Post-Tyranny-Tech-Infrastru.../tofu/network.tf
Pieter 79635eeece feat: Add private network architecture with NAT gateway
Enable deployment of client servers without public IPs using private
network (10.0.0.0/16) with NAT gateway via edge server.

## Infrastructure Changes:

### Terraform (tofu/):
- **network.tf**: Define private network and subnet (10.0.0.0/24)
  - NAT gateway route through edge server
  - Firewall rules for client servers

- **main.tf**: Support private-only servers
  - Optional public_ip_enabled flag per client
  - Dynamic network block for private IP assignment
  - User-data templates for public vs private servers

- **user-data-*.yml**: Cloud-init templates
  - Private servers: Configure default route via NAT gateway
  - Public servers: Standard configuration

- **dns.tf**: Update DNS to support edge routing
  - Client domains point to edge server IP
  - Wildcard DNS for subdomains

- **variables.tf**: Add private_ip and public_ip_enabled options

### Ansible:
- **deploy.yml**: Add diun and kuma roles to deployment

## Benefits:
- Cost savings: No public IP needed for each client
- Scalability: No public IP exhaustion limits
- Security: Clients not directly exposed to internet
- Centralized SSL: All TLS termination at edge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 19:06:19 +01:00


```hcl
# Private Network Configuration
# Enables client servers to communicate without public IPs

# Private Network
resource "hcloud_network" "private" {
  name     = "client-private-network"
  ip_range = "10.0.0.0/16"
  labels = {
    managed = "terraform"
    purpose = "client-internal"
  }
}

# Subnet for client servers
resource "hcloud_network_subnet" "clients" {
  network_id   = hcloud_network.private.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "10.0.0.0/24"
}

# Note: Client servers attach to private network via main.tf dynamic block

# Edge Server Configuration
# Single public-facing reverse proxy for all clients

# SSH key for edge server
resource "hcloud_ssh_key" "edge" {
  name       = "edge-server-deploy-key"
  public_key = file("${path.module}/../keys/ssh/edge.pub")
}

# Edge server (public IP + private network)
resource "hcloud_server" "edge" {
  name         = "edge"
  server_type  = var.edge_server_type
  image        = "ubuntu-24.04"
  location     = var.edge_location
  ssh_keys     = [hcloud_ssh_key.edge.id]
  firewall_ids = [hcloud_firewall.client_firewall.id]
  labels = {
    role    = "edge-proxy"
    managed = "terraform"
  }

  # Enable backups
  backups = var.enable_snapshots

  # User data for initial setup
  user_data = <<-EOF
    #cloud-config
    package_update: true
    package_upgrade: true
    packages:
      - curl
      - wget
      - git
      - python3
      - python3-pip
    runcmd:
      - hostnamectl set-hostname edge
  EOF

  # Ensure public network is enabled
  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }
}

# Attach edge server to private network
resource "hcloud_server_network" "edge" {
  server_id  = hcloud_server.edge.id
  network_id = hcloud_network.private.id
  ip         = "10.0.0.2" # Fixed IP for edge server (10.0.0.1 is gateway)
}

# NAT Gateway Route
# Routes all internet-bound traffic from private network through edge server
resource "hcloud_network_route" "nat_gateway" {
  network_id  = hcloud_network.private.id
  destination = "0.0.0.0/0"
  gateway     = "10.0.0.2" # Edge server acts as NAT gateway
}
```
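The `hcloud_network_route` above only tells Hetzner to hand 0.0.0.0/0 traffic from the private network to 10.0.0.2; the edge server itself still has to forward and masquerade it, and its cloud-config does not do that. The following script is an added example, not part of this commit, showing a minimal NAT gateway setup for the edge with a default-deny forward chain so that only traffic originating from the private range (and its return traffic) is forwarded. Interface names `eth0` (public) and `enp7s0` (private) are assumptions; check them with `ip link` on the edge server.

```shell
#!/usr/bin/env bash
# Added example (not from the repository): NAT gateway rules for the edge server.
# Assumptions: nftables is installed, eth0 is the public interface and
# enp7s0 is the Hetzner private-network interface. Pass others as arguments.
set -eu

# Emit an nftables ruleset for the gateway. Forward policy is drop, so the
# edge never routes anything that did not come from the private range.
nat_ruleset() {
  pub_if="$1"; priv_if="$2"; priv_cidr="$3"
  cat <<EOF
flush ruleset
table inet nat_gw {
  chain forward {
    type filter hook forward priority filter; policy drop;
    # return traffic for connections the private servers opened
    ct state established,related accept
    # new connections only from the private range, only towards the internet
    iifname "${priv_if}" oifname "${pub_if}" ip saddr ${priv_cidr} accept
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # rewrite the private source address to the edge's public address
    oifname "${pub_if}" ip saddr ${priv_cidr} masquerade
  }
}
EOF
}

# Enable forwarding persistently and load the ruleset (run as root on edge).
# Usage: apply_nat_gateway eth0 enp7s0 10.0.0.0/16
apply_nat_gateway() {
  pub_if="${1:-eth0}"; priv_if="${2:-enp7s0}"; priv_cidr="${3:-10.0.0.0/16}"
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-nat-gateway.conf
  sysctl -q -p /etc/sysctl.d/90-nat-gateway.conf
  # /etc/nftables.conf is what the nftables unit loads at boot
  nat_ruleset "$pub_if" "$priv_if" "$priv_cidr" > /etc/nftables.conf
  nft -f /etc/nftables.conf
  systemctl enable --now nftables
}
```

Private servers still need their own default route pointed at the subnet gateway 10.0.0.1 (the cloud-init templates the commit message mentions), since the Hetzner route, not the client, decides that 10.0.0.2 is the next hop.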