infra/main.tf

locals {
  prod_env_file = file("${path.module}/files/env/prod.env")
  prod_compose  = file("${path.module}/files/stacks/docker-compose.prod.yml")
  ops_env_file  = file("${path.module}/files/env/ops.env")
  ops_compose   = file("${path.module}/files/stacks/docker-compose.ops.yml")
}

resource "tls_private_key" "deploy" {
  algorithm = "ED25519"
}

resource "hcloud_ssh_key" "default" {
  name       = "writekit"
  public_key = var.ssh_public_key
}

resource "hcloud_network" "writekit" {
  name     = "writekit-internal"
  ip_range = "10.0.0.0/16"
}

resource "hcloud_network_subnet" "writekit" {
  network_id   = hcloud_network.writekit.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "10.0.0.0/24"
}

resource "hcloud_server" "prod" {
  name        = "writekit-prod"
  image       = "ubuntu-24.04"
  server_type = var.prod_server_type
  location    = var.location
  ssh_keys    = [hcloud_ssh_key.default.id]

  user_data = templatefile("${path.module}/files/cloud-init/prod.yml", {
    ssh_public_key        = var.ssh_public_key
    deploy_ssh_public_key = tls_private_key.deploy.public_key_openssh
    env_file              = local.prod_env_file
    docker_compose        = local.prod_compose
  })

  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }
}

resource "hcloud_server_network" "prod" {
  server_id  = hcloud_server.prod.id
  network_id = hcloud_network.writekit.id
  ip         = "10.0.0.2"
}

resource "hcloud_firewall" "prod" {
  name = "writekit-prod"

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = var.allowed_ssh_ips
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = ["10.0.0.0/24"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "tcp"
    port            = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "udp"
    port            = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "icmp"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }
}

resource "hcloud_firewall_attachment" "prod" {
  firewall_id = hcloud_firewall.prod.id
  server_ids  = [hcloud_server.prod.id]
}

resource "hcloud_server" "ops" {
  name        = "writekit-ops"
  image       = "ubuntu-24.04"
  server_type = var.ops_server_type
  location    = var.location
  ssh_keys    = [hcloud_ssh_key.default.id]

  user_data = templatefile("${path.module}/files/cloud-init/ops.yml", {
    ssh_public_key         = var.ssh_public_key
    deploy_ssh_private_key = tls_private_key.deploy.private_key_openssh
    env_file               = local.ops_env_file
    docker_compose         = local.ops_compose
  })

  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }

  labels = {
    environment = "ops"
    managed_by  = "terraform"
  }
}

resource "hcloud_server_network" "ops" {
  server_id  = hcloud_server.ops.id
  network_id = hcloud_network.writekit.id
  ip         = "10.0.0.3"
}

resource "hcloud_firewall" "ops" {
  name = "writekit-ops"

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = var.allowed_ssh_ips
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "2222"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "5000"
    source_ips = ["10.0.0.0/24"]
  }

  rule {
    direction       = "out"
    protocol        = "tcp"
    port            = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "udp"
    port            = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "icmp"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }
}

resource "hcloud_firewall_attachment" "ops" {
  firewall_id = hcloud_firewall.ops.id
  server_ids  = [hcloud_server.ops.id]
}

resource "cloudflare_record" "root" {
  zone_id = var.cloudflare_zone_id
  name    = "@"
  content = hcloud_server.prod.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_record" "wildcard" {
  zone_id = var.cloudflare_zone_id
  name    = "*"
  content = hcloud_server.prod.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_record" "staging" {
  zone_id = var.cloudflare_zone_id
  name    = "staging"
  content = hcloud_server.prod.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_record" "staging_wildcard" {
  zone_id = var.cloudflare_zone_id
  name    = "*.staging"
  content = hcloud_server.prod.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_record" "source" {
  zone_id = var.cloudflare_zone_id
  name    = "source"
  content = hcloud_server.ops.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_record" "ci" {
  zone_id = var.cloudflare_zone_id
  name    = "ci"
  content = hcloud_server.ops.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_r2_bucket" "assets" {
  account_id = var.cloudflare_account_id
  name       = "writekit-assets"
  location   = "WEUR"
}
init 2026-01-09 00:22:05 +02:00			`locals {`
			`prod_env_file = file("${path.module}/files/env/prod.env")`
			`prod_compose = file("${path.module}/files/stacks/docker-compose.prod.yml")`
			`ops_env_file = file("${path.module}/files/env/ops.env")`
			`ops_compose = file("${path.module}/files/stacks/docker-compose.ops.yml")`
			`}`

			`resource "tls_private_key" "deploy" {`
			`algorithm = "ED25519"`
			`}`

			`resource "hcloud_ssh_key" "default" {`
			`name = "writekit"`
			`public_key = var.ssh_public_key`
			`}`

			`resource "hcloud_network" "writekit" {`
			`name = "writekit-internal"`
			`ip_range = "10.0.0.0/16"`
			`}`

			`resource "hcloud_network_subnet" "writekit" {`
			`network_id = hcloud_network.writekit.id`
			`type = "cloud"`
			`network_zone = "eu-central"`
			`ip_range = "10.0.0.0/24"`
			`}`

			`resource "hcloud_server" "prod" {`
			`name = "writekit-prod"`
			`image = "ubuntu-24.04"`
			`server_type = var.prod_server_type`
			`location = var.location`
			`ssh_keys = [hcloud_ssh_key.default.id]`

			`user_data = templatefile("${path.module}/files/cloud-init/prod.yml", {`
			`ssh_public_key = var.ssh_public_key`
			`deploy_ssh_public_key = tls_private_key.deploy.public_key_openssh`
			`env_file = local.prod_env_file`
			`docker_compose = local.prod_compose`
			`})`

