9 changed files with 7 additions and 60 deletions
--- a/.ci/README.md
+++ b/.ci/README.md
@ -14,7 +14,7 @@ include .ci/podman.mk

 Add subtree to your project:
 ```
-git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git main --squash
+git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash
 ```


--- a/.gitattributes
+++ b/.gitattributes
@ -1 +0,0 @@
-*.png filter=lfs diff=lfs merge=lfs -text
--- a/10
+++ b/10
@ -1,4 +1,4 @@
-ARG ALPINE_VERSION=3.21
+ARG ALPINE_VERSION=3.20

 FROM alpine:${ALPINE_VERSION}
 ARG ALPINE_VERSION
@ -36,14 +36,10 @@ EXPOSE 1194/udp

 ADD ./bin /usr/local/bin
 RUN chmod a+x /usr/local/bin/* && \
-    mkdir -p /etc/openvpn-oauth \
-             /opt/http-assets
+    mkdir -p /etc/openvpn-oauth

 # Add support for OTP authentication using a PAM module
-ADD ./pam.d/openvpn /etc/pam.d/
-
-# Add http branding assets
-ADD ./http-assets /opt/http-assets
+ADD ./otp/openvpn /etc/pam.d/

 # Breaks all easyrsa commands locally due to UID mappings
 # would require podman as plain docker doesnt support keep-id
--- a/bin/openvpn-auth-oauth2.sh
+++ b/bin/openvpn-auth-oauth2.sh
@ -1,6 +0,0 @@
-#!/bin/sh
-
-# copy http-assets
-cp /opt/http-assets/* /etc/openvpn-oauth/http-assets
-
-openvpn-auth-oauth2 --config /etc/openvpn-oauth/config.yaml
--- a/bin/ovpn_create_client
+++ b/bin/ovpn_create_client
@ -32,9 +32,6 @@ cat << EOF | easyrsa build-client-full "$cn" nopass
 yes
 EOF

-# Do not overwrite potential existing config during the re-issue flow
-if [ ! -f /etc/openvpn/otp/${cn}.google_authenticator ] ; then
 # Skip confirmation if not running in interctive mode. Essential for integration tests.
 google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
 		-l "${cn}" -i "${server}" -s /etc/openvpn/otp/${cn}.google_authenticator --no-confirm -q
-fi
--- a/bin/ovpn_revokeclient
+++ b/bin/ovpn_revokeclient
@ -32,6 +32,4 @@ echo "Revoked $cn"
 echo "Updating crl.pem"
 easyrsa gen-crl

-rm -f $OPENVPN/pki/issued/$cn.crt $OPENVPN/pki/private/$cn.key $OPENVPN/pki/reqs/$cn.req
-# do not delete OTP to allow reuse after re-issued cert, left overs OTP data wont hurt anyone
-# rm -f $OPENVPN/otp/$cn.google_authenticator
+rm -f $OPENVPN/pki/issued/$cn.crt $OPENVPN/pki/private/$cn.key $OPENVPN/pki/reqs/$cn.req $OPENVPN/otp/$cn.google_authenticator
--- a/http-assets/logo.png
+++ b/http-assets/logo.png
--- a/http-assets/style.css
+++ b/http-assets/style.css
@ -1,34 +0,0 @@
-/* overlay for MVP.css v1.15 - https://github.com/andybrewer/mvp */
-
-:root {
-    --active-brightness: 0.85;
-    --border-radius: 5px;
-    --box-shadow: 2px 2px 10px;
-    --color-accent: #118bee15;
-    --color-bg: #0d0711;
-    --color-bg-secondary: #e9e9e9;
-    --color-link: #118bee;
-    --color-secondary: #920de9;
-    --color-secondary-accent: #920de90b;
-    --color-shadow: #f4f4f4;
-    --color-table: #118bee;
-    --color-text: #737f8a;
-    --color-text-secondary: #999;
-    --color-scrollbar: #cacae8;
-    --font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;
-    --hover-brightness: 1.2;
-    --justify-important: center;
-    --justify-normal: left;
-    --line-height: 1.5;
-    --width-card: 285px;
-    --width-card-medium: 460px;
-    --width-card-wide: 800px;
-    --width-content: 1080px;
-}
-
-header {
-    background-image: url(logo.png);
-    background-repeat: no-repeat;
-    background-position-x: center;
-    text-align: var(--justify-important);
-}
--- a/pam.d/openvpn
+++ b/pam.d/openvpn