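# Private network shared by the Gitea server and the CI runner. The runner has
# no public address at all, so this network is its only path to the server.
resource "hcloud_network" "network" {
  name     = "network"
  ip_range = "10.0.0.0/16"
}

# Subnet both servers attach to. The servers `depends_on` this resource because
# a `network { ip = ... }` block needs the subnet to exist first.
resource "hcloud_network_subnet" "subnet" {
  type         = "cloud"
  network_id   = hcloud_network.network.id
  network_zone = "eu-central"
  ip_range     = "10.0.10.0/24"
}

/* -------------------------------------------------------------------------- */

# Stable public IPv4 for the Gitea server. `auto_delete = false` keeps the
# address (and anything pointing at it) when the server is destroyed/recreated.
resource "hcloud_primary_ip" "public_ip" {
  name          = "repository-public-ip"
  datacenter    = local.datacenter
  type          = "ipv4"
  assignee_type = "server"
  auto_delete   = false
}

# Public half of the admin key pair that is injected into the Gitea server.
resource "hcloud_ssh_key" "gitea_ssh_key" {
  name       = "repository-ssh-key"
  public_key = file(var.public_gitea_ssh_key_path)
}

# The Gitea host: public IPv4 only (IPv6 disabled) plus a fixed private
# address on the shared subnet.
resource "hcloud_server" "gitea_server_instance" {
  name        = "repository-gitea-server"
  image       = local.server_image
  server_type = local.server_type
  datacenter  = local.datacenter
  ssh_keys    = [hcloud_ssh_key.gitea_ssh_key.id]

  public_net {
    ipv4_enabled = true
    ipv4         = hcloud_primary_ip.public_ip.id
    ipv6_enabled = false
  }

  network {
    network_id = hcloud_network.network.id
    ip         = local.gitea_ip
    alias_ips  = []
  }

  depends_on = [
    hcloud_network_subnet.subnet
  ]
}

# Source ranges allowed to reach the host's management SSH (port 22).
# The default reproduces the previous "open to the world" behaviour; narrow it
# to your admin ranges (e.g. ["203.0.113.0/24"]) via a tfvars file so that
# only the application ports stay exposed to the internet.
variable "admin_ssh_source_ips" {
  type        = list(string)
  default     = ["0.0.0.0/0", "::/0"]
  description = "CIDR ranges permitted to reach port 22 on the Gitea server."
}

resource "hcloud_firewall" "server_firewall" {
  name = "repository-server-firewall"

  # Allow ICMP in (ping, path-MTU discovery) from anywhere.
  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  # Allow all out. Hetzner Cloud firewalls permit all outbound traffic only
  # while NO outbound rule exists; once one is declared, every other outbound
  # packet is dropped. A TCP-only rule therefore silently breaks UDP DNS and
  # NTP, so TCP, UDP and ICMP are each allowed explicitly.
  dynamic "rule" {
    for_each = ["tcp", "udp"]
    content {
      direction       = "out"
      protocol        = rule.value
      port            = "any"
      destination_ips = ["0.0.0.0/0", "::/0"]
    }
  }

  rule {
    direction       = "out"
    protocol        = "icmp"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  # Public application ports: HTTP/HTTPS and 2222 (presumably Gitea's
  # built-in SSH for git over SSH -- confirm against the Gitea config).
  dynamic "rule" {
    for_each = ["80", "443", "2222"]
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = ["0.0.0.0/0", "::/0"]
    }
  }

  # Host management SSH, scoped separately from the application ports.
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = var.admin_ssh_source_ips
  }
}

# The firewall is applied only to the Gitea server; the runner has no public
# interface, so it is reachable solely over the private network.
resource "hcloud_firewall_attachment" "server_fw_attachment" {
  firewall_id = hcloud_firewall.server_firewall.id
  server_ids  = [hcloud_server.gitea_server_instance.id]
}

/* -------------------------------------------------------------------------- */

# Public half of the key pair injected into the runner host.
resource "hcloud_ssh_key" "runner_ssh_key" {
  name       = "repository-runner-ssh-key"
  public_key = file(var.public_runner_ssh_key_path)
}

# The CI runner: private-network only. With both public_net flags disabled it
# has no internet egress unless a route via a NAT host is configured elsewhere
# (not in this file) -- NOTE(review): confirm how it pulls images/packages.
resource "hcloud_server" "runner_instance" {
  name        = "repository-runner-server"
  image       = local.server_image
  server_type = local.server_type
  datacenter  = local.datacenter
  ssh_keys    = [hcloud_ssh_key.runner_ssh_key.id]

  network {
    network_id = hcloud_network.network.id
    ip         = local.runner_ip
    alias_ips  = []
  }

  public_net {
    ipv4_enabled = false
    ipv6_enabled = false
  }

  depends_on = [
    hcloud_network_subnet.subnet
  ]
}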