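# Gitea DNS + remote-state configuration.
#
# The file had been collapsed onto a single line, which made the first "#"
# comment swallow every setting after it. The layout below restores one
# argument per line; all values are unchanged.

terraform {
  required_providers {
    # "~>" accepts any later release within the major version. Commit
    # .terraform.lock.hcl so the exact provider builds and their checksums
    # are pinned between runs.
    digitalocean = {
      source  = "digitalocean/digitalocean"
      version = "~> 2.0"
    }
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }

  # Remote state in a DigitalOcean Space via the S3-compatible backend.
  # State files can hold sensitive resource attributes in plain text, so the
  # Space should stay private. No access keys appear here; presumably they
  # are supplied through the environment or -backend-config. Keep them out of
  # version control.
  backend "s3" {
    endpoints = {
      s3 = "https://nyc3.digitaloceanspaces.com"
    }
    bucket = "lunarfront-infra"
    key    = "terraform/gitea.tfstate"
    region = "us-east-1" # required by S3 backend, ignored by Spaces

    # The skip_* flags turn off AWS-only checks (STS, EC2 metadata, region
    # list, account id) that a Spaces endpoint cannot answer.
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_region_validation      = true
    skip_requesting_account_id  = true

    # NOTE(review): force_path_style is deprecated in favour of
    # use_path_style on Terraform versions that accept the "endpoints" map.
    # Left as-is here.
    force_path_style = true
  }
}

# Both tokens come from input variables declared outside this file.
# NOTE(review): confirm those variable blocks set sensitive = true so the
# values are redacted from plan/apply output.
provider "digitalocean" {
  token = var.do_token
}

provider "cloudflare" {
  api_token = var.cloudflare_api_token
}

# ─── Cloudflare zone lookup ───────────────────────────────────────────────────

data "cloudflare_zone" "main" {
  name = var.domain
}

# ─── DNS records ──────────────────────────────────────────────────────────────

# Web UI record (git.<domain>).
# NOTE(review): the original comment described this record as "Proxied through
# Cloudflare", but proxied = false. As written it is DNS-only, exactly like
# git-ssh below: it publishes var.cluster_lb_ip directly and Cloudflare's
# proxy (WAF, DDoS absorption, origin-IP hiding) is not in front of the web
# UI. Confirm which is intended. If proxying is wanted, set proxied = true,
# and the provider is expected to require ttl = 1 (automatic) with it.
resource "cloudflare_record" "gitea" {
  zone_id = data.cloudflare_zone.main.id
  name    = "git"
  type    = "A"
  content = var.cluster_lb_ip
  proxied = false
  ttl     = 3600
}

# DNS only — no Cloudflare proxy, for SSH git access
resource "cloudflare_record" "git_ssh" {
  zone_id = data.cloudflare_zone.main.id
  name    = "git-ssh"
  type    = "A"
  content = var.cluster_lb_ip
  proxied = false
  ttl     = 3600
}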