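# Hetzner Cloud Provider Resources
# Conditionally created when var.cloud_provider == "hetzner"
#
# Every resource in this file is gated on local.is_hetzner so that a plan for
# another provider creates nothing here (and never calls the Hetzner API).

# =============================================================================
# SSH KEY DATA SOURCE
# =============================================================================

# Looks up pre-existing SSH keys in the Hetzner project by name so their IDs
# can be injected into the server at creation time.
# The lookup is gated on local.is_hetzner: without the gate it would run on
# every provider and fail a plan whenever var.ssh_key_names is non-empty
# (the keys do not exist in a project that is not being used).
data "hcloud_ssh_key" "keys" {
  for_each = toset(local.is_hetzner ? var.ssh_key_names : [])
  name     = each.key
}

# =============================================================================
# NETWORK (Optional - for multi-server deployments)
# =============================================================================

# Private network; only created when var.create_network is set.
resource "hcloud_network" "agent" {
  count    = var.create_network && local.is_hetzner ? 1 : 0
  name     = "${var.server_name}-network"
  ip_range = var.network_ip_range
}

# First /24-style slice of the network range (8 extra prefix bits, index 0).
# Shares the network's count condition so the [0] reference is always valid.
resource "hcloud_network_subnet" "agent" {
  count        = var.create_network && local.is_hetzner ? 1 : 0
  network_id   = hcloud_network.agent[0].id
  type         = "cloud"
  network_zone = var.network_zone
  ip_range     = cidrsubnet(var.network_ip_range, 8, 0)
}

# =============================================================================
# FIREWALL
# =============================================================================

# Single inbound rule (SSH) plus explicit allow-all outbound rules.
resource "hcloud_firewall" "agent" {
  count = local.is_hetzner ? 1 : 0
  name  = "${var.server_name}-firewall"

  # Inbound: SSH only
  # NOTE(review): the exposure of this rule is entirely determined by
  # var.ssh_allowed_ips — confirm the variable's default is not 0.0.0.0/0
  # or ::/0, otherwise SSH is reachable from the whole internet.
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = tostring(var.ssh_port)
    source_ips = var.ssh_allowed_ips
  }

  # Outbound: Allow all
  rule {
    direction       = "out"
    protocol        = "tcp"
    port            = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "udp"
    port            = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction       = "out"
    protocol        = "icmp"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }
}

# =============================================================================
# SERVER
# =============================================================================

resource "hcloud_server" "agent" {
  count       = local.is_hetzner ? 1 : 0
  name        = var.server_name
  image       = var.server_image
  server_type = var.server_type_hetzner
  location    = var.location_hetzner

  # IDs resolved from the data source above. If var.ssh_key_names is empty
  # the server is created without any key; confirm that local.userdata
  # provisions access in that case rather than relying on password login.
  ssh_keys = [for key in data.hcloud_ssh_key.keys : key.id]

  # Network attachment (if enabled)
  # Safe to index [0]: the server itself only exists when local.is_hetzner,
  # and the network exists whenever create_network && is_hetzner.
  dynamic "network" {
    for_each = var.create_network ? [1] : []
    content {
      network_id = hcloud_network.agent[0].id
    }
  }

  # Labels for organization
  labels = {
    project     = var.project_name
    environment = var.environment
    framework   = var.agent_framework
    managed     = "terraform"
  }

  # Firewall attachment
  # NOTE(review): the same firewall is also attached by
  # hcloud_firewall_attachment.agent below. Two resources owning one
  # attachment can produce plan drift; consider keeping only one of the two
  # mechanisms — verify against the provider's documented behaviour first.
  firewall_ids = [hcloud_firewall.agent[0].id]

  # Cloud-init user data
  user_data = local.userdata

  # Public IPv4 and IPv6 (enabled by default)
  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }
}

# =============================================================================
# FIREWALL ATTACHMENT (Reference)
# =============================================================================

# Explicit attachment resource; duplicates the firewall_ids setting on the
# server above (see the note there).
resource "hcloud_firewall_attachment" "agent" {
  count       = local.is_hetzner ? 1 : 0
  firewall_id = hcloud_firewall.agent[0].id
  server_ids  = [hcloud_server.agent[0].id]
}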