forked ssh and installed tinc

tinc/CHANGELOG.md

@@ -0,0 +1,2 @@
+# Changelog
+

tinc/DOCS.md

@@ -0,0 +1,110 @@
+# Home Assistant Add-on: Terminal & SSH
+
+## Installation
+
+Follow these steps to get the add-on installed on your system:
+
+1. This add-on is only visible to "Advanced Mode" users. To enable advanced mode, go to **Profile** -> and turn on **Advanced Mode**.
+2. Navigate in your Home Assistant frontend to **Supervisor** -> **Add-on Store**.
+3. Find the "Terminal & SSH" add-on and click it.
+4. Click on the "INSTALL" button.
+
+## How to use
+
+This add-on adds two main features to your Home Assistant installation:
+
+- a web terminal that you can use from your browser, and
+- enable connecting to your system using an SSH client.
+
+Regardless of how you connect (using the web terminal or using an SSH client), you end up in this add-on's container. The Home Assistant configuration
+directory is located on the path `/config`.
+
+This add-on comes bundled with [The Home Assistant CLI](https://www.home-assistant.io/hassio/commandline/). Try it out using:
+
+```bash
+ha help
+```
+
+### The Web Terminal
+
+You can access the web terminal by clicking the "Open Web UI" button on this add-on's Info tab. If you set the "Show in sidebar" setting (found on the same Info tab) to "on", a shortcut is added to the sidebar allowing you to access the web terminal quickly.
+
+### SSH Server Connection
+
+Remote SSH access from the network is disabled by default (See Network below).  To connect using an SSH client, such as PuTTY or Linux terminal, you need to supply additional configuration for this add-on. To enable SSH connectivity, you need to:
+
+- Provide authentication credentials - a password or SSH key(s)
+- Specify which TCP port to bind to, on the Home Assistant host
+
+You can then connect to the port specified, using the username `root`. Please note that enabling the SSH Server potentially makes your Home Assistant system less secure, as it might enable anyone on the internet to try to access your system. The security of your system also depends on your network set up, router settings, use of firewalls, etc. As a general recommendation, you should not activate this part of the add-on unless you understand the ramifications.
+
+If you enable connecting to the SSH Server using an SSH client, you are strongly recommended to use private/public keys to log in. As long as you keep the private part of your key safe, this makes your system much harder to break into. Using passwords is, therefore, generally considered a less secure mechanism. To generate private/public SSH keys, follow the [instructions for Windows][keygen-windows] and [these for other platforms][keygen].
+
+Enabling login via password will disable key-based login. You can not run both variants at the same time.
+
+## Configuration
+
+Add-on configuration:
+
+```yaml
+authorized_keys:
+  - "ssh-rsa AKDJD3839...== my-key"
+password: ''
+apks: []
+server:
+  tcp_forwarding: false
+```
+
+### Option: `apks`
+
+Additional software packages to install in the add-on container.
+
+### Option: `authorized_keys`
+
+Your **public keys** that you wish to accept for login. You can authorize multiple keys by adding multiple public keys to the list.
+
+If you get errors when adding your key, it is likely that the public key you're trying to add, contains characters that intervene with YAML syntax. Try enclosing your key in double quotes to avoid this issue.
+
+### Option: `password`
+
+Set a password for login. **We do NOT recommend this variant**.
+
+### Option group  `server`
+
+Some SSH server options.
+
+#### Option `tcp_forwarding`
+
+Specifies whether TCP forwarding is permitted or not.
+
+**Note**: _Enabling this option lowers the security of your SSH server! Nevertheless, this warning is debatable._
+
+## Network
+
+This section is only relevant if you want to connect to Home Assistant using an SSH client, such as PuTTY or Linux terminal. To enable SSH remote access from the Network, specify the desired SSH TCP server port in the Network configuration input box. The number you enter will be used to map that port from the host into the running "Terminal & SSH" add-on. The standard port used for the SSH protocol is `22`.  
+
+Remote SSH access can be disabled again, by clearing the input box, saving the configuration and restarting the add-on.
+
+## Known issues and limitations
+
+- This add-on will not enable you to install packages or do anything as root.
+  This is not working with Home Assistant.
+
+## Support
+
+Got questions?
+
+You have several options to get them answered:
+
+- The [Home Assistant Discord Chat Server][discord].
+- The Home Assistant [Community Forum][forum].
+- Join the [Reddit subreddit][reddit] in [/r/homeassistant][reddit]
+
+In case you've found a bug, please [open an issue on our GitHub][issue].
+
+[discord]: https://discord.gg/c5DvZ4e
+[forum]: https://community.home-assistant.io
+[issue]: https://github.com/home-assistant/hassio-addons/issues
+[keygen-windows]: https://www.digitalocean.com/community/tutorials/how-to-create-ssh-keys-with-putty-to-connect-to-a-vps
+[keygen]: https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/
+[reddit]: https://reddit.com/r/homeassistant

