#!/bin/bash

#
# Run the OpenVPN server normally
#

if [ "$DEBUG" == "1" ]; then
  set -x
fi

set -e

cd $OPENVPN

# bootstrap things?
if [[ "$BOOTSTRAP_CA" == "TRUE" ]]; then
    echo "bootstrapping ca"

    #check if it already exist to not overwrite things
    if [ -f "/etc/openvpn/ovpn_env.sh" ]; then
        echo "config already initialized - skipping"
    else
        ovpn_genconfig -u $PROTOCOL://$VPN_HOSTNAME
        source "$OPENVPN/ovpn_env.sh"
        easyrsa init-pki

        easyrsa --batch --req-cn=$CA_SERVERNAME build-ca nopass

        easyrsa gen-dh
        openvpn --genkey secret $EASYRSA_PKI/ta.key
        # For a server key with a password, manually init; this is autopilot
        easyrsa build-server-full "$OVPN_CN" nopass

        # Generate the CRL for client/server certificates revocation.
        easyrsa gen-crl
    fi
fi


# Build runtime arguments array based on environment
USER_ARGS=("${@}")
ARGS=()

IPTABLES="iptables-nft"

# Checks if ARGS already contains the given value
function hasArg {
    local element
    for element in "${@:2}"; do
        [ "${element}" == "${1}" ] && return 0
    done
    return 1
}

# Adds the given argument if it's not already specified.
function addArg {
    local arg="${1}"
    [ $# -ge 1 ] && local val="${2}"
    if ! hasArg "${arg}" "${USER_ARGS[@]}"; then
        ARGS+=("${arg}")
        [ $# -ge 1 ] && ARGS+=("${val}")
    fi
}

# set up iptables rules and routing
# this allows rules/routing to be altered by supplying this function
# in an included file, such as ovpn_env.sh
function setupIptablesAndRouting {
      $IPTABLES -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || {
      $IPTABLES -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
    }
    for i in "${OVPN_ROUTES[@]}"; do
          $IPTABLES -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || {
          $IPTABLES -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
        }
    done
}


addArg "--config" "$OPENVPN/openvpn.conf"

source "$OPENVPN/ovpn_env.sh"

mkdir -p /dev/net
if [ ! -c /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
fi

if [ -d "$OPENVPN/ccd" ]; then
    addArg "--client-config-dir" "$OPENVPN/ccd"
fi

# When using --net=host, use this to specify nat device.
[ -z "$OVPN_NATDEVICE" ] && OVPN_NATDEVICE=eth0

# Setup NAT forwarding if requested
if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
	# call function to setup iptables rules and routing
	# this allows rules to be customized by supplying
	# a replacement function in, for example, ovpn_env.sh
	setupIptablesAndRouting
fi

# Use a copy of crl.pem as the CRL Needs to be readable by the user/group
# OpenVPN is running as.  Only pass arguments to OpenVPN if it's found.
if [ "$EASYRSA_PKI/crl.pem" -nt "$OPENVPN/crl.pem" ]; then
    cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
    chmod 644 "$OPENVPN/crl.pem"
fi

if [ -r "$OPENVPN/crl.pem" ]; then
    addArg "--crl-verify" "$OPENVPN/crl.pem"
fi

ip -6 route show default 2>/dev/null
if [ $? = 0 ]; then
    echo "Checking IPv6 Forwarding"
    if [ "$(</proc/sys/net/ipv6/conf/all/disable_ipv6)" != "0" ]; then
        echo "Sysctl error for disable_ipv6, please run docker with '--sysctl net.ipv6.conf.all.disable_ipv6=0'"
    fi

    if [ "$(</proc/sys/net/ipv6/conf/default/forwarding)" != "1" ]; then
        echo "Sysctl error for default forwarding, please run docker with '--sysctl net.ipv6.conf.default.forwarding=1'"
    fi

    if [ "$(</proc/sys/net/ipv6/conf/all/forwarding)" != "1" ]; then
        echo "Sysctl error for all forwarding, please run docker with '--sysctl net.ipv6.conf.all.forwarding=1'"
    fi
fi

echo "Starting openvpn_exporter"
openvpn_exporter --openvpn.status_paths /var/run/openvpn-status.log &

echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
exec openvpn ${ARGS[@]} ${USER_ARGS[@]}