From c9e46ec073d13a4f43c910f60dfe93ab5f419388 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Fri, 28 Oct 2022 14:43:55 +0200
Subject: [PATCH] radarr: Use openid.nix template
---
 hosts/architect/openid.nix | 25 +++++++++++++++++++++++++
 hosts/architect/radarr.nix | 27 +++------------------------
 2 files changed, 28 insertions(+), 24 deletions(-)
 create mode 100644 hosts/architect/openid.nix
diff --git a/hosts/architect/openid.nix b/hosts/architect/openid.nix
new file mode 100644
index 0000000..74020f9
--- /dev/null
+++ b/hosts/architect/openid.nix
@@ -0,0 +1,25 @@
+{
+ openresty_oidc_block = { realm, client_id, client_secret, redirect_uri }: ''
+ access_by_lua_block {
+ local opts = {
+ redirect_uri_path = "/redirect_uri",
+ accept_none_alg = true,
+ discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
+ client_id = "${client_id}",
+ client_secret = "${client_secret}",
+ logout_path = "/logout",
+ redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
+ redirect_after_logout_with_id_token_hint = false,
+ }
+
+ -- call introspect for OAuth 2.0 Bearer Access Token validation
+ local res, err = require("resty.openidc").authenticate(opts)
+
+ if err then
+ ngx.status = 403
+ ngx.say(err)
+ ngx.exit(ngx.HTTP_FORBIDDEN)
+ end
+ }
+ '';
+}
diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix
index 08d97f4..f0dda97 100644
--- a/hosts/architect/radarr.nix
+++ b/hosts/architect/radarr.nix
@@ -3,6 +3,7 @@
 let
 domain = "htrad.giugl.io";
 network = import ./network.nix;
+ auth_block = (import ./openid.nix).openresty_oidc_block;
 in {
 services = {
 radarr = {
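Review bot: `accept_none_alg = true` in the new `openresty_oidc_block` template disables signature verification for any token whose header claims `alg: "none"`, and because the block is now shared, every virtual host that uses it inherits that setting; unless there is a documented reason, drop the line so the library default (rejecting unsigned tokens) applies, or expose it as a template parameter that defaults to false. `ngx.say(err)` echoes the library's error text to the unauthenticated client, which may disclose discovery URLs and token-validation details; log it server-side with `ngx.log(ngx.ERR, err)` and return a fixed body instead. The comment `-- call introspect for OAuth 2.0 Bearer Access Token validation` describes a different call than the one below it, since `authenticate(opts)` runs the OpenID Connect authorization-code flow against the discovery document; reword it to `-- run the OIDC authorization-code flow; deny the request on any failure`. Interpolating `${client_secret}` straight into a Lua string literal also silently assumes the secret contains no `"` or `\`, which is worth a one-line comment on the template's arguments.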
@@ -15,34 +16,12 @@ in {
 enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:7878";
- extraConfig = let
+ extraConfig = auth_block {
 realm = "master";
 client_id = "radarr";
 client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
 redirect_uri = "https://${domain}";
- in ''
- access_by_lua_block {
- local opts = {
- redirect_uri_path = "/redirect_uri",
- accept_none_alg = true,
- discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
- client_id = "${client_id}",
- client_secret = "${client_secret}",
- logout_path = "/logout",
- redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
- redirect_after_logout_with_id_token_hint = false,
- }
-
- -- call introspect for OAuth 2.0 Bearer Access Token validation
- local res, err = require("resty.openidc").authenticate(opts)
-
- if err then
- ngx.status = 403
- ngx.say(err)
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- }
- '';
+ };
 };
 };
 };
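Review bot: The `client_secret` literal is still passed as a plain string after the refactor, so it continues to be written into the world-readable Nix store and the rendered nginx config, and it remains in git history; the template call is the natural place to switch to reading the secret from a root-only file outside the store, and a secret that has already been committed should be treated as exposed and rotated in the identity provider. `redirect_uri = "https://${domain}"` is interpolated by the template directly into the `redirect_uri=` query parameter with no URL-encoding, which happens to work for this bare origin but will break as soon as a path or query component is added. The attribute set that holds `locations."/"` starts outside the hunk.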