# =============================================================================
# Realm
# =============================================================================
# Single realm shared by the production and localhost-testing clients below.
resource "keycloak_realm" "hexor" {
  realm        = "hexor"
  enabled      = true
  display_name = "Hexor"

  login_theme   = "keycloak"
  account_theme = "keycloak.v3"

  # Self-service registration form is off; accounts are expected to arrive via
  # the Google identity provider below (first-broker-login still creates the
  # local user record — confirm against the realm's first-login flow).
  registration_allowed   = false
  reset_password_allowed = true
  remember_me            = true

  # Realm-level email verification is not enforced. The Google IdP has
  # trust_email = true, so a federated email is accepted as verified without
  # a confirmation round-trip; locally-managed accounts would not be checked.
  verify_email = false

  # login_with_email_allowed requires duplicate_emails_allowed = false;
  # keep these two in step.
  login_with_email_allowed = true
  duplicate_emails_allowed = false

  # "external": HTTPS is required for requests from non-private addresses.
  ssl_required = "external"
}

# =============================================================================
# Google Identity Provider
# =============================================================================
resource "keycloak_oidc_google_identity_provider" "google" {
  realm         = keycloak_realm.hexor.id
  client_id     = var.google_client_id
  client_secret = var.google_client_secret

  # Email asserted by Google is taken as verified (see verify_email on the realm).
  trust_email = true

  # IMPORT: user profile is copied at first login only and not re-synced on
  # later logins; changes at Google do not propagate to the local user.
  sync_mode = "IMPORT"
}

# =============================================================================
# Default groups
# =============================================================================
resource "keycloak_group" "users" {
  realm_id = keycloak_realm.hexor.id
  name     = "users"
}

# Every newly created user (including IdP-imported ones) is placed in "users".
# Because the clients below emit a "groups" claim, membership in this group is
# effectively granted to any account that can authenticate to the realm.
resource "keycloak_default_groups" "default" {
  realm_id  = keycloak_realm.hexor.id
  group_ids = [keycloak_group.users.id]
}

# =============================================================================
# rsauth2-proxy client (production)
# =============================================================================
resource "keycloak_openid_client" "rsauth2_proxy" {
  realm_id  = keycloak_realm.hexor.id
  client_id = "rsauth2-proxy"
  name      = "rsauth2-proxy"
  enabled   = true

  # Confidential client, authorization-code flow only: no implicit flow and
  # no resource-owner-password (direct access) grant.
  access_type                  = "CONFIDENTIAL"
  standard_flow_enabled        = true
  direct_access_grants_enabled = false

  # Exact redirect URI, no wildcard — keep it that way; a wildcard here widens
  # where authorization codes can be sent.
  valid_redirect_uris = [
    "https://oauth.hexor.cy/callback",
  ]
  web_origins = [
    "https://oauth.hexor.cy",
  ]
}

# Adds a "groups" claim to tokens issued to rsauth2-proxy.
resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_groups" {
  realm_id   = keycloak_realm.hexor.id
  client_id  = keycloak_openid_client.rsauth2_proxy.id
  name       = "groups"
  claim_name = "groups"

  # Group names only (e.g. "users"), not "/parent/child" paths. Consumers
  # cannot distinguish same-named groups under different parents — keep group
  # names unique realm-wide if that matters to the proxy's authorization rules.
  full_path = false
}

# Scopes granted by default; the groups claim comes from the mapper above, not
# from a dedicated client scope.
resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
  realm_id  = keycloak_realm.hexor.id
  client_id = keycloak_openid_client.rsauth2_proxy.id
  default_scopes = [
    "openid",
    "profile",
    "email",
  ]
}

# =============================================================================
# rsauth2-proxy client (localhost testing)
# =============================================================================
# NOTE(review): this client lives in the same realm as production, so tokens it
# issues carry the same realm identities and "groups" claim as the production
# client. Treat its secret like a production secret, and consider flipping
# enabled = false when no local testing is in progress.
resource "keycloak_openid_client" "rsauth2_proxy_dev" {
  realm_id  = keycloak_realm.hexor.id
  client_id = "rsauth2-proxy-dev"
  name      = "rsauth2-proxy (dev)"
  enabled   = true

  access_type                  = "CONFIDENTIAL"
  standard_flow_enabled        = true
  direct_access_grants_enabled = false

  # Plain http is accepted here only because the redirect target is loopback.
  valid_redirect_uris = [
    "http://localhost:8080/callback",
  ]
  web_origins = [
    "http://localhost:8080",
  ]
}

# Same "groups" claim as the production mapper, attached to the dev client.
resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
  realm_id   = keycloak_realm.hexor.id
  client_id  = keycloak_openid_client.rsauth2_proxy_dev.id
  name       = "groups"
  claim_name = "groups"
  full_path  = false
}

# Mirrors the production client's default scopes.
resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
  realm_id  = keycloak_realm.hexor.id
  client_id = keycloak_openid_client.rsauth2_proxy_dev.id
  default_scopes = [
    "openid",
    "profile",
    "email",
  ]
}