From 69ffff50e084d8436743191a724faa735b41c22d Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Fri, 28 Oct 2022 14:35:43 +0200
Subject: [PATCH] radarr: Setup OpenID auth
---
 hosts/architect/radarr.nix | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)
diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix
index 2f6e8ca..08d97f4 100644
--- a/hosts/architect/radarr.nix
+++ b/hosts/architect/radarr.nix
@@ -15,10 +15,33 @@ in {
 enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:7878";
- extraConfig = ''
- allow 10.0.0.0/24;
- ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
- deny all;
+ extraConfig = let
+ realm = "master";
+ client_id = "radarr";
+ client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
+ redirect_uri = "https://${domain}";
+ in ''
+ access_by_lua_block {
+ local opts = {
+ redirect_uri_path = "/redirect_uri",
+ accept_none_alg = true,
+ discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
+ client_id = "${client_id}",
+ client_secret = "${client_secret}",
+ logout_path = "/logout",
+ redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
+ redirect_after_logout_with_id_token_hint = false,
+ }
+
+ -- call introspect for OAuth 2.0 Bearer Access Token validation
+ local res, err = require("resty.openidc").authenticate(opts)
+
+ if err then
+ ngx.status = 403
+ ngx.say(err)
+ ngx.exit(ngx.HTTP_FORBIDDEN)
+ end
+ }
 '';
 };
 };
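Review bot: The OAuth client secret on `client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";` is committed to the repository in plaintext and, because it is interpolated into the nginx config, is also written world-readable into the Nix store on the host; it should be rotated at the IdP and loaded at runtime from a root-only file outside the store (e.g. via the secrets manager the host uses, or a file nginx reads from a runtime path) rather than held in a Nix string. `accept_none_alg = true,` makes lua-resty-openidc accept ID tokens with `alg: none`, i.e. tokens carrying no signature, which undoes the signature verification that is the whole point of validating what the IdP returns; unless there is a documented reason it should read `accept_none_alg = false,`, which I believe is the library default. `ngx.say(err)` echoes the library's internal error text to the browser, so prefer `ngx.log(ngx.ERR, err)` with a generic response body, and the comment `-- call introspect for OAuth 2.0 Bearer Access Token validation` misdescribes the call, since `authenticate(opts)` runs the OIDC login flow rather than token introspection. Note also that the previous allowlist (`allow 10.0.0.0/24` and the WireGuard devices, `deny all`) is dropped entirely, so the service is now reachable from anywhere up to the OIDC check; if defence in depth is wanted, keeping the network restriction alongside the Lua block costs nothing. The enclosing `let … in { … }` attribute set begins before the hunk.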