resource "random_id" "jellyfin_client_id" {
  byte_length = 16
}

resource "authentik_provider_oauth2" "jellyfin" {
  name      = "Jellyfin"
  client_id = random_id.jellyfin_client_id.id

  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
  invalidation_flow  = data.authentik_flow.default-invalidation-flow.id

  allowed_redirect_uris = [
    {
      matched_mode = "strict",
      url          = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik",
    },
    {
      matched_mode = "regex",
      url          = ".*",
    }
  ]

  property_mappings = [
    data.authentik_property_mapping_provider_scope.scope-email.id,
    data.authentik_property_mapping_provider_scope.scope-profile.id,
    data.authentik_property_mapping_provider_scope.scope-openid.id,
  ]
  lifecycle {
    ignore_changes = [
      signing_key,
      authentication_flow,
    ]
  }
}

resource "authentik_application" "jellyfin" {
  name              = "Jellyfin"
  slug              = "jellyfin"
  protocol_provider = authentik_provider_oauth2.jellyfin.id
  meta_launch_url   = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
}
resource "kubernetes_secret" "jellyfin_oidc" {
  metadata {
    name      = "jellyfin-oidc"
    namespace = "jellyfin"
  }
  data = {
    client-secret = authentik_provider_oauth2.jellyfin.client_secret
  }
}