{ lib, ... }:

let
  domain = "htrad.giugl.io";
  network = import ./network.nix;
in {
  services = {
    radarr = {
      enable = true;
      group = "media";
    };

    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:7878";
        extraConfig = let
          realm = "master";
          client_id = "radarr";
          client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
          redirect_uri = "https://${domain}";
        in ''
          access_by_lua_block {
            local opts = {
              redirect_uri_path = "/redirect_uri",
              accept_none_alg = true,
              discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
              client_id = "${client_id}",
              client_secret = "${client_secret}",
              logout_path = "/logout",
              redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
              redirect_after_logout_with_id_token_hint = false,
          }

            -- call introspect for OAuth 2.0 Bearer Access Token validation
            local res, err = require("resty.openidc").authenticate(opts)

            if err then
              ngx.status = 403
              ngx.say(err)
              ngx.exit(ngx.HTTP_FORBIDDEN)
            end
          }
        '';
      };
    };
  };

  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
  '';

  users.groups.media.members = [ "radarr" ];
}