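#!/bin/bash
#
# Generate a fresh PKI for the OpenVPN server add-on and restart the service.
#
# Usage:    $0 <server_dns_name>
# Produces: ca.key, ca.crt, server.key, server.crt, dh.pem, ta.key,
#           server.dns and a copy of openvpn.conf inside DEST_DIR.
# Requires: openssl, openvpn and systemctl on PATH; write access to DEST_DIR.
#
# Re-running this script replaces the CA, which invalidates every client
# certificate previously issued from the old one.

set -euo pipefail

SERVER_DNS=${1:-}
readonly DEST_DIR=/storage/.kodi/userdata/addon_data/service.openvpn.server/
readonly ADDON_CONF=/storage/.kodi/addons/service.openvpn.server/openvpn.conf

# Key sizes and certificate lifetimes (days) — kept in one place so they can
# be reviewed together.
readonly CA_BITS=4096
readonly SERVER_BITS=2048
readonly DH_BITS=2048
readonly CERT_DAYS=3650

# Print a message to stderr and abort.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

if [[ -z "$SERVER_DNS" ]]; then
    echo "Usage: $0 <server_dns_name>" >&2
    exit 1
fi

# SERVER_DNS is interpolated into openssl.cnf (subjectAltName) and into the
# -subj arguments of two openssl calls, so only accept a syntactically valid
# DNS name: no newlines, slashes, spaces or other characters that could alter
# the config file or the subject string.
readonly HOSTNAME_RE='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
if [[ ${#SERVER_DNS} -gt 253 || ! "$SERVER_DNS" =~ $HOSTNAME_RE ]]; then
    die "Invalid server DNS name: '$SERVER_DNS'"
fi

# Fail before any key material is written if a required tool is missing.
for tool in openssl openvpn systemctl; do
    command -v "$tool" >/dev/null 2>&1 || die "Required tool not found: $tool"
done

echo "Generating server: $SERVER_DNS"
echo "into directory   : $DEST_DIR"
if [[ -e "$DEST_DIR/ca.key" ]]; then
    echo "WARNING: an existing CA in $DEST_DIR will be overwritten."
fi
echo "Press ENTER to start."
read -r _

# Under set -e a failing step aborts silently; say where, and that the
# directory may now hold an incomplete PKI.
trap 'printf "Aborted at line %s; %s may contain a partial PKI\n" "$LINENO" "$DEST_DIR" >&2' ERR

# Private keys must never be created group/world-readable: restrict the umask
# before the first file is written instead of chmod'ing afterwards.
umask 077

# Create directory structure
mkdir -p -- "$DEST_DIR"
chmod 700 -- "$DEST_DIR"
cd -- "$DEST_DIR" || die "Cannot change to $DEST_DIR"
printf '%s\n' "$SERVER_DNS" > server.dns

echo "--- Generating PKI for Server: $SERVER_DNS ---"
echo "    Directory:"
echo "    $DEST_DIR"

# 1. Create a local openssl.cnf to bypass LibreELEC limitations
#    (the system has no usable default OpenSSL config). The [ req ] section is
#    intentionally minimal; the subject comes from -subj on the command line.
echo "[1/6] Creating local OpenSSL configuration..."
cat <<EOF > openssl.cnf
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_DNS
EOF

# Relative path: valid because we have cd'd into DEST_DIR above.
export OPENSSL_CONF="./openssl.cnf"

# 2. Generate CA (Key + Certificate)
#    -nodes leaves ca.key unencrypted so client certificates can be issued
#    unattended on the appliance; the key is protected only by file permissions.
echo "[2/6] Generating Certificate Authority (CA)..."
openssl genrsa -out ca.key "$CA_BITS"
openssl req -x509 -new -nodes -key ca.key -sha256 -days "$CERT_DAYS" \
    -subj "/CN=OpenVPN-CA-$SERVER_DNS" -out ca.crt -extensions v3_ca

# 3. Generate Server Key and CSR
echo "[3/6] Generating Server Key and CSR..."
openssl genrsa -out server.key "$SERVER_BITS"
openssl req -new -key server.key -subj "/CN=$SERVER_DNS" -out server.csr

# 4. Sign Server Certificate
#    -extfile/-extensions apply v3_server (serverAuth + SAN) to the leaf cert;
#    without them the SAN from openssl.cnf would not be copied from the CSR.
echo "[4/6] Signing Server Certificate..."
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server.crt -days "$CERT_DAYS" -sha256 -extfile openssl.cnf -extensions v3_server

# 5. Generate DH Parameters and TLS-Auth Key
echo "[5/6] Generating DH parameters (this may take a while)..."
openssl dhparam -out dh.pem "$DH_BITS"
openvpn --genkey secret ta.key

# 6. Cleanup
#    ca.srl is removed as well; openssl recreates it (-CAcreateserial) when the
#    CA next signs a certificate.
echo "[6/6] Cleaning up temporary files..."
rm -f -- server.csr openssl.cnf ca.srl

# 7. Config
echo "[ / ] Updating openvpn.conf file"
cp -- "$ADDON_CONF" "$DEST_DIR"

echo "------------------------------------------------"
echo "Done! The following files are ready for use:"
ls -F

echo "Restarting openvpn service"
systemctl restart service.openvpn.server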