# Root Terraform configuration for authentik: remote state, provider pinning,
# two groups, and one OAuth2/OIDC application per service, each created through
# the shared ../modules/authentik module.
terraform {
  required_version = ">= 1.6"

  required_providers {
    # A bare version string is an exact pin, so provider upgrades only happen
    # through an explicit edit of this file.
    authentik = {
      source  = "goauthentik/authentik"
      version = "2024.2.0"
    }
  }

  # NOTE(review): the OAuth client secrets passed to the modules below are
  # Terraform inputs and will presumably end up in this state object. Confirm
  # that the bucket enforces encryption at rest, blocks public access, limits
  # read access to the operators of this stack, and that state locking is
  # configured; none of that is visible in this file.
  backend "s3" {
    bucket = "fuku-terraform"
    key    = "authentik/terraform"
    region = "us-east-1"
  }
}

# Existing authentik account, looked up by username (not created here).
data "authentik_user" "catalin" {
  username = "catalin"
}

# Group that gates access to Argo Workflows; membership is declared inline.
resource "authentik_group" "ci" {
  name  = "ci"
  users = [data.authentik_user.catalin.id]
}

# Superuser group. It is also the access group for Firezone below, so every
# member gets both authentik superuser rights and VPN access.
# NOTE(review): no `users` are declared here; confirm where membership is
# managed and keep it as small as possible.
resource "authentik_group" "admins" {
  name         = "authentik Admins"
  is_superuser = true
}

# Argo Workflows: restricted to the "ci" group.
# sub_mode is not set, so whatever default the module defines applies.
module "argo-workflows" {
  source = "../modules/authentik"

  app_name = "Argo Workflows"
  app_slug = "argo-workflows"
  app_url  = "https://ci.fuku"

  client_id     = var.argo_workflows_client_id
  client_secret = var.argo_workflows_client_secret
  redirect_uris = ["https://ci.fuku/oauth2/callback"]

  app_access_group_id = authentik_group.ci.id

  app_icon        = "https://argoproj.github.io/icons/icon-512x512.png"
  app_description = "Kubernetes-native workflow engine supporting DAG and step-based workflows"
  app_publisher   = "Argo Project"
}

# Firezone (VPN): restricted to the superuser group defined above.
module "firezone" {
  source = "../modules/authentik"

  app_name = "Firezone"
  app_slug = "firezone"
  app_url  = "https://fz.fukurokuju.dev"

  client_id     = var.firezone_client_id
  client_secret = var.firezone_client_secret
  redirect_uris = ["https://fz.fukurokuju.dev/auth/oidc/authentik/callback/"]
  sub_mode      = "hashed_user_id"

  app_access_group_id = authentik_group.admins.id

  app_icon        = "https://www.firezone.dev/icon.svg"
  app_description = "VPN"
  app_publisher   = "Firezone"
}

# Gitea.
# NOTE(review): app_access_group_id is empty. Presumably the module then
# creates no group binding, which would leave the application open to every
# authenticated authentik user; verify against ../modules/authentik and confirm
# that this is intended.
module "gitea" {
  source = "../modules/authentik"

  app_name = "Gitea"
  app_slug = "gitea"
  app_url  = "https://git.roboces.dev/user/oauth2/authentik"

  client_id     = var.gitea_client_id
  client_secret = var.gitea_client_secret
  redirect_uris = ["https://git.roboces.dev/user/oauth2/authentik/callback"]
  sub_mode      = "hashed_user_id"

  app_access_group_id = ""

  app_icon        = "https://about.gitea.com/gitea.svg"
  app_description = "Git with a cup of Tea 🍵"
  app_publisher   = "Gitea"
}

# Miniflux.
# NOTE(review): app_access_group_id is empty here as well; the same question
# applies: confirm in ../modules/authentik whether this means "no restriction"
# and whether that is the intended policy for this application.
module "miniflux" {
  source = "../modules/authentik"

  app_name = "Miniflux"
  app_slug = "miniflux"
  app_url  = "https://feeds.roboces.dev"

  client_id     = var.miniflux_client_id
  client_secret = var.miniflux_client_secret
  redirect_uris = ["https://feeds.roboces.dev/oauth2/oidc/callback"]
  sub_mode      = "hashed_user_id"

  app_access_group_id = ""

  app_icon        = "https://miniflux.app/favicon.ico"
  app_description = "RSS aggregator"
  app_publisher   = "Miniflux"
}