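terraform {
  # Provider constraints use "~>" pessimistic pinning. Note the mix of widths:
  # "~> 5.0" for aws admits any 5.x minor, while the others ("~> 1.45.0" etc.)
  # only admit patch releases of the named minor. Bumps should be deliberate.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = "~> 1.45.0"
    }
    healthchecksio = {
      source  = "kristofferahl/healthchecksio"
      version = "~> 1.6.0"
    }
    ovh = {
      source  = "ovh/ovh"
      version = "~> 0.48.0"
    }
    scaleway = {
      source  = "scaleway/scaleway"
      version = "~> 2.43.0"
    }
    tailscale = {
      source  = "tailscale/tailscale"
      version = "~> 0.16.0"
    }

    # Providers for services that run on the infrastructure above (their
    # provider blocks are configured further down in this file).
    authentik = {
      source  = "goauthentik/authentik"
      version = "~> 2024.8.0"
    }
    mailcow = {
      source  = "l-with/mailcow"
      version = "~> 0.7.5"
    }
    postgresql = {
      source  = "cyrilgdn/postgresql"
      version = "~> 1.23.0"
    }
  }

  # Remote state lives in an S3-compatible bucket at var.backend_endpoint,
  # not in AWS itself, hence the skip_* flags below. Referencing variables
  # inside a backend block relies on OpenTofu's early variable evaluation;
  # plain Terraform rejects it (as it does the encryption block below), so
  # consider pinning required_version to the OpenTofu release that supports
  # both features.
  backend "s3" {
    bucket     = var.backend_bucket
    access_key = var.backend_access_key
    secret_key = var.backend_secret_key
    key        = "terraform.tfstate"
    region     = var.backend_region
    # Requests server-side encryption on the object; whether a non-AWS
    # endpoint honours that header depends on the service, so the client-side
    # encryption block below is the guarantee that matters.
    encrypt = true
    endpoints = {
      s3 = var.backend_endpoint
    }

    # Disable AWS-specific features
    skip_credentials_validation = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
  }

  # Client-side state encryption: the bucket only ever stores AES-GCM
  # ciphertext keyed from var.passphrase via PBKDF2. Losing the passphrase
  # means losing the state, so it needs to be backed up independently.
  encryption {
    key_provider "pbkdf2" "encryption" {
      passphrase = var.passphrase
    }

    method "aes_gcm" "encryption" {
      keys = key_provider.pbkdf2.encryption
    }

    # enforced = true refuses to read or write unencrypted state, so a
    # misconfiguration fails loudly instead of silently downgrading.
    state {
      method   = method.aes_gcm.encryption
      enforced = true
    }

    # Saved plan files embed a full copy of the state, sensitive values
    # included; without this block they would be written in plaintext even
    # though state encryption is enforced. Apply the same policy to plans.
    plan {
      method   = method.aes_gcm.encryption
      enforced = true
    }
  }
}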

# AWS is configured with static credentials passed in as variables rather than
# the ambient environment/profile chain. The variables should be declared as
# sensitive (their declarations are not in this file); rotate the key pair if
# it ever lands in a plan output or log.
provider "aws" {
  region     = var.aws_region
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
}

# Hetzner Cloud, authenticated with a project API token. The token grants
# whatever scope it was created with (read/write is needed for resource
# management), so it should be project-scoped rather than account-wide.
provider "hcloud" {
  token = var.hcloud_token
}

# healthchecks.io management API key (the key that creates/edits checks, not a
# per-check ping URL).
provider "healthchecksio" {
  api_key = var.healthchecksio_api_key
}

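# OVH API credentials. "ovh-eu" selects the European API endpoint; the three
# keys form one OVH application/consumer credential set and are only as
# restricted as the consumer key's allowed API paths, so keep that allow-list
# minimal. Attributes aligned per `tofu fmt`.
provider "ovh" {
  endpoint           = "ovh-eu"
  application_key    = var.ovh_application_key
  application_secret = var.ovh_application_secret
  consumer_key       = var.ovh_consumer_key
}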

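# Scaleway, scoped to a single organization and project. Region and zone are
# fixed to Amsterdam here; the same project id is also passed explicitly to
# module "infrastructure" below, so the two must stay in agreement.
# Attributes aligned per `tofu fmt`.
provider "scaleway" {
  organization_id = var.scaleway_organization_id
  project_id      = var.scaleway_project_id
  access_key      = var.scaleway_access_key
  secret_key      = var.scaleway_secret_key
  region          = "nl-ams"
  zone            = "nl-ams-1"
}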

# Tailscale control-plane API for the named tailnet. This uses a long-lived
# API key; NOTE(review): the provider also accepts OAuth client credentials,
# which can be scoped more narrowly than a user API key -- worth confirming
# against the provider version pinned above before switching.
provider "tailscale" {
  api_key = var.tailscale_api_key
  tailnet = var.tailscale_tailnet
}

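# Base infrastructure (hosts, services, mail domains). The module takes the
# Scaleway project id explicitly even though the provider above is already
# scoped to it; both come from the same variable so they cannot drift.
# `var.services` is also handed to module "services" below.
# Attributes aligned per `tofu fmt`.
module "infrastructure" {
  source = "./modules/infrastructure"

  scaleway_project_id = var.scaleway_project_id

  # Public key material only; the private half never enters this config.
  default_ssh_key = var.default_ssh_key

  hosts         = var.hosts
  services      = var.services
  email_domains = var.email_domains
}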

# Authentik identity provider API. The token is an admin-level API token for
# the instance at var.authentik_url; the same URL is passed to module
# "services" below. Use an https URL so the token is not sent in clear.
provider "authentik" {
  url   = var.authentik_url
  token = var.authentik_token
}

# mailcow admin API on the given host. The API key should be created with the
# minimum rights the managed resources need (mailcow distinguishes read-only
# and read/write keys in its UI).
provider "mailcow" {
  host_name = var.mailcow_host_name
  api_key   = var.mailcow_api_key
}

# PostgreSQL management connection. Connects to the "postgres" maintenance
# database; the user needs enough privilege to create the roles/databases the
# services module manages, so this is effectively a superuser-class secret.
provider "postgresql" {
  host     = var.postgresql_host
  port     = var.postgresql_port
  database = "postgres"
  username = var.postgresql_username
  password = var.postgresql_password
  # verify-full checks both the certificate chain and that the certificate
  # matches var.postgresql_host, which prevents a MITM from harvesting the
  # password. If the server uses a private CA, the CA must be trusted on the
  # machine running tofu (the provider has an sslrootcert argument for that).
  sslmode = "verify-full"
  # Seconds to wait for the TCP/TLS handshake before giving up.
  connect_timeout = 15
}

# Application-level resources (Authentik apps, mail, databases) for the same
# `var.services` map that module "infrastructure" provisions hosts for. It
# relies on the authentik/mailcow/postgresql providers configured above.
module "services" {
  source = "./modules/services"

  authentik_url = var.authentik_url

  services = var.services
}