tinc/Dockerfile

@@ -0,0 +1,85 @@
+ARG BUILD_FROM
+FROM $BUILD_FROM
+
+# Setup base
+ARG LIBWEBSOCKETS_VERSION
+ARG TTYD_VERSION
+RUN \
+    set -x \ 
+    && apk add --no-cache \
+        bash-completion \
+        pulseaudio-utils \
+        alsa-plugins-pulse \
+        bluez \
+        git \
+        libuv \
+        mosquitto-clients \
+        nano \
+        openssh \
+        pwgen \
+        tmux \
+        vim \
+    \
+    && apk add --no-cache --virtual .build-dependencies \
+        bsd-compat-headers \
+        build-base \
+        linux-headers \
+        cmake \
+        json-c-dev \
+        libuv-dev \
+        openssl-dev \
+        zlib-dev \
+    \
+    && sed -i "s/ash/bash/" /etc/passwd \
+    \
+    && git clone --branch "v${LIBWEBSOCKETS_VERSION}" --depth=1 \
+        https://github.com/warmcat/libwebsockets.git /tmp/libwebsockets \
+    \
+    && mkdir -p /tmp/libwebsockets/build \
+    && cd /tmp/libwebsockets/build \
+    && cmake .. \
+        -DCMAKE_BUILD_TYPE=MinSizeRel \
+        -DCMAKE_INSTALL_PREFIX=/usr \
+        -DCMAKE_VERBOSE_MAKEFILE=TRUE \
+        -DLWS_IPV6=ON \
+        -DLWS_STATIC_PIC=ON \
+        -DLWS_UNIX_SOCK=OFF \
+        -DLWS_WITH_LIBUV=ON \
+        -DLWS_WITH_SHARED=ON \
+        -DLWS_WITHOUT_TESTAPPS=ON \
+    && make \
+    && make install \
+    \
+    && git clone --branch main --single-branch \
+        https://github.com/tsl0922/ttyd.git /tmp/ttyd \
+    && git -C /tmp/ttyd checkout "${TTYD_VERSION}" \
+    \
+    && mkdir -p /tmp/ttyd/build \
+    && cd /tmp/ttyd/build \
+    && cmake .. \
+        -DCMAKE_BUILD_TYPE=MinSizeRel \
+        -DCMAKE_INSTALL_PREFIX=/usr \
+        -DCMAKE_VERBOSE_MAKEFILE=TRUE \
+    && make \
+    && make install \
+    \
+    && apk del --no-cache --purge .build-dependencies \
+    && rm -f -r \
+        /root/.cache \
+        /root/.cmake \
+        /tmp/*
+
+# Add YAML highlighting for nano
+ADD https://raw.githubusercontent.com/scopatz/nanorc/master/yaml.nanorc /usr/share/nano/yaml.nanorc
+RUN sed -i 's/^#[[:space:]]*\(include "\/usr\/share\/nano\/\*\.nanorc".*\)/\1/' /etc/nanorc
+
+# Home Assistant CLI
+ARG BUILD_ARCH
+ARG CLI_VERSION
+RUN curl -Lso /usr/bin/ha \
+        "https://github.com/home-assistant/cli/releases/download/${CLI_VERSION}/ha_${BUILD_ARCH}" \
+    && chmod a+x /usr/bin/ha \
+    && /usr/bin/ha completion > /usr/share/bash-completion/completions/ha
+
+# Copy data
+COPY rootfs /

