#!/bin/bash

#
# Get an OpenVPN client configuration file
#

if [ "$DEBUG" == "1" ]; then
    set -x
fi

set -e

if [ -z "$OPENVPN" ]; then
    export OPENVPN="$PWD"
fi
if [ -z "$EASYRSA_PKI" ]; then
    export EASYRSA_PKI="$OPENVPN/pki"
fi

[ -f $OPENVPN/server ] || { echo "Missing OpenVPN server setup!"; exit 1; }

cn="$1"
type="$2"
[ -z "$type" ] && type="ovpn"

server="$(cat $OPENVPN/server)"

set +x

if [ "$type" == "ovpn" -o "$type" == "combined" ]; then
	if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
			echo "Unable to find certificate or key for \"${cn}\" !" >&2
			exit 1
	fi

	echo "
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM

auth-user-pass
reneg-sec 0
#static-challenge "Enter Google Authenticator Code:" 1

# comp-lzo yes
user nobody
verb 3

remote $server

<key>
$(cat $EASYRSA_PKI/private/${cn}.key)
</key>
<cert>
$(openssl x509 -in $EASYRSA_PKI/issued/${cn}.crt)
</cert>
<ca>
$(cat $EASYRSA_PKI/ca.crt)
</ca>
<tls-auth>
$(cat $EASYRSA_PKI/ta.key)
</tls-auth>
"
fi


# TOTP incl. QRCODE
if [ "$type" == "totp" -o "$type" == "combined" ]; then
	if [ ! -f "${OPENVPN}/otp/${cn}.google_authenticator" ]; then
		echo "Unable to find TOTP data for \"${cn}\" !" >&2
		exit 1
	fi

	# secret is always first line
	secret="$(head -1 ${OPENVPN}/otp/${cn}.google_authenticator)"

  # remaining one time codes are at the bottom, max 5
  onetime="$(tail -n +2 ${OPENVPN}/otp/${cn}.google_authenticator | grep -v \")"

	# Output as UTF8 and remove all ANSI control to allow piping eg. into yopass
	echo "otpauth://totp/${cn}?secret=${secret}&issuer=${server}" | qrencode -o - -t ANSIUTF8 | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g"

	echo "Your new secret key is: $secret"
  echo "Your emergency scratch codes are:"
  echo "$onetime"

fi