infra/main.tf

locals {
  prod_env_file = file("${path.module}/files/env/prod.env")
  prod_compose  = file("${path.module}/files/stacks/docker-compose.prod.yml")
  ops_env_file  = file("${path.module}/files/env/ops.env")
  ops_compose   = file("${path.module}/files/stacks/docker-compose.ops.yml")
}

resource "tls_private_key" "deploy" {
  algorithm = "ED25519"
}

resource "hcloud_ssh_key" "default" {
  name       = "writekit"
  public_key = var.ssh_public_key
}

resource "hcloud_network" "writekit" {
  name     = "writekit-internal"
  ip_range = "10.0.0.0/16"
}

resource "hcloud_network_subnet" "writekit" {
  network_id   = hcloud_network.writekit.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "10.0.0.0/24"
}

resource "hcloud_server" "prod" {
  name        = "writekit-prod"
  image       = "ubuntu-24.04"
  server_type = var.prod_server_type
  location    = var.location
  ssh_keys    = [hcloud_ssh_key.default.id]

  user_data = templatefile("${path.module}/files/cloud-init/prod.yml", {
    ssh_public_key        = var.ssh_public_key
    deploy_ssh_public_key = tls_private_key.deploy.public_key_openssh
    env_file              = local.prod_env_file
    docker_compose        = local.prod_compose
  })

  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }
}

resource "hcloud_server_network" "prod" {
  server_id  = hcloud_server.prod.id
  network_id = hcloud_network.writekit.id
  ip         = "10.0.0.2"
}

resource "hcloud_firewall" "prod" {
  name = "writekit-prod"

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = var.allowed_ssh_ips
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = ["10.0.0.0/24"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "tcp"
    port            = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "udp"
    port            = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "icmp"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }
}

resource "hcloud_firewall_attachment" "prod" {
  firewall_id = hcloud_firewall.prod.id
  server_ids  = [hcloud_server.prod.id]
}

resource "hcloud_server" "ops" {
  name        = "writekit-ops"
  image       = "ubuntu-24.04"
  server_type = var.ops_server_type
  location    = var.location
  ssh_keys    = [hcloud_ssh_key.default.id]

  user_data = templatefile("${path.module}/files/cloud-init/ops.yml", {
    ssh_public_key         = var.ssh_public_key
    deploy_ssh_private_key = tls_private_key.deploy.private_key_openssh
    env_file               = local.ops_env_file
    docker_compose         = local.ops_compose
  })

  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }

  labels = {
    environment = "ops"
    managed_by  = "terraform"
  }
}

resource "hcloud_server_network" "ops" {
  server_id  = hcloud_server.ops.id
  network_id = hcloud_network.writekit.id
  ip         = "10.0.0.3"
}

resource "hcloud_firewall" "ops" {
  name = "writekit-ops"

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = var.allowed_ssh_ips
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "2222"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "5000"
    source_ips = ["10.0.0.0/24"]
  }

  rule {
    direction       = "out"
    protocol        = "tcp"
    port            = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "udp"
    port            = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "icmp"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }
}

resource "hcloud_firewall_attachment" "ops" {
  firewall_id = hcloud_firewall.ops.id
  server_ids  = [hcloud_server.ops.id]
}

resource "cloudflare_record" "root" {
  zone_id = var.cloudflare_zone_id
  name    = "@"
  content = hcloud_server.prod.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_record" "wildcard" {
  zone_id = var.cloudflare_zone_id
  name    = "*"
  content = hcloud_server.prod.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_record" "staging" {
  zone_id = var.cloudflare_zone_id
  name    = "staging"
  content = hcloud_server.prod.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_record" "staging_wildcard" {
  zone_id = var.cloudflare_zone_id
  name    = "*.staging"
  content = hcloud_server.prod.ipv4_address
  type    = "A"
  proxied = false
}

resource "cloudflare_record" "source" {
  zone_id = var.cloudflare_zone_id
  name    = "source"
  content = hcloud_server.ops.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_record" "ci" {
  zone_id = var.cloudflare_zone_id
  name    = "ci"
  content = hcloud_server.ops.ipv4_address
  type    = "A"
  proxied = true
}

resource "cloudflare_r2_bucket" "assets" {
  account_id = var.cloudflare_account_id
  name       = "writekit-assets"
  location   = "WEUR"
}