tinc/README.md

@@ -0,0 +1,17 @@
+# Home Assistant Add-on: SSH server
+
+Allow logging in remotely to Home Assistant using SSH or just the web terminal with Ingress.
+
+![Supports aarch64 Architecture][aarch64-shield] ![Supports amd64 Architecture][amd64-shield] ![Supports armhf Architecture][armhf-shield] ![Supports armv7 Architecture][armv7-shield] ![Supports i386 Architecture][i386-shield]
+
+## About
+
+Setting up an SSH server allows access to your Home Assistant folders with any SSH
+client. It also includes a command-line tool to access the Home Assistant API.
+
+
+[aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg
+[amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg
+[armhf-shield]: https://img.shields.io/badge/armhf-yes-green.svg
+[armv7-shield]: https://img.shields.io/badge/armv7-yes-green.svg
+[i386-shield]: https://img.shields.io/badge/i386-yes-green.svg

tinc/build.yaml

@@ -0,0 +1,13 @@
+build_from:
+  aarch64: ghcr.io/home-assistant/aarch64-base:3.14
+  amd64: ghcr.io/home-assistant/amd64-base:3.14
+  armhf: ghcr.io/home-assistant/armhf-base:3.14
+  armv7: ghcr.io/home-assistant/armv7-base:3.14
+  i386: ghcr.io/home-assistant/i386-base:3.14
+codenotary:
+  signer: notary@home-assistant.io
+  base_image: notary@home-assistant.io
+args:
+  CLI_VERSION: 4.14.0
+  LIBWEBSOCKETS_VERSION: 4.2.1
+  TTYD_VERSION: 3e37e33b1cd927ae8f25cfbcf0da268723b6d230

tinc/config.yaml

@@ -0,0 +1,47 @@
+version: 9.3.0
+slug: tinc
+name: Tinc
+description: Allow logging in remotely to Home Assistant using SSH
+url: https://github.com/home-assistant/hassio-addons/tree/master/ssh
+advanced: true
+arch:
+  - armhf
+  - armv7
+  - aarch64
+  - amd64
+  - i386
+host_dbus: true
+image: homeassistant/{arch}-addon-ssh
+ingress: true
+init: false
+map:
+  - config:rw
+  - ssl:rw
+  - addons:rw
+  - share:rw
+  - backup:rw
+  - media:rw
+options:
+  apks: []
+  authorized_keys: []
+  password: ""
+  server:
+    tcp_forwarding: false
+panel_icon: mdi:console
+panel_title: Terminal
+ports:
+  22/tcp: null
+schema:
+  apks:
+    - str
+  authorized_keys:
+    - str
+  password: password
+  server:
+    tcp_forwarding: bool
+startup: services
+uart: true
+privileged:
+  - NET_ADMIN
+devices:
+  - /dev/net/tun

tinc/rootfs/etc/cont-init.d/apks.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# SSH install additional packages on startup
+# ==============================================================================
+
+if ! bashio::config.has_value "apks"; then
+    bashio::exit.ok
+fi
+
+apk update \
+    || bashio::exit.nok "Failed updating Alpine packages indexes"
+
+for package in $(bashio::config "apks"); do
+    apk add "$package" \
+        || bashio::exit.nok "Failed installing ${package}"
+done

tinc/rootfs/etc/cont-init.d/keygen.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# SSH Host keys
+# ==============================================================================
+readonly KEYS_PATH=/data/host_keys
+
+if ! bashio::fs.directory_exists "${KEYS_PATH}"; then
+    bashio::log.info "Generating host keys..."
+
+    mkdir -p "${KEYS_PATH}"
+    ssh-keygen -A || bashio::exit.nok "Failed to create host keys!"
+    cp -fp /etc/ssh/ssh_host* "${KEYS_PATH}/"
+else
+    bashio::log.info "Restoring host keys..."
+    cp -fp "${KEYS_PATH}"/* /etc/ssh/
+fi

