# Configuration for oauth2_proxy, which is used as a handler for nginx
# auth-request setups.
#
# This module exports a helper function at
# `config.services.depot.oauth2_proxy.withAuth` that can be wrapped
# around nginx server configuration blocks to configure their
# authentication setup.
{ config, depot, pkgs, lib, ... }:

let
  description = "OAuth2 proxy to authenticate TVL services";
  cfg = config.services.depot.oauth2_proxy;
  configFile = pkgs.writeText "oauth2_proxy.cfg" ''
    email_domains = [ "*" ]
    http_address = "127.0.0.1:${toString cfg.port}"
    provider = "keycloak-oidc"
    client_id = "oauth2-proxy"
    oidc_issuer_url = "https://auth.tvl.fyi/auth/realms/TVL"
    reverse_proxy = true
    set_xauthrequest = true
  '';

  # Depend on the Keycloak service if it is running on the same
  # machine.
  depends_on = lib.optional config.services.keycloak.enable "keycloak.service";
in
{
  options.services.depot.oauth2_proxy = {
    enable = lib.mkEnableOption description;

    port = lib.mkOption {
      description = "Port to listen on";
      type = lib.types.int;
      default = 2884; # "auth"
    };

    secretsFile = lib.mkOption {
      type = lib.types.str;
      description = "EnvironmentFile from which to load secrets";
      default = config.age.secretsDir + "/oauth2_proxy";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.oauth2_proxy = {
      inherit description;
      after = depends_on;
      wants = depends_on;
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Restart = "always";
        RestartSec = "5s";
        DynamicUser = true;
        EnvironmentFile = cfg.secretsFile;
        ExecStart = "${pkgs.oauth2-proxy}/bin/oauth2-proxy --config ${configFile}";
      };
    };
  };
}