# DNS records for this host; exposes domain_realname / domain_netname used below.
module "dns" {
  source = "../dns"
}

# No selector is given, so this returns every SSH key in the Hetzner Cloud project.
# NOTE(review): all of those public keys are forwarded into local.nixos_vars.ssh_keys,
# presumably as authorized keys on the VPN host. Consider narrowing with
# `with_selector` so that a key added to the project for another purpose does not
# silently gain access here.
data "hcloud_ssh_keys" "nixos_vpn" {}

# Hetzner Cloud server that hosts the NixOS VPN.
resource "hcloud_server" "nixos_vpn" {
  name        = "nixos-vpn"
  server_type = var.server_type
  location    = var.server_location

  # Bootstrap image only; NOTE(review): presumably replaced by the NixOS install
  # performed by module.deploy. Confirm nothing from the Debian image is left reachable.
  image     = "debian-12"
  keep_disk = true
  backups   = false

  ssh_keys = data.hcloud_ssh_keys.nixos_vpn.ssh_keys[*].name

  lifecycle {
    # Guard against accidental teardown of the VPN host.
    prevent_destroy = true

    # Later changes to the project's key list do not touch this resource.
    # local.nixos_vars.ssh_keys still follows the data source.
    ignore_changes = [ssh_keys]
  }
}

# Installs NixOS onto the server via nixos-anywhere.
module "deploy" {
  # NOTE(review): this source carries no `?ref=` pin, so `terraform init` fetches
  # whatever the upstream default branch holds at that moment. The module runs with
  # SSH access to the host and alongside the key-decryption script, so pin it to a
  # reviewed revision, e.g. `...//terraform/all-in-one?ref=<PINNED_COMMIT_OR_TAG>`.
  source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"

  depends_on = [local_file.nixos_vars]

  target_host = hcloud_server.nixos_vpn.ipv4_address
  instance_id = hcloud_server.nixos_vpn.id

  nixos_system_attr      = ".#nixosConfigurations.vpn.config.system.build.toplevel"
  nixos_partitioner_attr = ".#nixosConfigurations.vpn.config.system.build.diskoScriptNoDeps"

  # Script that supplies the extra files for the install; by its name it decrypts
  # age keys from the sops file passed in SOPS_FILE.
  extra_files_script = "${path.module}/decrypt-age-keys.sh"
  extra_environment = {
    SOPS_FILE = var.sops_file
  }

  # NOTE(review): debug logging is enabled on a run that handles decrypted key
  # material. Verify that the verbose trace cannot echo secrets into Terraform/CI
  # logs, and prefer turning this off outside of troubleshooting.
  debug_logging = true
}

# Values handed to the NixOS configuration (written out by local_file.nixos_vars,
# which is defined outside this view).
locals {
  nixos_vars = {
    hostname        = var.hostname
    domain_realname = module.dns.domain_realname
    domain_netname  = module.dns.domain_netname
    ipv4_address    = hcloud_server.nixos_vpn.ipv4_address
    ipv6_address    = hcloud_server.nixos_vpn.ipv6_address
    ssh_keys        = data.hcloud_ssh_keys.nixos_vpn.ssh_keys[*].public_key
  }
}

# Addresses and names exported for other stacks and operators.
output "ipv4_address" {
  value = hcloud_server.nixos_vpn.ipv4_address
}

output "ipv6_address" {
  value = hcloud_server.nixos_vpn.ipv6_address
}

output "domain_realname" {
  value = module.dns.domain_realname
}

output "domain_netname" {
  value = module.dns.domain_netname
}

output "hostname" {
  value = var.hostname
}