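#!/bin/bash
# vpn-mk-client-cert: issue an OpenVPN client certificate if it does not exist
# yet, then write the client's credential bundle to stdout as a gzipped tar.
#
# Usage: vpn-mk-client-cert NAME COMMON_NAME
#   NAME         basename for the files inside the bundle (NAME-ca.crt,
#                NAME-ta.key) and the key name under legacy easy-rsa 2 keys/
#   COMMON_NAME  certificate CN, and the key name under easy-rsa 3 pki/
#
# Stdout carries only the tar.gz; every diagnostic goes to the log file that
# stderr is redirected to below. Exit status: 0 on success, 2 on a usage or
# argument error, 1 when the CA file is missing, otherwise the status of the
# failing easy-rsa/cp/tar step (set -e).
set -eE -o pipefail

readonly log_file=/tmp/vpn-mk-client-cert.log
readonly easyrsa_dir=/etc/openvpn/easy-rsa

# Staging directory for the bundle; set in main, removed by cleanup on EXIT.
tmpdir=

# Diagnostics are collected in a fixed log file so the caller can inspect a
# failed run. NOTE(review): a fixed, predictable path under /tmp is a symlink
# hazard when this runs as root (rm then reopen is not atomic); a directory
# writable only by root would be safer. Path kept because operators read it.
rm -f -- "$log_file"
exec 2>"$log_file"

#######################################
# Print an error to stderr (the log) and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

usage() {
  printf 'Usage: %s NAME COMMON_NAME\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Remove the staging directory; runs on every exit path via trap.
# Globals: tmpdir (read)
#######################################
cleanup() {
  if [[ -n $tmpdir ]]; then
    rm -rf -- "$tmpdir"
  fi
}

#######################################
# Accept only names that cannot escape the expected directories or be parsed
# as options by cp/easy-rsa: leading alphanumeric, then [A-Za-z0-9._@-].
# Arguments: $1 - candidate name
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_name() {
  [[ $1 =~ ^[A-Za-z0-9][A-Za-z0-9._@-]*$ ]]
}

#######################################
# Locate CA material, issue the client key pair if needed, emit the bundle.
# Arguments: $1 - NAME, $2 - COMMON_NAME
# Outputs:   tar.gz on stdout
#######################################
main() {
  (( $# == 2 )) || usage
  local name=$1 common_name=$2
  valid_name "$name" || { printf 'error: invalid NAME: %s\n' "$name" >&2; exit 2; }
  valid_name "$common_name" || { printf 'error: invalid COMMON_NAME: %s\n' "$common_name" >&2; exit 2; }
  printf 'common_name=%s\n' "$common_name" >&2

  # Newer OpenVPN layouts keep the server material under /etc/openvpn/server.
  local server_dir=/etc/openvpn
  if [[ -e /etc/openvpn/server ]]; then
    server_dir=/etc/openvpn/server
  fi
  local cafile=$server_dir/ca.crt
  # Reported on stderr (the log); the old fixed /tmp/errors path was never
  # written correctly and is a predictable root-owned path in /tmp.
  [[ -e $cafile ]] || die "error: no cafile found at $cafile"

  # easy-rsa 3 (./easyrsa, pki/ tree) unless the legacy easy-rsa 2 build-ca
  # script is present, in which case keys live under keys/ and are named
  # after NAME rather than COMMON_NAME.
  local new=true
  local keyfiles=(
    "$easyrsa_dir/pki/issued/$common_name.crt"
    "$easyrsa_dir/pki/private/$common_name.key"
  )
  if [[ -e $easyrsa_dir/build-ca ]]; then
    new=false
    keyfiles=("$easyrsa_dir/keys/$name.crt" "$easyrsa_dir/keys/$name.key")
  fi

  # Issue a new client certificate only when the cert or key is missing.
  local f exists=true
  for f in "${keyfiles[@]}"; do
    if [[ ! -e $f ]]; then
      exists=false
      break
    fi
  done
  if ! $exists; then
    cd -- "$easyrsa_dir" || die "error: cannot cd to $easyrsa_dir"
    if $new; then
      ./easyrsa build-client-full "$common_name" nopass >/dev/null
    else
      # Legacy build-key is interactive: feed blank answers for the DN
      # prompts, the CN, more blanks, then two 'y' confirmations. The byte
      # sequence is identical to the original echo -e feed (sleep included).
      source vars >/dev/null
      {
        printf '\n\n\n\n\n%s\n\n\n\n\n\n' "$common_name"
        sleep 2
        printf 'y\ny\n\n'
      } | ./build-key "$name" >/dev/null
    fi
  fi

  # Stage the bundle in a private temp dir (mktemp -d: mode 0700) so the
  # private key is never readable by other users while it sits on disk.
  tmpdir=$(mktemp -d) || die "error: mktemp failed"
  trap cleanup EXIT
  cp -- "$cafile" "$tmpdir/$name-ca.crt"
  cp -- "${keyfiles[@]}" "$tmpdir/"
  cp -- "$server_dir/ta.key" "$tmpdir/$name-ta.key"
  tar cz -C "$tmpdir" .
}

main "$@"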