# NixOS module: Pomerium identity-aware proxy.
# No secret material is inlined here; runtime secrets arrive through an env
# file rendered by the vault integration declared in `my.vault.secrets.pomerium`
# at the bottom of this module.
{ config, ... }: {
  services.pomerium = {
    enable = true;
    # Env file (COOKIE_SECRET, SHARED_SECRET, IDP_CLIENT_SECRET, ...) written
    # by the vault template below.
    secretsFile = config.my.vault.secrets.pomerium.path;
    settings = {
      address = ":443";
      grpc_address = ":5443";
      http_redirect_addr = ":80";
      dns_lookup_family = "AUTO";

      # Identity provider: Google. The client ID is a public identifier; the
      # matching client secret and service account live in the env file.
      idp_provider = "google";
      idp_client_id = "136257844546-qsa6hi1oqqoq2bnt93deo4e70ggbn1p8.apps.googleusercontent.com";
      # Extra parameters sent on the Google authorization request.
      # NOTE(review): `hd` only steers the Google sign-in UI; it is not an
      # authorization check on its own -- confirm that the pomerium policy
      # (defined elsewhere) restricts which users/domains are allowed.
      idp_request_params = {
        hd = "lukegb.com";
        login_hint = "lukegb@lukegb.com";
      };
      # JWT claims forwarded to upstreams as request headers.
      jwt_claims_headers = [ "email" "user" ];

      # Note autocert = true; not set here.
      # The autocert_* settings below are inert unless autocert is enabled
      # elsewhere -- presumably intentional; verify against the merged config.
      autocert_ca = "https://dv.acme-v02.api.pki.goog/directory";
      autocert_email = "acme@lukegb.com";
      autocert_must_staple = true;
      autocert_dir = "/var/lib/pomerium/autocert";

      # NOTE(review): the authorize/databroker gRPC links below use plain
      # http:// together with grpc_insecure, so inter-service traffic is not
      # TLS-protected; acceptable only if the path to etheroute-lon01 is a
      # trusted network segment -- confirm.
      grpc_insecure = true;

      timeout_read = "0"; # We have some long-lived connections...
      # NOTE(review): "0" disables the read/write/idle timeouts entirely, so a
      # slow or stalled client can hold a connection indefinitely -- confirm
      # that connection limits are enforced somewhere else in the path.
      timeout_write = "0";
      timeout_idle = "0";

      forward_auth_url = "https://fwdauth.int.lukegb.com";
      authenticate_service_url = "https://auth.int.lukegb.com";
      signout_redirect_url = "https://logged-out.int.lukegb.com";
      authorize_service_url = "http://etheroute-lon01.int.as205479.net:5443";
      databroker_service_url = "http://etheroute-lon01.int.as205479.net:5443";
    };
  };

  # Vault template that renders the env file consumed by
  # services.pomerium.secretsFile above. Each line becomes one KEY=VALUE entry
  # sourced from the "kv/apps/pomerium" secret. Do not put comments inside the
  # template itself: they would end up in the rendered file.
  my.vault.secrets.pomerium = {
    template = ''
      {{ with secret "kv/apps/pomerium" }}
      COOKIE_SECRET={{ .Data.data.cookieSecret }}
      SHARED_SECRET={{ .Data.data.sharedSecret }}
      IDP_CLIENT_SECRET={{ .Data.data.idpClientSecret }}
      SIGNING_KEY={{ .Data.data.signingKey }}
      IDP_SERVICE_ACCOUNT={{ .Data.data.googleServiceAccount }}
      AUTOCERT_EAB_KEY_ID={{ .Data.data.eabKeyID }}
      AUTOCERT_EAB_MAC_KEY={{ .Data.data.eabMacKey }}
      {{ end }}
    '';
    # NOTE(review): only the group is set here; the owner and file mode
    # presumably come from the my.vault module defaults -- verify the rendered
    # file is not world-readable, since it holds the shared and signing secrets.
    group = "root";
    # Restart pomerium whenever the rendered secrets change.
    reloadOrRestartUnits = [ "pomerium.service" ];
  };
}