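#!/usr/bin/env bash
# Connect to Sophos SSL VPN via openvpn management interface (same as NM)
#
# Flow: fetch the static password and TOTP secret from the keyring, wait for
# a TOTP window with enough time left, start openvpn as a daemon with a unix
# management socket, push the credentials over that socket (never on argv),
# then poll for the tun interface. DNS for the tunnel is configured by a
# generated --up script that openvpn runs as root.
#
# Requires: secret-tool, oathtool, socat, ip (user side); openvpn via sudo.
set -euo pipefail

readonly VPN_USER="d-chrka"
readonly OVPN="/home/d-chrka@internal.lan/Downloads/sslvpn-fixed.ovpn"
# NOTE(review): openvpn (as root) creates/truncates this fixed path in /tmp
# and the up-script appends to it as root. That relies on the kernel's
# protected_symlinks/protected_regular to be safe against other local users;
# a per-user location would not. Kept because the disconnect script may
# reference it — confirm before moving.
readonly LOGFILE="/tmp/vpn-sophos.log"
readonly DNS_SERVER="172.21.20.201"
readonly DNS_SEARCH="krah-gruppe.de internal.lan krah.intranet.de hirsau.seuffer resistec.pri krahicenet.local"
readonly CERT_DIR="/home/chk/.local/share/networkmanagement/certificates/nm-openvpn"
readonly TUN_WAIT_SECS=30

# Private (0700) directory for the management socket so it is not reachable
# by other local users at a predictable /tmp path; openvpn's
# --management-client-user adds a peer-credential check on top of that.
RUNDIR=$(mktemp -d "${XDG_RUNTIME_DIR:-/tmp}/vpn-sophos.XXXXXX")
readonly RUNDIR
readonly MGMT_SOCK="$RUNDIR/mgmt.sock"
UPSCRIPT=""
PW=""
OTP=""

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Remove the generated --up script always; drop the private socket directory
# only when the connection attempt failed (openvpn keeps using it otherwise).
# Arguments: $1 - exit status of the script
#######################################
cleanup() {
  local rc=$1
  if [[ -n "${UPSCRIPT:-}" ]]; then
    rm -f -- "$UPSCRIPT"
  fi
  if (( rc != 0 )) && [[ -n "${RUNDIR:-}" ]]; then
    rm -rf -- "${RUNDIR:?}"
  fi
}
trap 'cleanup "$?"' EXIT

#######################################
# Fail early with a clear message if a user-side tool is missing, instead of
# a confusing error deep in the credential exchange.
#######################################
require_tools() {
  local tool
  for tool in secret-tool oathtool socat ip; do
    command -v "$tool" >/dev/null || die "missing required tool: $tool"
  done
}

#######################################
# Block until the current 30 s TOTP window has more than 20 s left, so the
# code is still valid by the time openvpn sends it to the server.
#######################################
wait_for_otp_window() {
  local remaining
  while true; do
    remaining=$(( 30 - ($(date +%s) % 30) ))
    if (( remaining > 20 )); then
      break
    fi
    printf 'Waiting for fresh OTP window (%ss remaining)...\n' "$remaining"
    sleep $(( remaining + 1 ))
  done
}

#######################################
# Write the --up script openvpn runs (as root) once the tun device exists:
# it points systemd-resolved at the VPN DNS for the search domains only and
# keeps the tunnel from becoming the default DNS route.
# Globals:   DNS_SEARCH, DNS_SERVER, LOGFILE (read)
# Outputs:   path of the generated script on stdout
#######################################
write_up_script() {
  local script d
  local -a domains=()
  # shellcheck disable=SC2086 -- word-splitting intended: space-separated list
  for d in $DNS_SEARCH; do
    domains+=("~$d")   # '~' = routing-only domain for resolvectl
  done
  script=$(mktemp /dev/shm/vpn-up-XXXXXX)
  cat > "$script" << EOF
#!/bin/bash
DEV="\$1"
resolvectl dns "\$DEV" $DNS_SERVER
resolvectl domain "\$DEV" ${domains[*]}
resolvectl default-route "\$DEV" no
echo "DNS configured on \$DEV" >> "$LOGFILE"
EOF
  chmod +x "$script"
  printf '%s\n' "$script"
}

#######################################
# Quote a value for the openvpn management protocol: backslash and double
# quote inside a quoted argument must be backslash-escaped.
# Arguments: $1 - raw value
# Outputs:   quoted value on stdout (no trailing newline)
#######################################
mgmt_quote() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '"%s"' "$s"
}

#######################################
# Poll for the management socket openvpn creates after daemonising, instead
# of a fixed sleep that silently misses on a slow start.
# Returns:   0 when the socket exists, 1 after ~10 s without it
#######################################
wait_for_mgmt_socket() {
  local i
  for ((i = 0; i < 50; i++)); do
    if [[ -S "$MGMT_SOCK" ]]; then
      return 0
    fi
    sleep 0.2
  done
  return 1
}

#######################################
# Push username and password+OTP over the management socket. Secrets travel
# on a pipe into socat, never on argv. Best effort: a missing SUCCESS reply
# is reported on stderr but the caller still waits for the tunnel.
# Globals:   VPN_USER, PW, OTP, MGMT_SOCK (read)
#######################################
feed_credentials() {
  local reply
  reply=$(
    {
      printf 'username "Auth" %s\n' "$(mgmt_quote "$VPN_USER")"
      sleep 0.2
      printf 'password "Auth" %s\n' "$(mgmt_quote "${PW}${OTP}")"
      sleep 2   # keep the connection open until openvpn has read both lines
    } | socat - UNIX-CONNECT:"$MGMT_SOCK" 2>&1
  ) || true
  if ! grep -q 'SUCCESS' <<<"$reply"; then
    printf 'warning: management interface did not confirm credentials:\n%s\n' \
      "$reply" >&2
  fi
}

#######################################
# Poll for the tun0 interface for up to TUN_WAIT_SECS seconds.
# Returns:   0 once tun0 exists, 1 on timeout
#######################################
wait_for_tun() {
  local i
  printf 'Waiting for tunnel'
  for ((i = 0; i < TUN_WAIT_SECS; i++)); do
    if ip link show tun0 &>/dev/null; then
      printf ' connected.\n'
      return 0
    fi
    printf '.'
    sleep 1
  done
  printf ' failed. Log: sudo cat %s\n' "$LOGFILE"
  return 1
}

main() {
  local otp_secret
  local -a openvpn_args

  require_tools

  PW=$(secret-tool lookup service sslvpn user "$VPN_USER") \
    || die "no VPN password in keyring for $VPN_USER"
  otp_secret=$(secret-tool lookup service sslvpn-totp user "$VPN_USER") \
    || die "no TOTP secret in keyring for $VPN_USER"

  wait_for_otp_window
  # NOTE(review): the TOTP secret is passed on argv here and is briefly
  # visible to other local users via ps; check whether the installed oathtool
  # can take the key from stdin instead.
  OTP=$(oathtool --totp -b "$otp_secret")
  printf 'OTP generated, %ss valid\n' "$(( 30 - ($(date +%s) % 30) ))"

  UPSCRIPT=$(write_up_script)

  printf 'Connecting...\n'
  openvpn_args=(
    --config "$OVPN"
    --remote rcdro1.krah-gruppe.de 8443 udp
    --cert "$CERT_DIR/sslvpn-fixed-cert.pem"
    --key "$CERT_DIR/sslvpn-fixed-key.pem"
    --auth-nocache
    --management "$MGMT_SOCK" unix
    # only the invoking user may talk to the management interface
    --management-client-user "$(id -un)"
    --management-query-passwords
    --auth-retry interact
    --script-security 2
    --up "$UPSCRIPT"
    --daemon vpn-sophos
    --log "$LOGFILE"
  )
  sudo openvpn "${openvpn_args[@]}"

  wait_for_mgmt_socket \
    || die "management socket did not appear; log: sudo cat $LOGFILE"
  feed_credentials

  if wait_for_tun; then
    printf 'Disconnect: ~/bin/vpn-disconnect.sh\n'
    return 0
  fi
  return 1
}

main "$@"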