# Static primary IPv4 address for the repository server.
# auto_delete = false keeps the address allocated when the server it is
# assigned to is deleted, so the public IP survives a server rebuild.
resource "hcloud_primary_ip" "public_ip" {
  name          = "repository-public-ip"
  datacenter    = local.datacenter
  type          = "ipv4"
  assignee_type = "server"
  auto_delete   = false
}

# SSH public key registered with the Hetzner Cloud project.
# file() uploads whatever is at var.public_ssh_key_path verbatim, and the
# content is also stored in the Terraform state, so the variable must point at
# the public half of the key pair (the .pub file), never the private key.
resource "hcloud_ssh_key" "ssh_key" {
  name       = "repository-ssh-key"
  public_key = file(var.public_ssh_key_path)
}

# The repository server itself: IPv4 only, reachable on the primary IP above,
# with the registered SSH key injected at creation time.
#
# NOTE(review): the firewall is bound to this server by the separate
# hcloud_firewall_attachment resource at the end of this file, which depends on
# the server id and is therefore applied only after the server exists. Until
# then the server is presumably reachable unfiltered. hcloud_server also accepts
# firewall_ids, which applies the firewall at creation; use one mechanism or the
# other, not both.
resource "hcloud_server" "server_instance" {
  name        = "repository-server"
  image       = local.server_image
  server_type = local.server_type
  datacenter  = local.datacenter
  ssh_keys    = [hcloud_ssh_key.ssh_key.id]

  public_net {
    ipv4_enabled = true
    ipv4         = hcloud_primary_ip.public_ip.id
    # No public IPv6 address is assigned. The "::/0" entries in the firewall
    # rules below only start to matter if this is ever switched on.
    ipv6_enabled = false
  }
}

# Network firewall for the repository server.
resource "hcloud_firewall" "server_firewall" {
  name = "repository-server-firewall"

  # Allow inbound ICMP (ping, path-MTU discovery) from any address.
  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  # Allow outbound TCP to any destination on any port.
  # NOTE(review): the original comment said "Allow all out", but this rule only
  # matches TCP. Hetzner Cloud Firewalls are documented to drop outbound traffic
  # that matches no rule once at least one outbound rule exists, so outbound UDP
  # (DNS, NTP) and ICMP are presumably blocked. Confirm whether that is intended.
  # If so, keep the comment accurate; if not, add explicit udp/icmp rules limited
  # to what the host needs.
  rule {
    direction       = "out"
    protocol        = "tcp"
    port            = "any"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  # Inbound TCP for the published services: HTTP (80), HTTPS (443) and SSH
  # (22, plus 2222, presumably a second SSH endpoint for the repository
  # application; confirm against the host configuration).
  # NOTE(review): every port here, including both SSH ports, is open to the
  # whole internet. 80/443 are expected for a public service. For 22/2222,
  # consider a separate rule with source_ips narrowed to admin or VPN ranges.
  # If they must stay public, make sure the host enforces key-only
  # authentication and rate-limits or bans repeated failed logins.
  dynamic "rule" {
    for_each = ["80", "443", "22", "2222"]

    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = ["0.0.0.0/0", "::/0"]
    }
  }
}

# Bind the firewall to the server. Nothing is filtered until this attachment
# has been applied.
resource "hcloud_firewall_attachment" "server_fw_attachment" {
  firewall_id = hcloud_firewall.server_firewall.id
  server_ids  = [hcloud_server.server_instance.id]
}