+f=$server_dir/dh2048.pem
+if [[ ! -e $f ]]; then
+ openssl dhparam -out $f 2048
+fi
+
+f=$server_dir/ta-$name.key
+if [[ ! -e $f ]]; then
+ openvpn --genkey --secret $server_dir/ta-$name.key
+fi
+
+
+if ! $keys_exist; then
+ # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses
+ if $new; then
+ echo 'set_var EASYRSA_NS_SUPPORT "yes"' >vars
+ ./easyrsa init-pki
+ ./easyrsa --batch build-ca nopass
+ ./easyrsa --days=3650 build-server-full $name nopass
+ else
+ # dun care about settning cert cn etc from the non-example values
+ source vars
+ # doesnt exist in buster
+ ./clean-all # note: removes and creates /etc/openvpn/easy-rsa/keys
+ # accept default prompts
+ echo -e '\n\n\n\n\n\n\n\n' | ./build-ca
+
+ # This builds the server's key/cert. argument is the name of the file,
+ # but it also is the default common name of the cert.
+ # 'server' is the default name in our conf file for the name of the file
+ # and I've seen no reason to change it.
+ # Note, this is not idempotent.
+ { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server $name
+ ./build-dh
+ fi
+fi
+
+if [[ -e /usr/share/doc/openvpn/examples/sample-config-files/server.conf ]]; then
+ cat /usr/share/doc/openvpn/examples/sample-config-files/server.conf >$conf
+else
+ # pre-bullsye name
+ gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >$conf
+fi
+
+cafile=$server_dir/ca-$name.crt
+cp $ca_origin $cafile
+cp ${keyfiles[@]} $server_dir
+# for legacy systems
+for f in ${keyfiles[@]} $cafile; do
+ ln -sf server/${f##*/} /etc/openvpn
+done
+
+cat >>$conf <<EOF
+
+# I cat an extra blank line to start because the example config does
+# not have a final newline. ....