tinc/rootfs/etc/cont-init.d/profile.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# Setup persistent user settings
+# ==============================================================================
+readonly DIRECTORIES=(addons backup config share ssl)
+
+# Persist shell history by redirecting .bash_history to /data
+if ! bashio::fs.file_exists /data/.bash_profile; then
+    touch /data/.bash_history
+    chmod 600 /data/.bash_history
+fi
+
+# Make Home Assistant TOKEN available on the CLI
+mkdir -p /etc/profile.d
+bashio::var.json \
+    supervisor_token "${SUPERVISOR_TOKEN}" \
+    | tempio \
+        -template /usr/share/tempio/homeassistant.profile \
+        -out /etc/profile.d/homeassistant.sh
+
+
+# Persist shell profile by redirecting .bash_profile to /data
+if ! bashio::fs.file_exists /data/.bash_profile; then
+    touch /data/.bash_profile
+    chmod 600 /data/.bash_profile
+fi
+
+# Links some common directories to the user's home folder for convenience
+for dir in "${DIRECTORIES[@]}"; do
+    ln -s "/${dir}" "${HOME}/${dir}" \
+        || bashio::log.warning "Failed linking common directory: ${dir}"
+done
+
+# Sets up the users .ssh folder to be persistent
+if ! bashio::fs.directory_exists /data/.ssh; then
+    mkdir -p /data/.ssh \
+        || bashio::exit.nok 'Failed to create a persistent .ssh folder'
+
+    chmod 700 /data/.ssh \
+        || bashio::exit.nok \
+            'Failed setting permissions on persistent .ssh folder'
+fi

tinc/rootfs/etc/cont-init.d/ssh.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# SSH setup & user
+# ==============================================================================
+if bashio::config.has_value 'authorized_keys'; then
+    bashio::log.info "Setup authorized_keys"
+
+    mkdir -p /data/.ssh
+    chmod 700 /data/.ssh
+    rm -f /data/.ssh/authorized_keys
+    while read -r line; do
+        echo "$line" >> /data/.ssh/authorized_keys
+    done <<< "$(bashio::config 'authorized_keys')"
+
+    chmod 600 /data/.ssh/authorized_keys
+
+    # Unlock account
+    PASSWORD="$(pwgen -s 64 1)"
+    echo "root:${PASSWORD}" | chpasswd 2&> /dev/null
+elif bashio::config.has_value 'password'; then
+    bashio::log.info "Setup password login"
+
+    PASSWORD=$(bashio::config 'password')
+    echo "root:${PASSWORD}" | chpasswd 2&> /dev/null
+elif bashio::var.has_value "$(bashio::addon.port 22)"; then
+    bashio::exit.nok "You need to setup a login!"
+fi
+
+# Generate config
+mkdir -p /etc/ssh
+tempio \
+    -conf /data/options.json \
+    -template /usr/share/tempio/sshd_config \
+    -out /etc/ssh/sshd_config

tinc/rootfs/etc/fix-attrs.d/cli

@@ -0,0 +1,4 @@
+/usr/bin/hassio false root 0755 0755
+/usr/bin/ha false root 0755 0755
+/usr/local/bin/reboot false root 0755 0755
+/usr/local/bin/shutdown false root 0755 0755

tinc/rootfs/etc/fix-attrs.d/profile

@@ -0,0 +1,2 @@
+/data/.bash_history false root 0600 0755
+/data/.bash_profile false root 0600 0755

tinc/rootfs/etc/fix-attrs.d/ssh

@@ -0,0 +1,3 @@
+/data/.ssh false root 0644 0700
+/data/.ssh/authorized_keys false root 0600 0755
+/etc/ssh false root 0644 0755

tinc/rootfs/etc/services.d/sshd/finish

@@ -0,0 +1,8 @@
+#!/usr/bin/execlineb -S1
+# ==============================================================================
+# Take down the S6 supervision tree when sshd fails
+# ==============================================================================
+if { s6-test ${1} -ne 0 }
+if { s6-test ${1} -ne 256 }
+
+s6-svscanctl -t /var/run/s6/services

tinc/rootfs/etc/services.d/sshd/run

@@ -0,0 +1,13 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# Start sshd service if enabled
+# ==============================================================================
+
+# If SSH is disabled, use a fake sleep process
+if ! bashio::var.has_value "$(bashio::addon.port 22)"; then
+    bashio::log.warning "SSH port is disabled. Prevent start of SSH server." 
+    exec sleep infinity
+fi
+
+bashio::log.info "Starting the SSH daemon..."
+exec /usr/sbin/sshd -D -e

