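# authentik identity-provider configuration: groups, plus one OIDC or
# forward-proxy application per self-hosted service.
terraform {
  required_version = ">= 1.6"

  # NOTE(review): the client secrets passed to the modules below presumably end
  # up in Terraform state, so this bucket holds credentials. This block sets
  # neither `encrypt` nor state locking; confirm that bucket-level encryption,
  # restricted access and versioning are configured on the bucket itself.
  backend "s3" {
    bucket = "fuku-terraform"
    key    = "authentik/terraform"
    region = "us-east-1"
  }

  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = "2024.8.4"
    }
  }
}

data "authentik_user" "catalin" {
  username = "catalin"
}

resource "authentik_group" "ci" {
  name  = "ci"
  users = [data.authentik_user.catalin.id]
}

# Superuser group: membership gives full control of authentik itself, and the
# same group is the access group for Firezone, Portainer and the proxied apps
# below. Keep membership minimal.
resource "authentik_group" "admins" {
  name         = "authentik Admins"
  is_superuser = true
}

resource "authentik_group" "vpn" {
  name         = "vpn"
  is_superuser = false
}

module "firezone" {
  source              = "../modules/authentik-oidc"
  app_name            = "Firezone"
  app_slug            = "firezone"
  client_id           = var.firezone_client_id
  client_secret       = var.firezone_client_secret
  app_access_group_id = authentik_group.admins.id
  redirect_uris       = ["https://fz.fukurokuju.dev/auth/oidc/authentik/callback/"]
  app_icon            = "https://www.firezone.dev/icon.svg"
  app_description     = "VPN"
  app_publisher       = "Firezone"
  app_url             = "https://fz.fukurokuju.dev"
  sub_mode            = "hashed_user_id"
}

# NOTE(review): app_access_group_id is empty here and for miniflux and
# paperless. Presumably the module then creates no group binding, so every
# authentik user can sign in to these apps; verify against
# ../modules/authentik-oidc.
module "gitea" {
  source              = "../modules/authentik-oidc"
  app_name            = "Gitea"
  app_slug            = "gitea"
  client_id           = var.gitea_client_id
  client_secret       = var.gitea_client_secret
  app_access_group_id = ""
  redirect_uris       = ["https://git.roboces.dev/user/oauth2/authentik/callback"]
  app_icon            = "https://git.roboces.dev/assets/img/logo.svg"
  app_description     = "Beyond coding. We forge."
  app_publisher       = "Forgejo"
  app_url             = "https://git.roboces.dev/user/oauth2/authentik"
  sub_mode            = "hashed_user_id"
}

module "miniflux" {
  source              = "../modules/authentik-oidc"
  app_name            = "Miniflux"
  app_slug            = "miniflux"
  client_id           = var.miniflux_client_id
  client_secret       = var.miniflux_client_secret
  app_access_group_id = ""
  redirect_uris = [
    "https://feeds.roboces.dev/oauth2/oidc/callback",
    "https://feeds.fuku/oauth2/oidc/callback",
  ]
  app_icon        = "https://miniflux.app/favicon.ico"
  app_description = "RSS aggregator"
  app_publisher   = "Miniflux"
  app_url         = "https://feeds.roboces.dev"
  sub_mode        = "hashed_user_id"
}

module "portainer" {
  source              = "../modules/authentik-oidc"
  app_name            = "Portainer"
  app_slug            = "portainer"
  client_id           = var.portainer_client_id
  client_secret       = var.portainer_client_secret
  app_access_group_id = authentik_group.admins.id
  redirect_uris       = ["https://containers.fukurokuju.dev/"]
  app_icon            = "https://www.portainer.io/hubfs/crane-icon.svg"
  app_description     = "Kubernetes and Docker container Management Software"
  app_publisher       = "Portainer"
  app_url             = "https://containers.fukurokuju.dev/"
  sub_mode            = "hashed_user_id"
}

# sub_mode is not set for this app, so whatever default the module defines
# applies.
module "paperless" {
  source              = "../modules/authentik-oidc"
  app_name            = "Paperless"
  app_slug            = "paperless"
  client_id           = var.paperless_client_id
  client_secret       = var.paperless_client_secret
  app_access_group_id = ""
  redirect_uris       = ["https://paperless.roboces.dev/accounts/oidc/authentik/login/callback/"]
  app_icon            = "https://paperless.roboces.dev/favicon.ico"
  app_description     = "Document manager"
  app_publisher       = "Paperless"
  app_url             = "https://paperless.roboces.dev"
}

# Sonarr, Radarr and Lidarr sit behind the authentik proxy. The upstream is
# plain http on a LAN address, so the hop from the outpost to the backend is
# unencrypted and internal_host_ssl_validation = false has no certificate to
# skip. If an upstream moves to https, turn validation back on.
# NOTE(review): the proxy only protects these apps if the backend ports are not
# reachable directly; confirm they are firewalled to the outpost.
module "sonarr" {
  source                       = "../modules/authentik-proxy"
  app_name                     = "Sonarr"
  app_slug                     = "sonarr"
  app_access_group_id          = authentik_group.admins.id
  app_url                      = "https://sonarr.fukurokuju.dev"
  internal_host                = "http://192.168.1.3:38013/"
  internal_host_ssl_validation = false
  app_icon                     = "https://sonarr.tv/img/logo.png"
}

module "radarr" {
  source                       = "../modules/authentik-proxy"
  app_name                     = "Radarr"
  app_slug                     = "radarr"
  app_access_group_id          = authentik_group.admins.id
  app_url                      = "https://radarr.fukurokuju.dev"
  internal_host                = "http://192.168.1.3:38012/"
  internal_host_ssl_validation = false
  app_icon                     = "https://radarr.video/img/background/logo.png"
}

module "lidarr" {
  source                       = "../modules/authentik-proxy"
  app_name                     = "Lidarr"
  app_slug                     = "lidarr"
  app_access_group_id          = authentik_group.admins.id
  app_url                      = "https://lidarr.fukurokuju.dev"
  internal_host                = "http://192.168.1.3:38010/"
  internal_host_ssl_validation = false
  app_icon                     = "https://lidarr.audio/img/background/logo.png"
}

# NetBird is registered as a public client (browser dashboard plus a local CLI
# callback on localhost). A public client cannot keep a secret, so
# client_secret is presumably unused for it; verify in the module.
module "netbird" {
  source              = "../modules/authentik-oidc"
  app_name            = "netbird"
  app_slug            = "netbird"
  client_id           = var.netbird_client_id
  client_secret       = var.netbird_client_secret
  client_type         = "public"
  app_access_group_id = authentik_group.vpn.id

  # The wildcard entry is a regular expression, not a glob. The escaped dots
  # and the "/" before ".*" keep it on this exact origin; without the "/" the
  # pattern would also accept any host whose name merely starts with
  # "vpn.fukurokuju.dev". The bare-origin entry above it still covers the URL
  # with no path.
  # NOTE(review): assumes the module forwards this list unchanged and that the
  # deployed authentik falls back to regex matching for non-exact entries;
  # under that matching, unescaped dots in the other apps' redirect URIs are
  # also wildcards. Confirm against the server version in use.
  redirect_uris = [
    "https://vpn.fukurokuju.dev",
    "https://vpn\\.fukurokuju\\.dev/.*",
    "http://localhost:53000",
  ]

  sub_mode = "user_id"

  # Adds the authentik API scope to this client's tokens, so a NetBird token
  # can presumably call the authentik API with the signed-in user's rights.
  # Keep the vpn group non-superuser for that reason.
  extra_property_mappings = [
    "goauthentik.io/providers/oauth2/scope-authentik_api",
  ]

  app_icon = "https://vpn.fukurokuju.dev/apple-icon.png"
}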