@]} ${USER_ARGS[@]}
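Review bot: The exporter is started with `&` and openvpn then replaces the script via `exec` on the last line, so once openvpn is PID 1 nothing notices or restarts the exporter if it exits, and a crashed exporter leaves an unreaped process while metrics silently stop. A cheap mitigation is a `HEALTHCHECK` on the metrics port in the Dockerfile, or running both processes under an init such as tini so the failure is visible to the runtime. The `--openvpn.status_paths /var/run/openvpn-status.log` value only works if openvpn is actually told to write its status file there; ARGS is assembled outside this hunk, so a comment tying the two together, such as `# must match the --status path passed to openvpn in ARGS`, would help the next reader. The exporter's listen address is left at the tool's default here; if the metrics endpoint should only be reachable from the scrape network, pass it explicitly.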


@ -1,7 +1,7 @@
# Uses google authenticator library as PAM module using a single folder for all users tokens # Uses google authenticator library as PAM module using a single folder for all users tokens
# User root is required to stick with an hardcoded user when trying to determine user id and allow unexisting system users # User root is required to stick with an hardcoded user when trying to determine user id and allow unexisting system users
# See https://github.com/google/google-authenticator-libpam#usersome-user # See https://github.com/google/google-authenticator-libpam#usersome-user
auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root authtok_prompt=pin
# Accept any user since we're dealing with virtual users there's no need to have a system account (pam_unix.so) # Accept any user since we're dealing with virtual users there's no need to have a system account (pam_unix.so)
account sufficient pam_permit.so account sufficient pam_permit.so
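Review bot: The auth line gains `authtok_prompt=pin`, but the comment block above it only explains `secret=` and `user=root`, so the reason for overriding the prompt text is undocumented. A one-line comment stating what the client side expects the prompt to be, e.g. `# authtok_prompt: prompt text shown to the client; set to "pin" to match <what the client expects — fill in>`, would keep this file self-explaining like the rest of it.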