# Firewall for the public side of the cthulhu nodes.
# Every rule below is inbound and accepts traffic from any IPv4 and IPv6
# address ("0.0.0.0/0", "::/0"). No outbound rules are declared here.
# How this firewall is attached to servers is not visible in this file.
resource "hcloud_firewall" "cthulhu_nodes_public" {
  name = "cthulhu-nodes-public"

  rule {
    direction   = "in"
    protocol    = "icmp"
    source_ips  = ["0.0.0.0/0", "::/0"]
    description = "Allow ICMP (ping)"
  }

  # NOTE(review): SSH is reachable from the whole internet. Narrow source_ips
  # to an administrative CIDR, bastion or VPN range where one exists, and
  # confirm the nodes accept key-based logins only.
  rule {
    direction   = "in"
    protocol    = "tcp"
    port        = "22"
    source_ips  = ["0.0.0.0/0", "::/0"]
    description = "Allow SSH"
  }

  rule {
    direction   = "in"
    protocol    = "tcp"
    port        = "80"
    source_ips  = ["0.0.0.0/0", "::/0"]
    description = "Allow HTTP"
  }

  rule {
    direction   = "in"
    protocol    = "tcp"
    port        = "443"
    source_ips  = ["0.0.0.0/0", "::/0"]
    description = "Allow HTTPS"
  }

  # UDP 443 is opened in addition to TCP 443 for HTTP/3.
  rule {
    direction   = "in"
    protocol    = "udp"
    port        = "443"
    source_ips  = ["0.0.0.0/0", "::/0"]
    description = "Allow HTTP/3"
  }

  # NOTE(review): the Kubernetes API server is reachable from any address, so
  # the only control in front of it is the API server's own authentication and
  # authorization. Confirm anonymous access is disabled and RBAC is enforced,
  # and restrict source_ips to known operator / CI ranges if that is feasible.
  rule {
    direction   = "in"
    protocol    = "tcp"
    port        = "6443"
    source_ips  = ["0.0.0.0/0", "::/0"]
    description = "Allow Kubernetes API Server"
  }
}

# Firewall for node-to-node traffic: ICMP plus every TCP and UDP port, accepted
# only from the address range of the hcloud_network.cthulhu network.
# NOTE(review): this trusts every host inside that range equally; a single
# compromised node can reach all ports on its peers. Tighten to the ports the
# cluster actually needs if east-west segmentation matters here.
# NOTE(review): Hetzner documents Cloud Firewalls as filtering the public
# interface only - verify that these rules have the intended effect on
# private-network traffic.
resource "hcloud_firewall" "cthulhu_nodes_private" {
  name = "cthulhu-nodes-private"

  rule {
    direction   = "in"
    protocol    = "icmp"
    source_ips  = [hcloud_network.cthulhu.ip_range]
    description = "Allow ICMP (ping)"
  }

  # The description strings below contain a typo ("eveyrthing"). They are kept
  # verbatim because the description is part of the rule submitted to the
  # provider; correct it in a separate, deliberate change.
  rule {
    direction   = "in"
    protocol    = "tcp"
    port        = "any"
    source_ips  = [hcloud_network.cthulhu.ip_range]
    description = "Allow eveyrthing TCP on all ports"
  }

  rule {
    direction   = "in"
    protocol    = "udp"
    port        = "any"
    source_ips  = [hcloud_network.cthulhu.ip_range]
    description = "Allow eveyrthing UDP on all ports"
  }
}