radarr: Setup OpenID auth

hosts/architect/radarr.nix

@@ -15,10 +15,33 @@ in {
       enableACME = true;
       locations."/" = {
         proxyPass = "http://localhost:7878";
-        extraConfig = ''
+        extraConfig = let
-          allow 10.0.0.0/24;
+          realm = "master";
-          ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
+          client_id = "radarr";
-          deny all;
+          client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
+          redirect_uri = "https://${domain}";
+        in ''
+          access_by_lua_block {
+            local opts = {
+              redirect_uri_path = "/redirect_uri",
+              accept_none_alg = true,
+              discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
+              client_id = "${client_id}",
+              client_secret = "${client_secret}",
+              logout_path = "/logout",
+              redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
+              redirect_after_logout_with_id_token_hint = false,
+          }
+
+            -- call introspect for OAuth 2.0 Bearer Access Token validation
+            local res, err = require("resty.openidc").authenticate(opts)
+
+            if err then
+              ngx.status = 403
+              ngx.say(err)
+              ngx.exit(ngx.HTTP_FORBIDDEN)
+            end
+          }
         '';
       };
     };