# OIDC wiring between authentik (identity provider) and Paperless-ngx
# (relying party), plus the Kubernetes namespace and Secret that carry the
# resulting client credentials to the workload.

# 16 random bytes (128 bits) used as the OAuth2 client identifier.
# The client ID is an identifier, not a credential; the confidential part is
# the provider's client_secret, which is read further down.
resource "random_id" "paperless_client_id" {
  byte_length = 16
}

resource "authentik_provider_oauth2" "paperless" {
  name = "Paperless"

  # client_id is required by the provider. It is taken from random_id above
  # instead of a hand-generated value (e.g. `openssl rand -hex 16`).
  # Note that `.id` is the encoded form exposed by random_id, not the hex
  # string that the openssl command would print.
  client_id = random_id.paperless_client_id.id

  # The flow name indicates the "implicit consent" variant, i.e. users are not
  # shown a consent prompt for this application.
  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id

  # Only this callback may receive authorization responses. Keep entries as
  # complete https URLs.
  # NOTE(review): depending on the authentik / provider version, redirect URI
  # entries may be matched as regular expressions rather than exact strings -
  # confirm the matching mode in use so the unescaped dots cannot widen the match.
  redirect_uris = [
    "https://paperless.lab.cowley.tech/accounts/oidc/authentik/login/callback/"
  ]

  # Scopes released to Paperless: email, profile and openid.
  property_mappings = [
    data.authentik_scope_mapping.scope-email.id,
    data.authentik_scope_mapping.scope-profile.id,
    data.authentik_scope_mapping.scope-openid.id,
  ]

  lifecycle {
    # Terraform will neither set nor revert these two attributes, so changes
    # made to the signing key or authentication flow outside Terraform do not
    # show up in `terraform plan`. Review them in authentik directly.
    ignore_changes = [
      signing_key,
      authentication_flow,
    ]
  }
}

# The authentik application entry that exposes the provider above.
resource "authentik_application" "paperless" {
  name              = "Paperless"
  slug              = "paperless"
  protocol_provider = authentik_provider_oauth2.paperless.id
}

# Earlier approach, kept for reference: it rendered the same template through
# a template_file data source and passed only client_id. The templatefile()
# call in the Secret below replaces it.
#data "template_file" "paperless-config" {
#  template = "${file("${path.module}/paperless.tpl")}"
#  vars = {
#    client_id = authentik_provider_oauth2.paperless.client_id
#  }
#}

resource "kubernetes_namespace" "paperless" {
  metadata {
    name = "paperless-ngx"
  }

  lifecycle {
    # Labels on the namespace are left to whatever else manages them.
    # Namespace labels can carry policy (for example Pod Security admission
    # levels), and with this setting label drift is not reported by Terraform.
    ignore_changes = [
      metadata[0].labels
    ]
  }
}

# Environment for the Paperless workload, including the rendered OIDC provider
# configuration.
#
# The rendered value embeds client_secret. Everything in `data` is also written
# to the Terraform state, so the state backend needs encryption at rest and
# restricted access. On the cluster side, Secret values are only base64-encoded
# unless encryption at rest is configured; limit read access to this Secret via
# RBAC.
resource "kubernetes_secret" "paperless-env" {
  metadata {
    name      = "paperless-env"
    namespace = kubernetes_namespace.paperless.metadata[0].name
  }

  data = {
    "PAPERLESS_APPS" = "allauth.socialaccount.providers.openid_connect"
    "PAPERLESS_SOCIALACCOUNT_PROVIDERS" = templatefile(
      "${path.module}/paperless.tpl",
      {
        client_id     = authentik_provider_oauth2.paperless.client_id,
        client_secret = authentik_provider_oauth2.paperless.client_secret
      }
    )
  }
}