#!/bin/bash
# Copyright (C) 2016 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# usage: $0 SERVER_HOST [DEST_HOST]
# ssh to SERVER_HOST, create a cert & client config, put it on
# DEST_HOST, or localhost by default. Assumes server was setup
# by the other script in this dir.

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

usage() {
    cat <<'EOF'
usage: ${0##*/} VPN_SERVER_HOST [CLIENT_HOST]

Generate a client cert and config and install it on locally or on
CLIENT_HOST if given.  Uses default config options, and expects be able
to ssh to VPN_SERVER_HOST and CLIENT_HOST.
EOF
    exit ${1:-0}
}

case $1 in
    -h|--help|*) usage 0 ;;
esac

(($# <= 2)) || usage 1

host=$1
shell="bash -c"
if [[ $2 ]]; then
    shell="ssh $2"
fi

# bash or else we get motd spam. note sleep 2, sleep 1 failed.
ssh $host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn'
set -eE -o pipefail
cd /etc/openvpn/easy-rsa
source vars >/dev/null

# uuidgen because common name must be unique
{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key client &>/dev/null

d=\$(mktemp -d)
cp /etc/openvpn/easy-rsa/keys/ca.crt \
   /etc/openvpn/update-resolv-conf \
   /usr/share/doc/openvpn/examples/sample-config-files/client.conf \$d
mv /etc/openvpn/easy-rsa/keys/client.{crt,key} \$d

sed -i --follow-symlinks "s/^remote .*/remote $host 1194/" \$d/client.conf

tar cz -C \$d .
rm -rf \$d
EOF