#!/bin/bash

#
# Initialize the EasyRSA PKI
#

if [ "$DEBUG" == "1" ]; then
  set -x
fi

set -e

if [ -z "$OPENVPN" ]; then
    export OPENVPN="$PWD"
fi

[ -f $OPENVPN/server ] || { echo "Missing OpenVPN server setup!"; exit 1; }

cn="$1"
server="$(cat $OPENVPN/server)"

# generate client cert
if [ -f "$EASYRSA_PKI/issued/${cn}.crt" ]; then
  echo "Certificate for \"${cn}\" already exists !" >&2
  exit 1
fi

cat << EOF | easyrsa build-client-full "$cn" nopass
yes
EOF

# Generate OpenVPN users via google authenticator
mkdir -p /etc/openvpn/otp

# Skip confirmation if not running in interctive mode. Essential for integration tests.
google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
		-l "${cn}" -i "${server}" -s /etc/openvpn/otp/${cn}.google_authenticator --no-confirm -q