feat: add http-assets

15e4d1f ci: make work with main branch

git-subtree-dir: .ci
git-subtree-split: 15e4d1f589c8e055944b2a4b58a9a50728e245b4

.ci/README.md

@@ -14,7 +14,7 @@ include .ci/podman.mk
 
 Add subtree to your project:
 ```
-git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash
+git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git main --squash
 ```
 
 

.gitattributes

@@ -0,0 +1 @@
+*.png filter=lfs diff=lfs merge=lfs -text

Dockerfile

@@ -1,4 +1,4 @@
-ARG ALPINE_VERSION=3.20
+ARG ALPINE_VERSION=3.21
 
 FROM alpine:${ALPINE_VERSION}
 ARG ALPINE_VERSION
@@ -36,10 +36,14 @@ EXPOSE 1194/udp
 
 ADD ./bin /usr/local/bin
 RUN chmod a+x /usr/local/bin/* && \
-    mkdir -p /etc/openvpn-oauth
+    mkdir -p /etc/openvpn-oauth \
+             /opt/http-assets
 
 # Add support for OTP authentication using a PAM module
-ADD ./otp/openvpn /etc/pam.d/
+ADD ./pam.d/openvpn /etc/pam.d/
+
+# Add http branding assets
+ADD ./http-assets /opt/http-assets
 
 # Breaks all easyrsa commands locally due to UID mappings
 # would require podman as plain docker doesnt support keep-id

bin/openvpn-auth-oauth2.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# copy http-assets
+cp /opt/http-assets/* /etc/openvpn-oauth/http-assets
+
+openvpn-auth-oauth2 --config /etc/openvpn-oauth/config.yaml

bin/ovpn_create_client

@@ -32,6 +32,9 @@ cat << EOF | easyrsa build-client-full "$cn" nopass
 yes
 EOF
 
-# Skip confirmation if not running in interctive mode. Essential for integration tests.
-google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
+# Do not overwrite potential existing config during the re-issue flow
+if [ ! -f /etc/openvpn/otp/${cn}.google_authenticator ] ; then
+  # Skip confirmation if not running in interctive mode. Essential for integration tests.
+  google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
 		-l "${cn}" -i "${server}" -s /etc/openvpn/otp/${cn}.google_authenticator --no-confirm -q
+fi

bin/ovpn_revokeclient

@@ -32,4 +32,6 @@ echo "Revoked $cn"
 echo "Updating crl.pem"
 easyrsa gen-crl
 
-rm -f $OPENVPN/pki/issued/$cn.crt $OPENVPN/pki/private/$cn.key $OPENVPN/pki/reqs/$cn.req $OPENVPN/otp/$cn.google_authenticator
+rm -f $OPENVPN/pki/issued/$cn.crt $OPENVPN/pki/private/$cn.key $OPENVPN/pki/reqs/$cn.req
+# do not delete OTP to allow reuse after re-issued cert, left overs OTP data wont hurt anyone
+# rm -f $OPENVPN/otp/$cn.google_authenticator

http-assets/style.css

@@ -0,0 +1,34 @@
+/* overlay for MVP.css v1.15 - https://github.com/andybrewer/mvp */
+
+:root {
+    --active-brightness: 0.85;
+    --border-radius: 5px;
+    --box-shadow: 2px 2px 10px;
+    --color-accent: #118bee15;
+    --color-bg: #0d0711;
+    --color-bg-secondary: #e9e9e9;
+    --color-link: #118bee;
+    --color-secondary: #920de9;
+    --color-secondary-accent: #920de90b;
+    --color-shadow: #f4f4f4;
+    --color-table: #118bee;
+    --color-text: #737f8a;
+    --color-text-secondary: #999;
+    --color-scrollbar: #cacae8;
+    --font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;
+    --hover-brightness: 1.2;
+    --justify-important: center;
+    --justify-normal: left;
+    --line-height: 1.5;
+    --width-card: 285px;
+    --width-card-medium: 460px;
+    --width-card-wide: 800px;
+    --width-content: 1080px;
+}
+
+header {
+    background-image: url(logo.png);
+    background-repeat: no-repeat;
+    background-position-x: center;
+    text-align: var(--justify-important);
+}