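#!/bin/bash
#
# Initialize the EasyRSA PKI and write the static OpenVPN server config.
#
# Usage:   <script> <server-fqdn>
# Env:     OPENVPN - directory holding the PKI and generated config (required)
#          DEBUG   - when "1", trace every command and keep stderr; otherwise
#                    stderr is discarded for the whole run
# Effects: creates directories under $OPENVPN, issues the server certificate
#          via easyrsa, writes $OPENVPN/server and $OPENVPN/openvpn.conf
#

if [ "$DEBUG" == "1" ]; then
  set -x
else
  # Deliberate: suppress tool noise when not debugging. This also hides
  # easyrsa's error output, so a failure is only visible through the exit
  # status and the ERR trap below.
  exec 2> /dev/null
fi

set -e
# stderr may be closed above, so report the failing line on stdout instead.
trap 'printf "%s: failed at line %s\n" "${0##*/}" "$LINENO"' ERR

# Fail early on missing inputs rather than creating paths like "/pki/reqs"
# or issuing a server certificate with an empty common name.
: "${OPENVPN:?OPENVPN directory must be set}"
: "${1:?server FQDN required as first argument}"
server_fqdn=$1

# these might get lost if empty syncing to object storage
mkdir -p "$OPENVPN/pki/reqs" "$OPENVPN/pki/issued" \
  "$OPENVPN/pki/certs_by_serial" "$OPENVPN/otp" "$OPENVPN/ccd"
touch "$OPENVPN/otp/_empty" "$OPENVPN/ccd/_empty"

# Finally generate server cert. The key is left without a passphrase
# (nopass); "yes" on stdin answers easyrsa's confirmation prompt.
easyrsa build-server-full "$server_fqdn" nopass <<'EOF'
yes
EOF

# write server FQDN
printf '%s\n' "$server_fqdn" > "$OPENVPN/server"

# static server config (overwrites any existing file). The heredoc delimiter
# is quoted so nothing in the config body is subject to shell expansion.
# NOTE(review): ca.crt, dh.pem, crl.pem and ta.key referenced below are not
# created by this script — confirm they are provisioned elsewhere.
# NOTE(review): the auth-pam plugin argument maps PAM prompts to the
# username/password fields; confirm the "snafu" token is the intended
# prompt string and not a leftover placeholder.
cat > "$OPENVPN/openvpn.conf" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
cipher AES-256-GCM
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/run/openvpn-status.log
status-version 3
verb 3
verify-client-cert require
reneg-sec 0
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password snafu pin PASSWORD"
#plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
#auth-user-pass-optional
ifconfig-pool-persist ipp.txt
ca /etc/openvpn/ca.crt
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/ta.key
# Include local config last
config /etc/openvpn/local.conf
EOF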