terraform {
  backend "consul" {
    path = "nidito/state/service/club-patito"
  }

  required_providers {
    acme = {
      source  = "vancluever/acme"
      version = "~> 2.5.3"
    }

    digitalocean = {
      source = "digitalocean/digitalocean"
      version = "~> 2.16.0"
    }

    vault = {
      source  = "hashicorp/vault"
      version = "~> 3.7.0"
    }
  }

  required_version = ">= 1.0.0"
}

locals {
  policies = {
    "sys/capabilities-self" = ["update"]
    "auth/token/renew-self" = ["update"]
    "config/kv/provider:cdn" = ["read"]
    "config/kv/pati.to:club" = ["read"]
    "cfg/infra/tree/provider:cdn" = ["read"]
    "cfg/svc/tree/pati.to:club" = ["read"]
  }

  mx_servers = {
    "mxa.mailgun.org." = 10,
    "mxb.mailgun.org." = 10,
  }
}

provider "acme" {
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

// DO tokens for compute resources
data "vault_generic_secret" "DO" {
  path = "cfg/infra/tree/provider:digitalocean"
}

provider "digitalocean" {
  token = data.vault_generic_secret.DO.data.patito
}

provider "digitalocean" {
  alias = "compute"
  token = data.vault_generic_secret.DO.data.token
}

data "digitalocean_droplet" "bedstuy" {
  provider = digitalocean.compute
  name = "bedstuy"
}

resource "vault_policy" "service" {
  name = "club-patito"
  policy = <<-HCL
  %{ for path in sort(keys(local.policies)) }path "${path}" {
    capabilities = ${jsonencode(local.policies[path])}
  }

  %{ endfor }
  HCL
}

resource "digitalocean_record" "to_pati_club" {
  domain = "pati.to"
  type   = "A"
  ttl    = 3600
  name   = "club"
  value  = data.digitalocean_droplet.bedstuy.ipv4_address
}

resource "digitalocean_record" "txt_smtp_domainkey" {
  domain = "pati.to"
  type   = "TXT"
  name   = "mailo._domainkey.mail.club"
  value  = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG2sUJLqDOqMnjMy3+fNI0rdrGb8VrI84yloaXE9R8aLEXkm0jlANiFEmVF7s7ZvoDoKm0v5Lm/JsvM/Rl8n9TS2QYMqhmVsEmuBHwOVhekUDW/LKvfDxfNhmbquvU4z+/fn2WBx19dLG3Ctao7pbL7B9TKR+sPJUNoFWRseucMQIDAQAB"
}

resource "digitalocean_record" "txt_spf" {
  domain = "pati.to"
  type   = "TXT"
  name   = "mail.club"
  value  = "v=spf1 include:mailgun.org ~all;"
}

resource "digitalocean_record" "mx" {
  for_each = local.mx_servers
  domain   = "pati.to"
  type     = "MX"
  name     = "mail.club"
  value    = each.key
  priority = each.value
}


data "terraform_remote_state" "registration" {
  backend = "consul"
  workspace = "default"
  config = {
    address = "consul.service.casa.consul:5554"
    scheme = "https"
    path = "nidito/state/letsencrypt/registration"
  }
}

resource acme_certificate cert {
  account_key_pem           = data.terraform_remote_state.registration.outputs.account_key
  common_name               = "pati.to"
  subject_alternative_names = ["*.pati.to"]
  recursive_nameservers = ["1.1.1.1:53", "8.8.8.8:53"]

  dns_challenge {
    provider = "digitalocean"
    config = {
      DO_AUTH_TOKEN = data.vault_generic_secret.DO.data.patito
      DO_PROPAGATION_TIMEOUT = 60
      DO_TTL = 30
    }
  }
}

resource vault_generic_secret cert {
  path = "nidito/tls/${acme_certificate.cert.common_name}"
  data_json = jsonencode({
    private_key = acme_certificate.cert.private_key_pem,
    cert = join("", [
      acme_certificate.cert.certificate_pem,
      acme_certificate.cert.issuer_pem,
    ])
    issuer = acme_certificate.cert.issuer_pem,
    bare_cert = acme_certificate.cert.certificate_pem,
  })
}