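{ config, lib, pkgs, ... }:
# NixOS module: runs tinyauth as a podman container and wires it into Caddy
# as a forward_auth target, with Kanidm as the upstream OIDC provider.
{
  virtualisation.oci-containers.backend = "podman";

  virtualisation.oci-containers.containers.tinyauth = {
    # NOTE(review): ":v4" is a floating major tag; consider pinning to an
    # immutable digest so an upstream re-tag cannot silently change what runs.
    image = "ghcr.io/steveiliop56/tinyauth:v4";

    # Publish the container port on loopback only. The only consumers in
    # this module are the Caddy forward_auth and reverse_proxy blocks below,
    # both of which talk to 127.0.0.1:3009. Without the host-address prefix
    # podman publishes on all interfaces, which would expose the unauthenticated
    # tinyauth listener directly (and, for rootful podman, outside the host
    # firewall's INPUT filtering).
    ports = [ "127.0.0.1:3009:3000" ];

    # Non-secret settings only; anything sensitive belongs in environmentFiles,
    # since these values are visible via `podman inspect` and in the systemd unit.
    environment = {
      "APP_URL" = "https://tinyauth.${config.homelab.domain}";
      "PROVIDERS_KANIDM_CLIENT_ID" = "tinyauth";
      "PROVIDERS_KANIDM_AUTH_URL" = "https://${config.homelab.authDomain}/ui/oauth2";
      "PROVIDERS_KANIDM_TOKEN_URL" = "https://${config.homelab.authDomain}/oauth2/token";
      "PROVIDERS_KANIDM_USER_INFO_URL" = "https://${config.homelab.authDomain}/oauth2/openid/tinyauth/userinfo";
      "PROVIDERS_KANIDM_REDIRECT_URL" = "https://tinyauth.${config.homelab.domain}/api/oauth/callback/kanidm";
      "PROVIDERS_KANIDM_SCOPES" = "openid email profile groups";
      "PROVIDERS_KANIDM_NAME" = "${config.homelab.authDomain}";
    };

    environmentFiles = [
      # set variable PROVIDERS_KANIDM_CLIENT_SECRET here.
      # Given as a string rather than a bare path literal: a Nix path that is
      # ever string-interpolated gets copied into the world-readable /nix/store,
      # which must never happen to a file holding a client secret. The file
      # itself should be root-owned and mode 0600 (not managed by this module).
      "/var/lib/tinyauth"
    ];
  };

  # Reusable Caddy snippet: import "(tinyauth_forwarder)" in a site block to
  # require a tinyauth session before proxying to the upstream service.
  services.caddy.extraConfig = ''
    (tinyauth_forwarder) {
      forward_auth 127.0.0.1:3009 {
        uri /api/auth/caddy
      }
    }
  '';

  # Public entry point for the tinyauth UI/login flow; TLS terminates at Caddy
  # and the plain-HTTP hop to the container stays on loopback.
  services.caddy.virtualHosts."tinyauth.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:3009
    '';
  };
}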