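{ config, ... }:
let
  inherit (import ./lib.nix config) mkContainer blazestar havenisms;
in
{
  # Both secrets are owner-read-only and trigger a restart of the container
  # unit when rotated, so a new cookie/client secret takes effect without a
  # manual bounce.
  sops.secrets = {
    "oauth2-proxy/cookie-secret" = {
      restartUnits = [ "podman-oauth2-proxy.service" ];
      mode = "0400";
    };
    "oauth2-proxy/client-secret" = {
      restartUnits = [ "podman-oauth2-proxy.service" ];
      mode = "0400";
    };
  };

  # Env file rendered at activation time with the sops placeholders replaced,
  # so the secret values stay out of the Nix store.
  #
  # Fix: the substitution attribute is `config.sops.placeholder`; the original
  # spelled it `placehoder`, which does not exist and fails evaluation.
  #
  # NOTE(review): OAUTH2_PROXY_EMAIL_DOMAINS='*' admits every account the OIDC
  # issuer will authenticate; narrow it (or rely on the realm's client
  # restrictions) if not every issuer account should reach the proxied apps.
  # NOTE(review): the COOKIE_DOMAINS / WHITELIST_DOMAINS values are
  # space-separated here — confirm oauth2-proxy's env parsing accepts that
  # separator for list flags.
  # NOTE(review): nothing on this page wires `oauth2-proxy.env` into the
  # container or mounts anything at /templates (volumes is empty); presumably
  # mkContainer in ./lib.nix does both — verify.
  sops.templates."oauth2-proxy.env".content = ''
    OAUTH2_PROXY_HTTP_ADDRESS='0.0.0.0:4180'
    OAUTH2_PROXY_COOKIE_SECRET='${config.sops.placeholder."oauth2-proxy/cookie-secret"}'
    OAUTH2_PROXY_COOKIE_DOMAINS='.${blazestar} .${havenisms}'
    OAUTH2_PROXY_WHITELIST_DOMAINS='.${blazestar} .${havenisms}'
    OAUTH2_PROXY_PROVIDER='oidc'
    OAUTH2_PROXY_CLIENT_ID='oauth2-proxy'
    OAUTH2_PROXY_CLIENT_SECRET='${config.sops.placeholder."oauth2-proxy/client-secret"}'
    OAUTH2_PROXY_EMAIL_DOMAINS='*'
    OAUTH2_PROXY_OIDC_ISSUER_URL='https://auth.${blazestar}/realms/master'
    OAUTH2_PROXY_REDIRECT_URL='https://auth.${blazestar}/oauth2/callback'
    OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST=true
    OAUTH2_PROXY_COOKIE_CSRF_EXPIRE='5m'
    OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR="/templates"
    OAUTH2_PROXY_REVERSE_PROXY=true
  '';

  # Container definition; mkContainer (./lib.nix, not visible here) builds the
  # oci-containers entry from these attributes.  `domain`/`hostName` give the
  # public name auth.<blazestar>, matching the OIDC redirect URL above.
  virtualisation.oci-containers.containers.oauth2-proxy = mkContainer {
    image = "quay.io/oauth2-proxy/oauth2-proxy";
    hostName = "oauth";
    domain = blazestar;
    port = "4180";
    homepageOpts = {
      group = "Infra";
      name = "OAuth2-Proxy";
      icon = "oauth2-proxy.png";
      description = "An OAuth2 Reverse Proxy";
    };
    volumes = [ ];
    environment = { };
  };
}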