Update the whole project

.woodpecker.yaml

@@ -13,25 +13,22 @@ matrix:
 steps:
   build-${TARGET}:
     name: Build ${TARGET}
-    image: zot.badhouseplants.net/badhouseplants/badhouseplants-builder:latest
+    image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:latest
     secrets:
-      - registry_token
+      - gitea_token
-    environment:
-      CONTAINER_REGISTRY: zot.badhouseplants.net
     privileged: true
     depends_on: []
     backend_options:
       kubernetes:
         resources:
           requests:
-            memory: 1024Mi
+            memory: 500Mi
-            cpu: 300m
+            cpu: 200m
           limits:
-            memory: 1024Mi
+            memory: 500Mi
+            cpu: 200m
         securityContext:
           privileged: true
-        nodeSelector:
-          kubernetes.io/arch: "amd64"
     commands:
       - source ./env/${TARGET}.env
       - ./scripts/$SCRIPT

bin/start_openvpn

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+if [ -z "$( ls -A '/opt/data/openvpn' )" ] || [ "${EASY_RSA_REGEN}" == "true" ]; then
+    rm -rf /opt/data/openvpn/*
+    # -- It should prepare certs with easy-rsa
+    /usr/share/easy-rsa/easyrsa init-pki
+    # -- Currently only no password
+    /usr/share/easy-rsa/easyrsa build-ca nopass
+    /usr/share/easy-rsa/easyrsa gen-dh
+    `unset EASYRSA_REQ_CN && /usr/share/easy-rsa/easyrsa build-server-full server nopass`
+    # -- Generate the CRL for client/server certificates revocation.
+    /usr/share/easy-rsa/easyrsa gen-crl
+    openvpn --genkey tls-crypt-v2-server "pki/private/${EASYRSA_REQ_CN}.pem"
+    openvpn --genkey secret > "ta.key"
+
+else
+   echo "Easy RSA config is already prepared, skipping"
+fi
+
+cp /opt/data/openvpn/ta.key /etc/openvpn/server
+openvpn --config /opt/config/server.conf

containerfiles/Containerfile

@@ -16,7 +16,7 @@ RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version
 RUN tar -xf /tmp/openvpn.tar.gz  -C /tmp && rm -f /tmp/openvpn.tar.gz
 RUN mv /tmp/openvpn-${OPENVPN_VERSION} /output/openvpn
 
-FROM ubuntu:22.04 as builder
+FROM ubuntu:24.04 as builder
 # ------------------------------------------------------
 # -- TODO: Define it only once
 # ------------------------------------------------------
@@ -31,36 +31,34 @@ WORKDIR /src/openvpn
 RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
 RUN make && make install
 RUN mkdir /output
-RUN cp $(which openvpn) /output/
+RUN cp $(which openvpn) /output
+RUN cp /src/openvpn/sample/sample-config-files/server.conf /output
 
 # ------------------------------------------------------
 # -- Final container
 # ------------------------------------------------------
-FROM ubuntu:22.04
+FROM ubuntu:24.04
-LABEL maintainer="allanger <allanger@zohomail.com>"
+LABEL maintainer="allanger <allanger@badhouseplants.net>"
-COPY --from=builder /output /src
+VOLUME /opt/data/openvpn
+WORKDIR /opt/data/openvpn
+
+ENV EASYRSA_BATCH=yes
+ENV EASYRSA_REQ_CN=openvpn-server
+
+COPY --from=builder /output/openvpn /src/openvpn
+COPY --from=builder /output/server.conf /opt/config/server.conf
+
 # -------------------------------------------------------
 # -- Prepare system deps
+# -- It's also installing the openvpn package but 
+# -- it's required for getting dependencies, later
+# -- it's rewritten by the binary that from the builder
 # -------------------------------------------------------
-RUN apt update && apt install openvpn easy-rsa iptables -y && \
+RUN apt update &&\
-  mv /src/openvpn $(which openvpn)
+      apt upgrade -y && \
-
+      apt install openvpn easy-rsa -y && \
-# Needed by scripts
+      mv /src/openvpn $(which openvpn)
-ENV OPENVPN /etc/openvpn
-
-# Prevents refused client connection because of an expired CRL
-ENV EASYRSA_CRL_DAYS 3650
-
-VOLUME ["/etc/openvpn"]
-
-# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
-EXPOSE 1194
 
 CMD ["ovpn_run"]
 
-COPY --chmod='755' ./bin /usr/local/bin
+COPY --chmod='755' ./bin /usr/local/bin
-# -----------------------------------------------------------
-# -- Add support for OTP authentication using a PAM module
-# -- I have no idea how it works yet
-# -----------------------------------------------------------
-WORKDIR /etc/openvpn

containerfiles/Containerfile-XOR

@@ -23,7 +23,7 @@ RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ ve
 RUN tar -xf /tmp/tunnelblick.tar.gz  -C /tmp && rm -f /tmp/tunnelblick.tar.gz
 RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
 
-FROM ubuntu:24.04 as builder
+FROM ubuntu as builder
 # ------------------------------------------------------
 # -- TODO: Define it only once
 # ------------------------------------------------------

env/openvpn.env

@@ -1,3 +1,3 @@
-export OPENVPN_VERSION=2.6.5
+export OPENVPN_VERSION=2.6.11
 export CONTAINERFILE=./containerfiles/Containerfile
 export SCRIPT=build_upstream.sh

scripts/build_xor.sh

@@ -1,7 +1,6 @@
 #!/usr/bin/env sh
 git clone https://github.com/Tunnelblick/Tunnelblick.git /tmp/tunnelblick
-git -C /tmp/tunnelblick checkout $TUNNELBLICK_VERSION
 export OPENVPN_VERSION=$(ls /tmp/tunnelblick/third_party/sources/openvpn | sed 's/openvpn-//g' | sort  -k1,1nr -k2,2n -k3,3n | head -n 1)
 export CUSTOM_TAG="v$OPENVPN_VERSION-XOR-$TUNNELBLICK_VERSION"
 export BUILD_ARGS="--build-arg OPENVPN_VERSION=$OPENVPN_VERSION --build-arg TUNNELBLICK_VERSION=$TUNNELBLICK_VERSION"
-build-container
+build-container