#!/bin/sh

#
# Initialize the PKI and OpenVPN configs
#

set -ex

cn=$1

if [ -z "$cn" ]; then
    echo "Common name not specified"
    exit 1
fi

# Provides a sufficient warning before erasing pre-existing files
easyrsa init-pki

# For a CA key with a password, manually init; this is autopilot
easyrsa build-ca nopass

easyrsa gen-dh
openvpn --genkey --secret $OPENVPN/pki/ta.key

# Was nice to autoset, but probably a bad idea in practice, users should
# have to explicitly specify the common name of their server
#if [ -z "$cn"]; then
#    #TODO: Handle IPv6 (when I get a VPS with IPv6)...
#    ip4=$(dig +short myip.opendns.com @resolver1.opendns.com)
#    ptr=$(dig +short -x $ip4 | sed -e 's:\.$::')
#
#    [ -n "$ptr" ] && cn=$ptr || cn=$ip4
#fi

echo "$cn" > $OPENVPN/servername

easyrsa build-server-full $cn nopass

[ -f "$OPENVPN/udp1194.conf" ] || cat > "$OPENVPN/udp1194.conf" <<EOF
server 192.168.255.128 255.255.255.128
verb 3
#duplicate-cn
key $EASYRSA_PKI/private/$cn.key
ca $EASYRSA_PKI/ca.crt
cert $EASYRSA_PKI/issued/$cn.crt
dh $EASYRSA_PKI/dh.pem
tls-auth $EASYRSA_PKI/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"

proto udp
port 1194
dev tun1194
status /tmp/openvpn-status-1194.log
EOF