tinc/rootfs/etc/services.d/ttyd/finish

@@ -0,0 +1,8 @@
+#!/usr/bin/execlineb -S1
+# ==============================================================================
+# Take down the S6 supervision tree when ttyd fails
+# ==============================================================================
+if { s6-test ${1} -ne 0 }
+if { s6-test ${1} -ne 256 }
+
+s6-svscanctl -t /var/run/s6/services

tinc/rootfs/etc/services.d/ttyd/run

@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# Start ttyd service for ingress
+# ==============================================================================
+bashio::log.info "Starting Web Terminal..."
+cd /root || bashio::exit.nok "Can't find root folder!"
+
+exec ttyd -p 8099 tmux -u new -A -s homeassistant bash -l

tinc/rootfs/root/.bash_history

@@ -0,0 +1 @@
+/data/.bash_history

tinc/rootfs/root/.bash_profile

@@ -0,0 +1 @@
+/data/.bash_profile

tinc/rootfs/root/.ssh

@@ -0,0 +1 @@
+/data/.ssh

tinc/rootfs/root/.tmux.conf

@@ -0,0 +1,25 @@
+set-option -g default-terminal $TERM
+set-option -g base-index 1
+setw -g pane-base-index 1
+setw -g window-status-format "#[fg=white]#[bg=blue] #I #[bg=blue]#[fg=white] #W "
+setw -g window-status-current-format "#[bg=brightmagenta]#[fg=white] *#I #[fg=white,bold]#[bg=cyan] [#W] "
+set -g status-fg white
+set -g status-bg blue
+set -g status-left ''
+set -g status-right '%a %m-%d %H:%M'
+set -g mouse on
+unbind C-b
+set-option -g prefix C-a
+bind-key C-a send-prefix
+bind | split-window -h
+bind \\ split-window -h
+bind - split-window -v
+unbind '"'
+unbind %
+bind -n M-Left select-pane -L
+bind -n M-Right select-pane -R
+bind -n M-Up select-pane -U
+bind -n M-Down select-pane -D
+set -s escape-time 0
+bind-key -T copy-mode-vi MouseDragEnd1Pane send-keys -X copy-pipe-and-cancel "xclip -selection clipboard -i"
+bind-key -T copy-mode MouseDragEnd1Pane send-keys -X copy-pipe-and-cancel "xclip -selection clipboard -i"

tinc/rootfs/usr/bin/hassio

@@ -0,0 +1,3 @@
+#!/usr/bin/env bashio
+bashio::log.yellow "The 'hassio' command is deprecated, please use 'ha' instead!"
+ha "$@"

tinc/rootfs/usr/local/bin/reboot

@@ -0,0 +1,5 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# This script overrides the reboot command to reboot the host machine.
+# ==============================================================================
+bashio::host.reboot

tinc/rootfs/usr/local/bin/shutdown

@@ -0,0 +1,5 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# This script overrides the shutdown command to shutdown the host machine.
+# ==============================================================================
+bashio::host.shutdown

tinc/rootfs/usr/share/tempio/homeassistant.profile

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+export PS1="\[\e[0;32m\][\h \W]\$ \[\e[m\]"
+export SUPERVISOR_TOKEN={{ .supervisor_token }}
+
+ha banner

tinc/rootfs/usr/share/tempio/sshd_config

@@ -0,0 +1,26 @@
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# Logging
+LogLevel INFO
+
+# Default
+AllowTcpForwarding {{ if .server.tcp_forwarding }}yes{{ else }}no{{ end }}
+GatewayPorts no
+X11Forwarding no
+
+Subsystem       sftp    /usr/lib/ssh/sftp-server
+
+# Authentication:
+PermitRootLogin yes
+
+Banner none
+PrintMotd no
+
+{{ if .authorized_keys }}
+PasswordAuthentication no
+{{ else if .password }}
+PasswordAuthentication yes
+PermitEmptyPasswords no
+{{ end }}
+