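#!/usr/bin/env bash
# Initialize Easy-RSA PKI under /var/lib/easy-rsa (or first argument).
# Run on the server:  sudo bash /path/to/init-easy-rsa-pki.sh
#
# Optional: EASYRSA_CA_CN="My Company CA" sudo bash init-easy-rsa-pki.sh
# Optional: first argument = Easy-RSA home directory (default /var/lib/easy-rsa)
#
# Security notes:
#   * The CA is built with "nopass", so the CA private key under pki/private/
#     is unencrypted and owned by the PHP user (www-data). Any code running as
#     that user can sign certificates; the home directory is therefore set to
#     mode 700 at the end of this script.
#   * The home directory and the CA CN are handed to the Easy-RSA invocations
#     as positional parameters, never spliced into a shell command string, so
#     quotes or other metacharacters in them cannot change the command.

set -euo pipefail

EASYRSA_HOME="${1:-/var/lib/easy-rsa}"
CA_CN="${EASYRSA_CA_CN:-MyVPN-CA}"
readonly PKI_USER="www-data"

# die MESSAGE...: print MESSAGE to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [[ "$(id -u)" -ne 0 ]]; then
  die "Run as root: sudo bash $0 [EASYRSA_HOME]"
fi

# Normalise a trailing slash; a bare "/" collapses to "" and is rejected below,
# which keeps the recursive chown/chmod from ever running against the root fs.
EASYRSA_HOME="${EASYRSA_HOME%/}"
if [[ -z "$EASYRSA_HOME" || "$EASYRSA_HOME" != /* ]]; then
  die "EASYRSA_HOME must be an absolute path other than '/': got '${1:-/var/lib/easy-rsa}'"
fi

if ! id "$PKI_USER" &>/dev/null; then
  die "User $PKI_USER not found. Adjust this script for your PHP user."
fi

if [[ ! -x "$EASYRSA_HOME/easyrsa" ]]; then
  # make-cadir ships with the Debian/Ubuntu easy-rsa package.
  command -v make-cadir >/dev/null || die "make-cadir not found; install the easy-rsa package."
  printf 'Creating %s with make-cadir...\n' "$EASYRSA_HOME"
  mkdir -p "$(dirname "$EASYRSA_HOME")"
  make-cadir "$EASYRSA_HOME"
fi

# Idempotent: never overwrite an existing CA.
if [[ -f "$EASYRSA_HOME/pki/ca.crt" ]]; then
  printf 'CA already exists: %s/pki/ca.crt (nothing to do).\n' "$EASYRSA_HOME"
  ls -la "$EASYRSA_HOME/pki/ca.crt"
  exit 0
fi

chown -R "$PKI_USER:$PKI_USER" "$EASYRSA_HOME"

printf '==> init-pki\n'
# "$1" inside the single-quoted script is the home dir passed after "_" (which
# becomes $0); it is expanded by the inner bash, not interpolated into the script.
sudo -u "$PKI_USER" bash -c 'cd "$1" && EASYRSA_BATCH=1 ./easyrsa init-pki' _ "$EASYRSA_HOME"

# Avoid OpenSSL "Can't load .../.rnd into RNG" on first run (harmless if it still appears once).
sudo -u "$PKI_USER" touch "$EASYRSA_HOME/pki/.rnd"
sudo -u "$PKI_USER" chmod 600 "$EASYRSA_HOME/pki/.rnd"

printf '==> build-ca nopass (CN=%s)\n' "$CA_CN"
# CN travels as "$2" so an EASYRSA_CA_CN containing quotes cannot break the command.
sudo -u "$PKI_USER" bash -c \
  'cd "$1" && EASYRSA_BATCH=1 EASYRSA_REQ_CN="$2" ./easyrsa build-ca nopass' \
  _ "$EASYRSA_HOME" "$CA_CN"

# Re-assert ownership for anything easyrsa created, then lock the tree down:
# the unencrypted CA key must be reachable only by the PKI user.
chown -R "$PKI_USER:$PKI_USER" "$EASYRSA_HOME"
chmod 700 "$EASYRSA_HOME"

printf '\n'
printf 'OK: CA created at %s/pki/ca.crt\n' "$EASYRSA_HOME"
ls -la "$EASYRSA_HOME/pki/ca.crt"

printf '\n'
printf 'Next: set for PHP / Apache or php-fpm:\n'
printf '  VPN_EASYRSA_DIR=%s\n' "$EASYRSA_HOME"
printf 'Then reload apache2 or php-fpm.\n'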
