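# Root module: Gitea and Keycloak on Kubernetes, with Gitea authenticating users
# against Keycloak over OpenID Connect.
#
# NOTE(review): state lives in a Kubernetes Secret (backend "kubernetes").
# Terraform state stores every variable value in plaintext, so the Keycloak
# admin password, the Postgres password and both OIDC client secrets end up in
# that Secret; RBAC on the "dan-terraform" namespace is the effective access
# control for those credentials.
terraform {
  required_providers {
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.11.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.23.0"
    }
    keycloak = {
      source  = "mrparkers/keycloak"
      version = "4.3.1"
    }
  }

  backend "kubernetes" {
    secret_suffix = "tfstate"
    config_path   = "~/.kube/config"
    namespace     = "dan-terraform"
  }
}

provider "kubernetes" {
  config_path = "~/.kube/config"
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

# Keycloak is administered through a dedicated confidential client
# ("terraform"); the secret is supplied by a variable and must not be committed.
# Provider configuration cannot depend on resources, so this provider assumes
# the Keycloak release below is already reachable when the realm/client
# resources are planned.
provider "keycloak" {
  client_id     = "terraform"
  client_secret = var.keycloak_client_secret
  url           = "https://keycloak.${var.domain_suffix}"
}

resource "kubernetes_namespace" "gitea_ns" {
  metadata {
    name = var.gitea_namespace
  }
}

# Gitea, exposed at git.<domain> with a cert-manager issued certificate and a
# single OAuth2 login source pointing at the Keycloak realm managed below.
resource "helm_release" "gitea" {
  name       = "gitea"
  repository = "https://dl.gitea.com/charts/"
  chart      = "gitea"
  # Reference the namespace resource (not the raw variable) so Terraform orders
  # the release after the namespace exists.
  namespace = kubernetes_namespace.gitea_ns.metadata[0].name

  # The OAuth source is configured from Keycloak's discovery document, so the
  # realm and client should exist before Gitea is installed.
  depends_on = [keycloak_openid_client.gitea_client]

  set {
    name  = "ingress.enabled"
    value = "true"
  }
  # Dots inside the annotation key must be escaped so Helm does not split the
  # key; written the same way as in the Keycloak release below.
  set {
    name  = "ingress.annotations.cert-manager\\.io/cluster-issuer"
    value = "letsencrypt-prod"
  }
  set {
    name  = "ingress.hosts[0].host"
    value = "git.${var.domain_suffix}"
  }
  set {
    name  = "ingress.hosts[0].paths[0].path"
    value = "/"
  }
  set {
    name  = "ingress.hosts[0].paths[0].pathType"
    value = "Prefix"
  }
  set {
    name  = "ingress.tls[0].secretName"
    value = "tls-gitea"
  }
  set {
    name  = "ingress.tls[0].hosts[0]"
    value = "git.${var.domain_suffix}"
  }
  set {
    name  = "persistence.enabled"
    value = "true"
  }
  set {
    name  = "global.storageClass"
    value = var.storageclass
  }

  # OAuth2 login source. The "name" value is part of Gitea's callback path
  # (/user/oauth2/<name>/callback) and must match the redirect URI allowed on
  # the Keycloak client.
  set {
    name  = "gitea.oauth[0].name"
    value = "md1clv.im"
  }
  set {
    name  = "gitea.oauth[0].provider"
    value = "openidConnect"
  }
  # Must equal keycloak_openid_client.gitea_client.client_id.
  set {
    name  = "gitea.oauth[0].key"
    value = "gitea"
  }
  # set_sensitive keeps the client secret out of plan/apply output.
  set_sensitive {
    name  = "gitea.oauth[0].secret"
    value = var.keycloak_gitea_secret
  }
  # Discovery URL is built from the realm resource so it cannot drift from the
  # realm the client is actually created in.
  set {
    name  = "gitea.oauth[0].autoDiscoverUrl"
    value = "https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/.well-known/openid-configuration"
  }

  # NOTE(review): the Gitea chart provisions a built-in admin account with
  # chart-default credentials unless gitea.admin.* values are overridden —
  # confirm against the chart's values.yaml and set them from a variable.
}

# Keycloak (Bitnami chart) behind a TLS-terminating ingress (proxy = "edge").
resource "helm_release" "keycloak" {
  name             = "keycloak"
  namespace        = var.keycloak_namespace
  repository       = "https://charts.bitnami.com/bitnami/"
  chart            = "keycloak"
  create_namespace = true

  # Credentials go through set_sensitive so they are redacted in plan output.
  set_sensitive {
    name  = "auth.adminPassword"
    value = var.keycloak_admin_pass
  }
  set {
    name  = "auth.adminUser"
    value = "admin"
  }
  set {
    name  = "global.storageClass"
    value = var.storageclass
  }
  set {
    name  = "ingress.annotations.cert-manager\\.io/cluster-issuer"
    value = "letsencrypt-prod"
  }
  set {
    name  = "ingress.enabled"
    value = "true"
  }
  set {
    name  = "ingress.hostname"
    value = "keycloak.${var.domain_suffix}"
  }
  set {
    name  = "ingress.tls"
    value = "true"
  }
  set_sensitive {
    name  = "postgresql.auth.password"
    value = var.postgres_password
  }
  # TLS terminates at the ingress; Keycloak trusts X-Forwarded-* from it.
  set {
    name  = "proxy"
    value = "edge"
  }
}

resource "keycloak_realm" "realm" {
  realm                       = "DC_Cloud"
  enabled                     = true
  default_signature_algorithm = "RS256"
}

# Confidential OIDC client used by Gitea.
resource "keycloak_openid_client" "gitea_client" {
  realm_id      = keycloak_realm.realm.id
  client_id     = "gitea"
  enabled       = true
  access_type   = "CONFIDENTIAL"
  client_secret = var.keycloak_gitea_secret

  # Gitea uses the authorization-code flow only. The implicit flow returns
  # tokens in the URL fragment and is deprecated by the OAuth 2.0 Security BCP,
  # so it is disabled; password grant is disabled explicitly as well.
  standard_flow_enabled        = true
  implicit_flow_enabled        = false
  direct_access_grants_enabled = false

  # Exact callback instead of a host-wide wildcard: a wildcard lets any open
  # redirect on git.<domain> capture authorization codes. The path is Gitea's
  # callback for the OAuth source named "md1clv.im" above — verify against the
  # Gitea login redirect if the source is renamed.
  valid_redirect_uris = [
    "https://git.${var.domain_suffix}/user/oauth2/md1clv.im/callback"
  ]
}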