#!/usr/bin/env bash
# Install VPN_EASYRSA_DIR for PHP-FPM (required) + Apache SetEnv (optional).
# Run: sudo bash /var/www/html/wordpress6/wordpress/EP/openvpn-pki/install-vpn-env.sh
set -euo pipefail

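#######################################
# Decide whether a directory path may be copied verbatim into config files.
# The Easy-RSA directory is written, as root, into the PHP-FPM pool file and
# substituted into the Apache conf via sed. A newline would add extra
# directives to the pool file, and '|', '&' or '\' would change the meaning
# of the sed replacement, so only a conservative character set is accepted.
# Arguments: $1 - candidate path
# Returns:   0 if the path is absolute and uses only [A-Za-z0-9._/+-]
#######################################
is_safe_config_path() {
  local -r allowed='^/[A-Za-z0-9._/+-]+$'
  [[ $1 =~ $allowed ]]
}

# Easy-RSA directory exported to PHP/Apache; VPN_EASYRSA_DIR overrides it.
EASYRSA_DIR="${VPN_EASYRSA_DIR:-/opt/easy-rsa}"
if ! is_safe_config_path "$EASYRSA_DIR"; then
  # %q keeps control characters in the rejected value from reaching the terminal raw.
  printf 'Refusing VPN_EASYRSA_DIR=%q: use an absolute path made of letters, digits and . _ / + - only.\n' \
    "$EASYRSA_DIR" >&2
  exit 1
fi

# PHP-FPM pool file that receives the env[] directive; PHP_FPM_POOL overrides it.
PHP_POOL="${PHP_FPM_POOL:-/etc/php/8.2/fpm/pool.d/scala4.conf}"
# Destination of the optional Apache snippet.
APACHE_CONF="/etc/apache2/conf-available/vpn-easyrsa-env.conf"
# Template shipped next to this script; '--' guards against a $0 that begins with '-'.
REPO_APACHE="$(dirname -- "$0")/apache-conf-vpn-easyrsa.conf"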

# Preflight 1: everything below edits files under /etc and reloads services,
# so stop early unless the effective uid is 0.
[[ "$(id -u)" -eq 0 ]] || {
  echo "Run: sudo bash $0" >&2
  exit 1
}

# Preflight 2: the pool file must already exist; this script only appends to
# it and never creates one.
[[ -f "$PHP_POOL" ]] || {
  echo "PHP pool not found: $PHP_POOL — set PHP_FPM_POOL=... and re-run." >&2
  exit 1
}

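#######################################
# Make sure a PHP-FPM pool file carries an env[VPN_EASYRSA_DIR] directive.
# Appends the directive when no active one exists (lines starting with ';'
# do not match). An existing directive is never rewritten, but a value that
# differs from the requested one is reported on stderr instead of being
# passed over silently.
# Arguments: $1 - pool file path
#            $2 - Easy-RSA directory to record
# Outputs:   status line on stdout; warnings and errors on stderr
# Returns:   0 on success, 1 if the pool file cannot be read
#######################################
ensure_pool_env() {
  local pool_file=$1 wanted_dir=$2
  local found_line='' current='' rc=0

  # [[:space:]] rather than \s keeps the pattern portable beyond GNU grep.
  found_line="$(grep -m 1 '^[[:space:]]*env\[VPN_EASYRSA_DIR\]' -- "$pool_file")" || rc=$?

  # grep exits 1 for "no match" and >1 for a real error; never append blindly
  # to a file that could not be inspected.
  if (( rc > 1 )); then
    echo "Cannot read $pool_file; not modifying it." >&2
    return 1
  fi

  if (( rc == 0 )); then
    echo "PHP-FPM already has env[VPN_EASYRSA_DIR] in $pool_file"
    if [[ "$found_line" == *=* ]]; then
      # Extract the value: text after the first '=', trimmed, optional quotes removed.
      current="${found_line#*=}"
      current="${current#"${current%%[![:space:]]*}"}"
      current="${current%"${current##*[![:space:]]}"}"
      current="${current#\"}"
      current="${current%\"}"
      if [[ "$current" != "$wanted_dir" ]]; then
        printf 'Warning: existing value %q differs from requested %q; %s left unchanged.\n' \
          "$current" "$wanted_dir" "$pool_file" >&2
      fi
    fi
    return 0
  fi

  # The value is passed as a printf argument, never as part of the format string.
  printf '\n; OpenVPN Easy-RSA (vpn-config.php / vpn-admin)\nenv[VPN_EASYRSA_DIR] = %s\n' \
    "$wanted_dir" >> "$pool_file"
  echo "Appended env[VPN_EASYRSA_DIR] to $pool_file"
}

ensure_pool_env "$PHP_POOL" "$EASYRSA_DIR"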

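#######################################
# Render the Apache snippet from its template and install it atomically.
# Every occurrence of /opt/easy-rsa in the template is replaced by the given
# directory. The result is written to a temp file beside the target and then
# renamed, so a failed sed never leaves a truncated conf in place.
# Arguments: $1 - template path
#            $2 - target conf path
#            $3 - Easy-RSA directory to substitute
# Outputs:   warnings on stderr
# Returns:   0 on success, 1 on failure (the target is left as it was)
#######################################
render_apache_env_conf() {
  local template=$1 target=$2 easyrsa_dir=$3
  local escaped_dir tmp_file

  # NOTE(review): the template is read from the script's own directory and its
  # content ends up in Apache's configuration, written by root. If that
  # directory is writable by a less-privileged account (for example the
  # web-server user), that account controls Apache configuration. Keeping the
  # script and template root-owned outside the web root avoids this.
  if [[ -L "$template" || ! -O "$template" ]]; then
    echo "Warning: $template is a symlink or is not owned by the user running this script; review it before trusting $target." >&2
  fi

  # Escape '\', '&' and the '|' delimiter so sed inserts the path literally.
  escaped_dir="$(printf '%s' "$easyrsa_dir" | sed -e 's/[\\&|]/\\&/g')" || return 1

  tmp_file="$(mktemp "${target}.XXXXXX")" || return 1
  # mktemp creates the file with mode 0600; 0644 is set explicitly before the rename.
  if sed -e "s|/opt/easy-rsa|${escaped_dir}|g" -- "$template" > "$tmp_file" \
    && chmod 0644 "$tmp_file" \
    && mv -f -- "$tmp_file" "$target"; then
    return 0
  fi
  rm -f -- "$tmp_file"
  return 1
}

if [[ -f "$REPO_APACHE" ]]; then
  render_apache_env_conf "$REPO_APACHE" "$APACHE_CONF" "$EASYRSA_DIR"
  echo "Wrote $APACHE_CONF"
  # Enabling stays best-effort, but a failure is now reported instead of hidden.
  if ! a2enconf vpn-easyrsa-env; then
    echo "Warning: a2enconf vpn-easyrsa-env failed; enable the conf manually if the Apache SetEnv is needed." >&2
  fi
else
  echo "Optional Apache conf skipped (missing $REPO_APACHE)"
fi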

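#######################################
# Derive the PHP version from a pool path of the form /etc/php/<X.Y>/fpm/...
# Falls back to 8.2, the version the script's defaults use, when the path
# does not follow that layout.
# Arguments: $1 - pool file path
# Outputs:   version string (e.g. 8.2) on stdout
#######################################
php_fpm_version_for_pool() {
  local -r layout='^/etc/php/([0-9]+\.[0-9]+)/fpm/'
  if [[ $1 =~ $layout ]]; then
    printf '%s\n' "${BASH_REMATCH[1]}"
  else
    printf '8.2\n'
  fi
}

# The pool file is overridable via PHP_FPM_POOL, so the reloaded service must
# follow it rather than always being php8.2-fpm. PHP_FPM_SERVICE overrides the
# derived name for non-standard setups.
fpm_version="$(php_fpm_version_for_pool "${PHP_POOL:-}")"
fpm_service="${PHP_FPM_SERVICE:-php${fpm_version}-fpm}"

# Validate before reloading: the pool file was just edited as root.
# NOTE(review): assumes the FPM binary is named php-fpm<version>, matching the
# service naming above — skipped when no such binary is on PATH.
if command -v "php-fpm${fpm_version}" >/dev/null 2>&1; then
  if ! "php-fpm${fpm_version}" -t; then
    echo "PHP-FPM configuration test failed; not reloading $fpm_service." >&2
    exit 1
  fi
fi
systemctl reload "$fpm_service"
echo "Reloaded $fpm_service"

# Same precaution for Apache, whose conf may have been rewritten above.
if command -v apache2ctl >/dev/null 2>&1 && ! apache2ctl configtest; then
  echo "Apache configuration test failed; not reloading apache2." >&2
  exit 1
fi
systemctl reload apache2
echo "Reloaded apache2"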

# Closing hint: a blank separator line, then how to confirm the variable is
# visible. The CLI check may print nothing because the env[] directive lives in
# the FPM pool file, not in the CLI environment.
cat <<EOF

PHP should see VPN_EASYRSA_DIR=$EASYRSA_DIR (verify: php -r "echo getenv('VPN_EASYRSA_DIR');" may be empty in CLI; use a phpinfo() page or test vpn-admin).
EOF