			`public_net {`
			`ipv4_enabled = true`
			`ipv6_enabled = true`
			`}`

			`labels = {`
			`environment = "production"`
			`managed_by = "terraform"`
			`}`
			`}`

			`resource "hcloud_server_network" "prod" {`
			`server_id = hcloud_server.prod.id`
			`network_id = hcloud_network.writekit.id`
			`ip = "10.0.0.2"`
			`}`

			`resource "hcloud_firewall" "prod" {`
			`name = "writekit-prod"`

			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "22"`
			`source_ips = var.allowed_ssh_ips`
			`}`

			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "22"`
			`source_ips = ["10.0.0.0/24"]`
			`}`

			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "80"`
			`source_ips = ["0.0.0.0/0", "::/0"]`
			`}`

			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "443"`
			`source_ips = ["0.0.0.0/0", "::/0"]`
			`}`

			`rule {`
			`direction = "out"`
			`protocol = "tcp"`
			`port = "1-65535"`
			`destination_ips = ["0.0.0.0/0", "::/0"]`
			`}`

			`rule {`
			`direction = "out"`
			`protocol = "udp"`
			`port = "1-65535"`
			`destination_ips = ["0.0.0.0/0", "::/0"]`
			`}`

			`rule {`
			`direction = "out"`
			`protocol = "icmp"`
			`destination_ips = ["0.0.0.0/0", "::/0"]`
			`}`
			`}`

			`resource "hcloud_firewall_attachment" "prod" {`
			`firewall_id = hcloud_firewall.prod.id`
			`server_ids = [hcloud_server.prod.id]`
			`}`

			`resource "hcloud_server" "ops" {`
			`name = "writekit-ops"`
			`image = "ubuntu-24.04"`
			`server_type = var.ops_server_type`
			`location = var.location`
			`ssh_keys = [hcloud_ssh_key.default.id]`

			`user_data = templatefile("${path.module}/files/cloud-init/ops.yml", {`
			`ssh_public_key = var.ssh_public_key`
			`deploy_ssh_private_key = tls_private_key.deploy.private_key_openssh`
			`env_file = local.ops_env_file`
			`docker_compose = local.ops_compose`
			`})`

			`public_net {`
			`ipv4_enabled = true`
			`ipv6_enabled = true`
			`}`

			`labels = {`
			`environment = "ops"`
			`managed_by = "terraform"`
			`}`
			`}`

			`resource "hcloud_server_network" "ops" {`
			`server_id = hcloud_server.ops.id`
			`network_id = hcloud_network.writekit.id`
			`ip = "10.0.0.3"`
			`}`

			`resource "hcloud_firewall" "ops" {`
			`name = "writekit-ops"`

			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "22"`
			`source_ips = var.allowed_ssh_ips`
			`}`

			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "80"`
			`source_ips = ["0.0.0.0/0", "::/0"]`
			`}`

			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "443"`
			`source_ips = ["0.0.0.0/0", "::/0"]`
			`}`

			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "2222"`
			`source_ips = ["0.0.0.0/0", "::/0"]`
			`}`

			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "5000"`
			`source_ips = ["10.0.0.0/24"]`
			`}`

			`rule {`
			`direction = "out"`
			`protocol = "tcp"`
			`port = "1-65535"`
			`destination_ips = ["0.0.0.0/0", "::/0"]`
			`}`

			`rule {`
			`direction = "out"`
			`protocol = "udp"`
			`port = "1-65535"`
			`destination_ips = ["0.0.0.0/0", "::/0"]`
			`}`

			`rule {`
			`direction = "out"`
			`protocol = "icmp"`
			`destination_ips = ["0.0.0.0/0", "::/0"]`
			`}`
			`}`

			`resource "hcloud_firewall_attachment" "ops" {`
			`firewall_id = hcloud_firewall.ops.id`
			`server_ids = [hcloud_server.ops.id]`
			`}`

			`resource "cloudflare_record" "root" {`
			`zone_id = var.cloudflare_zone_id`
			`name = "@"`
			`content = hcloud_server.prod.ipv4_address`
			`type = "A"`
			`proxied = true`
			`}`

			`resource "cloudflare_record" "wildcard" {`
			`zone_id = var.cloudflare_zone_id`
			`name = "*"`
			`content = hcloud_server.prod.ipv4_address`
			`type = "A"`
			`proxied = true`
			`}`

			`resource "cloudflare_record" "staging" {`
			`zone_id = var.cloudflare_zone_id`
			`name = "staging"`
			`content = hcloud_server.prod.ipv4_address`
			`type = "A"`
			`proxied = true`
			`}`

			`resource "cloudflare_record" "staging_wildcard" {`
			`zone_id = var.cloudflare_zone_id`
			`name = "*.staging"`
			`content = hcloud_server.prod.ipv4_address`
			`type = "A"`
			`proxied = true`
			`}`

			`resource "cloudflare_record" "source" {`
			`zone_id = var.cloudflare_zone_id`
			`name = "source"`
			`content = hcloud_server.ops.ipv4_address`
			`type = "A"`
			`proxied = true`
			`}`

			`resource "cloudflare_record" "ci" {`
			`zone_id = var.cloudflare_zone_id`
			`name = "ci"`
			`content = hcloud_server.ops.ipv4_address`
			`type = "A"`
			`proxied = true`
			`}`

			`resource "cloudflare_r2_bucket" "assets" {`
			`account_id = var.cloudflare_account_id`
			`name = "writekit-assets"`
			`location = "WEUR"`
			`}`